Rules In DISA STIG for Oracle Linux 7


V-ID CCI CAT Title Description Check Procedures Fixtext Version
OL07-00-010010 CCI-001496 high The Oracle Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values. Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated. The following command will list which files on the system have permissions different from what is expected by the RPM database: $ rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }' Is it the case that there is output? The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions of system files and commands match vendor values. Check the file permissions with the following command:
$ sudo rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }'
Output indicates files that do not match vendor defaults. After locating a file with incorrect permissions, run the following command to determine which package owns it:
$ rpm -qf FILENAME

Next, run the following command to reset its permissions to the correct values:
$ sudo rpm --setperms PACKAGENAME
OL07-00-010010
OL07-00-010020 CCI-000366 high The Oracle Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values. The hashes of important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system. The following command will list which files on the system have file hashes different from what is expected by the RPM database. $ rpm -Va | awk '$1 ~ /..5/ && $2 != "c"' Is it the case that there is output? Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package management system can check the hashes of installed software packages, including many that are important to system security. To verify that the cryptographic hash of system files and commands match vendor values, run the following command to list which files on the system have hashes that differ from what is expected by the RPM database:
$ rpm -Va | grep '^..5'
A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file was not expected to change, investigate the cause of the change using audit logs or other means. The package can then be reinstalled to restore the file. Run the following command to determine which package owns the file:
$ rpm -qf FILENAME
The package can be reinstalled from a yum repository using the command:
$ sudo yum reinstall PACKAGENAME
Alternatively, the package can be reinstalled from trusted media using the command:
$ sudo rpm -Uvh PACKAGENAME
OL07-00-010020
OL07-00-010030 CCI-001388 medium The Oracle Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon. Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

For U.S. Government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
To ensure a login warning banner is enabled, run the following: $ grep banner-message-enable /etc/dconf/db/gdm.d/* If properly configured, the output should be true. To ensure a login warning banner is locked and cannot be changed by a user, run the following: $ grep banner-message-enable /etc/dconf/db/gdm.d/locks/* If properly configured, the output should be /org/gnome/login-screen/banner-message-enable. Is it the case that it is not? In the default graphical environment, displaying a login warning banner in the GNOME Display Manager's login screen can be enabled on the login screen by setting banner-message-enable to true.

To enable, add or edit banner-message-enable to /etc/dconf/db/gdm.d/00-security-settings. For example:
[org/gnome/login-screen]
banner-message-enable=true
Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/login-screen/banner-message-enable
After the settings have been set, run dconf update. The banner text must also be set.
OL07-00-010030
OL07-00-010040 CCI-000048 medium The Oracle Linux operating system must display the approved Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon. An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. To ensure the login warning banner text is properly set, run the following: $ grep banner-message-text /etc/dconf/db/gdm.d/* If properly configured, the proper banner text will appear. To ensure the login warning banner text is locked and cannot be changed by a user, run the following: $ grep banner-message-text /etc/dconf/db/gdm.d/locks/* If properly configured, the output should be /org/gnome/login-screen/banner-message-text. Is it the case that it does not? In the default graphical environment, configuring the login warning banner text in the GNOME Display Manager's login screen can be configured on the login screen by setting banner-message-text to string 'APPROVED_BANNER' where APPROVED_BANNER is the approved banner for your environment.

To enable, add or edit banner-message-text to /etc/dconf/db/gdm.d/00-security-settings. For example:
[org/gnome/login-screen]
banner-message-text='APPROVED_BANNER'
Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/login-screen/banner-message-text
After the settings have been set, run dconf update. When entering a warning banner that spans several lines, remember to begin and end the string with ' and use \n for new lines.
OL07-00-010040
OL07-00-010050 CCI-000048 medium The Oracle Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
To check if the system login banner is compliant, run the following command: $ cat /etc/issue Is it the case that it does not display the required banner? To configure the system login banner edit /etc/issue. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.


OR:

I've read & consent to terms in IS user agreem't.
OL07-00-010050
OL07-00-010060 CCI-000058 medium The Oracle Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures. A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense. To check the status of the idle screen lock activation, run the following command: $ gsettings get org.gnome.desktop.screensaver lock-enabled If properly configured, the output should be true. To ensure that users cannot change how long until the the screensaver locks, run the following: $ grep lock-enabled /etc/dconf/db/local.d/locks/* If properly configured, the output for lock-enabled should be /org/gnome/desktop/screensaver/lock-enabled Is it the case that screensaver locking is not enabled and/or has not been set or configured correctly? To activate locking of the screensaver in the GNOME3 desktop when it is activated, add or set lock-enabled to true in /etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
lock-enabled=true
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/screensaver/lock-enabled
After the settings have been set, run dconf update.
OL07-00-010060
OL07-00-010061 CCI-001948 medium The Oracle Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon. Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials. To ensure smart card authentication on the login screen is enabled, run the following command: $ grep enable-smartcard-authentication /etc/dconf/db/gdm.d/* The output should be true. To ensure that users cannot disable smart card authentication on the login screen, run the following: $ grep enable-smartcard-authentication /etc/dconf/db/gdm.d/locks/* If properly configured, the output should be /org/gnome/login-screen/enable-smartcard-authentication Is it the case that enable-smartcard-authentication has not been configured or is disabled? In the default graphical environment, smart card authentication can be enabled on the login screen by setting enable-smartcard-authentication to true.

To enable, add or edit enable-smartcard-authentication to /etc/dconf/db/gdm.d/00-security-settings. For example:
[org/gnome/login-screen]
enable-smartcard-authentication=true
Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/login-screen/enable-smartcard-authentication
After the settings have been set, run dconf update.
OL07-00-010061
OL07-00-010062 CCI-000057 medium The Oracle Linux operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface. A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense. To ensure that users cannot change how long until the the screensaver locks, run the following: $ grep lock-enabled /etc/dconf/db/local.d/locks/* If properly configured, the output for lock-enabled should be /org/gnome/desktop/screensaver/lock-enabled Is it the case that screensaver locking is not locked? If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding
/org/gnome/desktop/screensaver/lock-enabled
to /etc/dconf/db/local.d/00-security-settings. For example:
/org/gnome/desktop/screensaver/lock-enabled
After the settings have been set, run dconf update.
OL07-00-010062
OL07-00-010070 CCI-000057 medium The Oracle Linux operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces. A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME3 can be configured to identify when a user's session has idled and take action to initiate a session lock. To check the current idle time-out value, run the following command: $ gsettings get org.gnome.desktop.session idle-delay If properly configured, the output should be 'uint32 '. To ensure that users cannot change the screensaver inactivity timeout setting, run the following: $ grep idle-delay /etc/dconf/db/local.d/locks/* If properly configured, the output should be /org/gnome/desktop/session/idle-delay Is it the case that idle-delay is not equal to or less than the expected value? The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/local.d directory and locked in /etc/dconf/db/local.d/locks directory to prevent user modification.

For example, to configure the system for a 15 minute delay, add the following to /etc/dconf/db/local.d/00-security-settings:
[org/gnome/desktop/session]
idle-delay=uint32 900
Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/session/idle-delay
After the settings have been set, run dconf update.
OL07-00-010070
OL07-00-010081 CCI-000057 medium The Oracle Linux operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface. A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings. To ensure that users cannot change session idle and lock settings, run the following: $ grep 'lock-delay' /etc/dconf/db/local.d/locks/* If properly configured, the output should return: /org/gnome/desktop/screensaver/lock-delay Is it the case that GNOME3 session settings are not locked or configured properly? If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding /org/gnome/desktop/screensaver/lock-delay to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/screensaver/lock-delay
After the settings have been set, run dconf update.
OL07-00-010081
OL07-00-010082 CCI-000057 medium The Oracle Linux operating system must prevent a user from overriding the session idle-delay setting for the graphical user interface. A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings. To ensure that users cannot change session idle and lock settings, run the following: $ grep 'idle-delay' /etc/dconf/db/local.d/locks/* If properly configured, the output should return: /org/gnome/desktop/session/idle-delay Is it the case that GNOME3 session settings are not locked or configured properly? If not already configured, ensure that users cannot change GNOME3 session idle settings by adding /org/gnome/desktop/session/idle-delay to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/session/idle-delay
After the settings have been set, run dconf update.
OL07-00-010082
OL07-00-010090 CCI-000057 medium The Oracle Linux operating system must have the screen package installed. A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operation system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.

The screen package allows for a session lock to be implemented and configured.
Run the following command to determine if the screen package is installed: $ rpm -q screen Is it the case that the package is not installed? To enable console screen locking, install the screen package. The screen package can be installed with the following command:
$ sudo yum install screen
Instruct users to begin new terminal sessions with the following command:
$ screen
The console can now be locked with the following key combination:
ctrl+a x
OL07-00-010090
OL07-00-010100 CCI-000057 medium The Oracle Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces. A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock.

Enabling idle activation of the screensaver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require the login session does not have administrator rights and the display station is located in a controlled-access area.
To check the screensaver mandatory use status, run the following command: $ gsettings get org.gnome.desktop.screensaver idle-activation-enabled If properly configured, the output should be true. To ensure that users cannot disable the screensaver idle inactivity setting, run the following: $ grep idle-activation-enabled /etc/dconf/db/local.d/locks/* If properly configured, the output should be /org/gnome/desktop/screensaver/idle-activation-enabled Is it the case that idle_activation_enabled is not enabled or configured? To activate the screensaver in the GNOME3 desktop after a period of inactivity, add or set idle-activation-enabled to true in /etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
idle-activation-enabled=true
Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/screensaver/idle-activation-enabled
After the settings have been set, run dconf update.
OL07-00-010100
OL07-00-010101 CCI-000057 medium The Oracle Linux operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface. A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense. To ensure that users cannot disable the screensaver idle inactivity setting, run the following: $ grep idle-activation-enabled /etc/dconf/db/local.d/locks/* If properly configured, the output should be /org/gnome/desktop/screensaver/idle-activation-enabled Is it the case that idle_activation_enabled is not locked? If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding
/org/gnome/desktop/screensaver/idle-activation-enabled
to /etc/dconf/db/local.d/00-security-settings. For example:
/org/gnome/desktop/screensaver/idle-activation-enabled
After the settings have been set, run dconf update.
OL07-00-010101
OL07-00-010110 CCI-000057 medium The Oracle Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated. A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense. To check that the screen locks immediately when activated, run the following command: $ gsettings get org.gnome.desktop.screensaver lock-delay If properly configured, the output should be 'uint32 '. To ensure that users cannot change how long until the the screensaver locks, run the following: $ grep lock-delay /etc/dconf/db/local.d/locks/* If properly configured, the output for lock-delay should be /org/gnome/desktop/screensaver/lock-delay Is it the case that the screensaver lock delay is missing, or is set to a value greater than 5? To activate the locking delay of the screensaver in the GNOME3 desktop when the screensaver is activated, add or set lock-delay to uint32 in /etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
lock-delay=uint32 
Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/screensaver/lock-delay
After the settings have been set, run dconf update.
OL07-00-010110
OL07-00-010118 CCI-000192 medium The Oracle Linux operating system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords. Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module. To check how many retry attempts are permitted on a per-session basis, run the following command: $ grep pam_pwquality /etc/pam.d/system-auth The retry parameter will indicate how many attempts are permitted. The DoD required value is less than or equal to 3. This would appear as retry=3, or a lower value. Is it the case that it is not the required value? To configure the number of retry prompts that are permitted per-session: Edit the pam_pwquality.so statement in /etc/pam.d/system-auth to show retry=, or a lower value if site policy is more restrictive. The DoD requirement is a maximum of 3 prompts per session. OL07-00-010118
OL07-00-010119 CCI-000192 medium The Oracle Linux operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used. Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module. To check how many retry attempts are permitted on a per-session basis, run the following command: $ grep pam_pwquality /etc/pam.d/system-auth The retry parameter will indicate how many attempts are permitted. The DoD required value is less than or equal to 3. This would appear as retry=3, or a lower value. Is it the case that it is not the required value? To configure the number of retry prompts that are permitted per-session: Edit the pam_pwquality.so statement in /etc/pam.d/system-auth to show retry=, or a lower value if site policy is more restrictive. The DoD requirement is a maximum of 3 prompts per session. OL07-00-010119
OL07-00-010120 CCI-000192 medium The Oracle Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one upper-case character. Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
To check how many uppercase characters are required in a password, run the following command: $ grep ucredit /etc/security/pwquality.conf The ucredit parameter (as a negative number) will indicate how many uppercase characters are required. The DoD and FISMA require at least one uppercase character in a password. This would appear as ucredit = -1. Is it the case that ucredit is not found or not set less than or equal to the required value? The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords. OL07-00-010120
OL07-00-010130 CCI-000193 medium The Oracle Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one lower-case character. Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.
To check how many lowercase characters are required in a password, run the following command: $ grep lcredit /etc/security/pwquality.conf The lcredit parameter (as a negative number) will indicate how many special characters are required. The DoD and FISMA require at least one lowercase character in a password. This would appear as lcredit = -1. Is it the case that lcredit is not found or not less than or equal to the required value? The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords. OL07-00-010130
OL07-00-010140 CCI-000194 medium The Oracle Linux operating system must be configured so that when passwords are changed or new passwords are assigned, the new password must contain at least one numeric character. Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.
To check how many digits are required in a password, run the following command: $ grep dcredit /etc/security/pwquality.conf The dcredit parameter (as a negative number) will indicate how many digits are required. The DoD requires at least one digit in a password. This would appear as dcredit = -1. Is it the case that dcredit is not found or not equal to or less than the required value? The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords. OL07-00-010140
OL07-00-010150 CCI-001619 medium The Oracle Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one special character. Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.
To check how many special characters are required in a password, run the following command: $ grep ocredit /etc/security/pwquality.conf The ocredit parameter (as a negative number) will indicate how many special characters are required. The DoD and FISMA require at least one special character in a password. This would appear as ocredit = -1. Is it the case that ocredit is not found or not equal to or less than the required value? The pam_pwquality module's ocredit= parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each special character. Modify the ocredit setting in /etc/security/pwquality.conf to equal to require use of a special character in passwords. OL07-00-010150
OL07-00-010160 CCI-000195 medium The Oracle Linux operating system must be configured so that when passwords are changed a minimum of eight of the total number of characters must be changed. Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute–force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however.
To check how many characters must differ during a password change, run the following command: $ grep difok /etc/security/pwquality.conf The difok parameter will indicate how many characters must differ. Is it the case that difok is not found or not equal to or greater than the required value? The pam_pwquality module's difok parameter sets the number of characters in a password that must not be present in and old password during a password change.

Modify the difok setting in /etc/security/pwquality.conf to equal to require differing characters when changing passwords.
OL07-00-010160
OL07-00-010170 CCI-000195 medium The Oracle Linux operating system must be configured so that when passwords are changed a minimum of four character classes must be changed. Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Requiring a minimum number of character categories makes password guessing attacks more difficult by ensuring a larger search space.
To check how many categories of characters must be used in password during a password change, run the following command: $ grep minclass /etc/security/pwquality.conf The minclass parameter will indicate how many character classes must be used. If the requirement was for the password to contain characters from three different categories, then this would appear as minclass = 3. Is it the case that minclass is not found or not set equal to or greater than the required value? The pam_pwquality module's minclass parameter controls requirements for usage of different character classes, or types, of character that must exist in a password before it is considered valid. For example, setting this value to three (3) requires that any password must have characters from at least three different categories in order to be approved. The default value is zero (0), meaning there are no required classes. There are four categories available:
* Upper-case characters
* Lower-case characters
* Digits
* Special characters (for example, punctuation)
Modify the minclass setting in /etc/security/pwquality.conf entry to require differing categories of characters when changing passwords.
OL07-00-010170
OL07-00-010180 CCI-000195 medium The Oracle Linux operating system must be configured so that when passwords are changed the number of repeating consecutive characters must not be more than three characters. Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.
To check the maximum value for consecutive repeating characters, run the following command: $ grep maxrepeat /etc/security/pwquality.conf Look for the value of the maxrepeat parameter. The DoD requirement is 3, which would appear as maxrepeat=3. Is it the case that maxrepeat is not found or not greater than or equal to the required value? The pam_pwquality module's maxrepeat parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters. Modify the maxrepeat setting in /etc/security/pwquality.conf to equal to prevent a run of ( + 1) or more identical characters. OL07-00-010180
OL07-00-010190 CCI-000195 medium The Oracle Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters. Use of a complex password helps to increase the time and resources required to comrpomise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex a password, the greater the number of possible combinations that need to be tested before the password is compromised.
To check the value for maximum consecutive repeating characters, run the following command: $ grep maxclassrepeat /etc/security/pwquality.conf For DoD systems, the output should show maxclassrepeat=4. Is it the case that that is not the case? The pam_pwquality module's maxclassrepeat parameter controls requirements for consecutive repeating characters from the same character class. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters from the same character class. Modify the maxclassrepeat setting in /etc/security/pwquality.conf to equal to prevent a run of ( + 1) or more identical characters. OL07-00-010190
OL07-00-010200 CCI-000196 medium The Oracle Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kepy in plain text.

This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.
Inspect the password section of /etc/pam.d/system-auth and ensure that the pam_unix.so module includes the argument sha512: $ grep sha512 /etc/pam.d/system-auth Is it the case that it does not? The PAM system service can be configured to only store encrypted representations of passwords. In /etc/pam.d/system-auth, the password section of the file controls which PAM modules execute during a password change. Set the pam_unix.so module in the password section to include the argument sha512, as shown below:
password    sufficient    pam_unix.so sha512 other arguments...

This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.
OL07-00-010200
OL07-00-010210 CCI-000196 medium The Oracle Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.

Using a stronger hashing algorithm makes password cracking attacks more difficult.
Inspect /etc/login.defs and ensure the following line appears: ENCRYPT_METHOD SHA512 Is it the case that it does not? In /etc/login.defs, add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm:
ENCRYPT_METHOD SHA512
OL07-00-010210
OL07-00-010219 CCI-000366 low The Oracle Linux operating system must be integrated into a directory service infrastructure. Placing /var/log/audit in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space. Run the following command to determine if /var/log/audit is on its own partition or logical volume: $ mount | grep "on /var/log/audit" If /var/log/audit has its own partition or volume group, a line will be returned. Is it the case that no line is returned? Audit logs are stored in the /var/log/audit directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon. OL07-00-010219
OL07-00-010220 CCI-000196 medium The Oracle Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kepy in plain text.

This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.
Inspect /etc/libuser.conf and ensure the following line appears in the [default] section: crypt_style = sha512 Is it the case that it does not? In /etc/libuser.conf, add or correct the following line in its [defaults] section to ensure the system will use the SHA-512 algorithm for password hashing:
crypt_style = sha512
OL07-00-010220
OL07-00-010230 CCI-000198 medium The Oracle Linux operating system must be configured so that passwords for new users are restricted to a 24 hours/1 day minimum lifetime. Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.

Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.
To check the minimum password age, run the command: $ grep PASS_MIN_DAYS /etc/login.defs Is it the case that it is not equal to or greater than the required value? To specify password minimum age for new accounts, edit the file /etc/login.defs and add or correct the following line:
PASS_MIN_DAYS 
A value of 1 day is considered sufficient for many environments. The DoD requirement is 1. The profile requirement is .
OL07-00-010230
OL07-00-010240 CCI-000198 medium The Oracle Linux operating system must be configured so that passwords are restricted to a 24 hours/1 day minimum lifetime. Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. Check whether the minimum time period between password changes for each user account is one day or greater by running the following command for each user: $ sudo chage -l USER | grep Minimum The output for each user should return something similary to the following: Minimum number of days between password change\t\t: 1 Is it the case that existing passwords are not configured correctly? Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime by running the following command:
$ sudo chage -m 1 USER
OL07-00-010240
OL07-00-010250 CCI-000199 medium The Oracle Linux operating system must be configured so that passwords for new users are restricted to a 60-day maximum lifetime. Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.

Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.
To check the maximum password age, run the command: $ grep PASS_MAX_DAYS /etc/login.defs The DoD and FISMA requirement is 60. A value of 180 days is sufficient for many environments. Is it the case that PASS_MAX_DAYS is not set equal to or greater than the required value? To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line:
PASS_MAX_DAYS 
A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is .
OL07-00-010250
OL07-00-010260 CCI-000199 medium The Oracle Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime. Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Check whether the maximum time period for existing passwords is restricted to 60 days by running the following command for each user: $ sudo chage -l USER | grep Maximum The output for each user should return something similary to the following: Maximum number of days between password change\t\t: 60 Is it the case that existing passwords are not configured correctly? Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction by running the following command:
$ sudo chage -M 60 USER
OL07-00-010260
OL07-00-010270 CCI-000200 medium The Oracle Linux operating system must be configured so that passwords are prohibited from reuse for a minimum of five generations. Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. To verify the password reuse setting is compliant, run the following command: $ grep remember /etc/pam.d/system-auth The output should show the following at the end of the line: remember= Is it the case that the value of remember is not set equal to or greater than the expected setting? Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules.

In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below:
  • for the pam_unix.so case:
    password sufficient pam_unix.so ...existing_options... remember=
  • for the pam_pwhistory.so case:
    password requisite pam_pwhistory.so ...existing_options... remember=
The DoD STIG requirement is 5 passwords.
OL07-00-010270
OL07-00-010280 CCI-000205 medium The Oracle Linux operating system must be configured so that passwords are a minimum of 15 characters in length. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password.
To check how many characters are required in a password, run the following command: $ grep minlen /etc/security/pwquality.conf Your output should contain minlen = Is it the case that minlen is not found, or not equal to or greater than the required value? The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements. OL07-00-010280
OL07-00-010290 CCI-000366 high The Oracle Linux operating system must not have accounts configured with blank or null passwords. If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. To verify that null passwords cannot be used, run the following command: $ grep nullok /etc/pam.d/system-auth If this produces any output, it may be possible to log into accounts with empty passwords. Remove any instances of the nullok option to prevent logins with empty passwords. Is it the case that NULL passwords can be used? If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords. OL07-00-010290
OL07-00-010300 CCI-000766 high The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using an empty password. Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. To determine how the SSH daemon's PermitEmptyPasswords option is set, run the following command: $ sudo grep -i PermitEmptyPasswords /etc/ssh/sshd_config If no line, a commented line, or a line indicating the value no is returned, then the required value is set. Is it the case that the required value is not set? To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in /etc/ssh/sshd_config:
PermitEmptyPasswords no

Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.
OL07-00-010300
OL07-00-010310 CCI-000795 medium The Oracle Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires. Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. To verify the INACTIVE setting, run the following command: $ grep "INACTIVE" /etc/default/useradd The output should indicate the INACTIVE configuration option is set to an appropriate integer as shown in the example below: $ grep "INACTIVE" /etc/default/useradd INACTIVE= Is it the case that the value of INACTIVE is greater than the expected value? To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in /etc/default/useradd, substituting NUM_DAYS appropriately:
INACTIVE=
A value of 35 is recommended; however, this profile expects that the value is set to . If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the useradd man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.
OL07-00-010310
OL07-00-010320 CCI-002238 medium Accounts on the Oracle Linux operating system subjected to three unsuccessful logon attempts within 15 minutes must be locked for the maximum configurable period. Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. To ensure the failed password attempt policy is configured correctly, run the following command: $ grep pam_faillock /etc/pam.d/system-auth The output should show deny=. Is it the case that that is not the case? To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

  • add the following line immediately before the pam_unix.so statement in the AUTH section:
    auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=
  • add the following line immediately after the pam_unix.so statement in the AUTH section:
    auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=
  • add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
    account required pam_faillock.so
OL07-00-010320
OL07-00-010330 CCI-002238 medium The Oracle Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period. By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. To ensure that even the root account is locked after a defined number of failed password attempts, run the following command: $ grep even_deny_root /etc/pam.d/system-auth The output should show even_deny_root. Is it the case that that is not the case? To configure the system to lock out the root account after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

  • Modify the following line in the AUTH section to add even_deny_root:
    auth required pam_faillock.so preauth silent even_deny_root deny= unlock_time= fail_interval=
  • Modify the following line in the AUTH section to add even_deny_root:
    auth [default=die] pam_faillock.so authfail even_deny_root deny= unlock_time= fail_interval=
OL07-00-010330
OL07-00-010340 CCI-002038 medium The Oracle Linux operating system must be configured so that users must provide a password for privilege escalation. Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.
To determine if NOPASSWD has been configured for sudo, run the following command: $ sudo grep -ri nopasswd /etc/sudoers /etc/sudoers.d/ The command should return no output. Is it the case that nopasswd is enabled in sudo? The sudo NOPASSWD tag, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the NOPASSWD tag does not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/. OL07-00-010340
OL07-00-010430 CCI-000366 medium The Oracle Linux operating system must be configured so that the delay between logon prompts following a failed console logon attempt is at least four seconds. Increasing the time between a failed authentication attempt and re-prompting to enter credentials helps to slow a single-threaded brute force attack. Verify the FAIL_DELAY setting is configured correctly in the /etc/login.defs file by running the following command: $ sudo grep -i "FAIL_DELAY" /etc/login.defs All output must show the value of FAIL_DELAY set as shown in the below: $ sudo grep -i "FAIL_DELAY" /etc/login.defs fail_delay Is it the case that the above command returns no output, or FAIL_DELAY is configured less than the expected value? To ensure the logon failure delay controlled by /etc/login.defs is set properly, add or correct the FAIL_DELAY setting in /etc/login.defs to read as follows:
FAIL_DELAY 
OL07-00-010430
OL07-00-010440 CCI-000366 high The Oracle Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface. Failure to restrict system access to authenticated users negatively impacts operating system security. To verify that automatic logins are disabled, run the following command: $ grep -Pzoi "^\[daemon]\\nautomaticlogin.*" /etc/gdm/custom.conf The output should show the following: [daemon] AutomaticLoginEnable=false Is it the case that GDM allows users to automatically login? The GNOME Display Manager (GDM) can allow users to automatically login without user interaction or credentials. User should always be required to authenticate themselves to the system that they are authorized to use. To disable user ability to automatically login to the system, set the AutomaticLoginEnable to false in the [daemon] section in /etc/gdm/custom.conf. For example:
[daemon]
AutomaticLoginEnable=false
OL07-00-010440
OL07-00-010450 CCI-000366 high The Oracle Linux operating system must not allow an unrestricted logon to the system. Failure to restrict system access to authenticated users negatively impacts operating system security. To verify that timed logins are disabled, run the following command: $ grep -Pzoi "^\[daemon]\\ntimedlogin.*" /etc/gdm/custom.conf The output should show the following: [daemon] TimedLoginEnable=false Is it the case that GDM allows a guest to login without credentials? The GNOME Display Manager (GDM) can allow users to login without credentials which can be useful for public kiosk scenarios. Allowing users to login without credentials or "guest" account access has inherent security risks and should be disabled. To do disable timed logins or guest account access, set the TimedLoginEnable to false in the [daemon] section in /etc/gdm/custom.conf. For example:
[daemon]
TimedLoginEnable=false
OL07-00-010450
OL07-00-010460 CCI-000366 medium The Oracle Linux operating system must not allow users to override SSH environment variables. SSH environment options potentially allow users to bypass access restriction in some configurations. To ensure users are not able to send environment variables, run the following command: $ sudo grep PermitUserEnvironment /etc/ssh/sshd_config If properly configured, output should be: PermitUserEnvironment no Is it the case that PermitUserEnvironment is not disabled? To ensure users are not able to override environment variables of the SSH daemon, add or correct the following line in /etc/ssh/sshd_config:
PermitUserEnvironment no
OL07-00-010460
OL07-00-010470 CCI-000366 medium The Oracle Linux operating system must not allow a non-certificate trusted host SSH logon to the system. SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. To determine how the SSH daemon's HostbasedAuthentication option is set, run the following command: $ sudo grep -i HostbasedAuthentication /etc/ssh/sshd_config If no line, a commented line, or a line indicating the value no is returned, then the required value is set. Is it the case that the required value is not set? SSH's cryptographic host-based authentication is more secure than .rhosts authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization.

To disable host-based authentication, add or correct the following line in /etc/ssh/sshd_config:
HostbasedAuthentication no
OL07-00-010470
OL07-00-010480 CCI-000213 high Oracle Linux operating systems prior to version 7.2 with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes. Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. To verify the boot loader superuser password has been set, run the following command: sudo grep "superusers" /etc/grub2.cfg The output should show the following: password_pbkdf2 superusers-account ${GRUB2_PASSWORD} To verify the boot loader superuser account password has been set, and the password encrypted, run the following command: sudo cat /boot/grub2/user.cfg The output should be similar to: GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC 2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0 916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7 0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828 Is it the case that it does not? The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

Since plaintext passwords are a security risk, generate a hash for the pasword by running the following command:
$ grub2-setpassword
When prompted, enter the password that was selected.

Once the superuser password has been added, update the grub.cfg file by running:
grub2-mkconfig -o /boot/grub2/grub.cfg
OL07-00-010480
OL07-00-010481 CCI-000213 medium The Oracle Linux operating system must require authentication upon booting into single-user and maintenance modes. This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password. To check if authentication is required for single-user mode, run the following command: $ grep sulogin /usr/lib/systemd/system/rescue.service The output should be similar to the following, and the line must begin with ExecStart and /sbin/sulogin. ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default" Is it the case that the output is different? Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected.

By default, single-user mode is protected by requiring a password and is set in /usr/lib/systemd/system/rescue.service.
OL07-00-010481
OL07-00-010490 CCI-000213 high Oracle Linux operating systems prior to version 7.2 using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes. Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. To verify the boot loader superuser password has been set, run the following command: sudo grep "password" /etc/grub2-efi.cfg The output should show the following: password_pbkdf2 superusers-account ${GRUB2_PASSWORD} To verify the boot loader superuser account password has been set, and the password encrypted, run the following command: sudo cat /boot/efi/EFI/redhat/user.cfg The output should be similar to: GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC 2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0 916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7 0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828 Is it the case that it does not? The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

Since plaintext passwords are a security risk, generate a hash for the pasword by running the following command:
$ grub2-setpassword
When prompted, enter the password that was selected.

Once the superuser password has been added, update the grub.cfg file by running:
grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
OL07-00-010490
OL07-00-010500 CCI-000770 medium The Oracle Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication. Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials. Interview the SA to determine if all accounts not exempted by policy are using CAC authentication. For DoD systems, the following systems and accounts are exempt from using smart card (CAC) authentication: SIPRNET systemsStandalone systemsApplication accountsTemporary employee accounts, such as students or interns, who cannot easily receive a CAC or PIVOperational tactical locations that are not collocated with RAPIDS workstations to issue CAC or ALTTest systems, such as those with an Interim Approval to Test (IATT) and use a separate VPN, firewall, or security measure preventing access to network and system components from outside the protection boundary documented in the IATT. Is it the case that non-exempt accounts are not using CAC authentication? To enable smart card authentication, consult the documentation at: OL07-00-010500
OL07-00-020000 CCI-000381 high The Oracle Linux operating system must not have the rsh-server package installed. The rsh-server service provides unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication. If a privileged user were to login using this service, the privileged user password could be compromised. The rsh-server package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation. Run the following command to determine if the rsh-server package is installed: $ rpm -q rsh-server Is it the case that the package is installed? The rsh-server package can be removed with the following command:
$ sudo yum erase rsh-server
OL07-00-020000
OL07-00-020010 CCI-000381 high The Oracle Linux operating system must not have the ypserv package installed. The NIS service provides an unencrypted authentication service which does not provide for the confidentiality and integrity of user passwords or the remote session. Removing the ypserv package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services. Run the following command to determine if the ypserv package is installed: $ rpm -q ypserv Is it the case that the package is installed? The ypserv package can be removed with the following command:
$ sudo yum erase ypserv
OL07-00-020010
OL07-00-020020 CCI-002235 medium The Oracle Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.

Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.
To verify the operating system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures, run the following command: $ sudo semanage login -l All administrators must be mapped to the sysadm_u or staff_u users with the appropriate domains (sysadm_t and staff_t). All authorized non-administrative users must be mapped to the user_u role or the appropriate domain (user_t). Is it the case that non-admin users are not confined correctly? Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. All administrators must be mapped to the sysadm_u or staff_u users with the appropriate domains (sysadm_t and staff_t).
$ sudo semanage login -m -s sysadm_u USER
or
$ sudo semanage login -m -s staff_u USER


All authorized non-administrative users must be mapped to the user_u role or the appropriate domain (user_t).
$ sudo semanage login -m -s user_u USER
OL07-00-020020
OL07-00-020030 CCI-002699 medium The Oracle Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly. By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files.

Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.

Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
To determine that periodic AIDE execution has been scheduled, run the following command: $ grep aide /etc/crontab The output should return something similar to the following: 05 4 * * * root /usr/sbin/aide --check NOTE: The usage of special cron times, such as @daily or @weekly, is acceptable. Is it the case that there is no output? At a minimum, AIDE should be configured to run a weekly scan. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * * root /usr/sbin/aide --check
To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * 0 root /usr/sbin/aide --check
AIDE can be executed periodically through other means; this is merely one example. The usage of cron's special time codes, such as @daily and @weekly is acceptable.
OL07-00-020030
OL07-00-020040 CCI-001744 low The Oracle Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.

Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
To determine that periodic AIDE execution has been scheduled, run the following command: $ grep aide /etc/crontab The output should return something similar to the following: 05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost Is it the case that AIDE has not been configured or has not been configured to notify personnel of scan details? AIDE should notify appropriate personnel of the details of a scan after the scan has been run. If AIDE has already been configured for periodic execution in /etc/crontab, append the following line to the existing AIDE line:
 | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
Otherwise, add the following line to /etc/crontab:
05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
AIDE can be executed periodically through other means; this is merely one example.
OL07-00-020040
OL07-00-020050 CCI-001749 high The Oracle Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).
To determine whether yum is configured to use gpgcheck, inspect /etc/yum.conf and ensure the following appears in the [main] section: gpgcheck=1 A value of 1 indicates that gpgcheck is enabled. Absence of a gpgcheck line or a setting of 0 indicates that it is disabled. Is it the case that GPG checking is not enabled? The gpgcheck option controls whether RPM packages' signatures are always checked prior to installation. To configure yum to check package signatures before installing them, ensure the following line appears in /etc/yum.conf in the [main] section:
gpgcheck=1
OL07-00-020050
OL07-00-020060 CCI-001749 high The Oracle Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. Changes to any software components can have significant effects to the overall security of the operating system. This requirement ensures the software has not been tampered and has been provided by a trusted vendor.

Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
To verify that localpkg_gpgcheck is configured properly, run the following command: $ grep localpkg_gpgcheck /etc/yum.conf The output should return something similar to: localpkg_gpgcheck=1 Is it the case that gpgcheck is not enabled or configured correctly to verify local packages? yum should be configured to verify the signature(s) of local packages prior to installation. To configure yum to verify signatures of local packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf. OL07-00-020060
OL07-00-020100 CCI-000778 medium The Oracle Linux operating system must be configured to disable USB mass storage. USB storage devices such as thumb drives can be used to introduce malicious software. If the system is configured to prevent the loading of the usb-storage kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: $ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d Is it the case that no line is returned? To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the usb-storage kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install usb-storage /bin/true
This will prevent the modprobe program from loading the usb-storage module, but will not prevent an administrator (or another program) from using the insmod program to load the module manually.
OL07-00-020100
OL07-00-020101 CCI-001958 medium The Oracle Linux operating system must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required. Disabling DCCP protects the system against exploitation of any flaws in its implementation. If the system is configured to prevent the loading of the dccp kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: $ grep -r dccp /etc/modprobe.conf /etc/modprobe.d Is it the case that no line is returned? The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the dccp kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install dccp /bin/true
OL07-00-020101
OL07-00-020110 CCI-000778 medium The Oracle Linux operating system must disable the file system automounter unless required. Disabling the automounter permits the administrator to statically control filesystem mounting through /etc/fstab.

Additionally, automatically mounting filesystems permits easy introduction of unknown devices, thereby facilitating malicious activity.
To check that the autofs service is disabled in system boot configuration, run the following command: $ systemctl is-enabled autofs Output should indicate the autofs service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ systemctl is-enabled autofs disabled Run the following command to verify autofs is not active (i.e. not running) through current runtime configuration: $ systemctl is-active autofs If the service is not running the command will return the following output: inactive By default the service will also be masked, to check that the autofs is masked, run the following command: $ systemctl show autofs | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked Is it the case that ? The autofs daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as /misc/cd. However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it may be possible to configure filesystem mounts statically by editing /etc/fstab rather than relying on the automounter.

The autofs service can be disabled with the following command:
$ sudo systemctl disable autofs.service
The autofs service can be masked with the following command:
$ sudo systemctl mask autofs.service
OL07-00-020110
OL07-00-020200 CCI-002617 low The Oracle Linux operating system must remove all software components after updated versions have been installed. Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries. To verify that clean_requirements_on_remove is configured properly, run the following command: $ grep clean_requirements_on_remove /etc/yum.conf The output should return something similar to: clean_requirements_on_remove=1 Is it the case that clean_requirements_on_remove is not enabled or configured correctly? yum should be configured to remove previous software components after new versions have been installed. To configure yum to remove the previous software components after updating, set the clean_requirements_on_remove to 1 in /etc/yum.conf. OL07-00-020200
OL07-00-020210 CCI-002696 high The Oracle Linux operating system must enable SELinux. Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges. Check the file /etc/selinux/config and ensure the following line appears: SELINUX= Is it the case that SELINUX is not set to enforcing? The SELinux state should be set to at system boot time. In the file /etc/selinux/config, add or correct the following line to configure the system to boot into enforcing mode:
SELINUX=
OL07-00-020210
OL07-00-020230 CCI-000366 high The Oracle Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled. A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. To ensure the system is configured to mask the Ctrl-Alt-Del sequence, enter the following command: $ sudo ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target or $ sudo systemctl mask ctrl-alt-del.target Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed? By default, SystemD will reboot the system if the Ctrl-Alt-Del key sequence is pressed.

To configure the system to ignore the Ctrl-Alt-Del key sequence from the command line instead of rebooting the system, do either of the following:
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
or
systemctl mask ctrl-alt-del.target


Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file, as this file may be restored during future system updates.
OL07-00-020230
OL07-00-020240 CCI-000366 medium The Oracle Linux operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and written to by unauthorized users. Verify the UMASK setting is configured correctly in the /etc/login.defs file by running the following command: # grep -i "UMASK" /etc/login.defs All output must show the value of umask set as shown in the below: # grep -i "UMASK" /etc/login.defs umask Is it the case that the above command returns no output, or if the umask is configured incorrectly? To ensure the default umask controlled by /etc/login.defs is set properly, add or correct the UMASK setting in /etc/login.defs to read as follows:
UMASK 
OL07-00-020240
OL07-00-020250 CCI-000366 high The Oracle Linux operating system must be a vendor supported release. An operating system is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve any security issue discovered in the system software. To verify that the installed operating system is supported, run the following command: $ grep -i "oracle" /etc/oracle-release The output should contain something similar to: Oracle Linux 7 Is it the case that the installed operating system is not supported? The installed operating system must be maintained by a vendor. Oracle Linux is supported by Oracle Corporation. As the Oracle Linux vendor, Oracle Corporation is responsible for providing security patches. OL07-00-020250
OL07-00-020260 CCI-000366 medium The Oracle Linux operating system security patches and updates must be installed and up to date. Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. If the system is joined to the ULN or a yum server, run the following command to install updates:
$ sudo yum update
If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the ULN and installed using rpm.

NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates.
OL07-00-020260
OL07-00-020270 CCI-000366 medium The Oracle Linux operating system must not have unnecessary accounts. Placing /var/log/audit in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space. Run the following command to determine if /var/log/audit is on its own partition or logical volume: $ mount | grep "on /var/log/audit" If /var/log/audit has its own partition or volume group, a line will be returned. Is it the case that no line is returned? Audit logs are stored in the /var/log/audit directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon. OL07-00-020270
OL07-00-020300 CCI-000764 low The Oracle Linux operating system must be configured so that all Group Identifiers (GIDs) referenced in the /etc/passwd file are defined in the /etc/group file. If a user is assigned the Group Identifier (GID) of a group not existing on the system, and a group with the Gruop Identifier (GID) is subsequently created, the user may have unintended rights to any files associated with the group. To ensure all GIDs referenced in /etc/passwd are defined in /etc/group, run the following command: $ sudo pwck -qr There should be no output. Is it the case that GIFs referenced in /etc/passwd are returned as not defined in /etc/group? Add a group to the system for each GID referenced without a corresponding group. OL07-00-020300
OL07-00-020310 CCI-000366 high The Oracle Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system. An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner. To list all password file entries for accounts with UID 0, run the following command: $ awk -F: '($3 == \"0\") {print}' /etc/passwd This should print only one line, for the user root. If there is a finding, change the UID of the failing (non-root) user. If the account is associated with the system commands or applications the UID should be changed to one greater than 0 but less than 1000. Otherwise assign a UID of greater than 1000 that has not already been assigned. Is it the case that any account other than root has a UID of 0? If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.
If the account is associated with system commands or applications the UID should be changed to one greater than "0" but less than "1000." Otherwise assign a UID greater than "1000" that has not already been assigned.
OL07-00-020310
OL07-00-020320 CCI-000366 medium The Oracle Linux operating system must be configured so that all files and directories have a valid owner. Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed. The following command will discover and print any files on local partitions which do not belong to a valid user. $ sudo find / -xdev -fstype local -nouser Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories on the system with the chown command: $ sudo chown user file Is it the case that files exist that are not owned by a valid user? If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user. OL07-00-020320
OL07-00-020330 CCI-000366 medium The Oracle Linux operating system must be configured so that all files and directories have a valid group owner. Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed. The following command will discover and print any files on local partitions which do not belong to a valid group. $ sudo find / -xdev -fstype local -nogroup Either remove all files and directories from the system that do not have a valid group, or assign a valid group with the chgrp command: $ sudo chgrp group file Is it the case that there is output? If any files are not owned by a group, then the cause of their lack of group-ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate group. OL07-00-020330
OL07-00-020600 CCI-000366 medium The Oracle Linux operating system must be configured so that all local interactive users have a home directory assigned in the /etc/passwd file. If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. To verify interactive users on the system have a home directory assigned, run the following command: $ sudo awk -F":" '{print $1 ":" $6}' /etc/passwd Inspect the output and verify that all interactive users have a home directory defined. Is it the case that users home directory is not defined? Assign home directories to all interactive users that currently do not have a home directory assigned. OL07-00-020600
OL07-00-020610 CCI-000366 medium The Oracle Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory. If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. Check if the system is configured to create home directories for local interactive users with the following command: $ sudo grep create_home /etc/login.defs Is it the case that the value of CREATE_HOME is not set to yes, is missing, or the line is commented out? All local interactive user accounts, upon creation, should be assigned a home directory.

Configure the operating system to assign home directories to all new local interactive users by setting the CREATE_HOME parameter in /etc/login.defs to yes as follows:

CREATE_HOME yes
OL07-00-020610
OL07-00-020620 CCI-000366 medium The Oracle Linux operating system must be configured so that all local interactive user home directories are defined in the /etc/passwd file. If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access. To verify the assigned home directory of all interactive users on the system exist, run the following command: $ sudo pwck -r The output should not return any interactive users. Is it the case that users home directory does not exist? Create home directories to all interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in /etc/passwd:
$ sudo mkdir /home/USER
OL07-00-020620
OL07-00-020630 CCI-000366 medium The Oracle Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive. Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users. To verify the assigned home directory of all interactive user home directories have a mode of 0750 or less permissive, run the following command: $ sudo ls -l /home Inspect the output for any directories with incorrect permissions. Is it the case that they are more permissive? Change the mode of interactive users home directories to 0750. To change the mode of interactive users home directory, use the following command:
$ sudo chmod 0750 /home/USER
OL07-00-020630
OL07-00-020640 CCI-000366 medium The Oracle Linux operating system must be configured so that all local interactive user home directories are owned by their respective users. If a local interactive user does not own their home directory, unauthorized users could access or modify the user's files, and the users may not be able to access their own files. To verify the home directory ownership, run the following command: $ sudo ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6) Is it the case that the user ownership is incorrect? Change the owner of interactive users home directories to that correct owner. To change the owner of a interactive users home directory, use the following command:
$ sudo chown USER /home/USER
OL07-00-020640
OL07-00-020650 CCI-000366 medium The Oracle Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group. If the Group Identifier (GID) of a local interactive users home directory is not the same as the primary GID of the user, this would allow unauthorized access to the users files, and users that share the same group may not be able to access files that they legitimately should. To verify the assigned home directory of all interactive users is group- owned by that users primary GID, run the following command: $ sudo ls -ld $ (egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6) Is it the case that the group ownership is incorrect? Change the group owner of interactive users home directory to the group found in /etc/passwd. To change the group owner of interactive users home directory, use the following command:
$ sudo chgrp USER_GROUP /home/USER
OL07-00-020650
OL07-00-020660 CCI-000366 medium The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories are owned by the owner of the home directory. If local interactive users do not own the files in their directories, unauthorized users may be able to access them. Additionally, if files are not owned by the user, this could be an indication of system compromise. To verify all files and directories in interactive users home directory are owned by the user, run the following command: $ sudo ls -lLR /home/USER Is it the case that the user ownership is incorrect? Change the owner of a interactive users files and directories to that owner. To change the of a local interactive users files and directories, use the following command:
$ sudo chown -R USER /home/USER
OL07-00-020660
OL07-00-020670 CCI-000366 medium The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member. If a local interactive users files are group-owned by a group of which the user is not a member, unintended users may be able to access them. To verify all files and directories in interactive user home directory are group-owned by a group the user is a member of, run the following command: $ sudo ls -lLR /home/USER Is it the case that the group ownership is incorrect? Change the group of a local interactive users files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive users files and directories, use the following command:
$ sudo chgrp USER_GROUP /home/USER/FILE_DIR
OL07-00-020670
OL07-00-020680 CCI-000366 medium The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive. If a local interactive user files have excessive permissions, unintended users may be able to access or modify them. To verify all files and directories contained in interactive user home directory, excluding local initialization files, have a mode of 0750, run the following command: $ sudo ls -lLR /home/USER Is it the case that home directory files or folders have incorrect permissions? Set the mode on files and directories in the local interactive user home directory with the following command:
$ sudo chmod 0750 /home/USER/FILE_DIR
OL07-00-020680
OL07-00-020690 CCI-000366 medium The Oracle Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root. Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon. To verify all local initialization files for interactive users are owned by the primary user, run the following command: $ sudo ls -al /home/USER/.* The user initialization files should be owned by USER. Is it the case that they are not? Set the owner of the user initialization files for interactive users to the primary owner with the following command:
$ sudo chown USER /home/USER/.*
OL07-00-020690
OL07-00-020700 CCI-000366 medium The Oracle Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root. Local initialization files for interactive users are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon. To verify the local initialization files of all local interactive users are group- owned by the appropriate user, inspect the primary group of the respective users in /etc/passwd and verify all initialization files under the respective users home directory. Check the group owner of all local interactive users initialization files. Is it the case that they are not? Change the group owner of interactive users files to the group found in
/etc/passwd
for the user. To change the group owner of a local interactive user home directory, use the following command:
$ sudo chgrp USER_GROUP /home/USER/.INIT_FILE
OL07-00-020700
OL07-00-020710 CCI-000366 medium The Oracle Linux operating system must be configured so that all local initialization files have mode 0740 or less permissive. Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon. To verify that all user initialization files have a mode of 0740 or less permissive, run the following command: $ sudo find /home -type f -name '\.*' \( -perm -0002 -o -perm -0020 \) There should be no output. Is it the case that they are not 0740 or more permissive? Set the mode of the user initialization files to 0740 with the following command:
$ sudo chmod 0740 /home/USER/.INIT_FILE
OL07-00-020710
OL07-00-020720 CCI-000366 medium The Oracle Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory. The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the users home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO). To verify that all interactive user initialization files executable search path statements do not contain statements that will reference a working directory other than the users home directory, run the following command: $ sudo grep -r PATH /home/ Inspect the output for any PATH is references directories outside the home directory. Is it the case that paths contain more than local home directories? Ensure that all interactive user initialization files executable search path statements do not contain statements that will reference a working directory other than the users home directory. OL07-00-020720
OL07-00-020730 CCI-000366 medium The Oracle Linux operating system must be configured so that local initialization files do not execute world-writable programs. If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level. To verify that local initialization files do not execute world-writable programs, execute the following command: $ sudo find /home -perm -002 -type f -exec ls -ld {} -name ".[^.]*"\; There should be no output. Is it the case that files are executing world-writable programs? Set the mode on files being executed by the user initialization files with the following command:
$ sudo chmod 0755 FILE
OL07-00-020730
OL07-00-020900 CCI-000366 medium The Oracle Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification. If a device file carries the SELinux type device_t or unlabeled_t, then SELinux cannot properly restrict access to the device file. To check for incorrectly labeled device files, run following commands: $ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n" $ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n" It should produce no output in a well-configured system. Is it the case that there is output? Device files, which are used for communication with important system resources, should be labeled with proper SELinux types. If any device files carry the SELinux type device_t or unlabeled_t, report the bug so that policy can be corrected. Supply information about what the device is and what programs use it.

To check for incorrectly labeled device files, run following commands:
$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"
It should produce no output in a well-configured system.
OL07-00-020900
OL07-00-021000 CCI-000366 medium The Oracle Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed. The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from user home directory partitions. To verify the nosuid option is configured for the /home mount point, run the following command: $ mount | grep '\s/home\s' The output should show the corresponding mount point along with the nosuid setting in parentheses. Is it the case that the is not present in the output line, or there is no output line at all? The nosuid mount option can be used to prevent execution of setuid programs in /home. The SUID and SGID permissions should not be required in these user data directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /home. OL07-00-021000
OL07-00-021010 CCI-000366 medium The Oracle Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. The presence of SUID and SGID executables should be tightly controlled. Allowing users to introduce SUID or SGID binaries from partitions mounted off of removable media would allow them to introduce their own highly-privileged programs. The nosuid mount option prevents set-user-identifier (SUID) and set-group-identifier (SGID) permissions from taking effect. These permissions allow users to execute binaries with the same permissions as the owner and group of the file respectively. Users should not be allowed to introduce SUID and SGID files into the system via partitions mounted from removeable media. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions. OL07-00-021010
OL07-00-021020 CCI-000366 medium The Oracle Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS). NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem. To verify the nosuid option is configured for all NFS mounts, run the following command: $ mount | grep nfs All NFS mounts should show the nosuid setting in parentheses. This is not applicable if NFS is not implemented. Is it the case that the setting does not show? Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts. OL07-00-021020
OL07-00-021021 CCI-000366 medium The Oracle Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS). The noexec mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. To verify the noexec option is configured for all NFS mounts, run the following command: $ mount | grep nfs All NFS mounts should show the noexec setting in parentheses. This is not applicable if NFS is not implemented. Is it the case that the setting does not show? Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts. OL07-00-021021
OL07-00-021022 CCI-001764 low The Oracle Linux operating system must mount /dev/shm with the nodev option. The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails. To verify the nodev option is configured for the /dev/shm mount point, run the following command: $ mount | grep '\s/dev/shm\s' The output should show the corresponding mount point along with the nodev setting in parentheses. Is it the case that the is not present in the output line, or there is no output line at all? The nodev mount option can be used to prevent creation of device files in /dev/shm. Legitimate character and block devices should not exist within temporary directories like /dev/shm. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm. OL07-00-021022
OL07-00-021023 CCI-001764 low The Oracle Linux operating system must mount /dev/shm with the nosuid option. The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions. To verify the nosuid option is configured for the /dev/shm mount point, run the following command: $ mount | grep '\s/dev/shm\s' The output should show the corresponding mount point along with the nosuid setting in parentheses. Is it the case that the is not present in the output line, or there is no output line at all? The nosuid mount option can be used to prevent execution of setuid programs in /dev/shm. The SUID and SGID permissions should not be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm. OL07-00-021023
OL07-00-021024 CCI-001764 low The Oracle Linux operating system must mount /dev/shm with the noexec option. Allowing users to execute binaries from world-writable directories such as /dev/shm can expose the system to potential compromise. To verify the noexec option is configured for the /dev/shm mount point, run the following command: $ mount | grep '\s/dev/shm\s' The output should show the corresponding mount point along with the noexec setting in parentheses. Is it the case that the is not present in the output line, or there is no output line at all? The noexec mount option can be used to prevent binaries from being executed out of /dev/shm. It can be dangerous to allow the execution of binaries from world-writable temporary storage directories such as /dev/shm. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm. OL07-00-021024
OL07-00-021030 CCI-000366 medium The Oracle Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group. Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users. The following command will discover and print world-writable directories that are not owned by a system account, given the assumption that only system accounts have a uid lower than 500. Run it once for each local partition PART: $ sudo find PART -xdev -type d -perm -0002 -uid +499 -print Is it the case that there is output? All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group. OL07-00-021030
OL07-00-021040 CCI-000366 medium The Oracle Linux operating system must set the umask value to 077 for all local interactive user accounts. The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be 0. This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system. Verify the UMASK setting is not configured for interactive users, run the following command: $ sudo grep -ri "UMASK" /home There should be no output. Is it the case that the above command returns no output, or if the umask is configured incorrectly? Remove the UMASK environment variable from all interactive users initialization files. OL07-00-021040
OL07-00-021100 CCI-000366 medium The Oracle Linux operating system must have cron logging implemented. Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users. To verify that cron is logging to rsyslog, run the following command: grep -rni "cron\.\*" /etc/rsyslog.* The output should return some similar to: cron.* /var/log/cron Is it the case that cron is not logging to rsyslog? Cron logging must be implemented to spot intrusions or trace cron job status. If cron is not logging to rsyslog, it can be implemented by adding the following to the RULES section of /etc/rsyslog.conf:
cron.*                                                  /var/log/cron
OL07-00-021100
OL07-00-021110 CCI-000366 medium The Oracle Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root. If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information. To check the ownership of /etc/cron.allow, run the command: $ ls -lL /etc/cron.allow If properly configured, the output should indicate the following owner: root Is it the case that /etc/cron.allow has owner root? If /etc/cron.allow exists, it must be owned by root. To properly set the owner of /etc/cron.allow, run the command:
$ sudo chown root /etc/cron.allow 
OL07-00-021110
OL07-00-021120 CCI-000366 medium The Oracle Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root. If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information. To check the group ownership of /etc/cron.allow, run the command: $ ls -lL /etc/cron.allow If properly configured, the output should indicate the following group-owner: root Is it the case that /etc/cron.allow has group owner root? If /etc/cron.allow exists, it must be group-owned by root. To properly set the group owner of /etc/cron.allow, run the command:
$ sudo chgrp root /etc/cron.allow
OL07-00-021120
OL07-00-021300 CCI-000366 medium The Oracle Linux operating system must disable Kernel core dumps unless needed. Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. Unless the system is used for kernel development or testing, there is little need to run the kdump service. To check that the kdump service is disabled in system boot configuration, run the following command: $ systemctl is-enabled kdump Output should indicate the kdump service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ systemctl is-enabled kdump disabled Run the following command to verify kdump is not active (i.e. not running) through current runtime configuration: $ systemctl is-active kdump If the service is not running the command will return the following output: inactive By default the service will also be masked, to check that the kdump is masked, run the following command: $ systemctl show kdump | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked Is it the case that ? The kdump service provides a kernel crash dump analyzer. It uses the kexec system call to boot a secondary kernel ("capture" kernel) following a system crash, which can load information from the crashed kernel for analysis. The kdump service can be disabled with the following command:
$ sudo systemctl disable kdump.service
The kdump service can be masked with the following command:
$ sudo systemctl mask kdump.service
OL07-00-021300
OL07-00-021310 CCI-000366 low The Oracle Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent). Ensuring that /home is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage. Run the following command to determine if /home is on its own partition or logical volume: $ mount | grep "on /home" If /home has its own partition or volume group, a line will be returned. Is it the case that no line is returned? If user home directories will be stored locally, create a separate partition for /home at installation time (or migrate it later using LVM). If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later. OL07-00-021310
OL07-00-021320 CCI-000366 low The Oracle Linux operating system must use a separate file system for /var. Ensuring that /var is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the /var directory to contain world-writable directories installed by other software packages. Run the following command to determine if /var is on its own partition or logical volume: $ mount | grep "on /var" If /var has its own partition or volume group, a line will be returned. Is it the case that no line is returned? The /var directory is used by daemons and other system services to store frequently-changing data. Ensure that /var has its own partition or logical volume at installation time, or migrate it using LVM. OL07-00-021320
OL07-00-021330 CCI-001849 low The Oracle Linux operating system must use a separate file system for the system audit data path large enough to hold at least one week of audit data. Placing /var/log/audit in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space. Run the following command to determine if /var/log/audit is on its own partition or logical volume: $ mount | grep "on /var/log/audit" If /var/log/audit has its own partition or volume group, a line will be returned. Is it the case that no line is returned? Audit logs are stored in the /var/log/audit directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon. OL07-00-021330
OL07-00-021340 CCI-000366 low The Oracle Linux operating system must use a separate file system for /tmp (or equivalent). The /tmp partition is used as temporary storage by many programs. Placing /tmp in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it. Run the following command to determine if /tmp is on its own partition or logical volume: $ mount | grep "on /tmp" If /tmp has its own partition or volume group, a line will be returned. Is it the case that no line is returned? The /tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM. OL07-00-021340
OL07-00-021350 CCI-002476 high The Oracle Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. To verify that FIPS is enabled properly in grub, run the following command: $ grep fips /etc/default/grub The output should contain fips=1 Is it the case that FIPS is not configured or enabled in grub? To ensure FIPS mode is enabled, install package dracut-fips, and rebuild initramfs by running the following commands:
$ sudo yum install dracut-fips
dracut -f
After the dracut command has been run, add the argument fips=1 to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 fips=1"
Finally, rebuild the grub.cfg file by using the
grub2-mkconfig -o
command as follows:
  • On BIOS-based machines, issue the following command as root:
    ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
  • On UEFI-based machines, issue the following command as root:
    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
OL07-00-021350
OL07-00-021600 CCI-000366 low The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs). ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools. To determine that AIDE is verifying ACLs, run the following command: $ grep acl /etc/aide.conf Verify that the acl option is added to the correct ruleset. Is it the case that the acl option is missing or not added to the correct ruleset? By default, the acl option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the acl option is missing, add acl to the appropriate ruleset. For example, add acl to the following line in /etc/aide.conf:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.
OL07-00-021600
OL07-00-021610 CCI-000366 low The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes. Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications. To determine that AIDE is verifying extended file attributes, run the following command: $ grep xattrs /etc/aide.conf Verify that the xattrs option is added to the correct ruleset. Is it the case that the xattrs option is missing or not added to the correct ruleset? By default, the xattrs option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the xattrs option is missing, add xattrs to the appropriate ruleset. For example, add xattrs to the following line in /etc/aide.conf:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.
OL07-00-021610
OL07-00-021620 CCI-000366 medium The Oracle Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories. File integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes. To determine that AIDE is configured for FIPS 140-2 file hashing, run the following command: $ grep sha512 /etc/aide.conf Verify that the sha512 option is added to the correct ruleset. Is it the case that the sha512 option is missing or not added to the correct ruleset? By default, the sha512 option is added to the NORMAL ruleset in AIDE. If using a custom ruleset or the sha512 option is missing, add sha512 to the appropriate ruleset. For example, add sha512 to the following line in /etc/aide.conf:
NORMAL = FIPSR+sha512
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.
OL07-00-021620
OL07-00-021700 CCI-001813 medium The Oracle Linux operating system must not allow removable media to be used as the boot loader unless approved. Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. To verify the system is not configured to use a boot loader on removable media, run the following command: $ sudo grep "set root='hd0" /boot/grub2/grub.cfg The output should return something similar to: set root='hd0,msdos1' usb0, cd, fd0, etc. are some examples of removeable media which should not exist in the line: set root='hd0,msdos1' Is it the case that it is not? The system must not allow removable media to be used as the boot loader. Remove alternate methods of booting the system from removable media. usb0, cd, fd0, etc. are some examples of removeable media which should not exist in the line:
set root='hd0,msdos1'
OL07-00-021700
OL07-00-021710 CCI-000381 high The Oracle Linux operating system must not have the telnet-server package installed. It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore may remain unsecure. They increase the risk to the platform by providing additional attack vectors.
The telnet service provides an unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using this service, the privileged user password could be compromised.
Removing the telnet-server package decreases the risk of the telnet service's accidental (or intentional) activation.
Run the following command to determine if the telnet-server package is installed: $ rpm -q telnet-server Is it the case that the package is installed? The telnet-server package can be removed with the following command:
$ sudo yum erase telnet-server
OL07-00-021710
OL07-00-030000 CCI-001814 high The Oracle Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users. Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the auditd service is active ensures audit records generated by the kernel are appropriately recorded.

Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
Run the following command to determine the current status of the auditd service: $ systemctl is-active auditd If the service is running, it should return the following: active Is it the case that ? The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd service can be enabled with the following command:
$ sudo systemctl enable auditd.service
OL07-00-030000
OL07-00-030010 CCI-000140 medium The Oracle Linux operating system must shut down upon audit processing failure unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure. It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.

Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
To verify that the system will shutdown when auditd fails, run the following command: $ sudo grep "\-f 2" /etc/audit/audit.rules The output should contain: -f 2 Is it the case that the system is not configured to shutdown on auditd failures? If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-f 2
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the top of the /etc/audit/audit.rules file:
-f 2
OL07-00-030010
OL07-00-030200 CCI-001851 medium The Oracle Linux operating system must be configured to use the au-remote plugin. If option name_format is left at its default value of none, audit events from different computers may be hard to distinguish. To verify that Audit Daemon is configured to record the hostname in audit events, run the following command: $ sudo grep name_format /etc/audit/auditd.conf The output should return the following: name_format = hostname Is it the case that name_format isn't set to hostname? To configure Audit daemon to use value returned by gethostname syscall as computer node name in the audit events, set name_format to hostname in /etc/audit/auditd.conf. OL07-00-030200
OL07-00-030201 CCI-001851 medium The Oracle Linux operating system must configure the au-remote plugin to off-load audit logs using the audisp-remote daemon. If option name_format is left at its default value of none, audit events from different computers may be hard to distinguish. To verify that Audit Daemon is configured to record the hostname in audit events, run the following command: $ sudo grep name_format /etc/audit/auditd.conf The output should return the following: name_format = hostname Is it the case that name_format isn't set to hostname? To configure Audit daemon to use value returned by gethostname syscall as computer node name in the audit events, set name_format to hostname in /etc/audit/auditd.conf. OL07-00-030201
OL07-00-030210 CCI-001851 medium The Oracle Linux operating system must take appropriate action when the audisp-remote buffer is full. If option name_format is left at its default value of none, audit events from different computers may be hard to distinguish. To verify that Audit Daemon is configured to record the hostname in audit events, run the following command: $ sudo grep name_format /etc/audit/auditd.conf The output should return the following: name_format = hostname Is it the case that name_format isn't set to hostname? To configure Audit daemon to use value returned by gethostname syscall as computer node name in the audit events, set name_format to hostname in /etc/audit/auditd.conf. OL07-00-030210
OL07-00-030211 CCI-001851 medium The Oracle Linux operating system must label all off-loaded audit logs before sending them to the central log server. If option name_format is left at its default value of none, audit events from different computers may be hard to distinguish. To verify that Audit Daemon is configured to record the hostname in audit events, run the following command: $ sudo grep name_format /etc/audit/auditd.conf The output should return the following: name_format = hostname Is it the case that name_format isn't set to hostname? To configure Audit daemon to use value returned by gethostname syscall as computer node name in the audit events, set name_format to hostname in /etc/audit/auditd.conf. OL07-00-030211
OL07-00-030300 CCI-001851 medium The Oracle Linux operating system must off-load audit records onto a different system or media from the system being audited. Information stored in one location is vulnerable to accidental or incidental deletion or alteration.Off-loading is a common process in information systems with limited audit storage capacity. To verify the audispd plugin off-loads audit records onto a different system or media from the system being audited, run the following command: $ sudo grep -i remote_server /etc/audisp/audisp-remote.conf The output should return something similar to remote_server = Is it the case that audispd is not sending logs to a remote system? Configure the audispd plugin to off-load audit records onto a different system or media from the system being audited. Set the remote_server option in
/etc/audisp/audisp-remote.conf
with an IP address or hostname of the system that the audispd plugin should send audit records to. For example
remote_server = 
OL07-00-030300
OL07-00-030310 CCI-001851 medium The Oracle Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited. Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. To verify the audispd plugin encrypts audit records off-loaded onto a different system or media from the system being audited, run the following command: $ sudo grep -i enable_krb5 /etc/audisp/audisp-remote.conf The output should return the following: enable_krb5 = yes Is it the case that audispd is not encrypting audit records when sent over the network? Configure the operating system to encrypt the transfer of off-loaded audit records onto a different system or media from the system being audited. Uncomment the enable_krb5 option in
/etc/audisp/audisp-remote.conf
, and set it with the following line:
enable_krb5 = yes
OL07-00-030310
OL07-00-030320 CCI-001851 medium The Oracle Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full. Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. Inspect /etc/audisp/audisp-remote.conf and locate the following line to determine if the system is configured to either send to syslog, switch to single user mode, or halt when the disk is full: grep -i disk_full_action /etc/audisp/audisp-remote.conf The output should return something similar to: disk_full_action = single Acceptable values also include syslog and halt. Is it the case that the system is not configured to switch to single user mode for corrective action? Configure the action the operating system takes if the disk the audit records are written to becomes full. Edit the file /etc/audisp/audisp-remote.conf. Add or modify the following line, substituting ACTION appropriately:
disk_full_action = ACTION
Set this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include syslog and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined.
OL07-00-030320
OL07-00-030321 CCI-001851 medium The Oracle Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system. Taking appropriate action when there is an error sending audit records to a remote system will minimize the possibility of losing audit records. Inspect /etc/audisp/audisp-remote.conf and locate the following line to determine if the system is configured to either send to syslog, switch to single user mode, or halt when there is a network failure with audispd: grep -i network_failure_action /etc/audisp/audisp-remote.conf The output should return something similar to: network_failure_action = single Acceptable values also include syslog and halt. Is it the case that the system is not configured to switch to single user mode for corrective action? Configure the action the operating system takes if there is an error sending audit records to a remote system. Edit the file /etc/audisp/audisp-remote.conf. Add or modify the following line, substituting ACTION appropriately:
network_failure_action = ACTION
Set this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include syslog and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined.
OL07-00-030321
OL07-00-030330 CCI-001855 medium The Oracle Linux operating system must initiate an action to notify the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured correctly: space_left SIZE_in_MB Is it the case that the system is not configured a specfic size in MB to notify administrators of an issue? The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting SIZE_in_MB appropriately:
space_left = SIZE_in_MB
Set this value to the appropriate size in Megabytes cause the system to notify the user of an issue.
OL07-00-030330
OL07-00-030340 CCI-001855 medium The Oracle Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached. Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to email the administrator when disk space is starting to run low: $ sudo grep space_left_action /etc/audit/auditd.conf space_left_action Acceptable values are email, suspend, single, and halt. Is it the case that the system is not configured to send an email to the system administrator when disk space is starting to run low? The auditd service can be configured to take an action when disk space starts to run low. Edit the file /etc/audit/auditd.conf. Modify the following line, substituting ACTION appropriately:
space_left_action = ACTION
Possible values for ACTION are described in the auditd.conf man page. These include:
  • syslog
  • email
  • exec
  • suspend
  • single
  • halt
Set this to email (instead of the default, which is suspend) as it is more likely to get prompt attention. Acceptable values also include suspend, single, and halt.
OL07-00-030340
OL07-00-030350 CCI-001855 medium The Oracle Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached. Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action. Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to send email to an account when it needs to notify an administrator: action_mail_acct = root Is it the case that auditd is not configured to send emails per identified actions? The auditd service can be configured to send email to a designated account in certain situations. Add or correct the following line in /etc/audit/auditd.conf to ensure that administrators are notified via email for those situations:
action_mail_acct = 
OL07-00-030350
OL07-00-030360 CCI-002234 medium The Oracle Linux operating system must audit all executions of privileged functions. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that auditing of privileged command use is configured, run the following command for each local partition PART to find relevant setuid / setgid programs: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null Run the following command to verify entries in the audit rules for all programs found with the previous command: $ sudo grep path /etc/audit/audit.rules It should be the case that all relevant setuid / setgid programs have a line in the audit rules. Is it the case that it is not the case? At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition PART:
$ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
OL07-00-030360
OL07-00-030370 CCI-000172 medium The Oracle Linux operating system must audit all uses of the chown syscall. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the chown system call, run the following command: preserve$ sudo grep "chown" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
OL07-00-030370
OL07-00-030380 CCI-000172 medium The Oracle Linux operating system must audit all uses of the fchown syscall. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the fchown system call, run the following command: preserve$ sudo grep "fchown" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
OL07-00-030380
OL07-00-030390 CCI-000172 medium The Oracle Linux operating system must audit all uses of the lchown syscall. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the lchown system call, run the following command: preserve$ sudo grep "lchown" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
OL07-00-030390
OL07-00-030400 CCI-000172 medium The Oracle Linux operating system must audit all uses of the fchownat syscall. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the fchownat system call, run the following command: preserve$ sudo grep "fchownat" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
OL07-00-030400
OL07-00-030410 CCI-000172 medium The Oracle Linux operating system must audit all uses of the chmod syscall. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the chmod system call, run the following command: preserve$ sudo grep "chmod" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
OL07-00-030410
OL07-00-030420 CCI-000172 medium The Oracle Linux operating system must audit all uses of the fchmod syscall. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the fchmod system call, run the following command: preserve$ sudo grep "fchmod" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
OL07-00-030420
OL07-00-030430 CCI-000172 medium The Oracle Linux operating system must audit all uses of the fchmodat syscall. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the fchmodat system call, run the following command: preserve$ sudo grep "fchmodat" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
OL07-00-030430
OL07-00-030440 CCI-000172 medium The Oracle Linux operating system must audit all uses of the setxattr syscall. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the setxattr system call, run the following command: preserve$ sudo grep "setxattr" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
OL07-00-030440
OL07-00-030450 CCI-000172 medium The Oracle Linux operating system must audit all uses of the fsetxattr syscall. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the fsetxattr system call, run the following command: preserve$ sudo grep "fsetxattr" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
OL07-00-030450
OL07-00-030460 CCI-000172 medium The Oracle Linux operating system must audit all uses of the lsetxattr syscall. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the lsetxattr system call, run the following command: preserve$ sudo grep "lsetxattr" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
OL07-00-030460
OL07-00-030470 CCI-000172 medium The Oracle Linux operating system must audit all uses of the removexattr syscall. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the removexattr system call, run the following command: preserve$ sudo grep "removexattr" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
OL07-00-030470
OL07-00-030480 CCI-000172 medium The Oracle Linux operating system must audit all uses of the fremovexattr syscall. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the fremovexattr system call, run the following command: preserve$ sudo grep "fremovexattr" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
OL07-00-030480
OL07-00-030490 CCI-000172 medium The Oracle Linux operating system must audit all uses of the lremovexattr syscall. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the lremovexattr system call, run the following command: preserve$ sudo grep "lremovexattr" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
OL07-00-030490
OL07-00-030500 CCI-000172 medium The Oracle Linux operating system must audit all uses of the creat syscall. Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. To determine if the system is configured to audit calls to the creat system call, run the following command: preserve$ sudo grep "creat" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
OL07-00-030500
OL07-00-030510 CCI-000172 medium The Oracle Linux operating system must audit all uses of the open syscall. Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. To determine if the system is configured to audit calls to the open system call, run the following command: preserve$ sudo grep "open" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
OL07-00-030510
OL07-00-030520 CCI-000172 medium The Oracle Linux operating system must audit all uses of the openat syscall. Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. To determine if the system is configured to audit calls to the openat system call, run the following command: preserve$ sudo grep "openat" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
OL07-00-030520
OL07-00-030530 CCI-000172 medium The Oracle Linux operating system must audit all uses of the open_by_handle_at syscall. Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. To determine if the system is configured to audit calls to the open_by_handle_at system call, run the following command: preserve$ sudo grep "open_by_handle_at" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
OL07-00-030530
OL07-00-030540 CCI-000172 medium The Oracle Linux operating system must audit all uses of the truncate syscall. Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. To determine if the system is configured to audit calls to the truncate system call, run the following command: preserve$ sudo grep "truncate" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
OL07-00-030540
OL07-00-030550 CCI-000172 medium The Oracle Linux operating system must audit all uses of the ftruncate syscall. Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. To determine if the system is configured to audit calls to the ftruncate system call, run the following command: preserve$ sudo grep "ftruncate" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F exiu=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
OL07-00-030550
OL07-00-030560 CCI-002884 medium The Oracle Linux operating system must audit all uses of the semanage command. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that execution of the command is being audited, run the following command: $ sudo grep "path=/usr/sbin/semanage" /etc/audit/audit.rules /etc/audit/rules.d/* The output should return something similar to: -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change Is it the case that ? At a minimum, the audit system should collect any execution attempt of the semanage command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
OL07-00-030560
OL07-00-030570 CCI-002884 medium The Oracle Linux operating system must audit all uses of the setsebool command. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that execution of the command is being audited, run the following command: $ sudo grep "path=/usr/sbin/setsebool" /etc/audit/audit.rules /etc/audit/rules.d/* The output should return something similar to: -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change Is it the case that ? At a minimum, the audit system should collect any execution attempt of the setsebool command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
OL07-00-030570
OL07-00-030580 CCI-002884 medium The Oracle Linux operating system must audit all uses of the chcon command. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that execution of the command is being audited, run the following command: $ sudo grep "path=/usr/bin/chcon" /etc/audit/audit.rules /etc/audit/rules.d/* The output should return something similar to: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change Is it the case that ? At a minimum, the audit system should collect any execution attempt of the chcon command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
OL07-00-030580
OL07-00-030590 CCI-002884 medium The Oracle Linux operating system must audit all uses of the setfiles command. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that execution of the command is being audited, run the following command: $ sudo grep "path=/usr/sbin/setfiles" /etc/audit/audit.rules /etc/audit/rules.d/* The output should return something similar to: -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change Is it the case that ? At a minimum, the audit system should collect any execution attempt of the setfiles command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
OL07-00-030590
OL07-00-030610 CCI-002884 medium The Oracle Linux operating system must generate audit records for all unsuccessful account access events. Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. To verify that auditing is configured for system administrator actions, run the following command: $ sudo auditctl -l | grep "watch=/var/run/faillock\|-w /var/run/faillock" Is it the case that there is not output? The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/run/faillock -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events:
-w /var/run/faillock -p wa -k logins
OL07-00-030610
OL07-00-030620 CCI-002884 medium The Oracle Linux operating system must generate audit records for all successful account access events. Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. To verify that auditing is configured for system administrator actions, run the following command: $ sudo auditctl -l | grep "watch=/var/log/lastlog\|-w /var/log/lastlog" Is it the case that there is not output? The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins
OL07-00-030620
OL07-00-030630 CCI-000135 medium The Oracle Linux operating system must audit all uses of the passwd command. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that auditing of privileged command use is configured, run the following command: $ sudo grep passwd /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
OL07-00-030630
OL07-00-030640 CCI-000135 medium The Oracle Linux operating system must audit all uses of the unix_chkpwd command. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that auditing of privileged command use is configured, run the following command: $ sudo grep unix_chkpwd /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
OL07-00-030640
OL07-00-030650 CCI-000135 medium The Oracle Linux operating system must audit all uses of the gpasswd command. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that auditing of privileged command use is configured, run the following command: $ sudo grep gpasswd /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
OL07-00-030650
OL07-00-030660 CCI-000135 medium The Oracle Linux operating system must audit all uses of the chage command. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that auditing of privileged command use is configured, run the following command: $ sudo grep chage /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
OL07-00-030660
OL07-00-030670 CCI-000135 medium The Oracle Linux operating system must audit all uses of the userhelper command. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that auditing of privileged command use is configured, run the following command: $ sudo grep userhelper /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
OL07-00-030670
OL07-00-030680 CCI-000172 medium The Oracle Linux operating system must audit all uses of the su command. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that auditing of privileged command use is configured, run the following command: $ sudo grep su /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
OL07-00-030680
OL07-00-030690 CCI-000172 medium The Oracle Linux operating system must audit all uses of the sudo command. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that auditing of privileged command use is configured, run the following command: $ sudo grep sudo /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
OL07-00-030690
OL07-00-030700 CCI-000172 medium The Oracle Linux operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory. The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes. To verify that auditing is configured for system administrator actions, run the following command: $ sudo auditctl -l | grep "watch=/etc/sudoers\|watch=/etc/sudoers.d\|-w /etc/sudoers\|-w /etc/sudoers.d" Is it the case that there is not output? At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
OL07-00-030700
OL07-00-030710 CCI-000172 medium The Oracle Linux operating system must audit all uses of the newgrp command. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that auditing of privileged command use is configured, run the following command: $ sudo grep newgrp /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
OL07-00-030710
OL07-00-030720 CCI-000130 medium The Oracle Linux operating system must audit all uses of the chsh command. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that auditing of privileged command use is configured, run the following command: $ sudo grep chsh /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
OL07-00-030720
OL07-00-030740 CCI-000135 medium The Oracle Linux operating system must audit all uses of the mount command and syscall. The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss. To verify that auditing is configured for all media exportation events, run the following command: $ sudo auditctl -l | grep syscall | grep mount Is it the case that there is not output? At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
OL07-00-030740
OL07-00-030750 CCI-000135 medium The Oracle Linux operating system must audit all uses of the umount command. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that auditing of privileged command use is configured, run the following command: $ sudo grep umount /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
OL07-00-030750
OL07-00-030760 CCI-000135 medium The Oracle Linux operating system must audit all uses of the postdrop command. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that auditing of privileged command use is configured, run the following command: $ sudo grep postdrop /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
OL07-00-030760
OL07-00-030770 CCI-000135 medium The Oracle Linux operating system must audit all uses of the postqueue command. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that auditing of privileged command use is configured, run the following command: $ sudo grep postqueue /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
OL07-00-030770
OL07-00-030780 CCI-000135 medium The Oracle Linux operating system must audit all uses of the ssh-keysign command. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that auditing of privileged command use is configured, run the following command: $ sudo grep ssh-keysign /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/libexec/openssh/key-sign -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
OL07-00-030780
OL07-00-030800 CCI-000135 medium The Oracle Linux operating system must audit all uses of the crontab command. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that auditing of privileged command use is configured, run the following command: $ sudo grep crontab /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
OL07-00-030800
OL07-00-030810 CCI-000172 medium The Oracle Linux operating system must audit all uses of the pam_timestamp_check command. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that auditing of privileged command use is configured, run the following command: $ sudo grep pam_timestamp_check /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
OL07-00-030810
OL07-00-030819 CCI-000172 medium The Oracle Linux operating system must audit all uses of the create_module syscall. The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. To determine if the system is configured to audit calls to the init_module system call, run the following command: preserve$ sudo grep "init_module" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To capture kernel module loading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S init_module -F key=modules
Place to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules.
OL07-00-030819
OL07-00-030820 CCI-000172 medium The Oracle Linux operating system must audit all uses of the init_module syscall. The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. To determine if the system is configured to audit calls to the init_module system call, run the following command: preserve$ sudo grep "init_module" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To capture kernel module loading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S init_module -F key=modules
Place to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules.
OL07-00-030820
OL07-00-030821 CCI-000172 medium The Oracle Linux operating system must audit all uses of the finit_module syscall. The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. To determine if the system is configured to audit calls to the finit_module system call, run the following command: preserve$ sudo grep "finit_module" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S finit_module -F key=modules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S finit_module -F key=modules
OL07-00-030821
OL07-00-030830 CCI-000172 medium The Oracle Linux operating system must audit all uses of the delete_module syscall. The removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. To determine if the system is configured to audit calls to the delete_module system call, run the following command: preserve$ sudo grep "delete_module" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To capture kernel module unloading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S delete_module -F key=modules
Place to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules.
OL07-00-030830
OL07-00-030840 CCI-000172 medium The Oracle Linux operating system must audit all uses of the kmod command. The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. To determine if the system is configured to audit calls to the init_module system call, run the following command: preserve$ sudo grep "init_module" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To capture kernel module loading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S init_module -F key=modules
Place to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules.
OL07-00-030840
OL07-00-030870 CCI-002130 medium The Oracle Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. To determine if the system is configured to audit account changes, run the following command: auditctl -l | egrep '(/etc/passwd)' If the system is configured to watch for account changes, lines should be returned for each file specified (and with perm=wa for each). Is it the case that the system is not configured to audit account changes? If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

-w /etc/passwd -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-w /etc/passwd -p wa -k audit_rules_usergroup_modification
OL07-00-030870
OL07-00-030871 CCI-000018 medium The Oracle Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. To determine if the system is configured to audit account changes, run the following command: auditctl -l | egrep '(/etc/group)' If the system is configured to watch for account changes, lines should be returned for each file specified (and with perm=wa for each). Is it the case that the system is not configured to audit account changes? If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

-w /etc/group -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-w /etc/group -p wa -k audit_rules_usergroup_modification
OL07-00-030871
OL07-00-030872 CCI-000018 medium The Oracle Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. To determine if the system is configured to audit account changes, run the following command: auditctl -l | egrep '(/etc/gshadow)' If the system is configured to watch for account changes, lines should be returned for each file specified (and with perm=wa for each). Is it the case that the system is not configured to audit account changes? If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
OL07-00-030872
OL07-00-030873 CCI-000018 medium The Oracle Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. To determine if the system is configured to audit account changes, run the following command: auditctl -l | egrep '(/etc/shadow)' If the system is configured to watch for account changes, lines should be returned for each file specified (and with perm=wa for each). Is it the case that the system is not configured to audit account changes? If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

-w /etc/shadow -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-w /etc/shadow -p wa -k audit_rules_usergroup_modification
OL07-00-030873
OL07-00-030874 CCI-000018 medium The Oracle Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd. In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. To determine if the system is configured to audit account changes, run the following command: auditctl -l | egrep '(/etc/security/opasswd)' If the system is configured to watch for account changes, lines should be returned for each file specified (and with perm=wa for each). Is it the case that the system is not configured to audit account changes? If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
OL07-00-030874
OL07-00-030880 CCI-000172 medium The Oracle Linux operating system must audit all uses of the rename syscall. Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. To determine if the system is configured to audit calls to the rename system call, run the following command: preserve$ sudo grep "rename" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
OL07-00-030880
OL07-00-030890 CCI-000172 medium The Oracle Linux operating system must audit all uses of the renameat syscall. Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. To determine if the system is configured to audit calls to the renameat system call, run the following command: preserve$ sudo grep "renameat" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
OL07-00-030890
OL07-00-030900 CCI-000172 medium The Oracle Linux operating system must audit all uses of the rmdir syscall. Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. To determine if the system is configured to audit calls to the rmdir system call, run the following command: preserve$ sudo grep "rmdir" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
OL07-00-030900
OL07-00-030910 CCI-000172 medium The Oracle Linux operating system must audit all uses of the unlink syscall. Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. To determine if the system is configured to audit calls to the unlink system call, run the following command: preserve$ sudo grep "unlink" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
OL07-00-030910
OL07-00-030920 CCI-000172 medium The Oracle Linux operating system must audit all uses of the unlinkat syscall. Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. To determine if the system is configured to audit calls to the unlinkat system call, run the following command: preserve$ sudo grep "unlinkat" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
OL07-00-030920
OL07-00-031000 CCI-000366 medium The Oracle Linux operating system must send rsyslog output to a log aggregation server. A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise. To ensure logs are sent to a remote host, examine the file /etc/rsyslog.conf. If using UDP, a line similar to the following should be present: *.* @ If using TCP, a line similar to the following should be present: *.* @@ If using RELP, a line similar to the following should be present: *.* :omrelp: Is it the case that none of these are present? To configure rsyslog to send logs to a remote log server, open /etc/rsyslog.conf and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.
To use UDP for log message delivery:
*.* @

To use TCP for log message delivery:
*.* @@

To use RELP for log message delivery:
*.* :omrelp:

There must be a resolvable DNS CNAME or Alias record set to "" for logs to be sent correctly to the centralized logging utility.
OL07-00-031000
OL07-00-031010 CCI-000366 medium The Oracle Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. Any process which receives messages from the network incurs some risk of receiving malicious messages. This risk can be eliminated for rsyslog by configuring it not to listen on the network. The rsyslog daemon should not accept remote messages unless the system acts as a log server. To ensure that it is not listening on the network, ensure the following lines are not found in /etc/rsyslog.conf:
$ModLoad imtcp
$InputTCPServerRun port
$ModLoad imudp
$UDPServerRun port
$ModLoad imrelp
$InputRELPServerRun port
OL07-00-031010
OL07-00-032000 CCI-000366 high The Oracle Linux operating system must use a virus scan program. Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems. To verify that McAfee VirusScan Enterprise for Linux is installed and running, run the following command(s): $ sudo systemctl status nails $ rpm -q McAfeeVSEForLinux Is it the case that virus scanning software is not installed or running? Install McAfee VirusScan Enterprise for Linux antivirus software which is provided for DoD systems and uses signatures to search for the presence of viruses on the filesystem. OL07-00-032000
OL07-00-040000 CCI-000054 low The Oracle Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types. Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions. Run the following command to ensure the maxlogins value is configured for all users on the system: # grep "maxlogins" /etc/security/limits.conf You should receive output similar to the following: *\t\thard\tmaxlogins\t Is it the case that maxlogins is not equal to or less than the expected value? Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. To set the number of concurrent sessions per user add the following line in /etc/security/limits.conf or a file under /etc/security/limits.d/:
* hard maxlogins 
OL07-00-040000
OL07-00-040100 CCI-002314 medium The Oracle Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments. In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.

Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component.

To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.
Inspect the list of enabled firewall ports and verify they are configured correctly by running the following command: $ sudo firewall-cmd --list-all Is it the case that the default rules are not configured? Configure the firewalld ports to allow approved services to have access to the system. To configure firewalld to open ports, run the following command:
$ sudo firewall-cmd --permanent --add-port=port_number/tcp
or
$ sudo firewall-cmd --permanent --add-port=service_name
Run the command list above for each of the ports listed below: To configure firewalld to allow access, run the following command(s): firewall-cmd --permanent --add-service=ssh
OL07-00-040100
OL07-00-040110 CCI-003123 medium The Oracle Linux operating system must use a FIPS 140-2 approved cryptographic algorithm for SSH communications. Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets industry and government requirements. For government systems, this allows Security Levels 1, 2, 3, or 4 for use on Oracle Linux 7.
Only FIPS ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command: $ sudo grep Ciphers /etc/ssh/sshd_config The output should contain only those ciphers which are FIPS-approved. Is it the case that FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved? Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved ciphers:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
The man page sshd_config(5) contains a list of supported ciphers.

Only the following ciphers are FIPS 140-2 certified on Oracle Linux 7:
- aes128-ctr
- aes192-ctr
- aes256-ctr
- aes128-cbc
- aes192-cbc
- aes256-cbc
- 3des-cbc
- rijndael-cbc@lysator.liu.se

Any combination of the above ciphers will pass this check. Official FIPS 140-2 paperwork for Oracle Linux 7 can be found at https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3028.pdf The rule is parametrized to use the following ciphers: .
OL07-00-040110
OL07-00-040160 CCI-001133 medium The Oracle Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 10 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. Run the following command to ensure the TMOUT value is configured for all users on the system: $ sudo grep TMOUT /etc/profile The output should return the following: TMOUT= Is it the case that value of TMOUT is not less than or equal to expected setting? Setting the TMOUT option in /etc/profile ensures that all user sessions will terminate based on inactivity. The TMOUT setting in /etc/profile should read as follows:
TMOUT=
OL07-00-040160
OL07-00-040170 CCI-000048 medium The Oracle Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner immediately prior to, or as part of, remote access logon prompts. The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution. To determine how the SSH daemon's Banner option is set, run the following command: $ sudo grep -i Banner /etc/ssh/sshd_config If a line indicating /etc/issue is returned, then the required value is set. Is it the case that the required value is not set? To enable the warning banner and ensure it is consistent across the system, add or correct the following line in /etc/ssh/sshd_config:
Banner /etc/issue
Another section contains information on how to create an appropriate system-wide warning banner.
OL07-00-040170
OL07-00-040180 CCI-001453 medium The Oracle Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications. Without cryptographic integrity protections, information can be altered by unauthorized users without detection. The ssl directive specifies whether to use TLS or not. If not specified it will default to no. It should be set to start_tls rather than doing LDAP over SSL. If the system is not using TLS, set the ldap_id_use_start_tls option in /etc/sssd/sssd.conf to True. Is it the case that the 'ldap_id_use_start_tls' option is not set to 'True'? This check verifies that Oracle Linux 7 implements cryptography to protect the integrity of remote LDAP authentication sessions.

To determine if LDAP is being used for authentication, use the following command:
$ sudo grep -i useldapauth /etc/sysconfig/authconfig


If USELDAPAUTH=yes, then LDAP is being used. To check if LDAP is configured to use TLS, use the following command:
$ sudo grep -i ldap_id_use_start_tls /etc/sssd/sssd.conf
OL07-00-040180
OL07-00-040190 CCI-001453 medium The Oracle Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications. Without cryptographic integrity protections, information can be altered by unauthorized users without detection.

Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.
To verify the operating system implements cryptography to protect the integrity of remote ldap access sessions, run the following command: $ sudo grep ldap_tls_cacertdir /etc/sssd/sssd.conf The output should return the following with a correctly configured CA cert path: ldap_tls_cacertdir /path/to/tls/cacert Is it the case that the TLS CA cert is not configured? Configure SSSD to implement cryptography to protect the integrity of LDAP remote access sessions. By setting the
ldap_tls_cacertdir
option in
/etc/sssd/sssd.conf
to point to the path for the X.509 certificates used for peer authentication.
ldap_tls_cacertdir /path/to/tls/cacert
OL07-00-040190
OL07-00-040200 CCI-001453 medium The Oracle Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications. Without cryptographic integrity protections, information can be altered by unauthorized users without detection.

Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.
To verify the operating system implements cryptography to protect the integrity of remote ldap access sessions, run the following command: $ sudo grep ldap_tls_cacert /etc/sssd/sssd.conf The output should return the following with a correctly configured CA cert path: ldap_tls_cacert /path/to/tls/ca.cert Is it the case that the TLS CA cert is not configured? Configure SSSD to implement cryptography to protect the integrity of LDAP remote access sessions. By setting the
ldap_tls_cacert
option in
/etc/sssd/sssd.conf
to point to the path for the X.509 certificates used for peer authentication.
ldap_tls_cacert /path/to/tls/ca.cert
OL07-00-040200
OL07-00-040201 CCI-002824 medium The Oracle Linux operating system must implement virtual address space randomization. Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques. The runtime status of the kernel.randomize_va_space kernel parameter can be queried by running the following command: $ sysctl kernel.randomize_va_space The output of the command should indicate a value of 2. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*kernel.randomize_va_space\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than kernel.randomize_va_space = 2 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains kernel.randomize_va_space = 2, and that one assignment is returned when $ grep -r kernel.randomize_va_space /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:
$ sudo sysctl -w kernel.randomize_va_space=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.randomize_va_space = 2
OL07-00-040201
OL07-00-040300 CCI-002422 medium The Oracle Linux operating system must be configured so that all networked systems have SSH installed. Without protection of the transmitted information, confidentiality, and integrity may be compromised because unprotected communications can be intercepted and either read or altered. Run the following command to determine if the openssh-server package is installed: $ rpm -q openssh-server Is it the case that the package is not installed? The openssh-server package should be installed. The openssh-server package can be installed with the following command:
$ sudo yum install openssh-server
OL07-00-040300
OL07-00-040310 CCI-002418 medium The Oracle Linux operating system must be configured so that all networked systems use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission. Without protection of the transmitted information, confidentiality, and integrity may be compromised because unprotected communications can be intercepted and either read or altered.

This checklist item applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, etc). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
Run the following command to determine the current status of the sshd service: $ systemctl is-active sshd If the service is running, it should return the following: active Is it the case that ? The SSH server service, sshd, is commonly needed. The sshd service can be enabled with the following command:
$ sudo systemctl enable sshd.service
OL07-00-040310
OL07-00-040320 CCI-002361 medium The Oracle Linux operating system must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements. Terminating an idle ssh session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been let unattended. Run the following command to see what the timeout interval is: $ sudo grep ClientAliveInterval /etc/ssh/sshd_config If properly configured, the output should be: ClientAliveInterval Is it the case that it is commented out or not configured properly? SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out.

To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as follows:
ClientAliveInterval 


The timeout interval is given in seconds. For example, have a timeout of 10 minutes, set interval to 600.

If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.
OL07-00-040320
OL07-00-040330 CCI-000366 medium The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication. Configuring this setting for the SSH daemon provides additional assurance that remove login via SSH will require a password, even in the event of misconfiguration elsewhere. To check which SSH protocol version is allowed, check version of openssh-server with following command: $ rpm -qi openssh-server | grep Version Versions equal to or higher than 7.4 have deprecated the RhostsRSAAuthentication option. If version is lower than 7.4, run the following command to check configuration: To determine how the SSH daemon's RhostsRSAAuthentication option is set, run the following command: $ sudo grep -i RhostsRSAAuthentication /etc/ssh/sshd_config If no line, a commented line, or a line indicating the value no is returned, then the required value is set. Is it the case that the required value is not set? SSH can allow authentication through the obsolete rsh command through the use of the authenticating user's SSH keys. This should be disabled.

To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:
RhostsRSAAuthentication no
OL07-00-040330
OL07-00-040340 CCI-001133 medium The Oracle Linux operating system must be configured so that all network connections associated with SSH traffic terminate after a period of inactivity. This ensures a user login will be terminated as soon as the ClientAliveInterval is reached. To ensure the SSH idle timeout will occur when the ClientAliveInterval is set, run the following command: $ sudo grep ClientAliveCountMax /etc/ssh/sshd_config If properly configured, output should be: ClientAliveCountMax Is it the case that it is commented out or not configured properly? To ensure the SSH idle timeout occurs precisely when the ClientAliveInterval is set, edit /etc/ssh/sshd_config as follows:
ClientAliveCountMax 
OL07-00-040340
OL07-00-040350 CCI-000366 medium The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication. SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. To determine how the SSH daemon's IgnoreRhosts option is set, run the following command: $ sudo grep -i IgnoreRhosts /etc/ssh/sshd_config If no line, a commented line, or a line indicating the value yes is returned, then the required value is set. Is it the case that the required value is not set? SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via .rhosts files.

To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:
IgnoreRhosts yes
OL07-00-040350
OL07-00-040360 CCI-000366 medium The Oracle Linux operating system must display the date and time of the last successful account logon upon an SSH logon. Providing users feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use. To check if PrintLastLog is enabled or set correctly, run the following command: $ sudo grep PrintLastLog /etc/ssh/sshd_config If configured properly, output should be yes Is it the case that it is commented out or is not enabled? When enabled, SSH will display the date and time of the last successful account logon. To enable LastLog in SSH, add or correct the following line in the /etc/ssh/sshd_config file:
PrintLastLog yes
OL07-00-040360
OL07-00-040370 CCI-000366 medium The Oracle Linux operating system must not permit direct logons to the root account using remote access via SSH. Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password. To determine how the SSH daemon's PermitRootLogin option is set, run the following command: $ sudo grep -i PermitRootLogin /etc/ssh/sshd_config If a line indicating no is returned, then the required value is set. Is it the case that the required value is not set? The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in /etc/ssh/sshd_config:
PermitRootLogin no
OL07-00-040370
OL07-00-040380 CCI-000366 medium The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication. Configuring this setting for the SSH daemon provides additional assurance that remove login via SSH will require a password, even in the event of misconfiguration elsewhere. To determine how the SSH daemon's IgnoreUserKnownHosts option is set, run the following command: $ sudo grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config If a line indicating yes is returned, then the required value is set. Is it the case that the required value is not set? SSH can allow system users to connect to systems if a cache of the remote systems public keys is available. This should be disabled.

To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:
IgnoreUserKnownHosts yes
OL07-00-040380
OL07-00-040390 CCI-000197 high The Oracle Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol. SSH protocol version 1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system. To check which SSH protocol version is allowed, check version of openssh-server with following command: $ rpm -qi openssh-server | grep Version Versions equal to or higher than 7.4 only allow Protocol 2. If version is lower than 7.4, run the following command to check configuration: $ sudo grep Protocol /etc/ssh/sshd_config If configured properly, output should be Protocol 2 Is it the case that it is commented out or is not set correctly to Protocol 2? Only SSH protocol version 2 connections should be permitted. The default setting in /etc/ssh/sshd_config is correct, and can be verified by ensuring that the following line appears:
Protocol 2
OL07-00-040390
OL07-00-040400 CCI-001453 medium The Oracle Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. DoD Information Systems are required to use FIPS-approved cryptographic hash functions. The only SSHv2 hash algorithms meeting this requirement is SHA2. Only FIPS-approved MACs should be used. To verify that only FIPS-approved MACs are in use, run the following command: $ sudo grep -i macs /etc/ssh/sshd_config The output should contain only those MACs which are FIPS-approved. Any use of other ciphers or algorithms will result in the module entering the non-FIPS mode of operation. Is it the case that MACs option is commented out or not using FIPS-approved hash algorithms? Limit the MACs to those hash algorithms which are FIPS-approved. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved MACs:
MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1
The man page sshd_config(5) contains a list of supported MACs.

Only the following message authentication codes are FIPS 140-2 certified on Oracle Linux 7:
- hmac-sha1
- hmac-sha2-256
- hmac-sha2-512
- hmac-sha1-etm@openssh.com
- hmac-sha2-256-etm@openssh.com
- hmac-sha2-512-etm@openssh.com

Any combination of the above MACs will pass this check. Official FIPS 140-2 paperwork for Oracle Linux 7 can be found at https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3028.pdf The rule is parametrized to use the following MACs: .
OL07-00-040400
OL07-00-040410 CCI-000366 medium The Oracle Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive. If a public host key file is modified by an unauthorized user, the SSH service may be compromised. To check the permissions of /etc/ssh/*.pub, run the command: $ ls -l /etc/ssh/*.pub If properly configured, the output should indicate the following permissions: -rw-r--r-- Is it the case that /etc/ssh/*.pub has unix mode -rw-r--r--? To properly set the permissions of /etc/ssh/*.pub, run the command:
$ sudo chmod 0644 /etc/ssh/*.pub
OL07-00-040410
OL07-00-040420 CCI-000366 medium The Oracle Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive. If an unauthorized user obtains the private SSH host key file, the host could be impersonated. To check the permissions of /etc/ssh/*_key, run the command: $ ls -l /etc/ssh/*_key If properly configured, the output should indicate the following permissions: -rw-r----- Is it the case that /etc/ssh/*_key has unix mode -rw-r-----? To properly set the permissions of /etc/ssh/*_key, run the command:
$ sudo chmod 0640 /etc/ssh/*_key
OL07-00-040420
OL07-00-040430 CCI-001813 medium The Oracle Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed. GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. To check if GSSAPIAuthentication is disabled or set correctly, run the following command: $ sudo grep GSSAPIAuthentication /etc/ssh/sshd_config If configured properly, output should be no Is it the case that it is commented out or is not disabled? Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like GSSAPI. To disable GSSAPI authentication, add or correct the following line in the /etc/ssh/sshd_config file:
GSSAPIAuthentication no
OL07-00-040430
OL07-00-040440 CCI-001813 medium The Oracle Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed. Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementations may be subject to exploitation. To check if KerberosAuthentication is disabled or set correctly, run the following command: $ sudo grep KerberosAuthentication /etc/ssh/sshd_config If configured properly, output should be no Is it the case that it is commented out or is not disabled? Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like Kerberos. To disable Kerberos authentication, add or correct the following line in the /etc/ssh/sshd_config file:
KerberosAuthentication no
OL07-00-040440
OL07-00-040450 CCI-000366 medium The Oracle Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files. If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user. To check if StrictModes is enabled or set correctly, run the following command: $ sudo grep StrictModes /etc/ssh/sshd_config If configured properly, output should be yes Is it the case that it is commented out or is not enabled? SSHs StrictModes option checks file and ownership permissions in the user's home directory .ssh folder before accepting login. If world- writable permissions are found, logon is rejected. To enable StrictModes in SSH, add or correct the following line in the /etc/ssh/sshd_config file:
StrictModes yes
OL07-00-040450
OL07-00-040460 CCI-000366 medium The Oracle Linux operating system must be configured so that the SSH daemon uses privilege separation. SSH daemon privilege separation causes the SSH process to drop root privileges when not needed which would decrease the impact of software vulnerabilities in the unprivileged section. To check if UsePrivilegeSeparation is enabled or set correctly, run the following command: $ sudo grep UsePrivilegeSeparation /etc/ssh/sshd_config If configured properly, output should be . Is it the case that it is commented out or is not enabled? When enabled, SSH will create an unprivileged child process that has the privilege of the authenticated user. To enable privilege separation in SSH, add or correct the following line in the /etc/ssh/sshd_config file:
UsePrivilegeSeparation 
OL07-00-040460
OL07-00-040470 CCI-000366 medium The Oracle Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication. If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges. To check if compression is enabled or set correctly, run the following command: $ sudo grep Compression /etc/ssh/sshd_config If configured properly, output should be no or delayed. Is it the case that it is commented out, or is not set to no or delayed? Compression is useful for slow network connections over long distances but can cause performance issues on local LANs. If use of compression is required, it should be enabled only after a user has authenticated; otherwise, it should be disabled. To disable compression or delay compression until after a user has successfully authenticated, add or correct the following line in the /etc/ssh/sshd_config file:
Compression 
OL07-00-040470
OL07-00-040500 CCI-002046 medium The Oracle Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS). Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. To verify that maxpoll has been set properly, perform the following: $ sudo grep maxpoll /etc/ntp.conf /etc/chrony.conf The output should return maxpoll . Is it the case that it does not exist or maxpoll has not been set to the expected value? The maxpoll should be configured to in /etc/ntp.conf or /etc/chrony.conf to continuously poll time servers. To configure maxpoll in /etc/ntp.conf or /etc/chrony.conf add the following:
maxpoll 
OL07-00-040500
OL07-00-040510 CCI-002385 medium The Oracle Linux operating system must protect against or limit the effects of Denial of Service (DoS) attacks by validating the operating system is implementing rate-limiting measures on impacted network interfaces. Denial of Service (DoS) is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.

This can help mitigate simple “ack loop” DoS attacks, wherein a buggy or malicious middlebox or man-in-the-middle can rewrite TCP header fields in manner that causes each endpoint to think that the other is sending invalid TCP segments, thus causing each side to send an unterminating stream of duplicate acknowledgments for invalid segments.
To verify that the operating system protects against or limits the effects of DoS attacks by ensuring implementation of rate-limiting measures on impacted network interfaces, run the following command: # grep 'net.ipv4.tcp_invalid_ratelimit' /etc/sysctl.conf /etc/sysctl.d/* The command should output the following line: /etc/sysctl.conf:net.ipv4.tcp_invalid_ratelimit = The file where the line has been found can differ, but it must be either /etc/sysctl.conf or a file located under the /etc/sysctl.d/ directory. Is it the case that rate limiting of duplicate TCP acknowledgments is not configured? Make sure that the system is configured to limit the maximal rate for sending duplicate acknowledgments in response to incoming TCP packets that are for an existing connection but that are invalid due to any of these reasons: (a) out-of-window sequence number, (b) out-of-window acknowledgment number, or (c) PAWS (Protection Against Wrapped Sequence numbers) check failure This measure protects against or limits effects of DoS attacks against the system. Set the system to implement rate-limiting measures by adding the following line to /etc/sysctl.conf or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
net.ipv4.tcp_invalid_ratelimit = 
Issue the following command to make the changes take effect:
# sysctl --system
OL07-00-040510
OL07-00-040520 CCI-000366 medium The Oracle Linux operating system must enable an application firewall, if available. Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols. Run the following command to determine the current status of the firewalld service: $ systemctl is-active firewalld If the service is running, it should return the following: active Is it the case that ? The firewalld service can be enabled with the following command:
$ sudo systemctl enable firewalld.service
OL07-00-040520
OL07-00-040530 CCI-000366 low The Oracle Linux operating system must display the date and time of the last successful account logon upon logon. Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. To ensure that last logon/access notification is configured correctly, run the following command: $ grep pam_lastlog.so /etc/pam.d/postlogin The output should show output showfailed. Is it the case that that is not the case? To configure the system to notify users of last logon/access using pam_lastlog, add or correct the pam_lastlog settings in /etc/pam.d/postlogin to read as follows:
session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session     [default=1]   pam_lastlog.so nowtmp showfailed
session     optional      pam_lastlog.so silent noupdate showfailed
OL07-00-040530
OL07-00-040540 CCI-000366 high The Oracle Linux operating system must not contain .shosts files. The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. To verify that there are no .shosts files on the system, run the following command: $ sudo find / -name '.shosts' No output should be returned. Is it the case that these files exist? The ~/.shosts (in each user's home directory) files list remote hosts and users that are trusted by the local system. To remove these files, run the following command to delete them from any location:
$ sudo find / -name '.shosts' -type f -delete
OL07-00-040540
OL07-00-040550 CCI-000366 high The Oracle Linux operating system must not contain shosts.equiv files. The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. To verify that there are no shosts.equiv files on the system, run the following command: $ find / -name shosts.equiv No output should be returned. Is it the case that these files exist? The shosts.equiv file list remote hosts and users that are trusted by the local system. To remove these files, run the following command to delete them from any location:
$ sudo rm /[path]/[to]/[file]/shosts.equiv
OL07-00-040550
OL07-00-040600 CCI-000366 low At least two name servers must be configured for Oracle Linux operating systems using DNS resolution. To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging. To verify that DNS servers have been configured properly, perform the following: $ sudo grep nameserver /etc/resolv.conf The output should return more than one nameserver entry. Is it the case that it does not exist or is not properly configured or less than 2 'nameserver' entries exist? Multiple Domain Name System (DNS) Servers should be configured in /etc/resolv.conf. This provides redundant name resolution services in the event that a domain server crashes. To configure the system to contain as least 2 DNS servers, add a corresponding nameserver ip_address entry in /etc/resolv.conf for each DNS server where ip_address is the IP address of a valid DNS server. For example:
search example.com
nameserver 192.168.0.1
nameserver 192.168.0.2
OL07-00-040600
OL07-00-040610 CCI-000366 medium The Oracle Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets. Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.

Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
The runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.accept_source_route The output of the command should indicate a value of 0. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv4.conf.all.accept_source_route\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv4.conf.all.accept_source_route = 0 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv4.conf.all.accept_source_route = 0, and that one assignment is returned when $ grep -r net.ipv4.conf.all.accept_source_route /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.accept_source_route = 0
OL07-00-040610
OL07-00-040611 CCI-000366 medium The Oracle Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces. Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. The runtime status of the net.ipv4.conf.all.rp_filter kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.rp_filter The output of the command should indicate a value of 1. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv4.conf.all.rp_filter\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv4.conf.all.rp_filter = 1 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv4.conf.all.rp_filter = 1, and that one assignment is returned when $ grep -r net.ipv4.conf.all.rp_filter /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.rp_filter = 1
OL07-00-040611
OL07-00-040612 CCI-000366 medium The Oracle Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default. Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. The runtime status of the net.ipv4.conf.default.rp_filter kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.rp_filter The output of the command should indicate a value of 1. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv4.conf.default.rp_filter\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv4.conf.default.rp_filter = 1 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv4.conf.default.rp_filter = 1, and that one assignment is returned when $ grep -r net.ipv4.conf.default.rp_filter /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the net.ipv4.conf.default.rp_filter kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.rp_filter=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.rp_filter = 1
OL07-00-040612
OL07-00-040620 CCI-000366 medium The Oracle Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default. Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router.
The runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.accept_source_route The output of the command should indicate a value of 0. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv4.conf.default.accept_source_route\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv4.conf.default.accept_source_route = 0 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv4.conf.default.accept_source_route = 0, and that one assignment is returned when $ grep -r net.ipv4.conf.default.accept_source_route /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.accept_source_route = 0
OL07-00-040620
OL07-00-040630 CCI-000366 medium The Oracle Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.
Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.
The runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter can be queried by running the following command: $ sysctl net.ipv4.icmp_echo_ignore_broadcasts The output of the command should indicate a value of 1. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv4.icmp_echo_ignore_broadcasts\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv4.icmp_echo_ignore_broadcasts = 1 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv4.icmp_echo_ignore_broadcasts = 1, and that one assignment is returned when $ grep -r net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.icmp_echo_ignore_broadcasts = 1
OL07-00-040630
OL07-00-040640 CCI-000366 medium The Oracle Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted. ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.
The runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.accept_redirects The output of the command should indicate a value of 0. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv4.conf.default.accept_redirects\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv4.conf.default.accept_redirects = 0 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv4.conf.default.accept_redirects = 0, and that one assignment is returned when $ grep -r net.ipv4.conf.default.accept_redirects /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.accept_redirects = 0
OL07-00-040640
OL07-00-040641 CCI-000366 medium The Oracle Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required."
The runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.accept_redirects The output of the command should indicate a value of 0. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv4.conf.all.accept_redirects\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv4.conf.all.accept_redirects = 0 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv4.conf.all.accept_redirects = 0, and that one assignment is returned when $ grep -r net.ipv4.conf.all.accept_redirects /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.accept_redirects = 0
OL07-00-040641
OL07-00-040650 CCI-000366 medium The Oracle Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default. ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers.
The runtime status of the net.ipv4.conf.default.send_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.send_redirects The output of the command should indicate a value of 0. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv4.conf.default.send_redirects\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv4.conf.default.send_redirects = 0 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv4.conf.default.send_redirects = 0, and that one assignment is returned when $ grep -r net.ipv4.conf.default.send_redirects /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.send_redirects = 0
OL07-00-040650
OL07-00-040660 CCI-000366 medium The Oracle Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects. ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers.
The runtime status of the net.ipv4.conf.all.send_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.send_redirects The output of the command should indicate a value of 0. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv4.conf.all.send_redirects\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv4.conf.all.send_redirects = 0 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv4.conf.all.send_redirects = 0, and that one assignment is returned when $ grep -r net.ipv4.conf.all.send_redirects /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.send_redirects = 0
OL07-00-040660
OL07-00-040670 CCI-000366 medium Network interfaces configured on The Oracle Linux operating system must not be in promiscuous mode. Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems.

If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information Systems Security Manager (ISSM) and restricted to only authorized personnel.
Promiscuous mode of an interface can be disabled with the following command: $ sudo ip link set dev device_name promisc off Is it the case that any network device is in promiscuous mode? The system should not be acting as a network sniffer, which can capture all traffic on the network to which it is connected. Run the following to determine if any interface is running in promiscuous mode:
$ ip link | grep PROMISC
OL07-00-040670
OL07-00-040680 CCI-000366 medium The Oracle Linux operating system must be configured to prevent unrestricted mail relaying. If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity. To verify the system is configured to prevent unrestricted mail relaying, run the following command: $ sudo postconf -n smtpd_client_restrictions The output should return: smtpd_client_restrictions = permit_mynetworks,reject Is it the case that it is not? Modify the
/etc/postfix/main.cf
file to restrict client connections to the local network with the following command:
$ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'
OL07-00-040680
OL07-00-040690 CCI-000366 high The Oracle Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed. Removing the vsftpd package decreases the risk of its accidental activation. Run the following command to determine if the vsftpd package is installed: $ rpm -q vsftpd Is it the case that the package is installed? The vsftpd package can be removed with the following command:
 $ sudo yum erase vsftpd
OL07-00-040690
OL07-00-040700 CCI-000366 high The Oracle Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support. Removing the tftp-server package decreases the risk of the accidental (or intentional) activation of tftp services.

If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the Information Systems Securty Manager (ISSM), restricted to only authorized personnel, and have access control rules established.
Run the following command to determine if the tftp-server package is installed: $ rpm -q tftp-server Is it the case that the package is installed? The tftp-server package can be removed with the following command:
 $ sudo yum erase tftp-server
OL07-00-040700
OL07-00-040710 CCI-000366 high The Oracle Linux operating system must be configured so that remote X connections for interactive users are encrypted. Non-encrypted X displays allow an attacker to capture keystrokes and to execute commands remotely. To determine how the SSH daemon's X11Forwarding option is set, run the following command: $ sudo grep -i X11Forwarding /etc/ssh/sshd_config If a line indicating yes is returned, then the required value is set. Is it the case that the required value is not set? By default, remote X11 connections are not encrypted when initiated by users. SSH has the capability to encrypt remote X11 connections when SSH's X11Forwarding option is enabled.

To enable X11 Forwarding, add or correct the following line in /etc/ssh/sshd_config:
X11Forwarding yes
OL07-00-040710
OL07-00-040720 CCI-000366 medium The Oracle Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode. Using the -s option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally-specified directory reduces the risk of sharing files which should remain private. If TFTP is not installed, this is not applicable. To determine if TFTP is installed, run the following command: $ rpm -qa | grep tftp Verify tftp is configured by with the -s option by running the following command: grep "server_args" /etc/xinetd.d/tftp The output should indicate the server_args variable is configured with the -s flag, matching the example below: $ grep "server_args" /etc/xinetd.d/tftp server_args = -s /var/lib/tftpboot Is it the case that this flag is missing? If running the tftp service is necessary, it should be configured to change its root directory at startup. To do so, ensure /etc/xinetd.d/tftp includes -s as a command line argument, as shown in the following example (which is also the default):
server_args = -s /var/lib/tftpboot
OL07-00-040720
OL07-00-040730 CCI-000366 medium The Oracle Linux operating system must not have an X Windows display manager installed unless approved. Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security vulnerabilities and should not be installed unless approved and documented. To ensure the X Windows package group is removed, run the following command: $ rpm -qi xorg-x11-server-common The output should be: package xorg-x11-server-common is not installed Is it the case that the X Windows package group or xorg-x11-server-common has not be removed? By removing the xorg-x11-server-common package, the system no longer has X Windows installed. If X Windows is not installed then the system cannot boot into graphical user mode. This prevents the system from being accidentally or maliciously booted into a graphical.target mode. To do so, run the following command:
$ sudo yum groupremove "X Window System"
$ sudo yum remove xorg-x11-server-common
OL07-00-040730
OL07-00-040740 CCI-000366 medium The Oracle Linux operating system must not be performing packet forwarding unless the system is a router. Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network. The runtime status of the net.ipv4.ip_forward kernel parameter can be queried by running the following command: $ sysctl net.ipv4.ip_forward The output of the command should indicate a value of 0. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv4.ip_forward\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv4.ip_forward = 0 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv4.ip_forward = 0, and that one assignment is returned when $ grep -r net.ipv4.ip_forward /etc/sysctl.conf /etc/sysctl.d is executed. The ability to forward packets is only appropriate for routers. Is it the case that ? To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.ip_forward=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.ip_forward = 0
OL07-00-040740
OL07-00-040750 CCI-000366 medium The Oracle Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS. When an NFS server is configured to use AUTH_SYS a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The AUTH_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request. To verify the sec option is configured for all NFS mounts, run the following command: $ mount | grep "sec=" All NFS mounts should show the sec=krb5:krb5i:krb5p setting in parentheses. This is not applicable if NFS is not implemented. Is it the case that the setting is not configured, has the 'sys' option added, or does not have all Kerberos options added? Add the sec=krb5:krb5i:krb5p option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts. OL07-00-040750
OL07-00-040800 CCI-000366 high SNMP community strings on the Oracle Linux operating system must be changed from the default. Whether active or not, default simple network management protocol (SNMP) community strings must be changed to maintain security. If the service is running with the default authenticators, then anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system and network(s). To ensure the default password is not set, run the following command: $ sudo grep -v "^#" /etc/snmp/snmpd.conf| grep -E 'public|private' There should be no output. Is it the case that the default SNMP passwords public and private have not been changed or removed? Edit /etc/snmp/snmpd.conf, remove or change the default community strings of public and private. Once the default community strings have been changed, restart the SNMP service:
$ sudo service snmpd restart
OL07-00-040800
OL07-00-040810 CCI-000366 medium The Oracle Linux operating system access control program must be configured to grant or deny system access to specific hosts and services. In firewalld the default zone is applied only after all the applicable rules in the table are examined for a match. Setting the default zone to drop implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted. Inspect the file /etc/firewalld/firewalld.conf to determine the default zone for the firewalld. It should be set to DefaultZone=drop: $ sudo grep DefaultZone /etc/firewalld/firewalld.conf Is it the case that the default zone is not set to DROP? To set the default zone to drop for the built-in default zone which processes incoming IPv4 and IPv6 packets, modify the following line in /etc/firewalld/firewalld.conf to be:
DefaultZone=drop
OL07-00-040810
OL07-00-040820 CCI-000366 medium The Oracle Linux operating system must not have unauthorized IP tunnels configured. IP tunneling mechanisms can be used to bypass network filtering. To check for configured IPsec connections (conn), perform the following: grep -rni conn /etc/ipsec.conf /etc/ipsec.d/ Verify any returned results for organizational approval. Is it the case that the IPSec tunnels are not approved? Libreswan provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. As such, IPsec can be used to circumvent certain network requirements such as filtering. Verify that if any IPsec connection (conn) configured in /etc/ipsec.conf and /etc/ipsec.d exists is an approved organizational connection. OL07-00-040820
OL07-00-040830 CCI-000366 medium The Oracle Linux operating system must not forward IPv6 source-routed packets. Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.

Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
The runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter can be queried by running the following command: $ sysctl net.ipv6.conf.all.accept_source_route The output of the command should indicate a value of 0. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv6.conf.all.accept_source_route\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv6.conf.all.accept_source_route = 0 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv6.conf.all.accept_source_route = 0, and that one assignment is returned when $ grep -r net.ipv6.conf.all.accept_source_route /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_source_route = 0
OL07-00-040830
OL07-00-041001 CCI-001953 medium The Oracle Linux operating system must have the required packages for multifactor authentication installed. Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.

Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
To verify the operating system has the packages required for multifactor authentication installed, run the following command: $ sudo yum list installed esc pam_pkcs11 Is it the case that smartcard software is not installed? Configure the operating system to implement multifactor authentication by installing the required packages with the following command: The esc pam_pkcs11 package can be installed with the following command:
$ sudo yum install esc pam_pkcs11
OL07-00-041001
OL07-00-041002 CCI-001954 medium The Oracle Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM). Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. To verify that SSSD is configured for PAM services, run the following command: $ sudo grep services /etc/sssd/sssd.conf If configured properly, output should be similar to services = pam Is it the case that it does not exist or 'pam' is not added to the 'services' option under the 'sssd' section? SSSD should be configured to run SSSD pam services. To configure SSSD to known SSH hosts, add pam to services under the [sssd] section in /etc/sssd/sssd.conf. For example:
[sssd]
services = sudo, autofs, pam
OL07-00-041002
OL07-00-041003 CCI-001954 medium The Oracle Linux operating system must implement certificate status checking for PKI authentication. Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.

Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
To verify the operating system implements certificate status checking for PKI authentication, run the following command: $ sudo grep -i cert_policy /etc/pam_pkcs11/pam_pkcs11.conf The output should return multiple lines similiar to the following: cert_policy = ca, ocsp_on, signature; cert_policy = ca, ocsp_on, signature; cert_policy = ca, ocsp_on, signature; Is it the case that ocsp_on is not configured? Configure the operating system to do certificate status checking for PKI authentication. Modify all of the cert_policy lines in /etc/pam_pkcs11/pam_pkcs11.conf to include ocsp_on like so:
cert_policy = ca, ocsp_on, signature;
OL07-00-041003
OL07-00-041010 CCI-002421 medium The Oracle Linux operating system must be configured so that all wireless network adapters are disabled. The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources. Verify that there are no wireless interfaces configured on the system with the following command: $ sudo nmcli device The output should contain the following: wifi disconnected Is it the case that it is not? Deactivating wireless network interfaces should prevent normal usage of the wireless capability.

Configure the system to disable all wireless network interfaces with the following command:
$ sudo nmcli radio wifi off
OL07-00-041010
OL07-00-910055 CCI-001314 medium The Oracle Linux operating system must protect audit information from unauthorized read, modification, or deletion. If users can write to audit logs, audit trails can be modified or destroyed. Run the following command to check the mode of the system audit logs: $ sudo ls -l /var/log/audit Audit logs must be mode 0640 or less permissive. Is it the case that any are more permissive? If log_group in /etc/audit/auditd.conf is set to a group other than the root group account, change the mode of the audit log files with the following command:
$ sudo chmod 0640 audit_file

Otherwise, change the mode of the audit log files with the following command:
$ sudo chmod 0600 audit_file
OL07-00-910055