xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_cis

Guide to the Secure Configuration of Red Hat Enterprise Linux 9

with profile CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
This profile defines a baseline that aligns to the "Level 2 - Server" configuration from the Center for Internet Security® Red Hat Enterprise Linux 9 Benchmark™, v1.0.0, released 2022-11-28. This profile includes Center for Internet Security® Red Hat Enterprise Linux 9 CIS Benchmarks™ content.

The SCAP Security Guide Project
https://www.open-scap.org/security-policies/scap-security-guide

This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 9. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is is available in the scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.

Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Evaluation Characteristics

Evaluation target	6bd1fded-7e25-496f-862d-895caa20a385.testing-farm.us-east-1.aws.redhat.com
Benchmark URL	#scap_org.open-scap_comp_ssg-rhel9-xccdf.xml
Benchmark ID	xccdf_org.ssgproject.content_benchmark_RHEL-9
Benchmark version	0.1.69
Profile ID	xccdf_org.ssgproject.content_profile_cis
Started at	2024-03-08T16:34:42-05:00
Finished at	2024-03-08T16:35:12-05:00
Performed by	root
Test system	cpe:/a:redhat:openscap:1.3.8

CPE Platforms

cpe:/o:redhat:enterprise_linux:9

Addresses

IPv4 127.0.0.1
IPv4 10.31.42.34
IPv6 0:0:0:0:0:0:0:1
IPv6 fe80:0:0:0:c3e:e8ff:feaa:30e1
MAC 00:00:00:00:00:00
MAC 0E:3E:E8:AA:30:E1

Compliance and Scoring

The target system did not satisfy the conditions of 16 rules! Please review rule results and consider applying remediation.

Rule results

322 passed

16 failed

1 other

Severity of failed rules

2 other

1 low

12 medium

1 high

Score

Scoring system	Score	Maximum	Percent
urn:xccdf:scoring:default	94.388229	100.000000	94.39%

Rule Overview

Title	Severity	Result
Guide to the Secure Configuration of Red Hat Enterprise Linux 9 16x fail 1x notchecked
System Settings 12x fail 1x notchecked
Installing and Maintaining Software 1x fail
System and Software Integrity
Software Integrity Checking
Verify Integrity with AIDE
Install AIDE	medium	pass
Build and Test AIDE Database	medium	pass
Configure AIDE to Verify the Audit Tools	medium	pass
Configure Periodic Execution of AIDE	medium	pass
System Cryptographic Policies
Configure System Cryptography Policy	high	pass
Configure SSH to use System Crypto Policy	medium	pass
Disk Partitioning
Ensure /dev/shm is configured	low	pass
Ensure /home Located On Separate Partition	low	pass
Ensure /tmp Located On Separate Partition	low	pass
Ensure /var Located On Separate Partition	low	pass
Ensure /var/log Located On Separate Partition	low	pass
Ensure /var/log/audit Located On Separate Partition	low	pass
Ensure /var/tmp Located On Separate Partition	medium	pass
GNOME Desktop Environment
Configure GNOME Login Screen
Disable the GNOME3 Login User List	medium	notapplicable
Disable XDMCP in GDM	high	notapplicable
GNOME Media Settings
Disable GNOME3 Automounting	medium	notapplicable
Disable GNOME3 Automount Opening	medium	notapplicable
Disable GNOME3 Automount running	low	notapplicable
Configure GNOME Screen Locking
Set GNOME3 Screensaver Inactivity Timeout	medium	notapplicable
Set GNOME3 Screensaver Lock Delay After Activation Period	medium	notapplicable
Ensure Users Cannot Change GNOME3 Screensaver Settings	medium	notapplicable
Ensure Users Cannot Change GNOME3 Session Idle Settings	medium	notapplicable
Remove the GDM Package Group	medium	notapplicable
Make sure that the dconf databases are up-to-date with regards to respective keyfiles	high	notapplicable
Sudo 1x fail
Install sudo Package	medium	pass
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty	medium	pass
Ensure Sudo Logfile Exists - sudo logfile	low	pass
Ensure Users Re-Authenticate for Privilege Escalation - sudo	medium	fail
Require Re-Authentication When Using the sudo Command	medium	pass
Updating Software
Ensure gpgcheck Enabled In Main dnf Configuration	high	pass
Account and Access Control 5x fail
Warning Banners for System Accesses 1x fail
Implement a GUI Warning Banner
Enable GNOME3 Login Warning Banner	medium	notapplicable
Set the GNOME3 Login Warning Banner Text	medium	notapplicable
Modify the System Login Banner	medium	pass
Modify the System Login Banner for Remote Connections	medium	pass
Modify the System Message of the Day Banner	medium	fail
Verify Group Ownership of System Login Banner	medium	pass
Verify Group Ownership of System Login Banner for Remote Connections	medium	pass
Verify Group Ownership of Message of the Day Banner	medium	pass
Verify ownership of System Login Banner	medium	pass
Verify ownership of System Login Banner for Remote Connections	medium	pass
Verify ownership of Message of the Day Banner	medium	pass
Verify permissions on System Login Banner	medium	pass
Verify permissions on System Login Banner for Remote Connections	medium	pass
Verify permissions on Message of the Day Banner	medium	pass
Protect Accounts by Configuring PAM 1x fail
Set Lockouts for Failed Password Attempts
Limit Password Reuse: password-auth	medium	pass
Limit Password Reuse: system-auth	medium	pass
Lock Accounts After Failed Password Attempts	medium	pass
Set Lockout Time for Failed Password Attempts	medium	pass
Set Password Quality Requirements 1x fail
Set Password Quality Requirements with pam_pwquality 1x fail
Ensure PAM Enforces Password Requirements - Minimum Different Categories	medium	pass
Ensure PAM Enforces Password Requirements - Minimum Length	medium	pass
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session	medium	fail
Set Password Hashing Algorithm
Set Password Hashing Algorithm in /etc/login.defs	medium	pass
Set PAM''s Password Hashing Algorithm - password-auth	medium	pass
Set PAM''s Password Hashing Algorithm	medium	pass
Protect Accounts by Restricting Password-Based Login 3x fail
Set Account Expiration Parameters
Set Account Expiration Following Inactivity	medium	pass
Ensure All Accounts on the System Have Unique Names	medium	pass
Set Password Expiration Parameters
Set Password Maximum Age	medium	pass
Set Password Minimum Age	medium	pass
Set Existing Passwords Maximum Age	medium	pass
Set Existing Passwords Minimum Age	medium	pass
Set Existing Passwords Warning Age	medium	pass
Set Password Warning Age	medium	pass
Set existing passwords a period of inactivity before they been locked	medium	pass
Verify Proper Storage and Existence of Password Hashes
Verify All Account Password Hashes are Shadowed	medium	pass
Ensure all users last password change date is in the past	medium	pass
All GIDs referenced in /etc/passwd must be defined in /etc/group	low	pass
Prevent Login to Accounts With Empty Password	high	pass
Ensure There Are No Accounts With Blank or Null Passwords	high	pass
Verify No .forward Files Exist	medium	pass
Verify No netrc Files Exist	medium	pass
Restrict Root Logins 3x fail
Verify Only Root Has UID 0	high	pass
Verify Root Has A Primary GID 0	high	pass
Ensure the Group Used by pam_wheel Module Exists on System and is Empty	medium	fail
Ensure Authentication Required for Single User Mode	medium	fail
Ensure that System Accounts Are Locked	medium	pass
Ensure that System Accounts Do Not Run a Shell Upon Login	medium	pass
Enforce Usage of pam_wheel with Group Parameter for su Authentication	medium	fail
Ensure All Accounts on the System Have Unique User IDs	medium	pass
Ensure All Groups on the System Have Unique Group ID	medium	pass
Secure Session Configuration Files for Login Accounts
Ensure that No Dangerous Directories Exist in Root's Path
Ensure that Root's Path Does Not Include World or Group-Writable Directories	medium	pass
Ensure that Root's Path Does Not Include Relative Paths or Null Directories	unknown	pass
Ensure that Users Have Sensible Umask Values
Ensure the Default Bash Umask is Set Correctly	medium	pass
Ensure the Default Umask is Set Correctly in login.defs	medium	pass
Ensure the Default Umask is Set Correctly in /etc/profile	medium	pass
Set Interactive Session Timeout	medium	pass
User Initialization Files Must Not Run World-Writable Programs	medium	pass
All Interactive Users Home Directories Must Exist	medium	pass
All Interactive User Home Directories Must Be Group-Owned By The Primary Group	medium	pass
All Interactive User Home Directories Must Have mode 0750 Or Less Permissive	medium	pass
Enable authselect	medium	pass
System Accounting with auditd 1x fail
Configure auditd Rules for Comprehensive Auditing 1x fail
Record Events that Modify the System's Discretionary Access Controls
Record Events that Modify the System's Discretionary Access Controls - chmod	medium	pass
Record Events that Modify the System's Discretionary Access Controls - chown	medium	pass
Record Events that Modify the System's Discretionary Access Controls - fchmod	medium	pass
Record Events that Modify the System's Discretionary Access Controls - fchmodat	medium	pass
Record Events that Modify the System's Discretionary Access Controls - fchown	medium	pass
Record Events that Modify the System's Discretionary Access Controls - fchownat	medium	pass
Record Events that Modify the System's Discretionary Access Controls - fremovexattr	medium	pass
Record Events that Modify the System's Discretionary Access Controls - fsetxattr	medium	pass
Record Events that Modify the System's Discretionary Access Controls - lchown	medium	pass
Record Events that Modify the System's Discretionary Access Controls - lremovexattr	medium	pass
Record Events that Modify the System's Discretionary Access Controls - lsetxattr	medium	pass
Record Events that Modify the System's Discretionary Access Controls - removexattr	medium	pass
Record Events that Modify the System's Discretionary Access Controls - setxattr	medium	pass
Record Execution Attempts to Run ACL Privileged Commands
Record Any Attempts to Run chacl	medium	pass
Record Any Attempts to Run setfacl	medium	pass
Record Execution Attempts to Run SELinux Privileged Commands
Record Any Attempts to Run chcon	medium	pass
Record File Deletion Events by User
Ensure auditd Collects File Deletion Events by User - rename	medium	pass
Ensure auditd Collects File Deletion Events by User - renameat	medium	pass
Ensure auditd Collects File Deletion Events by User - unlink	medium	pass
Ensure auditd Collects File Deletion Events by User - unlinkat	medium	pass
Record Unauthorized Access Attempts Events to Files (unsuccessful)
Record Unsuccessful Access Attempts to Files - creat	medium	pass
Record Unsuccessful Access Attempts to Files - ftruncate	medium	pass
Record Unsuccessful Access Attempts to Files - open	medium	pass
Record Unsuccessful Access Attempts to Files - openat	medium	pass
Record Unsuccessful Access Attempts to Files - truncate	medium	pass
Record Information on Kernel Modules Loading and Unloading
Ensure auditd Collects Information on Kernel Module Unloading - create_module	medium	pass
Ensure auditd Collects Information on Kernel Module Unloading - delete_module	medium	pass
Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module	medium	pass
Ensure auditd Collects Information on Kernel Module Loading - init_module	medium	pass
Ensure auditd Collects Information on Kernel Module Loading and Unloading - query_module	medium	pass
Record Attempts to Alter Logon and Logout Events
Record Attempts to Alter Logon and Logout Events - faillock	medium	pass
Record Attempts to Alter Logon and Logout Events - lastlog	medium	pass
Record Information on the Use of Privileged Commands 1x fail
Ensure auditd Collects Information on the Use of Privileged Commands	medium	fail
Ensure auditd Collects Information on the Use of Privileged Commands - kmod	medium	pass
Ensure auditd Collects Information on the Use of Privileged Commands - usermod	medium	pass
Records Events that Modify Date and Time Information
Record attempts to alter time through adjtimex	medium	pass
Record Attempts to Alter Time Through clock_settime	medium	pass
Record attempts to alter time through settimeofday	medium	pass
Record Attempts to Alter Time Through stime	medium	pass
Record Attempts to Alter the localtime File	medium	pass
Make the auditd Configuration Immutable	medium	pass
Record Events that Modify the System's Mandatory Access Controls	medium	pass
Record Events that Modify the System's Mandatory Access Controls in usr/share	medium	pass
Ensure auditd Collects Information on Exporting to Media (successful)	medium	pass
Record Events that Modify the System's Network Environment	medium	pass
Record Attempts to Alter Process and Session Initiation Information	medium	pass
Record Events When Executables Are Run As Another User	medium	pass
Ensure auditd Collects System Administrator Actions	medium	pass
Record Events that Modify User/Group Information - /etc/group	medium	pass
Record Events that Modify User/Group Information - /etc/gshadow	medium	pass
Record Events that Modify User/Group Information - /etc/security/opasswd	medium	pass
Record Events that Modify User/Group Information - /etc/passwd	medium	pass
Record Events that Modify User/Group Information - /etc/shadow	medium	pass
Record Attempts to perform maintenance activities	medium	pass
System Audit Logs Must Have Mode 0750 or Less Permissive	medium	pass
System Audit Logs Must Be Group Owned By Root	medium	pass
Audit Configuration Files Must Be Owned By Group root	medium	pass
Audit Configuration Files Must Be Owned By Root	medium	pass
System Audit Logs Must Be Owned By Root	medium	pass
Audit Configuration Files Permissions are 640 or More Restrictive	medium	pass
System Audit Logs Must Have Mode 0640 or Less Permissive	medium	pass
Configure auditd Data Retention
Configure auditd mail_acct Action on Low Disk Space	medium	pass
Configure auditd admin_space_left Action on Low Disk Space	medium	pass
Configure auditd Max Log File Size	medium	pass
Configure auditd max_log_file_action Upon Reaching Maximum Log Size	medium	pass
Configure auditd space_left Action on Low Disk Space	medium	pass
Ensure the audit Subsystem is Installed	medium	pass
Enable auditd Service	medium	pass
Enable Auditing for Processes Which Start Prior to the Audit Daemon	low	pass
Extend Audit Backlog Limit for the Audit Daemon	low	pass
GRUB2 bootloader configuration 1x fail
Non-UEFI GRUB2 bootloader configuration 1x fail
Verify /boot/grub2/grub.cfg Group Ownership	medium	pass
Verify /boot/grub2/user.cfg Group Ownership	medium	pass
Verify /boot/grub2/grub.cfg User Ownership	medium	pass
Verify /boot/grub2/user.cfg User Ownership	medium	pass
Verify /boot/grub2/grub.cfg Permissions	medium	pass
Verify /boot/grub2/user.cfg Permissions	medium	pass
Set Boot Loader Password in grub2	high	fail
Configure Syslog
Ensure Proper Configuration of Log Files
Ensure Log Files Are Owned By Appropriate Group	medium	pass
Ensure Log Files Are Owned By Appropriate User	medium	pass
Ensure System Log Files Have Correct Permissions	medium	pass
systemd-journald
Enable systemd-journald Service	medium	pass
Ensure journald is configured to compress large log files	medium	pass
Ensure journald is configured to send logs to rsyslog	medium	pass
Ensure journald is configured to write log files to persistent disk	medium	pass
Disable systemd-journal-remote Socket	medium	pass
Configure rsyslogd to Accept Remote Messages If Acting as a Log Server
Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server	medium	pass
Ensure rsyslog is Installed	medium	pass
Enable rsyslog Service	medium	pass
Ensure rsyslog Default File Permissions Configured	medium	pass
Network Configuration and Firewalls 4x fail 1x notchecked
firewalld 3x fail
Inspect and Activate Default firewalld Rules
Verify firewalld Enabled	medium	pass
Strengthen the Default Ruleset 3x fail
Configure Firewalld to Restrict Loopback Traffic	medium	fail
Configure Firewalld to Trust Loopback Traffic	medium	fail
Set Default firewalld Zone for Incoming Packets	medium	fail
IPv6
Configure IPv6 Settings if Necessary
Configure Accepting Router Advertisements on All IPv6 Interfaces	medium	pass
Disable Accepting ICMP Redirects for All IPv6 Interfaces	medium	pass
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces	medium	pass
Disable Kernel Parameter for IPv6 Forwarding	medium	pass
Disable Accepting Router Advertisements on all IPv6 Interfaces by Default	medium	pass
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces	medium	pass
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default	medium	pass
Kernel Parameters Which Affect Networking
Network Related Kernel Runtime Parameters for Hosts and Routers
Disable Accepting ICMP Redirects for All IPv4 Interfaces	medium	pass
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces	medium	pass
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces	unknown	pass
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces	medium	pass
Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces	medium	pass
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces	medium	pass
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default	medium	pass
Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default	unknown	pass
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default	medium	pass
Configure Kernel Parameter for Accepting Secure Redirects By Default	medium	pass
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces	medium	pass
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces	unknown	pass
Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces	medium	pass
Network Parameters for Hosts Only
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces	medium	pass
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default	medium	pass
Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces	medium	pass
nftables 1x fail 1x notchecked
Install nftables Package	medium	pass
Verify nftables Service is Disabled	medium	fail
Ensure a Table Exists for Nftables	medium	notchecked
Uncommon Network Protocols
Disable TIPC Support	low	pass
Wireless Networking
Disable Wireless Through Software Configuration
Deactivate Wireless Network Interfaces	medium	notapplicable
File Permissions and Masks
Verify Permissions on Important Files and Directories
Verify Permissions on Files with Local Account Information and Credentials
Verify Group Who Owns Backup group File	medium	pass
Verify Group Who Owns Backup gshadow File	medium	pass
Verify Group Who Owns Backup passwd File	medium	pass
Verify User Who Owns Backup shadow File	medium	pass
Verify Group Who Owns group File	medium	pass
Verify Group Who Owns gshadow File	medium	pass
Verify Group Who Owns passwd File	medium	pass
Verify Group Who Owns shadow File	medium	pass
Verify User Who Owns Backup group File	medium	pass
Verify User Who Owns Backup gshadow File	medium	pass
Verify User Who Owns Backup passwd File	medium	pass
Verify Group Who Owns Backup shadow File	medium	pass
Verify User Who Owns group File	medium	pass
Verify User Who Owns gshadow File	medium	pass
Verify User Who Owns passwd File	medium	pass
Verify User Who Owns shadow File	medium	pass
Verify Permissions on Backup group File	medium	pass
Verify Permissions on Backup gshadow File	medium	pass
Verify Permissions on Backup passwd File	medium	pass
Verify Permissions on Backup shadow File	medium	pass
Verify Permissions on group File	medium	pass
Verify Permissions on gshadow File	medium	pass
Verify Permissions on passwd File	medium	pass
Verify Permissions on shadow File	medium	pass
Verify File Permissions Within Some Important Directories
Verify that audit tools are owned by group root	medium	pass
Verify that audit tools are owned by root	medium	pass
Verify that audit tools Have Mode 0755 or less	medium	pass
Verify that All World-Writable Directories Have Sticky Bits Set	medium	pass
Ensure No World-Writable Files Exist	medium	pass
Ensure All Files Are Owned by a Group	medium	pass
Ensure All Files Are Owned by a User	medium	pass
Restrict Dynamic Mounting and Unmounting of Filesystems
Disable Mounting of squashfs	low	pass
Disable Mounting of udf	low	pass
Disable Modprobe Loading of USB Storage Driver	medium	pass
Restrict Partition Mount Options
Add nodev Option to /dev/shm	medium	pass
Add noexec Option to /dev/shm	medium	pass
Add nosuid Option to /dev/shm	medium	pass
Add nodev Option to /home	unknown	pass
Add nosuid Option to /home	medium	pass
Add nodev Option to /tmp	medium	pass
Add noexec Option to /tmp	medium	pass
Add nosuid Option to /tmp	medium	pass
Add nodev Option to /var/log/audit	medium	pass
Add noexec Option to /var/log/audit	medium	pass
Add nosuid Option to /var/log/audit	medium	pass
Add nodev Option to /var/log	medium	pass
Add noexec Option to /var/log	medium	pass
Add nosuid Option to /var/log	medium	pass
Add nodev Option to /var	medium	pass
Add nosuid Option to /var	unknown	pass
Add nodev Option to /var/tmp	medium	pass
Add noexec Option to /var/tmp	medium	pass
Add nosuid Option to /var/tmp	medium	pass
Restrict Programs from Dangerous Execution Patterns
Disable Core Dumps
Disable core dump backtraces	medium	pass
Disable storing core dump	medium	pass
Enable ExecShield
Enable Randomized Layout of Virtual Address Space	medium	pass
SELinux
Install libselinux Package	high	pass
Uninstall mcstrans Package	low	pass
Uninstall setroubleshoot Package	low	pass
Ensure SELinux Not Disabled in /etc/default/grub	medium	pass
Ensure No Daemons are Unconfined by SELinux	medium	pass
Ensure SELinux is Not Disabled	high	pass
Configure SELinux Policy	medium	pass
Ensure SELinux State is Enforcing	high	pass
Services 4x fail
Avahi Server
Disable Avahi Server if Possible
Uninstall avahi Server Package	medium	pass
Cron and At Daemons
Restrict at and cron to Authorized Users if Necessary
Ensure that /etc/at.deny does not exist	medium	pass
Ensure that /etc/cron.deny does not exist	medium	pass
Verify Group Who Owns /etc/at.allow file	medium	pass
Verify Group Who Owns /etc/cron.allow file	medium	pass
Verify User Who Owns /etc/cron.allow file	medium	pass
Verify Permissions on /etc/at.allow file	medium	pass
Verify Permissions on /etc/cron.allow file	medium	pass
Enable cron Service	medium	pass
Verify Group Who Owns cron.d	medium	pass
Verify Group Who Owns cron.daily	medium	pass
Verify Group Who Owns cron.hourly	medium	pass
Verify Group Who Owns cron.monthly	medium	pass
Verify Group Who Owns cron.weekly	medium	pass
Verify Group Who Owns Crontab	medium	pass
Verify Owner on cron.d	medium	pass
Verify Owner on cron.daily	medium	pass
Verify Owner on cron.hourly	medium	pass
Verify Owner on cron.monthly	medium	pass
Verify Owner on cron.weekly	medium	pass
Verify Owner on crontab	medium	pass
Verify Permissions on cron.d	medium	pass
Verify Permissions on cron.daily	medium	pass
Verify Permissions on cron.hourly	medium	pass
Verify Permissions on cron.monthly	medium	pass
Verify Permissions on cron.weekly	medium	pass
Verify Permissions on crontab	medium	pass
DHCP
Disable DHCP Server
Uninstall DHCP Server Package	medium	pass
DNS Server
Disable DNS Server
Uninstall bind Package	low	pass
Uninstall dnsmasq Package	low	pass
FTP Server
Disable vsftpd if Possible
Uninstall vsftpd Package	high	pass
Remove ftp Package	low	pass
Web Server
Disable Apache if Possible
Uninstall httpd Package	unknown	pass
Disable NGINX if Possible
Uninstall nginx Package	unknown	pass
IMAP and POP3 Server
Disable Cyrus IMAP
Uninstall cyrus-imapd Package	unknown	pass
Disable Dovecot
Uninstall dovecot Package	unknown	pass
LDAP
Configure OpenLDAP Clients
Ensure LDAP client is not installed	low	pass
Mail Server Software
Configure SMTP For Mail Clients
Disable Postfix Network Listening	medium	notapplicable
Ensure Mail Transfer Agent is not Listening on any non-loopback Address	medium	pass
NFS and RPC 2x fail
Disable All NFS Services if Possible 1x fail
Disable Services Used Only by NFS 1x fail
Disable rpcbind Service	low	fail
Configure NFS Clients 1x fail
Disable NFS Server Daemons 1x fail
Disable Network File System (nfs)	unknown	fail
Network Time Protocol
Ensure that chronyd is running under chrony user account	medium	pass
A remote time server for Chrony is configured	medium	pass
Obsolete Services
Rlogin, Rsh, and Rexec
Remove Rsh Trust Files	high	pass
Telnet
Uninstall telnet-server Package	high	pass
Remove telnet Clients	low	pass
TFTP Server
Uninstall tftp-server Package	high	pass
Remove tftp Daemon	low	pass
Uninstall rsync Package	medium	pass
Print Support
Uninstall CUPS Package	unknown	pass
Proxy Server
Disable Squid if Possible
Uninstall squid Package	unknown	pass
Samba(SMB) Microsoft Windows File Sharing Server
Disable Samba if Possible
Uninstall Samba Package	unknown	pass
SNMP Server
Disable SNMP Server if Possible
Uninstall net-snmp Package	unknown	pass
SSH Server 2x fail
Configure OpenSSH Server if Necessary 2x fail
Set SSH Client Alive Count Max	medium	pass
Disable Host-Based Authentication	medium	pass
Disable SSH Access via Empty Passwords	high	pass
Disable SSH Support for .rhosts Files	medium	pass
Disable SSH Root Login	medium	fail
Disable SSH TCP Forwarding	medium	pass
Disable X11 Forwarding	medium	pass
Do Not Allow SSH Environment Options	medium	pass
Enable PAM	medium	pass
Enable SSH Warning Banner	medium	pass
Limit Users' SSH Access	unknown	fail
Ensure SSH LoginGraceTime is configured	medium	pass
Set SSH Daemon LogLevel to VERBOSE	medium	pass
Set SSH authentication attempt limit	medium	pass
Set SSH MaxSessions limit	medium	pass
Ensure SSH MaxStartups is configured	medium	pass
Verify Group Who Owns SSH Server config file	medium	pass
Verify Group Ownership on SSH Server Private *_key Key Files	medium	pass
Verify Group Ownership on SSH Server Public *.pub Key Files	medium	pass
Verify Owner on SSH Server config file	medium	pass
Verify Ownership on SSH Server Private *_key Key Files	medium	pass
Verify Ownership on SSH Server Public *.pub Key Files	medium	pass
Verify Permissions on SSH Server config file	medium	pass
Verify Permissions on SSH Server Private *_key Key Files	medium	pass
Verify Permissions on SSH Server Public *.pub Key Files	medium	pass
X Window System
Disable X Windows
Remove the X Windows Package Group	medium	pass

Result Details

Install AIDE

Rule ID	xccdf_org.ssgproject.content_rule_package_aide_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_aide_installed:def:1
Time	2024-03-08T16:34:42-05:00
Severity	medium
Identifiers and References	Identifiers: CCE-90843-4 References: BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1
Description	The `aide` package can be installed with the following command: $ sudo dnf install aide
Rationale	The AIDE package must be installed if it is to be available for integrity checking.

OVAL test results details

package aide is installed oval:ssg-test_package_aide_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
aide	x86_64	(none)	100.el9	0.16	0:0.16-100.el9	199e2f91fd431d51	aide-0:0.16-100.el9.x86_64

Build and Test AIDE Database

Rule ID	xccdf_org.ssgproject.content_rule_aide_build_database
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-aide_build_database:def:1
Time	2024-03-08T16:34:42-05:00
Severity	medium
Identifiers and References	Identifiers: CCE-83438-2 References: BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1
Description	Run the following command to generate a new database: $ sudo /usr/sbin/aide --init By default, the database will be written to the file `/var/lib/aide/aide.db.new.gz`. Storing the database, the configuration file `/etc/aide.conf`, and the binary `/usr/sbin/aide` (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows: $ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz To initiate a manual check, run the following command: $ sudo /usr/sbin/aide --check If this check produces any unexpected output, investigate.
Rationale	For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.

OVAL test results details

package aide is installed oval:ssg-test_package_aide_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
aide	x86_64	(none)	100.el9	0.16	0:0.16-100.el9	199e2f91fd431d51	aide-0:0.16-100.el9.x86_64

Testing existence of operational aide database file oval:ssg-test_aide_operational_database_absolute_path:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/var/lib/aide/aide.db.gz	regular	0	0	2383286	`rw-------`

Configure AIDE to Verify the Audit Tools

Rule ID	xccdf_org.ssgproject.content_rule_aide_check_audit_tools
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-aide_check_audit_tools:def:1
Time	2024-03-08T16:34:42-05:00
Severity	medium
Identifiers and References	Identifiers: CCE-87757-1 References: CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, 1.3.3
Description	The operating system file integrity tool must be configured to protect the integrity of the audit tools.
Rationale	Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit tools include but are not limited to vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. It is not uncommon for attackers to replace the audit tools or inject code into the existing tools to provide the capability to hide or erase system activity from the audit logs. To address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files.

OVAL test results details

package aide is installed oval:ssg-test_package_aide_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
aide	x86_64	(none)	100.el9	0.16	0:0.16-100.el9	199e2f91fd431d51	aide-0:0.16-100.el9.x86_64

auditctl is checked in /etc/aide.conf oval:ssg-test_aide_verify_auditctl:tst:1 true

Following items have been found on the system:

Path	Content
/etc/aide.conf	/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512

auditd is checked in /etc/aide.conf oval:ssg-test_aide_verify_auditd:tst:1 true

Following items have been found on the system:

Path	Content
/etc/aide.conf	/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512

ausearch is checked in /etc/aide.conf oval:ssg-test_aide_verify_ausearch:tst:1 true

Following items have been found on the system:

Path	Content
/etc/aide.conf	/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512

aureport is checked in /etc/aide.conf oval:ssg-test_aide_verify_aureport:tst:1 true

Following items have been found on the system:

Path	Content
/etc/aide.conf	/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512

autrace is checked in /etc/aide.conf oval:ssg-test_aide_verify_autrace:tst:1 true

Following items have been found on the system:

Path	Content
/etc/aide.conf	/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512

rsyslogd is checked in /etc/aide.conf oval:ssg-test_aide_verify_rsyslogd:tst:1 true

Following items have been found on the system:

Path	Content
/etc/aide.conf	/usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512

augenrules is checked in /etc/aide.conf oval:ssg-test_aide_verify_augenrules:tst:1 true

Following items have been found on the system:

Path	Content
/etc/aide.conf	/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512

Configure Periodic Execution of AIDE

Rule ID	xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-aide_periodic_cron_checking:def:1
Time	2024-03-08T16:34:42-05:00
Severity	medium
Identifiers and References	Identifiers: CCE-83437-4 References: BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2
Description	At a minimum, AIDE should be configured to run a weekly scan. To implement a daily execution of AIDE at 4:05am using cron, add the following line to `/etc/crontab`: 05 4 * * * root /usr/sbin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to `/etc/crontab`: 05 4 * * 0 root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example. The usage of cron's special time codes, such as `@daily` and `@weekly` is acceptable.
Rationale	By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.

OVAL test results details

package aide is installed oval:ssg-test_package_aide_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
aide	x86_64	(none)	100.el9	0.16	0:0.16-100.el9	199e2f91fd431d51	aide-0:0.16-100.el9.x86_64

run aide with cron oval:ssg-test_aide_periodic_cron_checking:tst:1 true

Following items have been found on the system:

Path	Content
/etc/crontab	05 4 * * * root /usr/sbin/aide --check

run aide with cron oval:ssg-test_aide_crond_checking:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_test_aide_crond_checking:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/cron.d	^.*$	^(([0-9][\s][0-9][\s]\[\s]\[\s](\\|([0-7]\|mon\|tue\|wed\|thu\|fri\|sat\|sun)\|[0-7]-[0-7]))\|@(hourly\|daily\|weekly))[\s]root[\s]\/usr\/sbin\/aide[\s]\-\-check.*$	1

run aide with cron oval:ssg-test_aide_var_cron_checking:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_aide_var_cron_checking:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/var/spool/cron/root	^(([0-9][\s][0-9][\s]\[\s]\[\s](\\|([0-7]\|mon\|tue\|wed\|thu\|fri\|sat\|sun)\|[0-7]-[0-7]))\|@(hourly\|daily\|weekly))[\s](root)?[\s]\/usr\/sbin\/aide[\s]\-\-check.*$	1

run aide with cron.(daily|weekly) oval:ssg-test_aide_crontabs_checking:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_aide_crontabs_checking:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
^/etc/cron.(daily\|weekly)$	^.*$	^[^#]\/usr\/sbin\/aide\s+\-\-check\s$	1

Configure System Cryptography Policy

Rule ID	xccdf_org.ssgproject.content_rule_configure_crypto_policy
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-configure_crypto_policy:def:1
Time	2024-03-08T16:34:42-05:00
Severity	high
Identifiers and References	Identifiers: CCE-83450-7 References: A.5.SEC-RHEL4, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10
Description	To configure the system cryptography policy to use ciphers only from the `DEFAULT` policy, run the following command: $ sudo update-crypto-policies --set DEFAULT The rule checks if settings for selected crypto policy are configured as expected. Configuration files in the `/etc/crypto-policies/back-ends` are either symlinks to correct files provided by Crypto-policies package or they are regular files in case crypto policy customizations are applied. Crypto policies may be customized by crypto policy modules, in which case it is delimited from the base policy using a colon.
Rationale	Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data.
Warnings	warning The system needs to be rebooted for these changes to take effect. warning System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.

OVAL test results details

check for crypto policy correctly configured in /etc/crypto-policies/config oval:ssg-test_configure_crypto_policy:tst:1 true

Following items have been found on the system:

Path	Content
/etc/crypto-policies/config	DEFAULT

check for crypto policy correctly configured in /etc/crypto-policies/state/current oval:ssg-test_configure_crypto_policy_current:tst:1 true

Following items have been found on the system:

Path	Content
/etc/crypto-policies/state/current	DEFAULT

Check if update-crypto-policies has been run oval:ssg-test_crypto_policies_updated:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-variable_crypto_policies_config_file_timestamp:var:1	1709801564

Check if /etc/crypto-policies/back-ends/nss.config exists oval:ssg-test_crypto_policy_nss_config:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/etc/crypto-policies/back-ends/nss.config	symbolic link	0	0	42	`rwxrwxrwx`

Configure SSH to use System Crypto Policy

Rule ID	xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-configure_ssh_crypto_policy:def:1
Time	2024-03-08T16:34:42-05:00
Severity	medium
Identifiers and References	Identifiers: CCE-83445-7 References: A.5.SEC-RHEL6, A.11.SEC-RHEL6, CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, 2.2, SRG-OS-000250-GPOS-00093, 5.2.14
Description	Crypto Policies provide a centralized control over crypto algorithms usage of many packages. SSH is supported by crypto policy, but the SSH configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that the `CRYPTO_POLICY` variable is either commented or not set at all in the `/etc/sysconfig/sshd`.
Rationale	Overriding the system crypto policy makes the behavior of the SSH service violate expectations, and makes system configuration more fragmented.

OVAL test results details

Check that the SSH configuration mandates usage of system-wide crypto policies. oval:ssg-test_configure_ssh_crypto_policy:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_configure_ssh_crypto_policy:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysconfig/sshd	^\s(?i)CRYPTO_POLICY\s=.*$	1

Ensure /dev/shm is configured

Rule ID	xccdf_org.ssgproject.content_rule_partition_for_dev_shm
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-partition_for_dev_shm:def:1
Time	2024-03-08T16:34:42-05:00
Severity	low
Identifiers and References	Identifiers: CCE-86283-9 References: 1.1.8.1
Description	The `/dev/shm` is a traditional shared memory concept. One program will create a memory portion, which other processes (if permitted) can access. If `/dev/shm` is not configured, tmpfs will be mounted to /dev/shm by systemd.
Rationale	Any user can upload and execute files inside the `/dev/shm` similar to the `/tmp` partition. Configuring `/dev/shm` allows an administrator to set the noexec option on the mount, making /dev/shm useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.

OVAL test results details

/dev/shm on own partition oval:ssg-testdev_shm_partition:tst:1 true

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/dev/shm	tmpfs		tmpfs	rw	seclabel	nosuid	nodev	noexec	inode64	450753	0	450753

Ensure /home Located On Separate Partition

Rule ID	xccdf_org.ssgproject.content_rule_partition_for_home
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-partition_for_home:def:1
Time	2024-03-08T16:34:42-05:00
Severity	low
Identifiers and References	Identifiers: CCE-83468-9 References: BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, 1.1.7.1
Description	If user home directories will be stored locally, create a separate partition for `/home` at installation time (or migrate it later using LVM). If `/home` will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.
Rationale	Ensuring that `/home` is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.

OVAL test results details

/home on own partition oval:ssg-testhome_partition:tst:1 true

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/home	/dev/mapper/rootvg-homelv	b0d67ecb-7668-482f-8df5-5f82c446a486	xfs	rw	seclabel	nosuid	nodev	relatime	attr2	inode64	logbufs=8	logbsize=32k	noquota	bind	245760	9989	235771

Ensure /tmp Located On Separate Partition

Rule ID	xccdf_org.ssgproject.content_rule_partition_for_tmp
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-partition_for_tmp:def:1
Time	2024-03-08T16:34:42-05:00
Severity	low
Identifiers and References	Identifiers: CCE-90845-9 References: BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, 1.1.2.1
Description	The `/tmp` directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.
Rationale	The `/tmp` partition is used as temporary storage by many programs. Placing `/tmp` in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.

OVAL test results details

/tmp on own partition oval:ssg-testtmp_partition:tst:1 true

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/tmp	/dev/mapper/rootvg-tmplv	9005a527-1e18-4ac1-9a7c-acc64406fe43	xfs	rw	seclabel	nosuid	nodev	noexec	relatime	attr2	inode64	logbufs=8	logbsize=32k	noquota	bind	245760	10002	235758

Ensure /var Located On Separate Partition

Rule ID	xccdf_org.ssgproject.content_rule_partition_for_var
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-partition_for_var:def:1
Time	2024-03