################################################################################
DOCUMENT         : Oracle_Linux_8_STIG
VERSION          : 002.005.013
CHECKSUM         : 80019d6162791c1847f22e19b0e1417018c7b6bee1a537a0dbe224499e76ad74
MANUAL QUESTIONS : 62

IMPORTANT: Make sure to save the completed version of this file to: 
<SCC Install>/Resources/Content/Manual_Questions/Completed_Files

This file contains all of the non-automated STIG requirements found in the STIG.
Results from this file will be combined with automated checks in SCC to provide
complete STIG compliance results.

This file will be programmatically imported, so do not modify anything in this file
except for placing an '[X]' to select a Single answer, and entering text comments.

The list of questions is printed in order of severity, listing CAT I (High), then CAT II, etc.

################################################################################

QUESTION         : 1 of 62
TITLE            : CAT I, V-248525, SV-248525r1016496, SRG-OS-000185-GPOS-00079
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:1101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:1101
RULE             : All OL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection.
QUESTION_TEXT    : Verify OL 8 prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption. 
 
If there is a documented and approved reason for not having data-at-rest encryption at the operating system level, such as encryption provided by a hypervisor or a disk storage array in a virtualized environment, this requirement is not applicable.
  
Verify all system partitions are encrypted with the following command: 
 
     $ sudo blkid

     /dev/mapper/ol-root:  UUID="67b7d7fe-de60-6fd0-befb-e6748cf97743" TYPE="crypto_LUKS"
 
Every persistent disk partition present must be of type "crypto_LUKS".
 
If any partitions other than the boot partition or pseudo file systems (such as "/proc" or "/sys") are not listed, ask the administrator to indicate how the partitions are encrypted. If there is no evidence that these partitions are encrypted, this is a finding.

References:
CCI-001199
CCI-002475
CCI-002476
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 1 *******************************

QUESTION         : 2 of 62
TITLE            : CAT II, V-248523, SV-248523r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:701
RULE             : OL 8 vendor-packaged system security patches and updates must be installed and up to date.
QUESTION_TEXT    : Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO). 
 
Obtain the list of available package security updates from Oracle. The URL for updates is https://linux.oracle.com/errata/. It is important to note that updates provided by Oracle may not be present on the system if the underlying packages are not installed. 
 
Check that the available package security updates have been installed on the system with the following command: 
 
$ sudo yum history list | more 
 
Loaded plugins: langpacks, product-id, subscription-manager 
ID | Command line | Date and time | Action(s) | Altered 
------------------------------------------------------------------------------- 
70 | install aide | 2020-03-05 10:58 | Install | 1 
69 | update -y | 2020-03-04 14:34 | Update | 18 EE 
68 | install vlc | 2020-02-21 17:12 | Install | 21 
67 | update -y | 2020-02-21 17:04 | Update | 7 EE 
 
If package updates have not been performed on the system within the timeframe that the site/program documentation requires, this is a finding. 
 
Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM. 
 
If the operating system is not in compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 2 *******************************

QUESTION         : 3 of 62
TITLE            : CAT II, V-248526, SV-248526r958390, SRG-OS-000023-GPOS-00006
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:1301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:1301
RULE             : OL 8 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via an SSH logon.
QUESTION_TEXT    : Verify that any publicly accessible connection to the operating system displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the system.

Check for the location of the banner file being used with the following command:

$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*banner'

banner /etc/issue

This command will return the banner keyword and the name of the file that contains the SSH banner (in this case "/etc/issue").

If the line is commented out, this is a finding.

If conflicting results are returned, this is a finding.

View the file specified by the banner keyword to check that it matches the text of the Standard Mandatory DOD Notice and Consent Banner:

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

If the system does not display a graphical logon banner or the banner does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding.

If the text in the file does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding.

References:
CCI-000048
CCI-001384
CCI-001385
CCI-001386
CCI-001387
CCI-001388
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 3 *******************************

QUESTION         : 4 of 62
TITLE            : CAT II, V-248531, SV-248531r1015027, SRG-OS-000066-GPOS-00034
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:2301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:2301
RULE             : OL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
QUESTION_TEXT    : Verify OL 8, for PKI-based authentication, has valid certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

Note: If the system administrator (SA) demonstrates the use of an approved alternate multifactor authentication method, this requirement is Not Applicable.

Check that the system has a valid DOD root CA installed with the following command:

$ sudo openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3
Validity
Not Before: Mar 20 18:46:41 2012 GMT
Not After : Dec 30 18:46:41 2029 GMT
Subject: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3
Subject Public Key Info:
Public Key Algorithm: rsaEncryption

If the root CA file is not a DOD-issued certificate with a valid date installed in the "/etc/sssd/pki/sssd_auth_ca_db.pem" location, this is a finding.

References:
CCI-000185
CCI-004068
CCI-001991
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 4 *******************************

QUESTION         : 5 of 62
TITLE            : CAT II, V-248532, SV-248532r958450, SRG-OS-000067-GPOS-00035
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:2501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:2501
RULE             : OL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key.
QUESTION_TEXT    : Verify the SSH private key files have a passcode. 
 
For each private key stored on the system, use the following command: 
 
$ sudo ssh-keygen -y -f /path/to/file 
 
If the contents of the key are displayed, this is a finding.

References:
CCI-000186
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 5 *******************************

QUESTION         : 6 of 62
TITLE            : CAT II, V-248538, SV-248538r958472, SRG-OS-000080-GPOS-00048
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:3501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:3501
RULE             : OL 8 operating systems booted with Unified Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance.
QUESTION_TEXT    : For systems that use BIOS, this is Not Applicable.

Verify that a unique name is set as the "superusers" account:

$ sudo grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg
set superusers="[someuniqueUserNamehere]"
export superusers

If "superusers" is identical to any OS account name or is missing a name, this is a finding.

References:
CCI-000213
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 6 *******************************

QUESTION         : 7 of 62
TITLE            : CAT II, V-248539, SV-248539r958472, SRG-OS-000080-GPOS-00048
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:3701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:3701
RULE             : OL 8 operating systems booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes.
QUESTION_TEXT    : For systems that use UEFI, this is Not Applicable.

Verify that a unique name is set as the "superusers" account:

$ sudo grep -iw "superusers" /boot/grub2/grub.cfg
set superusers="[someuniqueUserNamehere]"
export superusers

If "superusers" is identical to any OS account name or is missing a name, this is a finding.
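Questions 6 and 7 differ only in the path to grub.cfg, so the "unique name" test can be scripted once. The following POSIX shell script is an added example, not part of the STIG or of the SCC tool: it extracts the superusers name from a grub.cfg-style file and compares it against the account names in a passwd-style file. The grub.cfg and passwd paths are parameters, and the account names and config contents below are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the STIG or SCC): extract the grub "superusers"
# name and confirm it is present and does not collide with any OS account.
# Both paths are parameters so the check can be pointed at
# /boot/efi/EFI/redhat/grub.cfg (UEFI) or /boot/grub2/grub.cfg (BIOS)
# and /etc/passwd on a real host.

# Print the value of the first 'set superusers=...' line with surrounding
# quotes removed; prints nothing if the line is absent.
grub_superusers_name() {
    grep -i '^[[:space:]]*set[[:space:]]\{1,\}superusers=' "$1" \
        | head -n 1 \
        | sed "s/^[^=]*=//; s/[\"']//g; s/[[:space:]]*\$//"
}

# Return 0 when a non-empty name is set and no passwd account has that name;
# return 1 (a finding under V-248538 / V-248539) otherwise.
check_grub_superusers() {
    grubcfg=$1
    passwd=$2
    name=$(grub_superusers_name "$grubcfg")
    if [ -z "$name" ]; then
        echo "FINDING: superusers is missing or has an empty name in $grubcfg"
        return 1
    fi
    if cut -d: -f1 "$passwd" | grep -qxF -- "$name"; then
        echo "FINDING: superusers '$name' is identical to an OS account name"
        return 1
    fi
    echo "OK: superusers '$name' is set and unique"
    return 0
}

# Constructed sample inputs (not captured from a real host).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
smithj:x:1001:1001::/home/smithj:/bin/bash
bootadmin:x:1002:1002::/home/bootadmin:/bin/bash
EOF
printf 'set superusers="grubroot"\nexport superusers\n' > "$demo_dir/good.cfg"
printf 'set superusers="bootadmin"\nexport superusers\n' > "$demo_dir/collide.cfg"
printf 'set superusers=""\nexport superusers\n' > "$demo_dir/empty.cfg"

for cfg in good collide empty; do
    check_grub_superusers "$demo_dir/$cfg.cfg" "$demo_dir/passwd" || :
done
```

The comparison is exact and case-sensitive, matching the check text's "identical to any OS account name"; an empty name and a missing line are both reported as findings.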

References:
CCI-000213
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 7 *******************************

QUESTION         : 8 of 62
TITLE            : CAT II, V-248561, SV-248561r958510, SRG-OS-000125-GPOS-00065
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:7901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:7901
RULE             : The OL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms.
QUESTION_TEXT    : Verify the SSH server is configured to use only MACs employing FIPS 140-2-approved algorithms with the following command:

     $ sudo grep -i macs /etc/crypto-policies/back-ends/opensshserver.config

     -oMACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

If the MACs entries in the "opensshserver.config" file have any hashes other than shown here, the order differs from the example above, or they are missing or commented out, this is a finding.

References:
CCI-000877
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 8 *******************************

QUESTION         : 9 of 62
TITLE            : CAT II, V-248562, SV-248562r958510, SRG-OS-000125-GPOS-00065
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:8101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:8101
RULE             : The OL 8 SSH server must be configured to use only ciphers employing FIPS 140-2 validated cryptographic algorithms.
QUESTION_TEXT    : Verify the OL 8 SSH server is configured to use only ciphers employing FIPS 140-2 approved algorithms with the following command: 
  
     $ sudo grep -i ciphers /etc/crypto-policies/back-ends/opensshserver.config 
 
     CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com'
 
If the cipher entries in the "opensshserver.config" file have any ciphers other than shown here, the order differs from the example above, or they are missing or commented out, this is a finding.
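Questions 8 and 9 both require an exact, order-sensitive match against a fixed list, which is easy to get wrong by eye. The following POSIX shell script is an added example, not part of the STIG or of the SCC tool: it pulls the -oMACs= and -oCiphers= values out of an opensshserver.config-style file, ignoring commented lines, and compares each to the approved list quoted in the check text. The file path is a parameter; the sample file contents are constructed.

```shell
#!/bin/sh
# Added example (not from the STIG or SCC): compare the MACs and Ciphers
# lists in an opensshserver.config-style file against the approved lists.
# The comparison is exact and order-sensitive, as the check text requires.
# On a real host the file is /etc/crypto-policies/back-ends/opensshserver.config.

EXPECTED_MACS='hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com'
EXPECTED_CIPHERS='aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com'

# Print the comma-separated value of -o<option>= (case-insensitive) from the
# first uncommented line that carries it; prints nothing if it is absent.
ssh_policy_list() {
    file=$1
    opt=$2
    grep -v '^[[:space:]]*#' "$file" \
        | grep -io -e "-o$opt=[^ '\"]*" \
        | head -n 1 \
        | sed 's/^[^=]*=//'
}

# Return 0 when the option's list equals the expected list exactly; return 1
# (a finding) when it is missing, reordered, or carries other entries.
check_ssh_policy() {
    file=$1
    opt=$2
    expected=$3
    actual=$(ssh_policy_list "$file" "$opt")
    if [ -z "$actual" ]; then
        echo "FINDING: $opt is missing or commented out in $file"
        return 1
    fi
    if [ "$actual" != "$expected" ]; then
        echo "FINDING: $opt list differs from the approved list (order matters)"
        echo "  expected: $expected"
        echo "  actual:   $actual"
        return 1
    fi
    echo "OK: $opt matches the approved list"
    return 0
}

# Constructed sample files (not captured from a real host).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/compliant.config" <<EOF
CRYPTO_POLICY='-oCiphers=$EXPECTED_CIPHERS -oMACs=$EXPECTED_MACS'
EOF
# Drifted: MACs reordered with a weaker hash appended; Ciphers commented out.
cat > "$demo_dir/drifted.config" <<'EOF'
CRYPTO_POLICY='-oMACs=hmac-sha2-256,hmac-sha2-512,hmac-sha1'
#CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com'
EOF

for f in compliant drifted; do
    check_ssh_policy "$demo_dir/$f.config" MACs "$EXPECTED_MACS" || :
    check_ssh_policy "$demo_dir/$f.config" Ciphers "$EXPECTED_CIPHERS" || :
done
```

Because the value is cut at the first space or quote, the script works whether the options sit on one CRYPTO_POLICY line (as in Question 9's output) or on separate lines (as in Question 8's).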

References:
CCI-000877
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 9 *******************************

QUESTION         : 10 of 62
TITLE            : CAT II, V-248564, SV-248564r1069146, SRG-OS-000250-GPOS-00093
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:8501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:8501
RULE             : The OL 8 operating system must implement DoD-approved encryption in the OpenSSL package.
QUESTION_TEXT    : Verify the OpenSSL library is configured to use only ciphers employing FIPS 140-2-approved algorithms:

Verify that systemwide crypto policies are in effect:

$ sudo grep -i opensslcnf.config /etc/pki/tls/openssl.cnf

.include /etc/crypto-policies/back-ends/opensslcnf.config

If the "opensslcnf.config" is not defined in the "/etc/pki/tls/openssl.cnf" file, this is a finding.

Verify which systemwide crypto policy is in use:

$ sudo fips-mode-setup --check

FIPS mode is enabled.

If the systemwide crypto policy is set to anything other than "FIPS", this is a finding.

References:
CCI-001453
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 10 *******************************

QUESTION         : 11 of 62
TITLE            : CAT II, V-248566, SV-248566r991554, SRG-OS-000250-GPOS-00093
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:8901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:8901
RULE             : The OL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package.
QUESTION_TEXT    : Verify the GnuTLS library is configured to only allow DoD-approved SSL/TLS versions: 
 
$ sudo grep -io '+vers.*' /etc/crypto-policies/back-ends/gnutls.config 
 
+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM 
 
If the "gnutls.config" does not list "-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0" to disable unapproved SSL/TLS versions, this is a finding.

References:
CCI-001453
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 11 *******************************

QUESTION         : 12 of 62
TITLE            : CAT II, V-248573, SV-248573r1069152, SRG-OS-000363-GPOS-00150
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:10301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:10301
RULE             : The OL 8 file integrity tool must notify the system administrator (SA) when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency.
QUESTION_TEXT    : Verify the operating system routinely checks the baseline configuration for unauthorized changes and notifies the SA when anomalies in the operation of any security functions are discovered.

Check that OL 8 routinely executes a file integrity scan for changes to the system baseline. The commands in the example assume a daily schedule.

Check the cron directories for scripts controlling the execution and notification of results of the file integrity application. For example, if AIDE is installed on the system, use the following commands:

To search for an aide script:

$ sudo ls -al /etc/cron.* | grep aide
-rwxr-xr-x 1 root root 29 Nov 22 2015 aide

To search for scheduled cron jobs:

$ sudo grep -r aide /etc/cron*
/etc/cron.d/aide:0 0 * * * root /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil

Check the contents of script files:

$ sudo more /etc/cron.d/aide
#!/bin/bash
/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil

If the file integrity application does not exist, a script file controlling the execution of the file integrity application does not exist, or the file integrity application does not notify designated personnel of changes, this is a finding.

References:
CCI-001744
CCI-002699
CCI-002702
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 12 *******************************

QUESTION         : 13 of 62
TITLE            : CAT II, V-248576, SV-248576r1015033, SRG-OS-000366-GPOS-00153
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:10901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:10901
RULE             : OL 8 must prevent the loading of a new kernel for later execution.
QUESTION_TEXT    : Note: For OL 8 systems using the Oracle Unbreakable Enterprise Kernel (UEK) Release 6 or above and with secureboot enabled, this requirement is Not Applicable.

Verify the operating system is configured to disable kernel image loading with the following commands.

Check the status of the "kernel.kexec_load_disabled" kernel parameter:

$ sudo sysctl kernel.kexec_load_disabled

kernel.kexec_load_disabled = 1

If "kernel.kexec_load_disabled" is not set to "1" or is missing, this is a finding.

Check that the configuration files are present to enable this kernel parameter:

$ sudo grep -r kernel.kexec_load_disabled /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf

/etc/sysctl.d/99-sysctl.conf:kernel.kexec_load_disabled = 1

If "kernel.kexec_load_disabled" is not set to "1" or is missing or commented out, this is a finding.

If conflicting results are returned, this is a finding.
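The second half of this check reads six configuration locations and must catch a commented-out setting as well as two files that disagree. The following POSIX shell script is an added example, not part of the STIG or of the SCC tool: it scans a set of sysctl drop-in files for one key and reports missing, wrong, or conflicting values. The directories and file contents are constructed; on a real host the arguments would be the globs listed in the check text, and the running value would still be read with the page's "sysctl" command.

```shell
#!/bin/sh
# Added example (not from the STIG or SCC): scan sysctl configuration files
# for one key and report whether it is missing, commented out, set to an
# unexpected value, or set to conflicting values in different files.

# Print "<file><TAB><value>" for every uncommented assignment of KEY in the
# given files. sysctl.d(5) treats lines starting with '#' or ';' as comments
# and allows '/' in place of '.' in key names, so both forms are handled.
sysctl_key_values() {
    key=$1
    shift
    for f in "$@"; do
        [ -f "$f" ] || continue
        awk -v key="$key" -v file="$f" '
            /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
            {
                eq = index($0, "=")
                if (eq == 0) next
                k = substr($0, 1, eq - 1)
                v = substr($0, eq + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                gsub(/\//, ".", k)
                if (k == key) printf "%s\t%s\n", file, v
            }' "$f"
    done
}

# Return 0 when KEY is set to WANT in at least one file and to nothing else
# anywhere; return 1 (a finding) when it is absent, differs, or conflicts.
check_sysctl_value() {
    key=$1
    want=$2
    shift 2
    found=$(sysctl_key_values "$key" "$@")
    if [ -z "$found" ]; then
        echo "FINDING: $key is missing or commented out in every config file"
        return 1
    fi
    printf '%s\n' "$found"
    distinct=$(printf '%s\n' "$found" | cut -f2 | sort -u | wc -l | tr -d ' ')
    if [ "$distinct" -gt 1 ]; then
        echo "FINDING: conflicting values for $key across config files"
        return 1
    fi
    value=$(printf '%s\n' "$found" | head -n 1 | cut -f2)
    if [ "$value" != "$want" ]; then
        echo "FINDING: $key = $value (expected $want)"
        return 1
    fi
    echo "OK: $key = $want in every file that sets it"
    return 0
}

# Constructed sample drop-in directories (not captured from a real host).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/good" "$demo_dir/conflict"
printf '# vendor default, left commented out\n#kernel.kexec_load_disabled = 0\n' \
    > "$demo_dir/good/10-default.conf"
printf 'kernel.kexec_load_disabled = 1\n' > "$demo_dir/good/99-sysctl.conf"
cp "$demo_dir/good/"*.conf "$demo_dir/conflict/"
# A later drop-in that re-enables kexec, written with the '/' key syntax.
printf 'kernel/kexec_load_disabled = 0\n' > "$demo_dir/conflict/50-local.conf"

check_sysctl_value kernel.kexec_load_disabled 1 "$demo_dir"/good/*.conf || :
check_sysctl_value kernel.kexec_load_disabled 1 "$demo_dir"/conflict/*.conf || :
```

The script deliberately does not apply sysctl's file-ordering precedence: the check text treats any conflicting result as a finding, so every file that sets the key is listed and any disagreement fails the check.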

References:
CCI-003992
CCI-001749
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 13 *******************************

QUESTION         : 14 of 62
TITLE            : CAT II, V-248587, SV-248587r1015038, SRG-OS-000375-GPOS-00160
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:13101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:13101
RULE             : OL 8 must implement certificate status checking for multifactor authentication.
QUESTION_TEXT    : Verify the operating system implements certificate status checking for multifactor authentication.

Note: If the system administrator (SA) demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable.

Determine if Online Certificate Status Protocol (OCSP) is enabled and using the proper digest value on the system with the following command:

$ sudo grep certificate_verification /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf | grep -v "^#"

certificate_verification = ocsp_dgst=sha1

If the certificate_verification line is missing from the [sssd] section, or is missing "ocsp_dgst=sha1", ask the administrator to indicate what type of multifactor authentication is being used and how the system implements certificate status checking. If there is no evidence of certificate status checking being used, this is a finding.

References:
CCI-004046
CCI-001954
CCI-004047
CCI-001948
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 14 *******************************

QUESTION         : 15 of 62
TITLE            : CAT II, V-248588, SV-248588r958816, SRG-OS-000376-GPOS-00161
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:13301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:13301
RULE             : OL 8 must accept Personal Identity Verification (PIV) credentials.
QUESTION_TEXT    : Verify OL 8 accepts PIV credentials. 
 
Check that the "opensc" package is installed on the system with the following command: 
 
$ sudo yum list installed opensc 
 
opensc.x86_64     0.19.0-5.el8     @anaconda 
 
Check that "opensc" accepts PIV cards with the following command: 
 
$ sudo opensc-tool --list-drivers | grep -i piv 
 
  PIV-II     Personal Identity Verification Card 
 
If the "opensc" package is not installed and the "opensc-tool" driver list does not include "PIV-II", this is a finding.

References:
CCI-001953
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 15 *******************************

QUESTION         : 16 of 62
TITLE            : CAT II, V-248593, SV-248593r1069159, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:14301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:14301
RULE             : OL 8 must not let Meltdown and Spectre exploit critical vulnerabilities in modern processors.
QUESTION_TEXT    : Verify OL 8 is configured to enable mitigations with the following command:

$ grubby --info=/boot/vmlinuz-$(uname -r) | grep mitigations

If the "mitigations" parameter is set to "off" (mitigations=off), this is a finding.

Note: The default behavior of the kernel is to enable mitigations for vulnerabilities like Meltdown and Spectre based on hardware and system requirements. Therefore, if the "mitigations" parameter is not present or is set to "on", this is not a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 16 *******************************

QUESTION         : 17 of 62
TITLE            : CAT II, V-248620, SV-248620r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:19301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:19301
RULE             : OL 8 file systems that contain user home directories must not execute binary files.
QUESTION_TEXT    : Verify that file systems containing user home directories are mounted with the "noexec" option.
 
Find the file system(s) that contain the user home directories with the following command: 
 
$ sudo awk -F: '($3>=1000)&&($1!="nobody"){print $1,$3,$6}' /etc/passwd 
 
smithj 1001 /home/smithj 
robinst 1002 /home/robinst 
 
Check the file systems that are mounted at boot time with the following command: 
 
$ sudo more /etc/fstab 
 
UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home ext4 rw,relatime,discard,data=ordered,nosuid,nodev,noexec 0 2 
 
If a file system found in "/etc/fstab" refers to the user home directory file system and it does not have the "noexec" option set, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 17 *******************************

QUESTION         : 18 of 62
TITLE            : CAT II, V-248621, SV-248621r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:19501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:19501
RULE             : OL 8 file systems must not interpret character or block special devices from untrusted file systems.
QUESTION_TEXT    : Verify that file systems used for removable media are mounted with the "nodev" option with the following command: 
 
$ sudo more /etc/fstab 
 
UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0 
 
If a file system found in "/etc/fstab" refers to removable media and it does not have the "nodev" option set, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 18 *******************************

QUESTION         : 19 of 62
TITLE            : CAT II, V-248622, SV-248622r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:19701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:19701
RULE             : OL 8 file systems must not execute binary files on removable media.
QUESTION_TEXT    : Verify that file systems used for removable media are mounted with the "noexec" option with the following command: 
 
$ sudo more /etc/fstab 
 
UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0 
 
If a file system found in "/etc/fstab" refers to removable media and it does not have the "noexec" option set, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 19 *******************************

QUESTION         : 20 of 62
TITLE            : CAT II, V-248623, SV-248623r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:19901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:19901
RULE             : OL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
QUESTION_TEXT    : Verify that file systems used for removable media are mounted with the "nosuid" option with the following command: 
 
$ sudo more /etc/fstab 
 
UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0 
 
If a file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set, this is a finding.
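Questions 17 through 20 all come down to reading the options field of an fstab entry, with the extra step in Question 17 of mapping each user's home directory to the entry that covers it. The following POSIX shell script is an added example, not part of the STIG or of the SCC tool: it resolves home directories from a passwd-style file to their fstab entries and checks required options on both home and removable-media mounts. Which mount points hold removable media is a reviewer judgment, so those are passed in explicitly; the passwd and fstab contents are constructed.

```shell
#!/bin/sh
# Added example (not from the STIG or SCC): check mount options recorded in
# an fstab-style file for home directories (Question 17: "noexec") and for
# removable media (Questions 18-20: "nodev", "noexec", "nosuid"). On a real
# host the inputs would be /etc/passwd and /etc/fstab.

# Print the options field of the entry whose mount point is the longest
# prefix of PATH (so /home/smithj resolves to the /home entry, or to / when
# nothing closer is listed). Prints nothing if no entry covers the path.
fstab_options_for_path() {
    awk -v p="$2" '
        /^[[:space:]]*#/ || NF < 4 { next }
        {
            mp = $2
            if (mp == p || mp == "/" || index(p, mp "/") == 1) {
                if (length(mp) > best_len) { best_len = length(mp); best = $4 }
            }
        }
        END { if (best != "") print best }' "$1"
}

# Print the options field of the entry mounted exactly at MOUNTPOINT.
fstab_options_for_mount() {
    awk -v mp="$2" '/^[[:space:]]*#/ || NF < 4 { next } $2 == mp { print $4; exit }' "$1"
}

# Return 0 when every required option appears in the comma-separated OPTS.
has_mount_options() {
    opts=$1
    shift
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Question 17: every local user home (UID >= 1000, not "nobody") must sit on
# a file system whose fstab entry carries all of the given options.
check_home_mount_options() {
    passwd=$1
    fstab=$2
    shift 2
    rc=0
    while read -r user home; do
        [ -n "$home" ] || continue
        opts=$(fstab_options_for_path "$fstab" "$home")
        if [ -z "$opts" ]; then
            echo "FINDING: no fstab entry covers $home ($user)"
            rc=1
        elif has_mount_options "$opts" "$@"; then
            echo "OK: $home ($user) has $*: $opts"
        else
            echo "FINDING: $home ($user) lacks one of $*: $opts"
            rc=1
        fi
    done <<EOF
$(awk -F: '($3>=1000)&&($1!="nobody"){print $1, $6}' "$passwd")
EOF
    return $rc
}

# Questions 18-20: a removable-media mount point must carry all given options.
check_mount_point_options() {
    fstab=$1
    mp=$2
    shift 2
    opts=$(fstab_options_for_mount "$fstab" "$mp")
    if [ -z "$opts" ]; then
        echo "FINDING: no fstab entry for $mp"
        return 1
    fi
    if has_mount_options "$opts" "$@"; then
        echo "OK: $mp has $*: $opts"
        return 0
    fi
    echo "FINDING: $mp lacks one of $*: $opts"
    return 1
}

# Constructed sample files (not captured from a real host). The usbflash entry
# omits "noexec", and the svc account's home sits on the root file system.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/fstab" <<'EOF'
# <device> <mount point> <type> <options> <dump> <pass>
/dev/mapper/ol-root / xfs defaults 0 0
UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home ext4 rw,relatime,discard,data=ordered,nosuid,nodev,noexec 0 2
UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev 0 0
EOF
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
smithj:x:1001:1001::/home/smithj:/bin/bash
robinst:x:1002:1002::/home/robinst:/bin/bash
svc:x:1003:1003::/srv/svc:/bin/bash
EOF

check_home_mount_options "$demo_dir/passwd" "$demo_dir/fstab" noexec || :
check_mount_point_options "$demo_dir/fstab" /mnt/usbflash nodev noexec nosuid || :
```

The longest-prefix lookup matters for Question 17: a home directory that is not on a dedicated /home file system inherits the options of whatever parent entry covers it, which is usually the root file system mounted with plain "defaults", and that is exactly the case the check wants surfaced.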

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 20 *******************************

QUESTION         : 21 of 62
TITLE            : CAT II, V-248627, SV-248627r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:20701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:20701
RULE             : Local OL 8 initialization files must not execute world-writable programs.
QUESTION_TEXT    : Verify that local initialization files do not execute world-writable programs. 
 
Check the system for world-writable files. 
 
The following command will discover and print world-writable files. Run it once for each local partition [PART]: 
 
$ sudo find [PART] -xdev -type f -perm -0002 -print 
 
For all files listed, check for their presence in the local initialization files with the following commands: 
 
Note: The example will be for a system that is configured to create users' home directories in the "/home" directory. 
 
$ sudo grep <file> /home/*/.* 
 
If any local initialization files are found to reference world-writable files, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 21 *******************************

QUESTION         : 22 of 62
TITLE            : CAT II, V-248628, SV-248628r991562, SRG-OS-000269-GPOS-00103
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:20901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:20901
RULE             : OL 8 must disable kernel dumps unless needed.
QUESTION_TEXT    : Verify that kernel core dumps are disabled unless needed with the following command:

$ sudo systemctl status kdump.service

kdump.service - Crash recovery kernel arming
Loaded: loaded (/usr/lib/systemd/system/kdump.service; disabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Mon 2020-05-04 16:08:09 EDT; 3min ago
Main PID: 1130 (code=exited, status=0/FAILURE)

If the "kdump" service is active, ask the System Administrator if the use of the service is required and documented with the Information System Security Officer (ISSO).

If the service is active and is not documented, this is a finding.

References:
CCI-001665
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 22 *******************************

QUESTION         : 23 of 62
TITLE            : CAT II, V-248635, SV-248635r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:22301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:22301
RULE             : Executable search paths within the initialization files of all local interactive OL 8 users must only contain paths that resolve to the system default or the user's home directory.
QUESTION_TEXT    : Verify that all local interactive user initialization files' executable search path statements do not contain statements that will reference a working directory other than the users' home directory with the following commands: 
 
Note: The example will be for the "smithj" user, which has a home directory of "/home/smithj". 
 
$ sudo grep -i path /home/smithj/.* 
 
/home/smithj/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin 
/home/smithj/.bash_profile:export PATH 
 
If any local interactive user initialization files have executable search path statements that include directories outside of their home directory, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 23 *******************************

QUESTION         : 24 of 62
TITLE            : CAT II, V-248640, SV-248640r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:23301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:23301
RULE             : All OL 8 local interactive user home directory files must have mode "0750" or less permissive.
QUESTION_TEXT    : Verify all files and directories contained in a local interactive user home directory, excluding local initialization files, have a mode of "0750" or less permissive.

Files that begin with a "." are excluded from this requirement.

Note: The example will be for the user "smithj", who has a home directory of "/home/smithj".

$ sudo ls -lLR /home/smithj
-rwxr-x--- 1 smithj smithj 18 Mar 5 17:06 file1
-rwxr----- 1 smithj smithj 193 Mar 5 17:06 file2
-rw-r-x--- 1 smithj smithj 231 Mar 5 17:06 file3

If any files or directories are found with a mode more permissive than "0750", this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 24 *******************************

QUESTION         : 25 of 62
TITLE            : CAT II, V-248642, SV-248642r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:23701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:23701
RULE             : OL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.
QUESTION_TEXT    : Verify all files and directories in a local interactive user home directory are group-owned by a group of which the user is a member.

Check the group owner of all files and directories in a local interactive user's home directory with the following command:

Note: The example will be for the user "smithj", who has a home directory of "/home/smithj".

$ sudo ls -lLR /<home directory>/<users home directory>/
-rw-r--r-- 1 smithj smithj  18 Mar  5 17:06 file1
-rw-r--r-- 1 smithj smithj 193 Mar  5 17:06 file2
-rw-r--r-- 1 smithj sa        231 Mar  5 17:06 file3

If any files are found with a group owner different from the home directory user's private group, determine if the user is a member of that group with the following command:

$ sudo grep smithj /etc/group
sa:x:100:juan,shelley,bob,smithj 
smithj:x:521:smithj

If any files or directories are group owned by a group that the directory owner is not a member of, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 25 *******************************

QUESTION         : 26 of 62
TITLE            : CAT II, V-248643, SV-248643r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:23901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:23901
RULE             : All OL 8 local interactive user home directories defined in the "/etc/passwd" file must exist.
QUESTION_TEXT    : Verify that the assigned home directory of all local interactive users on OL 8 exists with the following command: 
 
$ sudo ls -ld $(awk -F: '($3>=1000)&&($1!="nobody"){print $6}' /etc/passwd) 
 
drwxr-xr-x 2 smithj admin 4096 Jun 5 12:41 smithj 
 
Note: This may miss interactive users that have been assigned a privileged User ID (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information. 
 
Check that all referenced home directories exist with the following command: 
 
$ sudo pwck -r 
 
user 'smithj': directory '/home/smithj' does not exist 
 
If any home directories referenced in "/etc/passwd" are returned as not defined, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 26 *******************************

QUESTION         : 27 of 62
TITLE            : CAT II, V-248651, SV-248651r958364, SRG-OS-000002-GPOS-00002
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:25501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:25501
RULE             : OL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less.
QUESTION_TEXT    : Verify that temporary accounts have been provisioned with an expiration date of 72 hours. 
 
For every existing temporary account, run the following command to obtain its account expiration information. 
 
$ sudo chage -l system_account_name 
 
Verify each of these accounts has an expiration date set within 72 hours. 
 
If any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.

References:
CCI-000016
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 27 *******************************

QUESTION         : 28 of 62
TITLE            : CAT II, V-248668, SV-248668r958388, SRG-OS-000021-GPOS-00005
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:28901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:28901
RULE             : OL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.
QUESTION_TEXT    : Note: This check applies to OL versions 8.2 or newer. If the system is OL version 8.0 or 8.1, this check is not applicable.

Verify the pam_faillock.so module is present in the "/etc/pam.d/password-auth" file:

$ sudo grep pam_faillock.so /etc/pam.d/password-auth

auth               required                            pam_faillock.so preauth
auth               required                            pam_faillock.so authfail
account          required                            pam_faillock.so

If the pam_faillock.so module is not present in the "/etc/pam.d/password-auth" file with the "preauth" line listed before pam_unix.so, this is a finding.

References:
CCI-000044
CCI-002238
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 28 *******************************

QUESTION         : 29 of 62
TITLE            : CAT II, V-248669, SV-248669r958388, SRG-OS-000021-GPOS-00005
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:29101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:29101
RULE             : OL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory.
QUESTION_TEXT    : If the system does not have SELinux enabled and enforcing a targeted policy, or if the pam_faillock module is not configured for use, this requirement is not applicable.

Note: This check applies to OL versions 8.2 or newer. If the system is OL version 8.0 or 8.1, this check is not applicable.

Verify the location of the non-default tally directory for the pam_faillock module with the following command:

$ sudo grep -w dir /etc/security/faillock.conf

dir = /var/log/faillock

Check the security context type of the non-default tally directory with the following command:

$ sudo ls -Zd /var/log/faillock

unconfined_u:object_r:faillog_t:s0 /var/log/faillock

If the security context type of the non-default tally directory is not "faillog_t", this is a finding.

References:
CCI-000044
CCI-002238
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 29 *******************************

QUESTION         : 30 of 62
TITLE            : CAT II, V-248670, SV-248670r958388, SRG-OS-000021-GPOS-00005
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:29301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:29301
RULE             : OL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory.
QUESTION_TEXT    : If the system does not have SELinux enabled and enforcing a targeted policy, or if the pam_faillock module is not configured for use, this requirement is not applicable.

Note: This check applies to OL versions 8.0 and 8.1. If the system is OL version 8.2 or newer, this check is not applicable.

Verify the location of the non-default tally directory for the pam_faillock module with the following command:

$ sudo grep -w dir /etc/pam.d/password-auth

auth   required   pam_faillock.so preauth dir=/var/log/faillock
auth   required   pam_faillock.so authfail dir=/var/log/faillock

Check the security context type of the non-default tally directory with the following command:

$ sudo ls -Zd /var/log/faillock

unconfined_u:object_r:faillog_t:s0 /var/log/faillock

If the security context type of the non-default tally directory is not "faillog_t", this is a finding.

References:
CCI-000044
CCI-002238
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 30 *******************************

QUESTION         : 31 of 62
TITLE            : CAT II, V-248672, SV-248672r958402, SRG-OS-000029-GPOS-00010
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:29701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:29701
RULE             : OL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated.
QUESTION_TEXT    : Note: This requirement assumes the use of the OL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.

Verify the operating system initiates a session lock for graphical user interfaces when the screensaver is activated with the following command:

$ sudo gsettings get org.gnome.desktop.screensaver lock-delay

uint32 5

If the "uint32" setting is missing, or is not set to "5" or less, this is a finding.

References:
CCI-000057
CCI-000060
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 31 *******************************

QUESTION         : 32 of 62
TITLE            : CAT II, V-248678, SV-248678r1015045, SRG-OS-000028-GPOS-00009
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:30101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:30101
RULE             : OL 8 must enable a user session lock until that user reestablishes access using established identification and authentication procedures for command line sessions.
QUESTION_TEXT    : Verify OL 8 has the "vlock" package installed by running the following command: 
 
$ sudo grep vlock /usr/bin/* 
 
Binary file /usr/bin/vlock matches 
 
If "vlock" is not installed, this is a finding.

References:
CCI-000056
CCI-000057
CCI-000058
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 32 *******************************

QUESTION         : 33 of 62
TITLE            : CAT II, V-248680, SV-248680r958402, SRG-OS-000029-GPOS-00010
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:30501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:30501
RULE             : OL 8 must automatically lock graphical user sessions after 15 minutes of inactivity.
QUESTION_TEXT    : Note: This requirement assumes the use of the OL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. 
 
Verify the operating system initiates a session lock after a 15-minute period of inactivity for graphical user interfaces with the following command: 
 
$ sudo gsettings get org.gnome.desktop.session idle-delay 
 
uint32 900 
 
If "idle-delay" is set to "0" or a value greater than "900", this is a finding.

References:
CCI-000057
CCI-000060
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 33 *******************************

QUESTION         : 34 of 62
TITLE            : CAT II, V-248683, SV-248683r958402, SRG-OS-000029-GPOS-00010
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:30901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:30901
RULE             : OL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface.
QUESTION_TEXT    : Note: This requirement assumes the use of the OL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. 

Verify the operating system prevents a user from overriding settings for graphical user interfaces. 
 
Determine which profile the system database is using with the following command: 
 
$ sudo grep system-db /etc/dconf/profile/user 
 
system-db:local 
 
Check that graphical settings are locked from non-privileged user modification with the following command. 
 
Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. 
 
$ sudo grep -i idle /etc/dconf/db/local.d/locks/* 
 
/org/gnome/desktop/screensaver/idle-delay 
 
If the command does not return at least the example result, this is a finding.

References:
CCI-000057
CCI-000060
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 34 *******************************

QUESTION         : 35 of 62
TITLE            : CAT II, V-248685, SV-248685r958452, SRG-OS-000068-GPOS-00036
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:31301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:31301
RULE             : OL 8 must map the authenticated identity to the user or group account for PKI-based authentication.
QUESTION_TEXT    : Verify the certificate of the user or group is mapped to the corresponding user or group in the "sssd.conf" file with the following command:

Note: If the System Administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable.

$ sudo cat /etc/sssd/sssd.conf

[sssd]
config_file_version = 2
services = pam, sudo, ssh
domains = testing.test

[pam]
pam_cert_auth = True

[domain/testing.test]
id_provider = ldap

[certmap/testing.test/rule_name]
matchrule =<SAN>.*EDIPI@mil
maprule = (userCertificate;binary={cert!bin})
domains = testing.test

If the "certmap" section does not exist, this is a finding.

References:
CCI-000187
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 35 *******************************

QUESTION         : 36 of 62
TITLE            : CAT II, V-248702, SV-248702r1015060, SRG-OS-000105-GPOS-00052
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:34501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:34501
RULE             : OL 8 must implement multifactor authentication for access to interactive accounts.
QUESTION_TEXT    : Verify OL 8 uses multifactor authentication for local access to accounts.

Note: If the system administrator (SA) demonstrates the use of an approved alternate multifactor authentication method, this requirement is Not Applicable.

Check that the "pam_cert_auth" setting is set to "true" in the "/etc/sssd/sssd.conf" file.

Check that the "try_cert_auth" or "require_cert_auth" options are configured in both "/etc/pam.d/system-auth" and "/etc/pam.d/smartcard-auth" files with the following command:

     $ sudo grep -ir cert_auth /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf /etc/pam.d/*

     /etc/sssd/sssd.conf:pam_cert_auth = True
     /etc/pam.d/smartcard-auth:auth sufficient pam_sss.so try_cert_auth
     /etc/pam.d/system-auth:auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth

If "pam_cert_auth" is not set to "true" in "/etc/sssd/sssd.conf", this is a finding.

If "pam_sss.so" is not set to "try_cert_auth" or "require_cert_auth" in both the "/etc/pam.d/smartcard-auth" and "/etc/pam.d/system-auth" files, this is a finding.

References:
CCI-000765
CCI-000766
CCI-004047
CCI-000767
CCI-000768
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 36 *******************************

QUESTION         : 37 of 62
TITLE            : CAT II, V-248703, SV-248703r1015061, SRG-OS-000118-GPOS-00060
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:34701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:34701
RULE             : The OL 8 system-auth file must disable access to the system for account identifiers (individuals, groups, roles, and devices) with 35 days of inactivity.
QUESTION_TEXT    : Verify the account identifiers (individuals, groups, roles, and devices) are disabled after 35 days of inactivity by checking the account inactivity value with the following command: 
 
$ sudo grep 'inactive\|pam_unix' /etc/pam.d/system-auth | grep -w auth
 
auth      required      pam_lastlog.so inactive=35
auth      sufficient     pam_unix.so 

If the pam_lastlog.so module is listed below the pam_unix.so module in the "system-auth" file, this is a finding.

If the value of "inactive" is set to zero, a negative number, or is greater than 35, this is a finding.

If the line is commented out or missing, ask the administrator to indicate how the system disables access for account identifiers. If there is no evidence that the system is disabling access for account identifiers after 35 days of inactivity, this is a finding.

References:
CCI-003627
CCI-003628
CCI-000795
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 37 *******************************

QUESTION         : 38 of 62
TITLE            : CAT II, V-248704, SV-248704r1015062, SRG-OS-000118-GPOS-00060
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:34901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:34901
RULE             : The OL 8 password-auth file must disable access to the system for account identifiers (individuals, groups, roles, and devices) with 35 days of inactivity.
QUESTION_TEXT    : Verify the account identifiers (individuals, groups, roles, and devices) are disabled after 35 days of inactivity by checking the account inactivity value with the following command: 
 
$ sudo grep 'inactive\|pam_unix' /etc/pam.d/password-auth | grep -w auth
 
auth      required      pam_lastlog.so inactive=35
auth      sufficient     pam_unix.so 

If the pam_lastlog.so module is listed below the pam_unix.so module in the "password-auth" file, this is a finding.

If the value of "inactive" is set to zero, a negative number, or is greater than 35, this is a finding.

If the line is commented out or missing, ask the administrator to indicate how the system disables access for account identifiers. If there is no evidence that the system is disabling access for account identifiers after 35 days of inactivity, this is a finding.

References:
CCI-003627
CCI-003628
CCI-000795
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 38 *******************************

QUESTION         : 39 of 62
TITLE            : CAT II, V-248708, SV-248708r958508, SRG-OS-000123-GPOS-00064
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:35701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:35701
RULE             : OL 8 must automatically expire temporary accounts within 72 hours.
QUESTION_TEXT    : Verify temporary accounts have been provisioned with an expiration date of 72 hours.

For every existing temporary account, run the following command to obtain its account expiration information:

     $ sudo chage -l <temporary_account_name> | grep -i "account expires"

Verify each of these accounts has an expiration date set within 72 hours.
If any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.

References:
CCI-001682
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 39 *******************************

QUESTION         : 40 of 62
TITLE            : CAT II, V-248713, SV-248713r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:36701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:36701
RULE             : OL 8 must not have unnecessary accounts.
QUESTION_TEXT    : Verify all accounts on the system are assigned to an active system, application, or user account. 
 
Obtain the list of authorized system accounts from the Information System Security Officer (ISSO). 
 
Check the system accounts on the system with the following command: 
 
$ sudo more /etc/passwd 
 
root:x:0:0:root:/root:/bin/bash 
bin:x:1:1:bin:/bin:/sbin/nologin 
daemon:x:2:2:daemon:/sbin:/sbin/nologin 
sync:x:5:0:sync:/sbin:/bin/sync 
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown 
halt:x:7:0:halt:/sbin:/sbin/halt 
games:x:12:100:games:/usr/games:/sbin/nologin 
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin 
 
Accounts such as "games" and "gopher" are not authorized accounts as they do not support authorized system functions. 
 
If the accounts on the system do not match the provided documentation, or accounts that do not support an authorized system function are present, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 40 *******************************

QUESTION         : 41 of 62
TITLE            : CAT II, V-248720, SV-248720r991590, SRG-OS-000480-GPOS-00228
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:38101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:38101
RULE             : OL 8 must set the umask value to 077 for all local interactive user accounts.
QUESTION_TEXT    : Verify that the default umask for all local interactive users is "077".

Identify the locations of all local interactive user home directories by looking at the "/etc/passwd" file.

Check all local interactive user initialization files for interactive users with the following command:

Note: The example is for a system that is configured to create users' home directories in the "/home" directory.

$ sudo grep -ir ^umask /home | grep -v '.bash_history'

If any local interactive user initialization files are found to have a umask statement that has a value less restrictive than "077", this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 41 *******************************

QUESTION         : 42 of 62
TITLE            : CAT II, V-248721, SV-248721r991590, SRG-OS-000480-GPOS-00228
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:38301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:38301
RULE             : OL 8 must define default permissions for logon and non-logon shells.
QUESTION_TEXT    : Verify that the umask default for installed shells is "077".

Check for the value of the "UMASK" parameter in the "/etc/bashrc", "/etc/csh.cshrc", and "/etc/profile" files with the following command:

Note: If the value of the "UMASK" parameter is set to "000" in the "/etc/bashrc", "/etc/csh.cshrc", or the "/etc/profile" files, the Severity is raised to a CAT I.

$ sudo grep -i umask /etc/bashrc /etc/csh.cshrc /etc/profile

/etc/bashrc: umask 077
/etc/bashrc: umask 077
/etc/csh.cshrc: umask 077 
/etc/csh.cshrc: umask 077
/etc/profile: umask 077
/etc/profile: umask 077

If the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 42 *******************************

QUESTION         : 43 of 62
TITLE            : CAT II, V-248723, SV-248723r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:38701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:38701
RULE             : Cron logging must be implemented in OL 8.
QUESTION_TEXT    : Verify that "rsyslog" is configured to log cron events with the following command: 
 
Note: If another logging package is used, substitute the utility configuration file for "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files. 
 
$ sudo grep cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf 
 
cron.* /var/log/cron 
 
If the command does not return a response, check whether all facilities (which include cron) are being logged by inspecting the "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files. 
 
Look for the following entry: 
 
*.* /var/log/messages 
 
If "rsyslog" is not logging messages for the cron facility or all facilities, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 43 *******************************

QUESTION         : 44 of 62
TITLE            : CAT II, V-248801, SV-248801r958412, SRG-OS-000037-GPOS-00015
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:50101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:50101
RULE             : OL 8 must generate audit records for any attempted modifications to the "faillock" log file.
QUESTION_TEXT    : Verify OL 8 generates an audit record for any attempted modifications to the "faillock" file.  
 
Determine where the faillock tallies are stored with the following commands: 
 
For OL versions 8.0 and 8.1: 
 
$ sudo grep -i pam_faillock.so /etc/pam.d/system-auth 
 
auth required pam_faillock.so preauth dir=/var/log/faillock silent deny=3 fail_interval=900 even_deny_root 
 
For OL versions 8.2 and newer: 
 
$ sudo grep dir /etc/security/faillock.conf 
 
dir=/var/log/faillock 
 
Using the location of the faillock log file, verify that modifications to it are being audited by running the following command to check the file system rules in "/etc/audit/audit.rules": 
 
$ sudo grep -w faillock /etc/audit/audit.rules 
 
-w /var/log/faillock -p wa -k logins 
 
If the command does not return a line or the line is commented out, this is a finding.

References:
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 44 *******************************

QUESTION         : 45 of 62
TITLE            : CAT II, V-248805, SV-248805r991579, SRG-OS-000471-GPOS-00215
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:50901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:50901
RULE             : OL 8 must enable Linux audit logging for the USBGuard daemon.
QUESTION_TEXT    : Verify OL 8 enables Linux audit logging of the USBGuard daemon with the following commands. 
 
Note: If the USBGuard daemon is not installed and enabled, this requirement is not applicable. 
 
$ sudo grep -i auditbackend /etc/usbguard/usbguard-daemon.conf 
 
AuditBackend=LinuxAudit 
 
If the "AuditBackend" entry does not equal "LinuxAudit", is missing, or the line is commented out, this is a finding.

References:
CCI-000172
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 45 *******************************

QUESTION         : 46 of 62
TITLE            : CAT II, V-248811, SV-248811r958752, SRG-OS-000341-GPOS-00132
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:52101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:52101
RULE             : OL 8 must allocate audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility.
QUESTION_TEXT    : Verify OL 8 allocates audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility. 
 
Determine to which partition the audit records are being written with the following command: 
 
$ sudo grep -iw log_file /etc/audit/auditd.conf 
log_file = /var/log/audit/audit.log 
 
Check the size of the partition to which audit records are written (with the example being "/var/log/audit/") with the following command: 
 
$ sudo df -h /var/log/audit/ 
/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit 
 
If the audit records are not written to a partition made specifically for audit records ("/var/log/audit" is a separate partition), determine the amount of space being used by other files in the partition with the following command: 
 
$ sudo du -sh [audit_partition] 
1.8G /var/log/audit 
 
If the audit record partition is not allocated for sufficient storage capacity, this is a finding. 
 
Note: The partition size needed to capture a week of audit records is based on the activity level of the system and the total storage capacity available. Typically 10.0 GB of storage space for audit records should be sufficient.

References:
CCI-001849
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 46 *******************************

QUESTION         : 47 of 62
TITLE            : CAT II, V-248814, SV-248814r958754, SRG-OS-000342-GPOS-00133
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:52701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:52701
RULE             : The OL 8 audit records must be offloaded onto a different system or storage media from the system being audited.
QUESTION_TEXT    : Verify the audit system offloads audit records onto a different system or media from the system being audited with the following command: 
 
     $ sudo grep @@ /etc/rsyslog.conf /etc/rsyslog.d/*.conf 
 
     /etc/rsyslog.conf:*.* @@[logaggregationserver.example.mil]:[port] 
 
If a remote server is not configured or the line is commented out, ask the system administrator to indicate how the audit logs are offloaded to a different system or media.  
 
If there is no evidence that the audit logs are being offloaded to another system or media, this is a finding.

References:
CCI-001851
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 47 *******************************

QUESTION         : 48 of 62
TITLE            : CAT II, V-248816, SV-248816r958754, SRG-OS-000342-GPOS-00133
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:53101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:53101
RULE             : OL 8 must encrypt the transfer of audit records offloaded onto a different system or media from the system being audited.
QUESTION_TEXT    : Verify the operating system encrypts audit records offloaded onto a different system or media from the system being audited with the following commands: 
 
$ sudo grep -i '$DefaultNetstreamDriver' /etc/rsyslog.conf /etc/rsyslog.d/*.conf 
 
/etc/rsyslog.conf:$DefaultNetstreamDriver gtls 
 
If the value of the "$DefaultNetstreamDriver" option is not set to "gtls" or the line is commented out, this is a finding. 
 
$ sudo grep -i '$ActionSendStreamDriverMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf 
 
/etc/rsyslog.conf:$ActionSendStreamDriverMode 1 
 
If the value of the "$ActionSendStreamDriverMode" option is not set to "1" or the line is commented out, this is a finding. 
 
If neither of the definitions above is set, ask the System Administrator to indicate how the audit logs are offloaded to a different system or media.  
 
If there is no evidence that the transfer of the audit logs being offloaded to another system or media is encrypted, this is a finding.

References:
CCI-001851
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 48 *******************************

QUESTION         : 49 of 62
TITLE            : CAT II, V-248820, SV-248820r1038944, SRG-OS-000355-GPOS-00143
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:53901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:53901
RULE             : OL 8 must compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DOD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
QUESTION_TEXT    : Verify OL 8 is comparing internal information system clocks at least every 24 hours with an NTP server with the following command: 
 
$ sudo grep maxpoll /etc/chrony.conf 
 
server [ntp.server.name] iburst maxpoll 16 
 
If the "maxpoll" option is set to a number greater than "16" or the line is commented out, this is a finding.

References:
CCI-001890
CCI-004923
CCI-004926
CCI-001891
CCI-002046
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 49 *******************************

QUESTION         : 50 of 62
TITLE            : CAT II, V-248828, SV-248828r958478, SRG-OS-000095-GPOS-00049
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:55501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:55501
RULE             : OL 8 must cover or disable the built-in or attached camera when not in use.
QUESTION_TEXT    : If the device or operating system does not have a camera installed, this requirement is not applicable.

This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision.

This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed.

For an external camera, if there is not a method for the operator to manually disconnect the camera at the end of collaborative computing sessions, this is a finding.

For a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use.

If the built-in camera is not protected with a camera cover or is not physically disabled, this is a finding.

If the camera is not disconnected, covered, or physically disabled, determine if it is being disabled via software with the following commands:

Verify the operating system disables the ability to load the uvcvideo kernel module.

     $ sudo grep -r uvcvideo /etc/modprobe.d/* | grep "/bin/false"
     install uvcvideo /bin/false

If the command does not return any output, or the line is commented out, and the collaborative computing device has not been authorized for use, this is a finding.

Verify the camera is disabled via blacklist with the following command:

     $ sudo grep -r uvcvideo /etc/modprobe.d/* | grep "blacklist"
     blacklist uvcvideo

If the command does not return any output or the output is not "blacklist uvcvideo", and the collaborative computing device has not been authorized for use, this is a finding.

References:
CCI-000381
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 50 *******************************

QUESTION         : 51 of 62
TITLE            : CAT II, V-248835, SV-248835r958480, SRG-OS-000096-GPOS-00050
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:56901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:56901
RULE             : OL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
QUESTION_TEXT    : Inspect the firewall configuration and running services to verify it is configured to prohibit or restrict the use of functions, ports, protocols, and/or services that are unnecessary or prohibited. 
 
Check which services are currently active with the following command: 
 
$ sudo firewall-cmd --list-all 
 
custom (active) 
target: DROP 
icmp-block-inversion: no 
interfaces: ens33 
sources:  
services: dhcpv6-client dns http https ldaps rpc-bind ssh 
ports:  
masquerade: no 
forward-ports:  
icmp-blocks:  
rich rules:  
 
Ask the System Administrator for the site or program PPSM Component Local Service Assessment (CLSA). Verify the services allowed by the firewall match the PPSM CLSA.  
 
If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.

References:
CCI-000382
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 51 *******************************

QUESTION         : 52 of 62
TITLE            : CAT II, V-248839, SV-248839r958672, SRG-OS-000297-GPOS-00115
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:57501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:57501
RULE             : An OL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.
QUESTION_TEXT    : Verify "firewalld" is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems with the following commands: 
 
     $ sudo firewall-cmd --state 
     running 
 
     $ sudo firewall-cmd --get-active-zones 
     [custom] 
     interfaces: ens33 
 
     $ sudo firewall-cmd --info-zone=[custom] | grep target 
     target: DROP 
 
If no zones are active on the OL 8 interfaces or if the target is set to an option other than "DROP", this is a finding.

If the "firewalld" package is not installed, ask the System Administrator if an alternate firewall (such as iptables) is installed and in use, and how it is configured to employ a deny-all, allow-by-exception policy. 

If the alternate firewall is not configured to employ a deny-all, allow-by-exception policy, this is a finding.

If no firewall is installed, this is a finding.

References:
CCI-002314
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 52 *******************************

QUESTION         : 53 of 62
TITLE            : CAT II, V-248842, SV-248842r991568, SRG-OS-000299-GPOS-00117
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:58101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:58101
RULE             : OL 8 wireless network adapters must be disabled.
QUESTION_TEXT    : Verify there are no wireless interfaces configured on the system with the following command. 
 
Note: This requirement is not applicable for systems that do not have physical wireless network radios. 
 
$ sudo nmcli device status 
 
DEVICE          TYPE      STATE         CONNECTION 
virbr0          bridge    connected     virbr0 
wlp7s0          wifi      connected     wifiSSID 
enp6s0          ethernet  disconnected  -- 
p2p-dev-wlp7s0  wifi-p2p  disconnected  -- 
lo              loopback  unmanaged     -- 
virbr0-nic      tun       unmanaged     -- 
 
If a wireless interface is configured and has not been documented and approved by the Information System Security Officer (ISSO), this is a finding.

References:
CCI-001443
CCI-001444
CCI-002418
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 53 *******************************

QUESTION         : 54 of 62
TITLE            : CAT II, V-248861, SV-248861r958804, SRG-OS-000368-GPOS-00154
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:61901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:61901
RULE             : The OL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
QUESTION_TEXT    : Verify the OL 8 "fapolicyd" employs a deny-all, permit-by-exception policy.

Check that "fapolicyd" is in enforcement mode with the following command:

$ sudo grep permissive /etc/fapolicyd/fapolicyd.conf

permissive = 0

Check that fapolicyd employs a deny-all policy on system mounts with the following commands:

For OL 8.4 systems and older:
$ sudo tail /etc/fapolicyd/fapolicyd.rules

For OL 8.5 systems and newer:
$ sudo tail /etc/fapolicyd/compiled.rules

allow exe=/usr/bin/python3.7 : ftype=text/x-python
deny_audit perm=any pattern=ld_so : all
deny perm=any all : all

If fapolicyd is not running in enforcement mode with a deny-all, permit-by-exception policy, this is a finding.

References:
CCI-001764
CCI-001774
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 54 *******************************

QUESTION         : 55 of 62
TITLE            : CAT II, V-248863, SV-248863r958820, SRG-OS-000378-GPOS-00163
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:62301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:62301
RULE             : OL 8 must block unauthorized peripherals before establishing a connection.
QUESTION_TEXT    : Verify the USBGuard has a policy configured with the following command:

$ sudo usbguard list-rules

If the command does not return results or an error is returned, ask the SA to indicate how unauthorized peripherals are being blocked.

If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding.

References:
CCI-001958
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 55 *******************************

QUESTION         : 56 of 62
TITLE            : CAT II, V-248907, SV-248907r958726, SRG-OS-000324-GPOS-00125
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:71101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:71101
RULE             : OL 8 must prevent nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures.
QUESTION_TEXT    : Verify the operating system prevents nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures. 
 
Obtain a list of authorized users (other than system administrator and guest accounts) for the system. 
 
Check the list against the system by using the following command: 
 
     $ sudo semanage login -l | more 

     Login Name    SELinux User    MLS/MCS Range     Service

     __default__   user_u          s0-s0:c0.c1023    *
     root          unconfined_u    s0-s0:c0.c1023    *
     system_u      system_u        s0-s0:c0.c1023    *
     joe           staff_u         s0-s0:c0.c1023    *
 
All administrators must be mapped to the "sysadm_u", "staff_u", or an appropriately tailored confined role as defined by the organization. 
 
All authorized nonadministrative users must be mapped to the "user_u" role. 
 
If they are not mapped in this way, this is a finding.

References:
CCI-002235
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 56 *******************************

QUESTION         : 57 of 62
TITLE            : CAT II, V-252655, SV-252655r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:72301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:72301
RULE             : OL 8 must specify the default "include" directory for the /etc/sudoers file.
QUESTION_TEXT    : Note: If the "include" and "includedir" directives are not present in the /etc/sudoers file, this requirement is not applicable.

Verify the operating system specifies only the default "include" directory for the /etc/sudoers file with the following command:

     $ sudo grep include /etc/sudoers

     #includedir /etc/sudoers.d

If the results are not "/etc/sudoers.d" or additional files or directories are specified, this is a finding.

Verify the operating system does not have nested "include" files or directories within the /etc/sudoers.d directory with the following command:

     $ sudo grep -Er include /etc/sudoers.d

If results are returned, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 57 *******************************

QUESTION         : 58 of 62
TITLE            : CAT II, V-252662, SV-252662r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:73501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:73501
RULE             : OL 8 must not enable IPv4 packet forwarding unless the system is a router.
QUESTION_TEXT    : Verify OL 8 is not performing IPv4 packet forwarding, unless the system is a router.

Check that IPv4 forwarding is disabled using the following command:

$ sudo sysctl net.ipv4.conf.all.forwarding

net.ipv4.conf.all.forwarding = 0

If the IPv4 forwarding value is not "0" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.

Check that the configuration files are present to enable this network parameter:

$ sudo grep -r net.ipv4.conf.all.forwarding /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf

/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.forwarding = 0

If "net.ipv4.conf.all.forwarding" is not set to "0", is missing or commented out, this is a finding.

If conflicting results are returned, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 58 *******************************
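
Added example, not part of the STIG: a shell check that collects every uncommented setting of one sysctl parameter across the configuration sources listed in the check above, reports conflicting values as a finding, and compares the single remaining value with the required one. Constructed directories stand in for /etc/sysctl.d and /etc/sysctl.conf so the script runs offline; the running value ("sysctl net.ipv4.conf.all.forwarding") remains a separate live check.

```shell
#!/bin/sh
# Added example (not part of the STIG): scan sysctl configuration sources for one
# parameter and detect conflicts. Constructed sample trees replace the real paths.
SYSCTL_SAMPLES=$(mktemp -d)
mkdir -p "$SYSCTL_SAMPLES/good/sysctl.d" "$SYSCTL_SAMPLES/conflict/sysctl.d" \
         "$SYSCTL_SAMPLES/missing/sysctl.d"

# Compliant: one definition, set to 0.
printf '# constructed sample\nnet.ipv4.conf.all.forwarding = 0\n' \
    > "$SYSCTL_SAMPLES/good/sysctl.d/99-sysctl.conf"
# Finding: two sources disagree. The STIG treats any conflict as a finding, even though
# sysctl would apply the later file and the value in effect might still be 0.
printf 'net.ipv4.ip_forward=0\nnet.ipv4.conf.all.forwarding = 0\n' \
    > "$SYSCTL_SAMPLES/conflict/sysctl.d/99-sysctl.conf"
printf 'net.ipv4.conf.all.forwarding = 1  # router role\n' \
    > "$SYSCTL_SAMPLES/conflict/sysctl.conf"
# Finding: the parameter exists only as a comment.
printf '#net.ipv4.conf.all.forwarding = 0\n' \
    > "$SYSCTL_SAMPLES/missing/sysctl.d/99-sysctl.conf"

# sysctl_cfg_verdict PARAM EXPECTED PATH...
#   PATH entries are directories of *.conf files or single files; missing ones are
#   skipped, as an unmatched glob in the STIG grep would be. Prints NOT_A_FINDING or
#   FINDING on stdout; each matching "file<TAB>value" pair and the reason go to stderr.
sysctl_cfg_verdict() {
    param=$1; expected=$2; shift 2
    hits=$(
        for path in "$@"; do
            if [ -d "$path" ]; then
                for f in "$path"/*.conf; do
                    if [ -f "$f" ]; then printf '%s\n' "$f"; fi
                done
            elif [ -f "$path" ]; then
                printf '%s\n' "$path"
            fi
        done | while IFS= read -r f; do
            # Emit "file<TAB>value" for each uncommented assignment of PARAM.
            awk -v p="$param" -v f="$f" '
                { sub(/[#;].*/, "") }                  # sysctl accepts # and ; comments
                index($0, "=") {
                    key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
                    if (key != p) next
                    val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
                    print f "\t" val
                }' "$f"
        done
    )
    if [ -z "$hits" ]; then
        echo "$param: missing or commented out in every source" >&2
        echo FINDING; return 1
    fi
    printf '%s\n' "$hits" >&2
    distinct=$(printf '%s\n' "$hits" | cut -f2 | sort -u | wc -l | tr -d ' ')
    if [ "$distinct" -gt 1 ]; then
        echo "$param: conflicting values across sources" >&2
        echo FINDING; return 1
    fi
    if [ "$(printf '%s\n' "$hits" | cut -f2 | sort -u)" != "$expected" ]; then
        echo "$param: not set to $expected" >&2
        echo FINDING; return 1
    fi
    echo NOT_A_FINDING
}

# Stand-alone run over the samples; the real check would pass /run/sysctl.d,
# /usr/local/lib/sysctl.d, /usr/lib/sysctl.d, /lib/sysctl.d, /etc/sysctl.conf, /etc/sysctl.d.
for scenario in good conflict missing; do
    printf '%-9s ' "$scenario"
    sysctl_cfg_verdict net.ipv4.conf.all.forwarding 0 \
        "$SYSCTL_SAMPLES/$scenario/sysctl.d" "$SYSCTL_SAMPLES/$scenario/sysctl.conf" \
        2>/dev/null || :
done
```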

QUESTION         : 59 of 62
TITLE            : CAT II, V-256978, SV-256978r1015073, SRG-OS-000366-GPOS-00153
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:74101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:74101
RULE             : OL 8 must ensure cryptographic verification of vendor software packages.
QUESTION_TEXT    : Confirm the Oracle package-signing key is installed on the system and verify its fingerprint matches the vendor value.

Note: The GPG key is defined in key file "/etc/pki/rpm-gpg/RPM-GPG-KEY-oracle" by default.

List Oracle GPG keys installed on the system:

     $ sudo rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey | grep -i "oracle"

     gpg(Oracle OSS group (Open Source Software group) <build@oss.oracle.com>)

If the Oracle GPG key is not installed, this is a finding.

List the key fingerprint of the installed Oracle GPG key:

     $ sudo gpg -q --keyid-format short --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle

If the key file "/etc/pki/rpm-gpg/RPM-GPG-KEY-oracle" is missing, this is a finding.

Example output:

     pub   rsa4096/AD986DA3 2019-04-09 [SC] [expires: 2039-04-04]
           Key fingerprint = 76FD 3DB1 3AB6 7410 B89D  B10E 8256 2EA9 AD98 6DA3
     uid                   Oracle OSS group (Open Source Software group) <build@oss.oracle.com>
     sub   rsa4096/D95DC12B 2019-04-09 [E] [expires: 2039-04-04]

Compare the key fingerprint of the installed Oracle GPG key with the fingerprint listed for OL 8 on the Oracle verification webpage at https://linux.oracle.com/security/gpg/#gpg.

If the key fingerprint does not match, this is a finding.

References:
CCI-003992
CCI-001749
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 59 *******************************

QUESTION         : 60 of 62
TITLE            : CAT III, V-248599, SV-248599r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:15501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:15501
RULE             : OL 8 must enable the hardware random number generator entropy gatherer service.
QUESTION_TEXT    : Note: For OL versions 8.4 and above running with kernel FIPS mode enabled as specified by OL08-00-010020, this requirement is Not Applicable.

Check that OL 8 has enabled the hardware random number generator entropy gatherer service.

Verify the rngd service is enabled and active with the following commands: 
 
     $ sudo systemctl is-enabled rngd 
     enabled 
 
     $ sudo systemctl is-active rngd 
     active 
 
If the service is not "enabled" and "active", this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 60 *******************************

QUESTION         : 61 of 62
TITLE            : CAT III, V-248896, SV-248896r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:68901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:68901
RULE             : The OL 8 file integrity tool must be configured to verify extended attributes.
QUESTION_TEXT    : Verify the file integrity tool is configured to verify extended attributes. 
 
If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. 
 
Note: AIDE is highly configurable at install time. This requirement assumes the "aide.conf" file is under the "/etc" directory. 
 
Use the following command to determine if the file is in another location: 
 
$ sudo find / -name aide.conf 
 
Check the "aide.conf" file to determine if the "xattrs" rule has been added to the rule list being applied to the files and directories selection lists. 
 
An example rule that includes the "xattrs" rule follows: 
 
All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux 
/bin All # apply the custom rule to the files in bin 
/sbin All # apply the same custom rule to the files in sbin 
 
If the "xattrs" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 61 *******************************

QUESTION         : 62 of 62
TITLE            : CAT III, V-248897, SV-248897r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol8os:testaction:69101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol8os:question:69101
RULE             : The OL 8 file integrity tool must be configured to verify Access Control Lists (ACLs).
QUESTION_TEXT    : Verify the file integrity tool is configured to verify ACLs. 

Use the following command to determine if the file is in a location other than "/etc/aide/aide.conf": 
 
     $ sudo find / -name aide.conf 
 
Check the "aide.conf" file to determine if the "acl" rule has been added to the rule list being applied to the files and directories selection lists with the following command: 
 
     $ sudo grep -E "[+]?acl" /etc/aide.conf 
 
     VarFile = OwnerMode+n+l+X+acl 
 
If the "acl" rule is not being used on all selection lines in the "/etc/aide.conf" file or is commented out, or ACLs are not being checked by another file integrity tool, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 62 *******************************
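
Added example, not part of the STIG, serving the two AIDE checks above (question 61, "xattrs", and question 62, "acl"): a shell check that resolves the rule definitions in an aide.conf, expands the rule named on every selection line, and reports any selection line whose expanded attribute set lacks one of the required attributes. Constructed aide.conf files stand in for /etc/aide.conf so the script runs offline; names that are not defined in the file are treated as leaf attributes, so AIDE's built-in groups (R, L, X, ...) are not expanded and a site relying on one of them to supply "xattrs" or "acl" is deliberately flagged.

```shell
#!/bin/sh
# Added example (not part of the STIG): confirm every AIDE selection line carries the
# required attributes once rule names are expanded. Constructed aide.conf samples only.
AIDE_SAMPLES=$(mktemp -d)

# Finding for "xattrs": VarFile never reaches xattrs, so /var/log is checked without it.
cat > "$AIDE_SAMPLES/bad.conf" <<'EOF'
# constructed sample aide.conf
database_in=file:@@{DBDIR}/aide.db.gz
OwnerMode = p+u+g+ftype
VarFile = OwnerMode+n+l+X+acl
All = p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux
/bin All      # apply the custom rule to the files in bin
/sbin All
!/var/log/sa
/var/log VarFile
EOF

# Compliant: VarFile now picks up xattrs through a nested rule (Ext).
cat > "$AIDE_SAMPLES/good.conf" <<'EOF'
OwnerMode = p+u+g+ftype
Ext = xattrs+selinux
VarFile = OwnerMode+n+l+X+acl+Ext
All = p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux
/bin All
/sbin All
!/var/log/sa
/var/log VarFile
EOF

# aide_rules_verdict CONF ATTR...
#   Prints NOT_A_FINDING or FINDING on stdout; selection lines lacking an attribute
#   are named on stderr. Returns 0 or 1.
aide_rules_verdict() {
    conf=$1; shift
    awk -v required="$*" '
    # Expand a "+"-joined rule expression into the leaf attribute set "seen".
    function expand(e, depth,    n, part, j) {
        if (depth > 20) return                    # guard against circular definitions
        n = split(e, part, "+")
        for (j = 1; j <= n; j++) {
            if (part[j] in rule) expand(rule[part[j]], depth + 1)
            else seen[part[j]] = 1
        }
    }
    BEGIN { nreq = split(required, req, " ") }
    { sub(/#.*/, "") }
    /^[ \t]*$/ { next }
    # Definition line "NAME = expr" (also matches config options, which are never referenced).
    /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {
        name = $0; sub(/[ \t]*=.*/, "", name); sub(/^[ \t]+/, "", name)
        expr = $0; sub(/^[^=]*=[ \t]*/, "", expr); sub(/[ \t]+$/, "", expr)
        rule[name] = expr; next
    }
    # Selection line "/path RULE" or "=/path RULE"; "!/path" lines exclude and carry no rule.
    /^[ \t]*=?\// {
        nsel++; split("", seen); expand($2, 0)
        for (i = 1; i <= nreq; i++)
            if (!(req[i] in seen)) { missing++; print $1 " lacks " req[i] > "/dev/stderr" }
    }
    END {
        if (nsel == 0 || missing) { print "FINDING"; exit 1 }
        print "NOT_A_FINDING"
    }' "$conf"
}

# Stand-alone run over the samples; the real check would pass the aide.conf found
# with "find / -name aide.conf".
for c in bad good; do
    printf '%-5s ' "$c"; aide_rules_verdict "$AIDE_SAMPLES/$c.conf" xattrs acl 2>/dev/null || :
done
```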

