################################################################################
DOCUMENT         : RHEL_8_STIG
VERSION          : 002.004.016
CHECKSUM         : 25dbcfa346d5ad935096dc09a0c48ebcc49d20479c32b4778dc0294d4be30891
MANUAL QUESTIONS : 37

IMPORTANT: Make sure to save the completed version of this file to: 
<SCC Install>/Resources/Content/Manual_Questions/Completed_Files

This file contains all of the non-automated STIG requirements found in the STIG.
Results from this file will be combined with automated checks in SCC to provide
complete STIG compliance results.

This file will be programmatically imported, so do not modify anything in this file
except for placing an '[X]' to select a Single answer, and entering text comments.

The list of questions is printed in order of severity, listing CAT I (High), then CAT II, etc.

################################################################################

QUESTION         : 1 of 37
TITLE            : CAT I, V-230224, SV-230224r1044787, SRG-OS-000185-GPOS-00079
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:701
RULE             : All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
QUESTION_TEXT    : Verify RHEL 8 prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption. 

If there is a documented and approved reason for not having data-at-rest encryption at the operating system level, such as encryption provided by a hypervisor or a disk storage array in a virtualized environment, this requirement is not applicable.

Verify all system partitions are encrypted with the following command:

     $ sudo blkid

     /dev/mapper/rhel-root:  UUID="67b7d7fe-de60-6fd0-befb-e6748cf97743" TYPE="crypto_LUKS"

Every persistent disk partition present must be of type "crypto_LUKS". If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not type "crypto_LUKS", ask the administrator to indicate how the partitions are encrypted. 

If there is no evidence that these partitions are encrypted, this is a finding.

References:
CCI-001199
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 1 *******************************

QUESTION         : 2 of 37
TITLE            : CAT II, V-230222, SV-230222r1017041, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:301
RULE             : RHEL 8 vendor packaged system security patches and updates must be installed and up to date.
QUESTION_TEXT    : Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO).

Obtain the list of available package security updates from Red Hat. The URL for updates is https://rhn.redhat.com/errata/. It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed.

Check that the available package security updates have been installed on the system with the following command:

$ sudo yum history list | more

Loaded plugins: langpacks, product-id, subscription-manager
ID | Command line | Date and time | Action(s) | Altered
-------------------------------------------------------------------------------
70 | install aide | 2020-03-05 10:58 | Install | 1 
69 | update -y | 2020-03-04 14:34 | Update | 18 EE
68 | install vlc | 2020-02-21 17:12 | Install | 21 
67 | update -y | 2020-02-21 17:04 | Update | 7 EE

If package updates have not been performed on the system within the timeframe the site/program documentation requires, this is a finding.

Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM.

If the operating system is in non-compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 2 *******************************

QUESTION         : 3 of 37
TITLE            : CAT II, V-230229, SV-230229r1017048, SRG-OS-000066-GPOS-00034
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:1701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:1701
RULE             : RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
QUESTION_TEXT    : Verify RHEL 8 for PKI-based authentication has valid certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

Note: If the System Administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable.

Check that the system has a valid DoD root CA installed with the following command:

$ sudo openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem

Certificate:
   Data:
      Version: 3 (0x2)
      Serial Number: 1 (0x1)
      Signature Algorithm: sha256WithRSAEncryption
      Issuer: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3
      Validity
         Not Before: Mar 20 18:46:41 2012 GMT
         Not After   : Dec 30 18:46:41 2029 GMT
      Subject: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3
      Subject Public Key Info:
         Public Key Algorithm: rsaEncryption

If the root CA file is not a DoD-issued certificate with a valid date and installed in the /etc/sssd/pki/sssd_auth_ca_db.pem location, this is a finding.

References:
CCI-000185
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 3 *******************************

QUESTION         : 4 of 37
TITLE            : CAT II, V-230230, SV-230230r1069287, SRG-OS-000067-GPOS-00035
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:1901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:1901
RULE             : RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key.
QUESTION_TEXT    : Verify the SSH private key files have a passcode.

For each private key stored on the system, use the following command:

$ sudo ssh-keygen -y -f /path/to/file
Enter passphrase:

If the contents of the key are displayed, this is a finding.

References:
CCI-000186
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 4 *******************************

QUESTION         : 5 of 37
TITLE            : CAT II, V-230263, SV-230263r1017083, SRG-OS-000363-GPOS-00150
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:8301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:8301
RULE             : The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency.
QUESTION_TEXT    : Verify the operating system routinely checks the baseline configuration for unauthorized changes and notifies the system administrator when anomalies in the operation of any security functions are discovered.

Check that RHEL 8 routinely executes a file integrity scan for changes to the system baseline. The commands in the example below assume a daily scan.

Check the cron directories for scripts controlling the execution and notification of results of the file integrity application. For example, if AIDE is installed on the system, use the following commands:

     $ sudo ls -al /etc/cron.* | grep aide

     -rwxr-xr-x 1 root root 29 Nov 22 2015 aide

     $ sudo grep aide /etc/crontab /var/spool/cron/root

     /etc/crontab: 30 04 * * * root /usr/sbin/aide
     /var/spool/cron/root: 30 04 * * * root /usr/sbin/aide

     $ sudo more /etc/cron.daily/aide

     #!/bin/bash
     /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil

If the file integrity application does not exist, or a script file controlling the execution of the file integrity application does not exist, or the file integrity application does not notify designated personnel of changes, this is a finding.

References:
CCI-001744
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 5 *******************************

QUESTION         : 6 of 37
TITLE            : CAT II, V-230302, SV-230302r1017112, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:15701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:15701
RULE             : RHEL 8 must prevent code from being executed on file systems that contain user home directories.
QUESTION_TEXT    : Verify file systems that contain user home directories are mounted with the "noexec" option.

Note: If a separate file system has not been created for the user home directories (user home directories are mounted under "/"), this is automatically a finding as the "noexec" option cannot be used on the "/" system.

Find the file system(s) that contain the user home directories with the following command:

$ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1,$3,$6}' /etc/passwd

smithj:1001: /home/smithj
robinst:1002: /home/robinst

Check the file systems that are mounted at boot time with the following command:

$ sudo more /etc/fstab

UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home ext4 rw,relatime,discard,data=ordered,nosuid,nodev,noexec 0 2

If a file system found in "/etc/fstab" refers to the user home directory file system and it does not have the "noexec" option set, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 6 *******************************

QUESTION         : 7 of 37
TITLE            : CAT II, V-230303, SV-230303r1017113, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:15901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:15901
RULE             : RHEL 8 must prevent special devices on file systems that are used with removable media.
QUESTION_TEXT    : Verify file systems that are used for removable media are mounted with the "nodev" option with the following command:

$ sudo more /etc/fstab

UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0

If a file system found in "/etc/fstab" refers to removable media and it does not have the "nodev" option set, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 7 *******************************

QUESTION         : 8 of 37
TITLE            : CAT II, V-230304, SV-230304r1017114, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:16101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:16101
RULE             : RHEL 8 must prevent code from being executed on file systems that are used with removable media.
QUESTION_TEXT    : Verify file systems that are used for removable media are mounted with the "noexec" option with the following command:

$ sudo more /etc/fstab

UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0

If a file system found in "/etc/fstab" refers to removable media and it does not have the "noexec" option set, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 8 *******************************

QUESTION         : 9 of 37
TITLE            : CAT II, V-230305, SV-230305r1017115, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:16301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:16301
RULE             : RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
QUESTION_TEXT    : Verify file systems that are used for removable media are mounted with the "nosuid" option with the following command:

$ sudo more /etc/fstab

UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0

If a file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 9 *******************************

QUESTION         : 10 of 37
TITLE            : CAT II, V-230309, SV-230309r1017119, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:17101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:17101
RULE             : Local RHEL 8 initialization files must not execute world-writable programs.
QUESTION_TEXT    : Verify that local initialization files do not execute world-writable programs.

Check the system for world-writable files.

The following command will discover and print world-writable files. Run it once for each local partition [PART]: 

$ sudo find [PART] -xdev -type f -perm -0002 -print

For all files listed, check for their presence in the local initialization files with the following commands:

Note: The example will be for a system that is configured to create user home directories in the "/home" directory.

$ sudo grep <file> /home/*/.*

If any local initialization files are found to reference world-writable files, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 10 *******************************

QUESTION         : 11 of 37
TITLE            : CAT II, V-230310, SV-230310r1017120, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:17301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:17301
RULE             : RHEL 8 must disable kernel dumps unless needed.
QUESTION_TEXT    : Verify that kernel core dumps are disabled unless needed with the following command:

$ sudo systemctl status kdump.service

kdump.service - Crash recovery kernel arming
Loaded: loaded (/usr/lib/systemd/system/kdump.service; enabled; vendor preset: enabled)
Active: active (exited) since Mon 2020-05-04 16:08:09 EDT; 3min ago
Main PID: 1130 (code=exited, status=0/SUCCESS)

If the "kdump" service is active, ask the System Administrator if the use of the service is required and documented with the Information System Security Officer (ISSO).

If the service is active and is not documented, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 11 *******************************

QUESTION         : 12 of 37
TITLE            : CAT II, V-230317, SV-230317r1069320, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:18701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:18701
RULE             : Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory.
QUESTION_TEXT    : Verify that executable search path statements in the initialization files of all local interactive users do not reference a working directory other than the user's home directory, with the following commands:

$ sudo grep -irw path= /home/*/.*

/home/[localinteractiveuser]/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin

If any local interactive user initialization files have executable search path statements that include directories outside of their home directory and these are not documented with the ISSO as an operational requirement, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 12 *******************************

QUESTION         : 13 of 37
TITLE            : CAT II, V-230331, SV-230331r1017143, SRG-OS-000002-GPOS-00002
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:21501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:21501
RULE             : RHEL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less.
QUESTION_TEXT    : Verify that temporary accounts have been provisioned with an expiration date of 72 hours.

For every existing temporary account, run the following command to obtain its account expiration information.

$ sudo chage -l system_account_name

Verify each of these accounts has an expiration date set within 72 hours.

If any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.

References:
CCI-000016
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 13 *******************************

QUESTION         : 14 of 37
TITLE            : CAT II, V-230352, SV-230352r1017165, SRG-OS-000029-GPOS-00010
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:25101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:25101
RULE             : RHEL 8 must automatically lock graphical user sessions after 15 minutes of inactivity.
QUESTION_TEXT    : Verify the operating system initiates a session lock after a 15-minute period of inactivity for graphical user interfaces with the following commands:

This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.

$ sudo gsettings get org.gnome.desktop.session idle-delay

uint32 900

If "idle-delay" is set to "0" or a value greater than "900", this is a finding.

References:
CCI-000057
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 14 *******************************

QUESTION         : 15 of 37
TITLE            : CAT II, V-230374, SV-230374r1069293, SRG-OS-000123-GPOS-00064
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:29101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:29101
RULE             : RHEL 8 must automatically expire temporary accounts within 72 hours.
QUESTION_TEXT    : Note: If temporary accounts do not exist or are not used, this is not applicable.

Verify temporary accounts have been provisioned with an expiration date of 72 hours.

For every existing temporary account, run the following command to obtain its account expiration information:

     $ sudo chage -l <temporary_account_name> | grep -i "account expires"

Verify each of these accounts has an expiration date set within 72 hours.
If any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.

References:
CCI-001682
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 15 *******************************

QUESTION         : 16 of 37
TITLE            : CAT II, V-230379, SV-230379r1017190, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:30101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:30101
RULE             : RHEL 8 must not have unnecessary accounts.
QUESTION_TEXT    : Verify that there are no unauthorized interactive user accounts with the following command:

$ less /etc/passwd

root:x:0:0:root:/root:/bin/bash
...
games:x:12:100:games:/usr/games:/sbin/nologin
scsaustin:x:1001:1001:scsaustin:/home/scsaustin:/bin/bash
djohnson:x:1002:1002:djohnson:/home/djohnson:/bin/bash

Interactive user accounts generally have a user identifier (UID) of 1000 or greater, a home directory in a specific partition, and an interactive shell.

Obtain the list of interactive user accounts authorized to be on the system from the system administrator or information system security officer (ISSO) and compare it to the list of local interactive user accounts on the system.

If there are unauthorized local user accounts on the system, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 16 *******************************

QUESTION         : 17 of 37
TITLE            : CAT II, V-230385, SV-230385r1017194, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:31301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:31301
RULE             : RHEL 8 must define default permissions for logon and non-logon shells.
QUESTION_TEXT    : Verify that the umask default for installed shells is "077".

Check for the value of the "UMASK" parameter in the "/etc/bashrc", "/etc/csh.cshrc" and "/etc/profile" files with the following command:

Note: If the value of the "UMASK" parameter is set to "000" in the "/etc/bashrc", the "/etc/csh.cshrc", or the "/etc/profile" files, the Severity is raised to a CAT I.

# grep -i umask /etc/bashrc /etc/csh.cshrc /etc/profile

/etc/bashrc:          umask 077
/etc/bashrc:          umask 077
/etc/csh.cshrc:      umask 077   
/etc/csh.cshrc:      umask 077
/etc/profile:      umask 077   
/etc/profile:      umask 077

If the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 17 *******************************

QUESTION         : 18 of 37
TITLE            : CAT II, V-230476, SV-230476r958752, SRG-OS-000341-GPOS-00132
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:45301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:45301
RULE             : RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility.
QUESTION_TEXT    : Verify RHEL 8 allocates audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility.

Determine to which partition the audit records are being written with the following command:

$ sudo grep -iw log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log

Check the size of the partition to which audit records are written (with the example being /var/log/audit/) with the following command:

$ sudo df -h /var/log/audit/
/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit

If the audit records are not written to a partition made specifically for audit records (/var/log/audit is a separate partition), determine the amount of space being used by other files in the partition with the following command:

$ sudo du -sh [audit_partition]
1.8G /var/log/audit

If the audit record partition is not allocated for sufficient storage capacity, this is a finding.

Note: The partition size needed to capture a week of audit records is based on the activity level of the system and the total storage capacity available. Typically 10.0 GB of storage space for audit records should be sufficient.

References:
CCI-001849
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 18 *******************************

QUESTION         : 19 of 37
TITLE            : CAT II, V-230484, SV-230484r1038944, SRG-OS-000355-GPOS-00143
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:46901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:46901
RULE             : RHEL 8 must securely compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
QUESTION_TEXT    : Verify RHEL 8 is securely comparing internal information system clocks at least every 24 hours with an NTP server with the following commands:

$ sudo grep maxpoll /etc/chrony.conf

server 0.us.pool.ntp.mil iburst maxpoll 16

If the "maxpoll" option is set to a number greater than 16 or the line is commented out, this is a finding.

Verify the "chrony.conf" file is configured to an authoritative DoD time source by running the following command:

$ sudo grep -i server /etc/chrony.conf
server 0.us.pool.ntp.mil 

If the parameter "server" is not set or is not set to an authoritative DoD time source, this is a finding.

References:
CCI-001891
CCI-004923
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 19 *******************************

QUESTION         : 20 of 37
TITLE            : CAT II, V-230493, SV-230493r1017276, SRG-OS-000095-GPOS-00049
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:48501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:48501
RULE             : RHEL 8 must cover or disable the built-in or attached camera when not in use.
QUESTION_TEXT    : If the device or operating system does not have a camera installed, this requirement is not applicable.

This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision.

This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed.

For an external camera, if there is not a method for the operator to manually disconnect the camera at the end of collaborative computing sessions, this is a finding.

For a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use. If the built-in camera is not protected with a camera cover, or is not physically disabled, this is a finding.

If the camera is not disconnected, covered, or physically disabled, determine if it is being disabled via software with the following commands:

Verify the operating system disables the ability to load the uvcvideo kernel module.

     $ sudo grep -r uvcvideo /etc/modprobe.d/* | grep "/bin/false"
     install uvcvideo /bin/false

If the command does not return any output, or the line is commented out, and the collaborative computing device has not been authorized for use, this is a finding.

Verify the camera is disabled via blacklist with the following command:

     $ sudo grep -r uvcvideo /etc/modprobe.d/* | grep "blacklist"
     blacklist uvcvideo

If the command does not return any output or the output is not "blacklist uvcvideo", and the collaborative computing device has not been authorized for use, this is a finding.

References:
CCI-000381
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 20 *******************************

QUESTION         : 21 of 37
TITLE            : CAT II, V-230500, SV-230500r1101900, SRG-OS-000096-GPOS-00050
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:49901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:49901
RULE             : RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
QUESTION_TEXT    : Inspect the firewall configuration and running services to verify it is configured to prohibit or restrict the use of functions, ports, protocols, and/or services that are unnecessary or prohibited.

Check which zones are active and which services they allow with the following command:

$ sudo firewall-cmd --list-all-zones | grep -e "active" -e "services"

custom (active)
  services: dhcpv6-client dns http https ldaps rpc-bind ssh

The grep shows only the zone header and the "services:" line of each zone. Drop the grep to see the full definition of the active zone, which for the example zone is:

custom (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: ens33
  sources: 
  services: dhcpv6-client dns http https ldaps rpc-bind ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

Connections are also opened by the "ports:", "forward-ports:" and "rich rules:" entries of a zone, so review those against the PPSM CLSA as well, not only the "services:" line.

Ask the system administrator (SA) for the site or program Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA). Verify the services, ports and rules allowed by the firewall match the PPSM CLSA.

If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding.

References:
CCI-000382
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 21 *******************************

QUESTION         : 22 of 37
TITLE            : CAT II, V-230504, SV-230504r958672, SRG-OS-000297-GPOS-00115
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:50501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:50501
RULE             : A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.
QUESTION_TEXT    : Verify "firewalld" is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems with the following commands:

     $ sudo firewall-cmd --state
     running

     $ sudo firewall-cmd --get-active-zones
     custom
       interfaces: ens33

     $ sudo firewall-cmd --info-zone=custom | grep target
     target: DROP

Note: "custom" above is the zone name returned by "--get-active-zones"; substitute each active zone name in the "--info-zone" command and check every active zone, since each interface is bound to exactly one zone and a zone with a different target would leave that interface outside the deny-all policy.

If no zones are active on the RHEL 8 interfaces, or if the target of any active zone is set to an option other than "DROP", this is a finding.

If the "firewalld" package is not installed, ask the System Administrator if an alternate firewall (such as iptables) is installed and in use, and how is it configured to employ a deny-all, allow-by-exception policy. 

If the alternate firewall is not configured to employ a deny-all, allow-by-exception policy, this is a finding.

If no firewall is installed, this is a finding.
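
The following added example (not STIG or SCC content) audits a saved copy of "firewall-cmd --list-all-zones" output for both this requirement (V-230504) and the PPSM requirement above (V-230500): every active zone must have target DROP, and every entry on the active zones' "services:" and "ports:" lines must appear in an allowlist file standing in for the PPSM CLSA, one service name or port/protocol per line. That file format, the function name and the sample zone dump in the self-test are this example's assumptions. Rich rules and forward-ports, which firewalld prints on tab-indented continuation lines, are echoed for manual review because they also open connections.

```bash
#!/bin/bash
# Added example (not STIG text): audit "firewall-cmd --list-all-zones" output.
# For every active zone, check that the target is DROP (deny-all) and that each
# entry on the "services:" and "ports:" lines is in an allowlist file holding
# one approved service name or port/protocol per line (stands in for the site's
# PPSM CLSA). Tab-indented continuation lines (rich rules, forward-ports) are
# printed for manual review. Returns 1 if any finding was printed.
# Usage on a live system:
#   sudo firewall-cmd --list-all-zones > /tmp/zones.txt
#   audit_firewalld /tmp/zones.txt /path/to/clsa.txt
audit_firewalld() {
    dump="$1"; allow="$2"
    awk -v allowfile="$allow" '
        BEGIN {
            # load the allowlist; "#" starts a comment, blank lines are ignored
            while ((getline line < allowfile) > 0) {
                sub(/#.*/, "", line); gsub(/^[ \t]+|[ \t]+$/, "", line)
                if (line != "") allowed[line] = 1
            }
            findings = 0; nactive = 0
        }
        /^[^ \t]/ {                                   # zone header at column 0
            zone = $1; active = ($0 ~ /\(active\)/)
            if (active) nactive++
            next
        }
        !active { next }                              # only active zones matter
        /^  [^ ]/ { section = $0; sub(/^ +/, "", section); sub(/:.*/, "", section) }
        /^  target:/ && $2 != "DROP" {
            print "FINDING " zone ": target is " $2 ", not DROP"; findings++
        }
        /^  services:/ { for (i = 2; i <= NF; i++) check("service", $i) }
        /^  ports:/    { for (i = 2; i <= NF; i++) check("port", $i) }
        /^\t/          { print "REVIEW " zone ": " section ":" $0 }
        END {
            if (nactive == 0) { print "FINDING: no active zones"; findings++ }
            exit (findings > 0 ? 1 : 0)
        }
        function check(kind, item) {
            if (!(item in allowed)) {
                print "FINDING " zone ": " kind " " item " not in PPSM CLSA"; findings++
            }
        }
    ' "$dump"
}
```

Inactive zones are skipped on purpose: a permissive zone that no interface or source is bound to does not open anything, and the check text only asks about active zones.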

References:
CCI-002314
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 22 *******************************

QUESTION         : 23 of 37
TITLE            : CAT II, V-230506, SV-230506r1017286, SRG-OS-000299-GPOS-00117
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:50901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:50901
RULE             : RHEL 8 wireless network adapters must be disabled.
QUESTION_TEXT    : Verify there are no wireless interfaces configured on the system with the following command:

Note: This requirement is Not Applicable for systems that do not have physical wireless network radios.

$ sudo nmcli device status

DEVICE          TYPE      STATE         CONNECTION
virbr0          bridge    connected     virbr0
wlp7s0          wifi      connected     wifiSSID
enp6s0          ethernet  disconnected  --
p2p-dev-wlp7s0  wifi-p2p  disconnected  --
lo              loopback  unmanaged     --
virbr0-nic      tun       unmanaged     --

If a wireless interface (a device of TYPE "wifi" or "wifi-p2p") is configured and has not been documented and approved by the Information System Security Officer (ISSO), this is a finding.

References:
CCI-001444
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 23 *******************************

QUESTION         : 24 of 37
TITLE            : CAT II, V-230524, SV-230524r1014813, SRG-OS-000378-GPOS-00163
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:54501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:54501
RULE             : RHEL 8 must block unauthorized peripherals before establishing a connection.
QUESTION_TEXT    : Verify the USBGuard has a policy configured with the following command:

$ sudo usbguard list-rules

If the command does not return results or an error is returned, ask the SA to indicate how unauthorized peripherals are being blocked.
If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding.

If the USBGuard package is not installed, ask the SA to indicate how unauthorized peripherals are being blocked.
If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding.

If the system is a virtual machine with no virtual or physical USB peripherals attached, this is not a finding.

References:
CCI-001958
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 24 *******************************

QUESTION         : 25 of 37
TITLE            : CAT II, V-244521, SV-244521r1017327, SRG-OS-000080-GPOS-00048
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:62901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:62901
RULE             : RHEL 8 operating systems booted with Unified Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance.
QUESTION_TEXT    : For systems that use BIOS, this is Not Applicable.

Verify that a unique name is set as the "superusers" account:

$ sudo grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg
set superusers="[someuniquestringhere]"
export superusers

If "superusers" is identical to any OS account name or is missing a name, this is a finding.

References:
CCI-000213
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 25 *******************************

QUESTION         : 26 of 37
TITLE            : CAT II, V-244522, SV-244522r1017328, SRG-OS-000080-GPOS-00048
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:63101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:63101
RULE             : RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes.
QUESTION_TEXT    : For systems that use UEFI, this is Not Applicable.

Verify that a unique name is set as the "superusers" account:

$ sudo grep -iw "superusers" /boot/grub2/grub.cfg
set superusers="[someuniquestringhere]"
export superusers

If "superusers" is identical to any OS account name or is missing a name, this is a finding.
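
The following added example (not STIG or SCC content) performs the check for both the UEFI (V-244521) and BIOS (V-244522) cases: it extracts the "set superusers" name from the grub.cfg path given and confirms that it is set and is not a login name in /etc/passwd. The sample grub.cfg and passwd contents in the self-test are constructed, and the function names are this example's own. Note that grub2-mkconfig generates this line from /etc/grub.d/01_users, which on RHEL 8 sets superusers="root" whenever a GRUB password is configured; a fix has to change that script and regenerate grub.cfg, or the next grub2-mkconfig run restores the finding.

```bash
#!/bin/bash
# Added example (not STIG text): read the GRUB "superusers" name and check that
# it is set and is not an existing OS login. GRUB_CFG defaults to the UEFI path;
# pass /boot/grub2/grub.cfg on BIOS systems. PASSWD defaults to /etc/passwd.

# Print the value of the first 'set superusers="..."' line in the file.
grub_superusers() {
    sed -n 's/^[[:space:]]*set superusers="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Return 0 when a name is set and matches no login in the passwd file, else 1.
superusers_check() {
    cfg="${1:-/boot/efi/EFI/redhat/grub.cfg}"
    passwd="${2:-/etc/passwd}"
    name=$(grub_superusers "$cfg")
    if [ -z "$name" ]; then
        echo "FINDING: no superusers name set in $cfg"
        return 1
    fi
    # exact, whole-line, fixed-string match against the login column of passwd
    if cut -d: -f1 "$passwd" | grep -qxF -- "$name"; then
        echo "FINDING: superusers \"$name\" is also an OS account"
        return 1
    fi
    echo "OK: superusers \"$name\" is not an OS account"
}

# Example: superusers_check /boot/efi/EFI/redhat/grub.cfg
# BIOS:    superusers_check /boot/grub2/grub.cfg
```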

References:
CCI-000213
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 26 *******************************

QUESTION         : 27 of 37
TITLE            : CAT II, V-244532, SV-244532r1101906, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:65101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:65101
RULE             : RHEL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.
QUESTION_TEXT    : Verify all files and directories in a local interactive user home directory are group-owned by a group of which the user is a member.

Check the group owner of all files and directories in a local interactive user's home directory with the following command:

Note: The example will be for the user "smithj", who has a home directory of "/home/smithj".

$ sudo ls -lLR /home/smithj/
-rw-r--r-- 1 smithj smithj  18 Mar  5 17:06 file1
-rw-r--r-- 1 smithj smithj 193 Mar  5 17:06 file2
-rw-r--r-- 1 smithj sa     231 Mar  5 17:06 file3

If any files are found with a group owner different from the home directory user's private group, check to see if the user is a member of that group with the following command:

$ sudo grep smithj /etc/group
sa:x:100:juan,shelley,bob,smithj
smithj:x:521:smithj

Note: "/etc/group" lists only local groups; where group membership is served by sssd or LDAP, the user may be a member of a group that does not appear here.

If any files or directories are group-owned by a group of which the directory owner is not a member, verify that this is documented with the information system security officer (ISSO). If it is not, this is a finding.
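
The following added example (not STIG or SCC content) lists every file and directory under a home directory whose group is not among a given set of group names. On a live system the set comes from "id -nG <user>", which resolves memberships through NSS and therefore also sees groups served by sssd or LDAP that a grep of /etc/group misses. Symbolic links are followed to match "ls -lLR". The function names are this example's own, and the self-test builds a throwaway directory tree rather than a real home directory.

```bash
#!/bin/bash
# Added example (not STIG text): report files and directories under DIR whose
# group is not one of the GROUPS listed. Symlinks are followed (-L), matching
# the "ls -lLR" in the check. Output is "group path", one entry per line;
# nothing printed means no finding.
foreign_group_files() {
    dir="$1"; shift
    allowed=" $* "
    find -L "$dir" -printf '%g %p\n' 2>/dev/null | while read -r grp path; do
        case "$allowed" in
            *" $grp "*) ;;                  # a group the owner belongs to
            *) echo "$grp $path" ;;
        esac
    done
}

# Live-system wrapper: resolves the user's memberships with id(1), which goes
# through NSS and so also sees sssd/LDAP groups absent from /etc/group.
home_group_check() {
    user="$1"; home="${2:-/home/$1}"
    foreign_group_files "$home" $(id -nG "$user")
}

# Example:  home_group_check smithj
```

Each line printed is one of the files or directories that the check asks the ISSO documentation to justify.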

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 27 *******************************

QUESTION         : 28 of 37
TITLE            : CAT II, V-244535, SV-244535r1017342, SRG-OS-000029-GPOS-00010
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:65701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:65701
RULE             : RHEL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated.
QUESTION_TEXT    : Verify the operating system initiates a session lock for graphical user interfaces when the screensaver is activated with the following command:

Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.

$ sudo gsettings get org.gnome.desktop.screensaver lock-delay

uint32 5

If the "uint32" setting is missing, or is not set to "5" or less, this is a finding.

References:
CCI-000057
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 28 *******************************

QUESTION         : 29 of 37
TITLE            : CAT II, V-244538, SV-244538r1069324, SRG-OS-000029-GPOS-00010
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:66101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:66101
RULE             : RHEL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface.
QUESTION_TEXT    : Verify the operating system prevents a user from overriding settings for graphical user interfaces. 

Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.

Determine which profile the system database is using with the following command:

$ sudo grep system-db /etc/dconf/profile/user

system-db:local

Check that graphical settings are locked from non-privileged user modification with the following command:

Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used.

$ sudo grep -i idle /etc/dconf/db/local.d/locks/*

/org/gnome/desktop/session/idle-delay

If the command does not return at least the example result, this is a finding.
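
The following added example (not STIG or SCC content) writes the dconf configuration that satisfies this requirement and the screensaver lock-delay requirement above (V-244535): the user profile naming the "local" system database, a system-database keyfile with the idle-delay, lock-enabled and lock-delay values, and the lock file that prevents users from overriding them; it then reproduces this check against the written files. The file names "00-screensaver" under local.d and its locks directory, the 900-second (15-minute) idle-delay, the ROOT prefix and the function names are this example's own choices; "dconf update" is run only when writing to the real /etc.

```bash
#!/bin/bash
# Added example (not STIG text): write the dconf system database and lock file
# that the checks for V-244535 and V-244538 look for. ROOT prefixes every path
# (empty for a live system; the self-test sets it to a temporary directory).
# Values: idle-delay 900 s, lock-delay 5 s, lock-enabled true.
write_dconf_lockdown() {
    root="${1:-}"
    mkdir -p "$root/etc/dconf/profile" "$root/etc/dconf/db/local.d/locks"

    # Profile: the user database first, then the system database "local".
    printf 'user-db:user\nsystem-db:local\n' > "$root/etc/dconf/profile/user"

    # System defaults. dconf keyfiles use GVariant syntax, hence "uint32 900".
    cat > "$root/etc/dconf/db/local.d/00-screensaver" <<'EOF'
[org/gnome/desktop/session]
idle-delay=uint32 900

[org/gnome/desktop/screensaver]
lock-enabled=true
lock-delay=uint32 5
EOF

    # Locks: one key path per line; a locked key cannot be changed in the user database.
    cat > "$root/etc/dconf/db/local.d/locks/00-screensaver" <<'EOF'
/org/gnome/desktop/session/idle-delay
/org/gnome/desktop/screensaver/lock-enabled
/org/gnome/desktop/screensaver/lock-delay
EOF

    # Compile the database so the settings take effect (live system only).
    if [ -z "$root" ] && command -v dconf >/dev/null 2>&1; then
        dconf update
    fi
}

# Reproduce the STIG check: find the system database in the profile and make
# sure idle-delay is locked there. Returns 1 on a finding.
dconf_lock_check() {
    root="${1:-}"
    db=$(sed -n 's/^system-db://p' "$root/etc/dconf/profile/user" 2>/dev/null | head -n 1)
    if [ -z "$db" ]; then
        echo "FINDING: no system-db line in $root/etc/dconf/profile/user"
        return 1
    fi
    if ! grep -qs '^/org/gnome/desktop/session/idle-delay$' "$root/etc/dconf/db/$db.d/locks"/*; then
        echo "FINDING: idle-delay is not locked in database \"$db\""
        return 1
    fi
    echo "OK: idle-delay is locked in database \"$db\""
}

# Live system:  write_dconf_lockdown && dconf_lock_check
```

The check reads the database name from the profile rather than assuming "local", which is the substitution the note above asks for when a site uses a differently named database.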

References:
CCI-000057
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 29 *******************************

QUESTION         : 30 of 37
TITLE            : CAT II, V-244546, SV-244546r1017349, SRG-OS-000368-GPOS-00154
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:67501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:67501
RULE             : The RHEL 8 fapolicyd module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
QUESTION_TEXT    : Verify the RHEL 8 "fapolicyd" employs a deny-all, permit-by-exception policy.

Check that "fapolicyd" is in enforcement mode with the following command:

$ sudo grep permissive /etc/fapolicyd/fapolicyd.conf

permissive = 0

Check that fapolicyd employs a deny-all policy on system mounts with the following commands:

For RHEL 8.4 systems and older:
$ sudo tail /etc/fapolicyd/fapolicyd.rules

For RHEL 8.5 systems and newer:
$ sudo tail /etc/fapolicyd/compiled.rules

allow exe=/usr/bin/python3.7 : ftype=text/x-python
deny_audit perm=any pattern=ld_so : all
deny perm=any all : all

Note: fapolicyd evaluates rules in order and the first match wins, so the policy is deny-by-default only if the final rule is "deny perm=any all : all" and every allow rule precedes it. On RHEL 8.5 and newer, "compiled.rules" is generated from the files in "/etc/fapolicyd/rules.d/" by "fagenrules"; rules are edited there and regenerated rather than by editing "compiled.rules" directly.

If fapolicyd is not running in enforcement mode with a deny-all, permit-by-exception policy, this is a finding.

References:
CCI-001764
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 30 *******************************

QUESTION         : 31 of 37
TITLE            : CAT II, V-250315, SV-250315r1017356, SRG-OS-000021-GPOS-00005
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:69301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:69301
RULE             : RHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory.
QUESTION_TEXT    : If the system does not have SELinux enabled and enforcing a targeted policy, or if the pam_faillock module is not configured for use, this requirement is not applicable.

Note: This check applies to RHEL versions 8.2 or newer. If the system is RHEL version 8.0 or 8.1, this check is not applicable.

Verify the location of the non-default tally directory for the pam_faillock module with the following command:

$ sudo grep -w dir /etc/security/faillock.conf

dir = /var/log/faillock

Check the security context type of the non-default tally directory with the following command:

$ sudo ls -Zd /var/log/faillock

unconfined_u:object_r:faillog_t:s0 /var/log/faillock

If the security context type of the non-default tally directory is not "faillog_t", this is a finding.

References:
CCI-000044
CCI-002238
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 31 *******************************

QUESTION         : 32 of 37
TITLE            : CAT II, V-250317, SV-250317r1017358, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:69701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:69701
RULE             : RHEL 8 must not enable IPv4 packet forwarding unless the system is a router.
QUESTION_TEXT    : Verify RHEL 8 is not performing IPv4 packet forwarding, unless the system is a router.

Check that IPv4 forwarding is disabled using the following command:

$ sudo sysctl net.ipv4.conf.all.forwarding

net.ipv4.conf.all.forwarding = 0

If the IPv4 forwarding value is not "0" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.

Check that the configuration files are present to set this network parameter persistently:

$ sudo grep -r net.ipv4.conf.all.forwarding /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf

/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.forwarding = 0

If "net.ipv4.conf.all.forwarding" is not set to "0", is missing or commented out, this is a finding.

If conflicting results are returned, this is a finding.

Note: systemd-sysctl applies these files in lexical order of file name regardless of directory, with a later file overriding an earlier one for the same key (and, for files of the same name, /etc overriding /run, /usr/local/lib and /usr/lib), so a conflicting value in any listed file can silently replace the intended setting.
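
The following added example (not STIG or SCC content) turns the second half of this check into a function: it collects every uncommented setting of a key from the same set of files, reports a wrong value or disagreement between files as a finding, and can be pointed at any key and expected value. The ROOT prefix, the function names and the sample files in the self-test are this example's own.

```bash
#!/bin/bash
# Added example (not STIG text): collect every uncommented setting of a sysctl
# key across the configuration files named in the check and report whether
# they all agree with the expected value. ROOT prefixes all paths (empty on a
# live system; the self-test uses a temporary directory).

# Print "file value" for each file that sets KEY.
sysctl_settings() {
    key="$1"; root="${2:-}"
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')     # literal dots in the regex
    for f in "$root"/run/sysctl.d/*.conf "$root"/usr/local/lib/sysctl.d/*.conf \
             "$root"/usr/lib/sysctl.d/*.conf "$root"/lib/sysctl.d/*.conf \
             "$root"/etc/sysctl.conf "$root"/etc/sysctl.d/*.conf; do
        [ -f "$f" ] || continue
        # drop comments, then match "key = value" or "key=value"
        sed -n -e 's/[#;].*//' \
               -e "s|^[[:space:]]*$key_re[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*|$f \1|p" "$f"
    done
}

# Return 0 when KEY is set to EXPECTED in at least one file and nowhere to a
# different value; otherwise print the offending settings and return 1.
sysctl_config_check() {
    key="$1"; expected="$2"; root="${3:-}"
    settings=$(sysctl_settings "$key" "$root")
    if [ -z "$settings" ]; then
        echo "FINDING: $key is not set in any sysctl configuration file"
        return 1
    fi
    values=$(printf '%s\n' "$settings" | awk '{print $NF}' | sort -u)
    if [ "$values" != "$expected" ]; then
        echo "FINDING: $key is not consistently set to $expected:"
        printf '%s\n' "$settings"
        return 1
    fi
    echo "OK: $key = $expected in $(printf '%s\n' "$settings" | awk '{print $1}' | tr '\n' ' ')"
}

# Live-system check for this requirement:
#   sysctl_config_check net.ipv4.conf.all.forwarding 0
```

Because "values" is the sorted set of distinct values found, a single wrong value and a conflict between files both fail the same comparison, which matches the two finding conditions stated above.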

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 32 *******************************

QUESTION         : 33 of 37
TITLE            : CAT II, V-254520, SV-254520r1069331, SRG-OS-000324-GPOS-00125
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:71901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:71901
RULE             : RHEL 8 must prevent nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures.
QUESTION_TEXT    : Verify the operating system prevents nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures. 
 
Obtain a list of authorized users (other than system administrator and guest accounts) for the system. 
 
Check the list against the system by using the following command: 
 
     $ sudo semanage login -l | more

     Login Name    SELinux User    MLS/MCS Range    Service

     __default__   user_u          s0-s0:c0.c1023   *
     root          unconfined_u    s0-s0:c0.c1023   *
     system_u      system_u        s0-s0:c0.c1023   *
     joe           staff_u         s0-s0:c0.c1023   *

All administrators must be mapped to the "sysadm_u" or "staff_u" SELinux user, or to an appropriately tailored confined SELinux user as defined by the organization.

All authorized nonadministrative users must be mapped to the "user_u" SELinux user.

Note: "__default__" is the mapping applied to every login that has no explicit entry, so it must map to "user_u" for unlisted users to be confined.

If they are not mapped in this way, this is a finding.

References:
CCI-002235
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 33 *******************************

QUESTION         : 34 of 37
TITLE            : CAT II, V-256973, SV-256973r1017373, SRG-OS-000366-GPOS-00153
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:72301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:72301
RULE             : RHEL 8 must ensure cryptographic verification of vendor software packages.
QUESTION_TEXT    : Confirm Red Hat package-signing keys are installed on the system and verify their fingerprints match vendor values.

Note: For RHEL 8 software packages, Red Hat uses GPG keys labeled "release key 2" and "auxiliary key 2". The keys are defined in key file "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" by default.

List Red Hat GPG keys installed on the system:

     $ sudo rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey | grep -i "red hat"

     gpg(Red Hat, Inc. (release key 2) <security@redhat.com>)
     gpg(Red Hat, Inc. (auxiliary key) <security@redhat.com>)

If Red Hat GPG keys "release key 2" and "auxiliary key 2" are not installed, this is a finding.

Note: The "auxiliary key 2" appears as "auxiliary key" on a RHEL 8 system.

List key fingerprints of installed Red Hat GPG keys:

     $ sudo gpg -q --keyid-format short --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

If key file "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" is missing, this is a finding.

Example output:

     pub   rsa4096/FD431D51 2009-10-22 [SC]
           Key fingerprint = 567E 347A D004 4ADE 55BA  8A5F 199E 2F91 FD43 1D51
     uid                   Red Hat, Inc. (release key 2) <security@redhat.com>
     pub   rsa4096/D4082792 2018-06-27 [SC]
           Key fingerprint = 6A6A A7C9 7C88 90AE C6AE  BFE2 F76F 66C3 D408 2792
     uid                   Red Hat, Inc. (auxiliary key) <security@redhat.com>
     sub   rsa4096/1B5584D3 2018-06-27 [E]
	   
Compare key fingerprints of installed Red Hat GPG keys with fingerprints listed for RHEL 8 on Red Hat "Product Signing Keys" webpage at https://access.redhat.com/security/team/key.

If key fingerprints do not match, this is a finding.

Note: This verifies the key file on disk. Package signatures are enforced only when "gpgcheck=1" is in effect for dnf and is not overridden in an enabled repository file; dnf's signature-checking settings are a separate requirement.

References:
CCI-001749
CCI-003992
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 34 *******************************

QUESTION         : 35 of 37
TITLE            : CAT II, V-272484, SV-272484r1069340, SRG-OS-000445-GPOS-00199
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:73501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:73501
RULE             : RHEL 8 must elevate the SELinux context when an administrator calls the sudo command.
QUESTION_TEXT    : Verify the operating system elevates the SELinux context when an administrator calls the sudo command with the following command:

This command must be run as root:

# grep -r sysadm_r /etc/sudoers /etc/sudoers.d
%{designated_group_or_user_name} ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL

Note: The leading "%" marks a sudoers group name; for an individual account the entry starts with the user name and no "%".

If conflicting results are returned, this is a finding.

If a designated sudoers administrator group or account(s) is not configured to elevate the SELinux type and role to "sysadm_t" and "sysadm_r" with the use of the sudo command, this is a finding.

References:
CCI-002235
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 35 *******************************

QUESTION         : 36 of 37
TITLE            : CAT III, V-230551, SV-230551r1017313, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:59701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:59701
RULE             : The RHEL 8 file integrity tool must be configured to verify extended attributes.
QUESTION_TEXT    : Verify the file integrity tool is configured to verify extended attributes.

If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.

Note: AIDE is highly configurable at install time. This requirement assumes the "aide.conf" file is under the "/etc" directory.

Use the following command to determine if the file is in another location:

$ sudo find / -name aide.conf

Check the "aide.conf" file to determine if the "xattrs" rule has been added to the rule list being applied to the files and directories selection lists.

An example rule that includes the "xattrs" rule follows:

All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux
/bin All # apply the custom rule to the files in bin 
/sbin All # apply the same custom rule to the files in sbin 

If the "xattrs" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 36 *******************************

QUESTION         : 37 of 37
TITLE            : CAT III, V-230552, SV-230552r1101902, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel8os:testaction:59901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel8os:question:59901
RULE             : The RHEL 8 file integrity tool must be configured to verify Access Control Lists (ACLs).
QUESTION_TEXT    : Verify the file integrity tool is configured to verify ACLs.

Note: AIDE is highly configurable at install time. This requirement assumes the "aide.conf" file is under the "/etc" directory.

If AIDE is not installed, ask the system administrator (SA) how file integrity checks are performed on the system.

Use the following command to determine if the file is in a location other than "/etc/aide.conf":

$ sudo find / -name aide.conf

Use the following command to review the "aide.conf" file to determine if the "acl" rule has been added to the rule list being applied to the files and directories selection lists:

$ sudo more /etc/aide.conf

Note: Selection lines usually name a rule (for example "/bin All") rather than listing attributes, so check the definition of every rule used on a selection line (for example "All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux") for "acl".

If the "acl" rule is not being used on all selection lines in the "/etc/aide.conf" file, is commented out, or ACLs are not being checked by another file integrity tool, this is a finding.
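
The following added example (not STIG or SCC content) checks the selection lines of an aide.conf for both this requirement ("acl") and the extended-attributes requirement above ("xattrs", V-230551). Because selection lines name rules and rules may be defined in terms of other rules, it expands rule names recursively before testing each selection line; exclusion lines beginning with "!" carry no rule and are skipped. AIDE's "-" operator for removing attributes from a rule is not handled. The function name and the sample configuration in the self-test are this example's own.

```bash
#!/bin/bash
# Added example (not STIG text): check every selection line in an aide.conf
# for the "xattrs" and "acl" attributes. Selection lines normally name a rule
# ("/bin All") rather than listing attributes, and rules can be built from
# other rules ("NORMAL = FIPSR+sha512"), so a plain grep for "xattrs" on the
# selection lines is wrong in both directions; this expands rule names
# recursively before testing. Exclusion lines ("!/path") carry no rule and are
# skipped. AIDE's "-" operator for removing attributes is not handled.
# Usage: aide_selection_check [/path/to/aide.conf]   (returns 1 on any finding)
aide_selection_check() {
    conf="${1:-/etc/aide.conf}"
    awk '
        { sub(/#.*/, "") }                                   # strip comments
        NF == 0 { next }
        /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {                    # NAME = attr+attr+RULE
            name = $1; sub(/[ \t]*=.*/, "", name)
            def = $0; sub(/^[^=]*=[ \t]*/, "", def); sub(/[ \t]+$/, "", def)
            rules[name] = def; next
        }
        /^!/ { next }                                         # negative selection: no rule
        /^[=\/]/ && NF >= 2 {                                 # selection line: path rule
            attrs = expand($2); missing = ""
            if (!has(attrs, "xattrs")) missing = missing " xattrs"
            if (!has(attrs, "acl"))    missing = missing " acl"
            if (missing != "") { printf "FINDING %s: rule %s lacks%s\n", $1, $2, missing; findings++ }
            checked++
        }
        END {
            printf "checked %d selection lines, %d findings\n", checked, findings
            exit (findings > 0 ? 1 : 0)
        }
        # Expand a rule expression to its attribute tokens, following rule names.
        function expand(expr,   n, parts, i, out) {
            n = split(expr, parts, /\+/); out = ""
            for (i = 1; i <= n; i++)
                out = out "+" ((parts[i] in rules) ? expand(rules[parts[i]]) : parts[i])
            return out
        }
        function has(attrs, attr) { return index(attrs "+", "+" attr "+") > 0 }
    ' "$conf"
}
```

Option lines such as "database=file:..." match the rule-definition pattern and are stored alongside real rules, which is harmless because no selection line refers to them.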

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 37 *******************************

