################################################################################
DOCUMENT         : RHEL_9_STIG
VERSION          : 002.005.007
CHECKSUM         : 1a9ec49f9e925389725236cfd75dd365ea21f22ec1e2cccd81bab3680f5f43a2
MANUAL QUESTIONS : 41

IMPORTANT: Make sure to save the completed version of this file to: 
<SCC Install>/Resources/Content/Manual_Questions/Completed_Files

This file contains all of the non-automated STIG requirements found in the STIG.
Results from this file will be combined with automated checks in SCC to provide
complete STIG compliance results.

This file will be programmatically imported, so do not modify anything in this file
except for placing an '[X]' to select a single answer, and entering text comments.

The list of questions is printed in order of severity, listing CAT I (High), then CAT II, etc.

################################################################################

QUESTION         : 1 of 41
TITLE            : CAT I, V-257789, SV-257789r1102056, SRG-OS-000080-GPOS-00048
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:2301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:2301
RULE             : RHEL 9 must require a unique superusers name upon booting into single-user and maintenance modes.
QUESTION_TEXT    : Verify the boot loader superuser account has been set with the following command:

$ sudo grep -A1 "superusers" /etc/grub2.cfg 

set superusers="<accountname>"
export superusers
password_pbkdf2 <accountname> ${GRUB2_PASSWORD}
 
Verify <accountname> is not a common name such as root, admin, or administrator. Note that the stock /etc/grub.d/01_users template sets superusers="root", so a system on which only grub2-setpassword has been run will still fail this check until the name is changed there and the grub configuration is regenerated.

If superusers contains an easily guessable username, this is a finding.

References:
CCI-000213
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 1 *******************************

QUESTION         : 2 of 41
TITLE            : CAT I, V-257879, SV-257879r1045454, SRG-OS-000405-GPOS-00184
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:20101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:20101
RULE             : RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
QUESTION_TEXT    : Note: If there is a documented and approved reason for not having data-at-rest encryption at the operating system level, such as encryption provided by a hypervisor or a disk storage array in a virtualized environment, this requirement is Not Applicable.

Verify RHEL 9 prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption. 

List all block devices in tree-like format:

$ sudo lsblk --tree

NAME                       MAJ:MIN  RM   SIZE     RO    TYPE    MOUNTPOINTS
zram0                      252:0    0    8G       0     disk    [SWAP]
nvme0n1                    259:0    0    476.9G   0     disk
|-nvme0n1p1                259:1    0    1G       0     part    /boot/efi
|-nvme0n1p2                259:2    0    1G       0     part    /boot
|-nvme0n1p3                259:3    0    474.9G   0     part
  |-luks-<encrypted_id>    253:0    0    474.9G   0     crypt
    |-rhel-root            253:1    0    16G      0     lvm     /
    |-rhel-varcache        253:2    0    8G       0     lvm     /var/cache
    |-rhel-vartmp          253:3    0    4G       0     lvm     /var/tmp
    |-rhel-varlog          253:4    0    4G       0     lvm     /var/log
    |-rhel-home            253:5    0    64G      0     lvm     /home
    |-rhel-varlogaudit     253:6    0    4G       0     lvm     /var/log/audit

Verify that the block device tree for each persistent filesystem, excluding the /boot and /boot/efi filesystems, has at least one parent block device of type "crypt", and that the encryption type is LUKS:

$ sudo cryptsetup status luks-b74f6910-2547-4399-86b2-8b0252d926d7
/dev/mapper/luks-b74f6910-2547-4399-86b2-8b0252d926d7 is active and is in use.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 512 bits
  key location: keyring
  device:  /dev/nvme0n1p3
  sector size:  512
  offset:  32768 sectors
  size:    995986063 sectors
  mode:    read/write

If there are persistent filesystems (other than /boot or /boot/efi) whose block device trees do not have a crypt block device of type LUKS, ask the administrator to indicate how persistent filesystems are encrypted. 

If there is no evidence that persistent filesystems are encrypted, this is a finding.
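As an added example (not part of the STIG or SCC content), the following shell function parses "lsblk --tree" output in the layout shown above and prints every mounted filesystem that has no "crypt" device among its ancestors, skipping /boot, /boot/efi and RAM-backed zram swap. The sample output below, including the extra unencrypted /srv partition, is constructed for the demonstration; the column order assumed is the lsblk default shown in the check, and the tree glyphs are the ASCII ones produced by "lsblk --tree --ascii".

```shell
#!/usr/bin/env bash
# Added example: find mounted filesystems without a LUKS/crypt ancestor in
# "lsblk --tree --ascii" output. Assumes the default columns
# NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS and ASCII tree glyphs ("|-", "`-", "| ").

# Constructed sample (not captured from a host): the check's layout plus an
# unencrypted /srv partition that the function should report.
SAMPLE_LSBLK='NAME                       MAJ:MIN  RM   SIZE     RO    TYPE    MOUNTPOINTS
zram0                      252:0    0    8G       0     disk    [SWAP]
nvme0n1                    259:0    0    476.9G   0     disk
|-nvme0n1p1                259:1    0    1G       0     part    /boot/efi
|-nvme0n1p2                259:2    0    1G       0     part    /boot
|-nvme0n1p3                259:3    0    454.9G   0     part
| `-luks-<encrypted_id>    253:0    0    454.9G   0     crypt
|   |-rhel-root            253:1    0    16G      0     lvm     /
|   `-rhel-home            253:5    0    64G      0     lvm     /home
`-nvme0n1p4                259:4    0    20G      0     part    /srv'

# stdin: lsblk --tree --ascii output
# stdout: "<mountpoint> <device> <type>" for each persistent mount lacking a crypt ancestor
unencrypted_mounts() {
  awk '
    NF < 6 { next }                          # blank or truncated line
    NR == 1 && $1 == "NAME" { next }         # header
    {
      # Tree depth: two columns of glyphs per level before the device name.
      match($0, /[A-Za-z0-9]/)
      level = int((RSTART - 1) / 2)
      sub(/^[^A-Za-z0-9]*/, "")              # drop the glyphs so $1 is NAME
      name = $1; type = $6; mnt = $7
      crypt[level] = (type == "crypt") ? 1 : 0
      enc = 0
      for (l = 0; l < level; l++) if (crypt[l]) enc = 1   # any ancestor is a crypt device
      if (mnt == "" || mnt == "/boot" || mnt == "/boot/efi") next
      if (mnt == "[SWAP]" && name ~ /^zram/) next        # RAM-backed, not persistent
      if (!enc) printf "%s %s %s\n", mnt, name, type
    }'
}

# Demonstration run on the constructed sample; prints "/srv nvme0n1p4 part".
printf '%s\n' "$SAMPLE_LSBLK" | unencrypted_mounts
```

On a live system run `sudo lsblk --tree --ascii | unencrypted_mounts`; an empty result means every persistent filesystem sits under a crypt device, after which `cryptsetup status` on each crypt device confirms the type is LUKS rather than some other dm-crypt mapping.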

References:
CCI-001199
CCI-002475
CCI-002476
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 2 *******************************

QUESTION         : 3 of 41
TITLE            : CAT II, V-257778, SV-257778r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:301
RULE             : RHEL 9 vendor packaged system security patches and updates must be installed and up to date.
QUESTION_TEXT    : Verify RHEL 9 security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by organizational policy.

Obtain the list of available package security updates from Red Hat. The URL for updates is https://access.redhat.com/errata-search/. It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed.

Check that the available package security updates have been installed on the system with the following command:

$ dnf history list | more

    ID | Command line     | Date and time    | Action(s) | Altered
-------------------------------------------------------------------------------
    70 | install aide     | 2023-03-05 10:58 | Install   |    1
    69 | update -y        | 2023-03-04 14:34 | Update    |   18 EE
    68 | install vlc      | 2023-02-21 17:12 | Install   |   21
    67 | update -y        | 2023-02-21 17:04 | Update    |    7 EE

Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM.

If the system is in noncompliance with the organizational patching policy, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 3 *******************************

QUESTION         : 4 of 41
TITLE            : CAT II, V-257779, SV-257779r958390, SRG-OS-000023-GPOS-00006
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:501
RULE             : RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.
QUESTION_TEXT    : Verify RHEL 9 displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the operating system via a command line user logon.

Check that a banner is displayed at the command line login screen with the following command:

$ sudo cat /etc/issue

If the banner is set correctly it will return the following text:

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

If the banner text does not match the Standard Mandatory DOD Notice and Consent Banner exactly, or the line is commented out, this is a finding.

References:
CCI-000048
CCI-001384
CCI-001385
CCI-001386
CCI-001387
CCI-001388
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 4 *******************************

QUESTION         : 5 of 41
TITLE            : CAT II, V-257857, SV-257857r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:15701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:15701
RULE             : RHEL 9 must prevent code from being executed on file systems that are used with removable media.
QUESTION_TEXT    : Verify file systems that are used for removable media are mounted with the "noexec" option with the following command:

$ more /etc/fstab

UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0

If a file system found in "/etc/fstab" refers to removable media and it does not have the "noexec" option set, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 5 *******************************

QUESTION         : 6 of 41
TITLE            : CAT II, V-257858, SV-257858r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:15901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:15901
RULE             : RHEL 9 must prevent special devices on file systems that are used with removable media.
QUESTION_TEXT    : Verify file systems that are used for removable media are mounted with the "nodev" option with the following command:

$ more /etc/fstab

UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0

If a file system found in "/etc/fstab" refers to removable media and it does not have the "nodev" option set, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 6 *******************************

QUESTION         : 7 of 41
TITLE            : CAT II, V-257859, SV-257859r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:16101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:16101
RULE             : RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
QUESTION_TEXT    : Verify file systems that are used for removable media are mounted with the "nosuid" option with the following command:

$ more /etc/fstab

UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0

If a file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set, this is a finding.
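As an added example (not part of the STIG or SCC content), the following shell function checks every /etc/fstab entry that refers to removable media for all three options required by V-257857, V-257858 and V-257859 in a single pass. The STIG leaves "refers to removable media" to the reviewer's judgement; the heuristic used here (an assumption for the demonstration) treats an entry as removable when its mount point is under /mnt, /media or /run/media, or when its filesystem type is vfat, exfat, iso9660 or udf. The sample fstab is constructed.

```shell
#!/usr/bin/env bash
# Added example: report removable-media fstab entries missing noexec, nodev or nosuid.

# Constructed sample fstab: the check's example line plus two weaker entries and root.
SAMPLE_FSTAB='# <device>                                  <mount>        <type>   <options>                            <dump> <pass>
UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222   /mnt/usbflash  vfat     noauto,owner,ro,nosuid,nodev,noexec  0 0
/dev/sr0                                    /media/cdrom   iso9660  noauto,owner,ro                      0 0
UUID=0f4c4cd9-0000-4e7e-9b1a-aaaaaaaaaaaa   /mnt/backup    ext4     noauto,nosuid,nodev                  0 0
/dev/mapper/rhel-root                       /              xfs      defaults                             0 0'

# Heuristic (assumption): mount point location or filesystem type marks removable media.
is_removable() {   # $1: mount point, $2: filesystem type
  case "$1" in /mnt/*|/media/*|/run/media/*) return 0 ;; esac
  case "$2" in vfat|exfat|iso9660|udf) return 0 ;; esac
  return 1
}

# stdin: fstab text
# stdout: "<mount> missing: <opt>..." for each removable entry lacking a required option
fstab_findings() {
  local dev mnt fstype opts rest missing opt
  while read -r dev mnt fstype opts rest; do
    case "$dev" in ''|'#'*) continue ;; esac        # blank lines and comments
    is_removable "$mnt" "$fstype" || continue
    missing=""
    for opt in noexec nodev nosuid; do
      # Wrap in commas so "nodev" does not match inside another option name.
      case ",$opts," in *",$opt,"*) ;; *) missing="$missing $opt" ;; esac
    done
    if [ -n "$missing" ]; then
      printf '%s missing:%s\n' "$mnt" "$missing"
    fi
  done
}

# Demonstration run on the constructed sample; reports /media/cdrom and /mnt/backup.
printf '%s\n' "$SAMPLE_FSTAB" | fstab_findings
```

On a live system run `fstab_findings < /etc/fstab`; anything printed is a finding for the corresponding requirement, and any entry the heuristic does not catch (a removable device mounted elsewhere) still has to be reviewed by hand.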

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 7 *******************************

QUESTION         : 8 of 41
TITLE            : CAT II, V-257928, SV-257928r1044992, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:29901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:29901
RULE             : All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application user.
QUESTION_TEXT    : Verify that world-writable directories are owned by root, a system account, or an application account with the following command. It discovers and prints world-writable directories that are not owned by root (uid 0). Run it once for each local partition [PART]:

$ sudo find PART -xdev -type d -perm -0002 -uid +0 -print

If there is output, review the owner of each listed directory; any world-writable directory not owned by root, sys, bin, or a documented application account is a finding.

References:
CCI-001090
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 8 *******************************

QUESTION         : 9 of 41
TITLE            : CAT II, V-257929, SV-257929r958524, SRG-OS-000138-GPOS-00069
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:30101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:30101
RULE             : A sticky bit must be set on all RHEL 9 public directories.
QUESTION_TEXT    : Verify that all world-writable directories have the sticky bit set.

Determine if all world-writable directories have the sticky bit set by running the following command:

$ sudo find / -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null

The command prints only the path of each world-writable directory that lacks the sticky bit; a compliant system returns nothing (for example, "/tmp" is normally drwxrwxrwt and is therefore not listed).

If any directories are returned, they are world-writable without the sticky bit set, and this is a finding.
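As an added example (not part of the STIG or SCC content), the two "find" searches from V-257928 and V-257929 are wrapped in functions and exercised against a throwaway directory tree, so the reviewer can see exactly which permission combinations each one reports. The tree and its directory names are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: run the world-writable directory checks against a constructed tree.

# V-257929: world-writable directories lacking the sticky bit.
public_dirs_without_sticky() {   # $1: tree root (normally a mounted partition)
  find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# V-257928: world-writable directories not owned by uid 0. Whatever is printed
# must then be compared with the list of sys/bin/approved application accounts.
public_dirs_not_root_owned() {   # $1: tree root
  find "$1" -xdev -type d -perm -0002 -uid +0 2>/dev/null | sort
}

# Constructed tree: one correct public directory (1777), one world-writable
# directory without the sticky bit (0777), one group-writable only (0775).
make_sample_tree() {
  local root
  root=$(mktemp -d)
  mkdir "$root/tmp-ok" "$root/shared-bad" "$root/group-only"
  chmod 1777 "$root/tmp-ok"
  chmod 0777 "$root/shared-bad"
  chmod 0775 "$root/group-only"
  printf '%s\n' "$root"
}

# Demonstration: only "shared-bad" is reported by the sticky-bit check.
root=$(make_sample_tree)
public_dirs_without_sticky "$root"
rm -rf "$root"
```

The ownership search is only meaningful on real partitions run as root (in a scratch tree every directory belongs to the user who created it), which is why the demonstration exercises just the sticky-bit search.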

References:
CCI-001090
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 9 *******************************

QUESTION         : 10 of 41
TITLE            : CAT II, V-257932, SV-257932r1014838, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:30701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:30701
RULE             : RHEL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification.
QUESTION_TEXT    : Verify that all system device files are correctly labeled to prevent unauthorized modification.

List all device files on the system that are incorrectly labeled with the following commands:

Note: Device files are normally found under "/dev", but applications may place device files in other directories and may necessitate a search of the entire system.

# find /dev -context "*:device_t:*" \( -type c -o -type b \) -printf "%p %Z\n"

# find /dev -context "*:unlabeled_t:*" \( -type c -o -type b \) -printf "%p %Z\n"

Note: There are device files, such as "/dev/vmci", that are used when the operating system is a host virtual machine. They will not be owned by a user on the system and require the "device_t" label to operate. These device files are not a finding.

If there is output from either of these commands, other than already noted, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 10 *******************************

QUESTION         : 11 of 41
TITLE            : CAT II, V-257937, SV-257937r1106310, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:31501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:31501
RULE             : The RHEL 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.
QUESTION_TEXT    : Verify the RHEL 9 firewalld is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems with the following commands:

Ensure firewalld is running:
$ sudo firewall-cmd --state
running

Identify active zones:
$ sudo firewall-cmd --get-active-zones
drop
  interfaces: ens192

Check the target and rules of each active zone (in this example the active zone is also the default zone):
$ sudo firewall-cmd --list-all --zone=$(firewall-cmd --get-default-zone)
drop (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: ens192
  sources:
  services: ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

If no zones are active on the RHEL 9 interfaces, or if the runtime or permanent target of an active zone is set to anything other than "DROP", this is a finding. The listing above shows the runtime configuration; repeat it with the "--permanent" option to confirm that the saved target matches.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 11 *******************************

QUESTION         : 12 of 41
TITLE            : CAT II, V-257940, SV-257940r1106312, SRG-OS-000096-GPOS-00050
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:31901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:31901
RULE             : RHEL 9 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
QUESTION_TEXT    : Inspect the firewall configuration and running services to verify it is configured to prohibit or restrict the use of functions, ports, protocols, and/or services that are unnecessary or prohibited.

Check which services are currently active with the following command:

$ sudo firewall-cmd --list-all-zones | grep -e "active" -e "services"

Ask the system administrator for the site or program Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA). Verify the services allowed by the firewall match the PPSM CLSA. 

If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.
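As an added example (not part of the STIG or SCC content), the following shell functions parse the output of "firewall-cmd --list-all-zones" and report, for every active zone, a target other than DROP (V-257937) and any service or port that is not on the PPSM CLSA allow-list (V-257940). The zone listing is constructed (an inactive public zone plus the active drop zone from the check with one extra open port), and the allow-list passed in is an assumption for the demonstration, not a real CLSA.

```shell
#!/usr/bin/env bash
# Added example: audit active firewalld zones from "firewall-cmd --list-all-zones" text.

# Constructed sample, not captured from a host.
SAMPLE_ZONES='public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

drop (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: ens192
  sources:
  services: ssh
  ports: 8443/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# stdin: --list-all-zones output
# stdout: one line per ACTIVE zone: "<zone> target=<t> services=[...] ports=[...]"
active_zone_summary() {
  awk '
    function emit() {
      if (zone != "" && active)
        printf "%s target=%s services=[%s] ports=[%s]\n", zone, target, services, ports
    }
    /^[^ \t]/ { emit(); zone = $1; active = ($0 ~ /\(active\)/)   # zone header line
                target = ""; services = ""; ports = ""; next }
    /^[ \t]+target:/   { target = $2 }
    /^[ \t]+services:/ { sub(/^[ \t]+services:[ \t]*/, ""); services = $0 }
    /^[ \t]+ports:/    { sub(/^[ \t]+ports:[ \t]*/, ""); ports = $0 }
    END { emit() }'
}

# $1: space-separated allow-list (services and port/proto pairs from the PPSM CLSA)
# stdin: active_zone_summary output; stdout: one finding per line, nothing when clean
firewall_findings() {
  local allowed=" $1 " zone rest target services ports item
  while read -r zone rest; do
    target=${rest#target=};        target=${target%% *}
    services=${rest#*services=\[}; services=${services%%]*}
    ports=${rest#*ports=\[};       ports=${ports%%]*}
    [ "$target" = "DROP" ] || echo "zone $zone: target is '$target', not DROP"
    for item in $services $ports; do
      case "$allowed" in
        *" $item "*) ;;
        *) echo "zone $zone: '$item' not in PPSM CLSA" ;;
      esac
    done
  done
}

# Demonstration: with only ssh approved, the open 8443/tcp port is reported.
printf '%s\n' "$SAMPLE_ZONES" | active_zone_summary | firewall_findings "ssh"
```

On a live system run `sudo firewall-cmd --list-all-zones | active_zone_summary | firewall_findings "<approved list>"`; rich rules and forward-ports are not parsed here and still need to be read by hand.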

References:
CCI-000382
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 12 *******************************

QUESTION         : 13 of 41
TITLE            : CAT II, V-257945, SV-257945r1038944, SRG-OS-000355-GPOS-00143
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:32901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:32901
RULE             : RHEL 9 must securely compare internal information system clocks at least every 24 hours.
QUESTION_TEXT    : Verify RHEL 9 is securely comparing internal information system clocks at least every 24 hours with an NTP server with the following commands:

$ sudo grep maxpoll /etc/chrony.conf

server 0.us.pool.ntp.mil iburst maxpoll 16

"maxpoll" is an exponent: chrony polls the source at most every 2^maxpoll seconds, so 16 means 65536 seconds (about 18 hours) and 17 would already exceed 24 hours.

If the "maxpoll" option is set to a number greater than 16 or the line is commented out, this is a finding.

Verify the "chrony.conf" file is configured to an authoritative DOD time source by running the following command:

$ sudo grep -i server /etc/chrony.conf
server 0.us.pool.ntp.mil

Note: chrony also accepts time sources through "pool" and "peer" directives, which this grep does not match; the default RHEL 9 configuration ships a "pool 2.rhel.pool.ntp.org iburst" line that must be reviewed as well.

If the parameter "server" is not set or is not set to an authoritative DOD time source, this is a finding.
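As an added example (not part of the STIG or SCC content), the following shell function examines every time-source directive in a chrony.conf (server, pool and peer, since "grep server" misses pool lines) and reports a missing or too-large maxpoll and any source that is not on an approved list. The configuration sample and the approved-source list are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: check chrony time sources for maxpoll <= 16 and an approved host list.

# Constructed sample chrony.conf, not a real configuration.
SAMPLE_CHRONY='# Use public servers from the pool.ntp.org project.
pool 2.rhel.pool.ntp.org iburst
server 0.us.pool.ntp.mil iburst maxpoll 16
server 1.us.pool.ntp.mil iburst maxpoll 17
server time.example.mil iburst
#server 2.us.pool.ntp.mil iburst maxpoll 16
driftfile /var/lib/chrony/drift'

# maxpoll is an exponent: the polling interval is 2^maxpoll seconds.
maxpoll_seconds() {   # $1: maxpoll value
  echo $(( 1 << $1 ))
}

# $1: space-separated approved time sources; stdin: chrony.conf text
# stdout: one finding per line, nothing when every source is compliant
chrony_findings() {
  local approved=" $1 " directive host rest maxpoll
  while read -r directive host rest; do
    case "$directive" in server|pool|peer) ;; *) continue ;; esac   # comments, other options
    maxpoll=$(printf '%s\n' "$rest" | awk '{ for (i = 1; i < NF; i++) if ($i == "maxpoll") print $(i + 1) }')
    if [ -z "$maxpoll" ]; then
      echo "$directive $host: no explicit maxpoll (chrony default is 10, i.e. 1024 s)"
    elif [ "$maxpoll" -gt 16 ]; then
      echo "$directive $host: maxpoll $maxpoll = $(maxpoll_seconds "$maxpoll") s, exceeds 24 h"
    fi
    case "$approved" in
      *" $host "*) ;;
      *) echo "$directive $host: not an approved DOD time source" ;;
    esac
  done
}

# Demonstration on the constructed sample with two approved hosts.
printf '%s\n' "$SAMPLE_CHRONY" | chrony_findings "0.us.pool.ntp.mil 1.us.pool.ntp.mil"
```

On a live system run `chrony_findings "<approved sources>" < /etc/chrony.conf`; a source without an explicit maxpoll is listed for review because the STIG expects the value to be set, even though chrony's default of 10 is well under 24 hours.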

References:
CCI-001890
CCI-004923
CCI-004926
CCI-001891
CCI-002046
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 13 *******************************

QUESTION         : 14 of 41
TITLE            : CAT II, V-257950, SV-257950r1045006, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:33901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:33901
RULE             : RHEL 9 must not have unauthorized IP tunnels configured.
QUESTION_TEXT    : Verify that RHEL 9 does not have unauthorized IP tunnels configured.

Determine if the "IPsec" service is active with the following command:

$ systemctl is-active ipsec

inactive

If the "IPsec" service is active, check for configured IPsec connections ("conn"), with the following command:

$ sudo grep -rni conn /etc/ipsec.conf /etc/ipsec.d/ 

Verify any returned results are documented with the ISSO.

If the IPsec tunnels are active and not approved, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 14 *******************************

QUESTION         : 15 of 41
TITLE            : CAT II, V-257999, SV-257999r1082182, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:42901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:42901
RULE             : RHEL 9 SSH server configuration files' permissions must not be modified.
QUESTION_TEXT    : Verify the permissions of the "/etc/ssh/sshd_config" file, and of the other files installed by the SSH server package, with the following command:

$ sudo rpm --verify openssh-server

Each line of output begins with a nine-character attribute field (for example "S.5....T.  c /etc/ssh/sshd_config"). The columns relevant to this requirement are M (mode), U (owner), and G (group); a config file (marked "c") that differs only in S, 5, and T records hardening changes to its contents rather than to its permissions, and "missing" marks a file that has been removed.

If the command reports a mode, owner, or group difference, or a missing file, for any file in the package, this is a finding.
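As an added example (not part of the STIG or SCC content), the following shell function classifies "rpm --verify" output so that mode, owner and group changes, which are the subject of this requirement, are separated from content changes to config files that a STIG-hardened sshd_config will always show. The rpm -V sample lines are constructed.

```shell
#!/usr/bin/env bash
# Added example: pick out permission/ownership differences from "rpm -V" output.
# rpm -V prints a nine-character attribute field per file, S M 5 D L U G T P:
# position 2 is M (mode), 6 is U (owner), 7 is G (group); "missing" replaces the
# field for a file that no longer exists; "c" before the path marks a config file.

# Constructed sample of rpm -V output, not taken from a host.
SAMPLE_RPM_V='S.5....T.  c /etc/ssh/sshd_config
.M.......  c /etc/ssh/sshd_config.d/50-redhat.conf
.....UG..    /usr/sbin/sshd
missing      /usr/share/man/man8/sshd.8.gz'

# stdin: rpm -V output
# stdout: "<path> <reason>" for mode/owner/group changes and missing files only
rpm_perm_findings() {
  awk '
    $1 == "missing" { print $NF, "missing"; next }
    {
      why = ""
      if (substr($1, 2, 1) == "M") why = why "mode "
      if (substr($1, 6, 1) == "U") why = why "owner "
      if (substr($1, 7, 1) == "G") why = why "group "
      if (why != "") print $NF, substr(why, 1, length(why) - 1)
    }'
}

# Demonstration: sshd_config (content change only) is not reported; three lines are.
printf '%s\n' "$SAMPLE_RPM_V" | rpm_perm_findings
```

On a live system run `sudo rpm --verify openssh-server | rpm_perm_findings`; the content-only lines it drops are still worth reading, since they show which config files have been edited.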

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 15 *******************************

QUESTION         : 16 of 41
TITLE            : CAT II, V-258028, SV-258028r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:48501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:48501
RULE             : RHEL 9 effective dconf policy must match the policy keyfiles.
QUESTION_TEXT    : Note: This requirement assumes the use of the RHEL 9 default graphical user interface, the GNOME desktop environment. If the system does not have any graphical user interface installed, this requirement is Not Applicable.

Check the last modification time of each local dconf database against the last modification time of its keyfiles. The following function compares every database under /etc/dconf/db with the newest file in its matching "<db>.d" directory and reports each database that is older than its keyfiles:

$ dconf_needs_update() {
    local db db_mtime keyfile_mtime rc=0
    for db in $(find /etc/dconf/db -maxdepth 1 -type f); do
        [ -d "$db.d" ] || continue        # no keyfile directory, nothing to compare
        db_mtime=$(stat -c %Y "$db")
        keyfile_mtime=$(stat -c %Y "$db.d"/* 2>/dev/null | sort -n | tail -1)
        if [ -n "$db_mtime" ] && [ -n "$keyfile_mtime" ] && [ "$db_mtime" -lt "$keyfile_mtime" ]; then
            echo "$db needs update"; rc=1
        fi
    done
    return $rc
}; dconf_needs_update

If the command has any output, a dconf database is older than its keyfiles and must be regenerated with "dconf update", and this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 16 *******************************

QUESTION         : 17 of 41
TITLE            : CAT II, V-258040, SV-258040r991568, SRG-OS-000299-GPOS-00117
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:50901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:50901
RULE             : RHEL 9 wireless network adapters must be disabled.
QUESTION_TEXT    : Verify there are no wireless interfaces configured on the system with the following command:

Note: This requirement is Not Applicable for systems that do not have physical wireless network radios.

$ nmcli device status

DEVICE           TYPE       STATE         CONNECTION
virbr0           bridge     connected     virbr0
wlp7s0           wifi       connected     wifiSSID
enp6s0           ethernet   disconnected  --
p2p-dev-wlp7s0   wifi-p2p   disconnected  --
lo               loopback   unmanaged     --
virbr0-nic       tun        unmanaged     --

If a wireless interface is configured and has not been documented and approved by the information system security officer (ISSO), this is a finding.

References:
CCI-001443
CCI-001444
CCI-002418
CCI-002421
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 17 *******************************

QUESTION         : 18 of 41
TITLE            : CAT II, V-258044, SV-258044r1045135, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:51701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:51701
RULE             : RHEL 9 must set the umask value to 077 for all local interactive user accounts.
QUESTION_TEXT    : Verify that the default umask for all local interactive users is "077".

Identify the locations of all local interactive user home directories by looking at the "/etc/passwd" file.

Check all local interactive user initialization files for interactive users with the following command:

Note: The example is for a system that is configured to create users home directories in the "/home" directory.

$ sudo find /home -maxdepth 2 -type f -name ".[^.]*" -exec grep -iH -d skip --exclude=.bash_history umask {} \;

/home/wadea/.bash_profile:umask 077

Each returned line names the initialization file and the umask statement it contains (the example shows a compliant setting). "077" is a mask, not a permission: any value that leaves a group or other bit unmasked, such as "022" or "027", is less restrictive.

If any local interactive user initialization files are found to have a umask statement that sets a value less restrictive than "077", this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 18 *******************************

QUESTION         : 19 of 41
TITLE            : CAT II, V-258047, SV-258047r1101951, SRG-OS-000123-GPOS-00064
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:52301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:52301
RULE             : RHEL 9 must automatically expire temporary accounts within 72 hours.
QUESTION_TEXT    : Verify temporary accounts have been provisioned with an expiration date of 72 hours.

For every existing temporary account, run the following command to obtain its account expiration information:

$ sudo chage -l <temporary_account_name> | grep -i "account expires"

Verify each of these accounts has an expiration date set within 72 hours. 

If any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.

References:
CCI-000016
CCI-001682
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 19 *******************************

QUESTION         : 20 of 41
TITLE            : CAT II, V-258050, SV-258050r1045137, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:52901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:52901
RULE             : Executable search paths within the initialization files of all local interactive RHEL 9 users must only contain paths that resolve to the system default or the users home directory.
QUESTION_TEXT    : Verify that all local interactive user initialization file executable search path statements do not contain statements that will reference a working directory other than user home directories with the following commands:

$ sudo find /home -maxdepth 2 -type f -name ".[^.]*" -exec grep -iH path= {} \;

/home/wadea/.bash_profile:PATH="$HOME/.local/bin:$HOME/bin:$PATH"

The example is compliant: every entry is relative to the user's home directory or inherits the system default through "$PATH". An empty entry or "." (the current working directory) also counts as a path outside the home directory.

If any local interactive user initialization files have executable search path statements that include directories outside of their home directory or the system default path, and this is not documented with the ISSO as an operational requirement, this is a finding.
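As an added example (not part of the STIG or SCC content), the following shell functions scan user initialization files for umask statements weaker than 077 (V-258044) and for PATH entries outside the user's home directory and the system default (V-258050). The sample home directories, file contents and user names are constructed in a temporary directory so the logic can be exercised without touching /home; treating /usr/local/sbin, /usr/local/bin, /usr/sbin, /usr/bin, /sbin and /bin as the system default path is an assumption.

```shell
#!/usr/bin/env bash
# Added example: check init files for weak umask values and PATH entries outside $HOME.

# A umask is "less restrictive than 077" when any group/other bit is left unmasked,
# i.e. when (mask & 077) != 077 (077 octal is 63 decimal). Only numeric masks are
# evaluated; a symbolic form such as "umask u=rwx,g=,o=" is reported for manual review.
umask_finding() {   # $1: umask value as written in the file
  case "$1" in
    '')        echo "empty umask value"; return 0 ;;
    *[!0-7]*)  echo "symbolic/unparsed: $1"; return 0 ;;
  esac
  if [ $(( 0$1 & 63 )) -ne 63 ]; then   # leading 0 forces octal parsing
    echo "weaker than 077: $1"
  fi
}

# $1: the user's home directory; $2: the PATH value as written (quotes allowed)
# Prints each component that is not home-relative, a system default, or $PATH itself.
path_findings() {
  local home=$1 value=$2 comp
  value=${value#\"}; value=${value%\"}
  printf '%s\n' "$value" | tr ':' '\n' | while read -r comp; do
    case "$comp" in
      ''|.) echo "empty component (current directory)" ;;
      '$PATH'|'${PATH}') ;;
      '$HOME'*|'${HOME}'*|'~'*|"$home"*) ;;
      /usr/local/sbin|/usr/local/bin|/usr/sbin|/usr/bin|/sbin|/bin) ;;
      *) echo "outside home/system default: $comp" ;;
    esac
  done
}

# $1: directory holding user home directories (e.g. /home)
# Prints "<file>: umask ..." and "<file>: PATH ..." findings, nothing when clean.
scan_init_files() {
  local root=$1 f home kw val rest r line
  find "$root" -maxdepth 2 -type f -name ".[!.]*" ! -name .bash_history | sort |
  while read -r f; do
    home=$(dirname "$f")
    grep -iE '^[[:space:]]*umask[[:space:]]' "$f" | while read -r kw val rest; do
      r=$(umask_finding "$val")
      if [ -n "$r" ]; then echo "$f: umask $r"; fi
    done
    grep -iE '^[[:space:]]*(export[[:space:]]+)?PATH=' "$f" | while read -r line; do
      val=${line#*=}
      path_findings "$home" "$val" | sed "s|^|$f: PATH |"
    done
  done
}

# Constructed sample: alice is compliant; bob has a weak umask and a bad PATH.
make_sample_homes() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/alice" "$root/bob"
  printf 'umask 077\nexport PATH="$HOME/.local/bin:$HOME/bin:$PATH"\n' > "$root/alice/.bash_profile"
  printf '# umask 000 in a comment is ignored\numask 022\nPATH=/opt/tools/bin:$PATH:\n' > "$root/bob/.bashrc"
  printf 'umask 027\n' > "$root/bob/.bash_history"   # excluded from the scan
  printf '%s\n' "$root"
}

# Demonstration: three findings, all in bob's .bashrc.
root=$(make_sample_homes)
scan_init_files "$root"
rm -rf "$root"
```

On a live system run `scan_init_files /home` as root; the trailing colon in bob's PATH is reported because an empty component makes the shell search the current working directory.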

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 20 *******************************

QUESTION         : 21 of 41
TITLE            : CAT II, V-258052, SV-258052r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:53301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:53301
RULE             : All RHEL 9 local interactive user home directories defined in the /etc/passwd file must exist.
QUESTION_TEXT    : Verify the assigned home directories of all interactive users on the system exist with the following command:

$ sudo pwck -r 

user 'mailnull': directory 'var/spool/mqueue' does not exist

The output should not return any interactive users.

If a user's home directory does not exist, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 21 *******************************

QUESTION         : 22 of 41
TITLE            : CAT II, V-258053, SV-258053r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:53501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:53501
RULE             : All RHEL 9 local interactive user home directories must be group-owned by the home directory owner's primary group.
QUESTION_TEXT    : Verify the assigned home directory of all local interactive users is group-owned by that user's primary GID with the following command:

Note: This may miss local interactive users that have been assigned a privileged user identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information. The returned directory "/home/wadea" is used as an example.

$ sudo ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)

drwxr-x--- 2 wadea admin 4096 Jun 5 12:41 wadea

Check the user's primary group with the following command:

$ sudo grep $(grep wadea /etc/passwd | awk -F: '{print $4}') /etc/group

admin:x:250:wadea,jonesj,jacksons

If the user home directory referenced in "/etc/passwd" is not group-owned by that user's primary GID, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 22 *******************************

QUESTION         : 23 of 41
TITLE            : CAT II, V-258058, SV-258058r1045148, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:54501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:54501
RULE             : RHEL 9 must not have unauthorized accounts.
QUESTION_TEXT    : Verify that there are no unauthorized interactive user accounts with the following command:

$ less /etc/passwd  

root:x:0:0:root:/root:/bin/bash
...
games:x:12:100:games:/usr/games:/sbin/nologin
scsaustin:x:1001:1001:scsaustin:/home/scsaustin:/bin/bash
djohnson:x:1002:1002:djohnson:/home/djohnson:/bin/bash

Interactive user accounts generally will have a user identifier (UID) of 1000 or greater, a home directory in a specific partition, and an interactive shell.

Obtain the list of interactive user accounts authorized to be on the system from the system administrator or information system security officer (ISSO) and compare it to the list of local interactive user accounts on the system.

If there are unauthorized local user accounts on the system, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 23 *******************************
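
An added example (not STIG or DISA code) that covers questions 21, 22 and 23 together: it lists the local interactive accounts from a passwd file with the same awk filter the STIG command in question 22 uses (UID 1000 or greater and a shell not matching nologin), reports a home directory that is missing or not group-owned by the account's primary GID, and compares the account list with a list of authorized users supplied by the SA or ISSO. The constructed passwd sample, the authorized-user file format (one name per line) and the function names are assumptions; on a live system pass /etc/passwd.

```shell
#!/bin/sh
# Constructed example; not STIG or DISA code.

# interactive_users PASSWD: print "name uid gid home shell" for each local
# interactive account, using the filter from the STIG command in question 22
# (UID >= 1000 and a shell not matching nologin).
# Assumption: home directory paths contain no spaces.
interactive_users() {
    awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $4, $6, $7}' "$1"
}

# home_findings PASSWD: one line per account whose home directory is
# missing (question 21) or not group-owned by its primary GID (question 22).
home_findings() {
    interactive_users "$1" | while read -r name uid gid home shell; do
        if [ ! -d "$home" ]; then
            printf 'MISSING  %s %s\n' "$name" "$home"
        elif [ "$(stat -c %g "$home")" != "$gid" ]; then
            printf 'BADGROUP %s %s primary-gid=%s directory-gid=%s\n' \
                "$name" "$home" "$gid" "$(stat -c %g "$home")"
        fi
    done
}

# unauthorized_users PASSWD AUTHORIZED: print interactive accounts that are
# not listed in AUTHORIZED (one user name per line), per question 23.
unauthorized_users() {
    interactive_users "$1" | awk '{print $1}' | grep -vxF -f "$2" || true
}

# build_sample: create a temporary directory holding a constructed passwd
# file plus an authorized-user list and print its path.  alice's home is
# group-owned by the caller's GID, bob's home does not exist, carol's home
# belongs to another group, and carol is not on the authorized list.
build_sample() {
    d=$(mktemp -d); mkdir "$d/alice"
    gid=$(id -g)
    cat > "$d/passwd" <<EOF
root:x:0:0:root:/root:/bin/bash
games:x:12:100:games:/usr/games:/sbin/nologin
alice:x:1001:$gid:alice:$d/alice:/bin/bash
bob:x:1002:1002:bob:$d/bob:/bin/bash
carol:x:1003:60001:carol:$d/alice:/bin/bash
svc:x:1004:1004:service account:/srv/svc:/usr/sbin/nologin
EOF
    printf 'alice\nbob\n' > "$d/authorized"
    printf '%s\n' "$d"
}

demo_accounts() {
    d=$(build_sample)
    echo "interactive accounts:";    interactive_users "$d/passwd"
    echo "home directory findings:"; home_findings "$d/passwd"
    echo "unauthorized accounts:";   unauthorized_users "$d/passwd" "$d/authorized"
    rm -r "$d"
}
if [ "${1:-}" = "--demo" ]; then demo_accounts; fi
# Live system:  home_findings /etc/passwd
#               unauthorized_users /etc/passwd /path/to/isso-authorized-users.txt
```

Accounts with an interactive shell other than one matching "nologin" (for example /bin/false) are kept by the STIG filter and therefore by this script; review them by hand as the question text directs.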

QUESTION         : 24 of 41
TITLE            : CAT II, V-258062, SV-258062r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:55301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:55301
RULE             : Local RHEL 9 initialization files must not execute world-writable programs.
QUESTION_TEXT    : Verify that local initialization files do not execute world-writable programs with the following command:

Note: The example will be for a system that is configured to create user home directories in the "/home" directory.

$ sudo find /home -perm -002 -type f -name ".[^.]*" -exec ls -ld {} \; 

If any local initialization files are found to reference world-writable files, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 24 *******************************

QUESTION         : 25 of 41
TITLE            : CAT II, V-258096, SV-258096r1045191, SRG-OS-000021-GPOS-00005
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:60701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:60701
RULE             : RHEL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.
QUESTION_TEXT    : Verify the pam_faillock.so module is present in the "/etc/pam.d/password-auth" file:

$ grep pam_faillock.so /etc/pam.d/password-auth

auth required pam_faillock.so preauth
auth required pam_faillock.so authfail
account required pam_faillock.so

If the pam_faillock.so module is not present in the "/etc/pam.d/password-auth" file with the "preauth" line listed before pam_unix.so, this is a finding.

If the system administrator (SA) can demonstrate that the required configuration is contained in a PAM configuration file included or substacked from the system-auth file, this is not a finding.

References:
CCI-000044
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 25 *******************************
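
An added example (not STIG or DISA code) that checks the ordering question 25 asks for rather than only the presence of the module: it walks the active lines of a PAM file, confirms the auth "preauth" line comes before the first pam_unix.so auth line, and confirms the "authfail" and account lines exist. Because PAM control fields such as "[success=1 default=ignore]" contain spaces, modules are matched against the whole line instead of a fixed field. Any "include" or "substack" line in the auth stack is mentioned in the output, since the STIG allows the configuration to live in the included file. The sample files and the function name are assumptions.

```shell
#!/bin/sh
# Constructed example; not STIG or DISA code.

# check_faillock PAMFILE: print one reason per problem and return 1, or
# return 0 silently when the pam_faillock.so layout is as required.
check_faillock() {
    awk '
        /^[ \t]*(#|$)/ { next }                      # comments and blank lines
        { n++ }                                      # position among active lines
        $1 ~ /^-?auth$/ && /include|substack/  { inc = inc " " $NF }
        $1 ~ /^-?auth$/ && /pam_faillock\.so/ && /preauth/  { pre = n }
        $1 ~ /^-?auth$/ && /pam_faillock\.so/ && /authfail/ { fail = n }
        $1 ~ /^-?auth$/ && /pam_unix\.so/ && !unix          { unix = n }
        $1 ~ /^-?account$/ && /pam_faillock\.so/            { acct = n }
        END {
            rc = 0
            if (!pre)                    { print "auth preauth line missing"; rc = 1 }
            else if (unix && pre > unix) { print "preauth listed after pam_unix.so"; rc = 1 }
            if (!fail)                   { print "auth authfail line missing"; rc = 1 }
            if (!acct)                   { print "account pam_faillock.so line missing"; rc = 1 }
            if (rc && inc != "") print "note: auth stack also includes" inc " (check there before rating)"
            exit rc
        }' "$1"
}

# demo_faillock: run the check on a constructed, non-compliant sample in
# which preauth is listed after pam_unix.so.
demo_faillock() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed /etc/pam.d/password-auth sample (non-compliant ordering)
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
auth        required      pam_faillock.so preauth silent deny=3 unlock_time=0 fail_interval=900
auth        required      pam_faillock.so authfail deny=3 unlock_time=0 fail_interval=900
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
EOF
    check_faillock "$f" && echo "compliant" || echo "finding"
    rm -f "$f"
}
if [ "${1:-}" = "--demo" ]; then demo_faillock; fi
# Live system:  check_faillock /etc/pam.d/password-auth
```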

QUESTION         : 26 of 41
TITLE            : CAT II, V-258127, SV-258127r958450, SRG-OS-000067-GPOS-00035
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:66501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:66501
RULE             : RHEL 9, for PKI-based authentication, must enforce authorized access to the corresponding private key.
QUESTION_TEXT    : Verify the SSH private key files have a passcode.

For each private key stored on the system, use the following command:

$ sudo ssh-keygen -y -f /path/to/file

If the contents of the key are displayed, this is a finding.

References:
CCI-000186
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 26 *******************************
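
An added example (not STIG or DISA code) that makes the question 26 check scriptable. "ssh-keygen -y -f KEY" prompts for the passphrase when the key is protected, which stalls an unattended audit, so the script supplies an empty passphrase with -P '' instead: the public key is then printed only for a key that has no passphrase, which is the finding. Private keys are located by their PEM/OpenSSH header rather than by file name. The key generation in the demo, the directory list and the function names are assumptions.

```shell
#!/bin/sh
# Constructed example; not STIG or DISA code.

# key_unprotected KEY: succeed when KEY loads with an EMPTY passphrase,
# i.e. when the private key is not passphrase-protected (a finding).
key_unprotected() {
    ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1
}

# private_key_files DIR...: list text files whose header marks them as a
# private key, whatever they are named (*.pub files never match).
private_key_files() {
    grep -rlI -e '-----BEGIN [A-Z0-9 ]*PRIVATE KEY-----' "$@" 2>/dev/null || true
}

# unprotected_keys DIR...: print every private key under DIR... that has
# no passphrase; empty output means no finding for those directories.
unprotected_keys() {
    private_key_files "$@" | while IFS= read -r key; do
        if key_unprotected "$key"; then printf '%s\n' "$key"; fi
    done
}

# demo_keys: generate one constructed unprotected key and one protected
# key in a temporary directory and run the check over it.
demo_keys() {
    d=$(mktemp -d)
    ssh-keygen -q -t ed25519 -N '' -f "$d/id_plain" -C constructed-no-passphrase
    ssh-keygen -q -t ed25519 -N 'example passphrase' -f "$d/id_locked" -C constructed-protected
    echo "unprotected private keys:"; unprotected_keys "$d"
    rm -r "$d"
}
if [ "${1:-}" = "--demo" ]; then demo_keys; fi
# Live system:  unprotected_keys /root/.ssh /home/*/.ssh
# (sshd host keys in /etc/ssh cannot carry a passphrase and will always be listed)
```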

QUESTION         : 27 of 41
TITLE            : CAT II, V-258131, SV-258131r1015125, SRG-OS-000066-GPOS-00034
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:67101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:67101
RULE             : RHEL 9, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
QUESTION_TEXT    : Verify RHEL 9 for PKI-based authentication has valid certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

Check that the system has a valid DOD root CA installed with the following command:

$ sudo openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem

Example output:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3
        Validity
        Not Before: Mar 20 18:46:41 2012 GMT
        Not After: Dec 30 18:46:41 2029 GMT
        Subject: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption

If the root CA file is not a DOD-issued certificate with a valid date and installed in the "/etc/sssd/pki/sssd_auth_ca_db.pem" location, this is a finding.

References:
CCI-000185
CCI-004068
CCI-001991
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 27 *******************************

QUESTION         : 28 of 41
TITLE            : CAT II, V-258132, SV-258132r1045260, SRG-OS-000068-GPOS-00036
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:67301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:67301
RULE             : RHEL 9 must map the authenticated identity to the user or group account for PKI-based authentication.
QUESTION_TEXT    : Verify the certificate of the user or group is mapped to the corresponding user or group in the "sssd.conf" file with the following command:

$ sudo find /etc/sssd/sssd.conf /etc/sssd/conf.d/ -type f -exec cat {} \;
 
[certmap/testing.test/rule_name]
matchrule =<SAN>.*EDIPI@mil
maprule = (userCertificate;binary={cert!bin})
domains = testing.test

If the certmap section does not exist, ask the system administrator (SA) to indicate how certificates are mapped to accounts. 

If there is no evidence of certificate mapping, this is a finding.

References:
CCI-000187
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 28 *******************************

QUESTION         : 29 of 41
TITLE            : CAT II, V-258134, SV-258134r1101983, SRG-OS-000363-GPOS-00150
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:67701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:67701
RULE             : RHEL 9 must have the AIDE package installed.
QUESTION_TEXT    : Verify the file integrity tool is configured to verify ACLs.

Note: AIDE is highly configurable at install time. This requirement assumes the "aide.conf" file is under the "/etc" directory.

If AIDE is not installed, ask the system administrator (SA) how file integrity checks are performed on the system.

Use the following command to determine if the file is in a location other than "/etc/aide/aide.conf":

$ sudo find / -name aide.conf

Use the following command to review the "aide.conf" file to determine if the "acl" rule has been added to the rule list being applied to the files and directories selection lists:

$ sudo cat /etc/aide.conf | more

If the "acl" rule is not being used on all selection lines in the "/etc/aide.conf" file, is commented out, or ACLs are not being checked by another file integrity tool, this is a finding.

References:
CCI-001744
CCI-002696
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 29 *******************************

QUESTION         : 30 of 41
TITLE            : CAT II, V-258135, SV-258135r1045267, SRG-OS-000363-GPOS-00150
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:67901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:67901
RULE             : RHEL 9 must routinely check the baseline configuration for unauthorized changes and notify the system administrator when anomalies in the operation of any security functions are discovered.
QUESTION_TEXT    : Verify that RHEL 9 routinely executes a file integrity scan for changes to the system baseline. The example commands assume a daily schedule.

Check the cron directories for scripts controlling the execution and notification of results of the file integrity application. For example, if AIDE is installed on the system, use the following commands:

$ sudo ls -al /etc/cron.* | grep aide

-rwxr-xr-x 1 root root 29 Nov 22 2015 aide

$ sudo grep aide /etc/crontab /var/spool/cron/root

/etc/crontab: 30 04 * * * root usr/sbin/aide
/var/spool/cron/root: 30 04 * * * root usr/sbin/aide

$ sudo more /etc/cron.daily/aide

#!/bin/bash
/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil

If the file integrity application does not exist, a script file controlling the execution of the file integrity application does not exist, or the file integrity application does not notify designated personnel of changes, this is a finding.

References:
CCI-001744
CCI-002699
CCI-002702
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 30 *******************************

QUESTION         : 31 of 41
TITLE            : CAT II, V-258136, SV-258136r1045270, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:68101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:68101
RULE             : RHEL 9 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories.
QUESTION_TEXT    : Verify that AIDE is configured to use FIPS 140-3 file hashing with the following command:

$ sudo grep sha512 /etc/aide.conf 

All=p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux

If the "sha512" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or another file integrity tool is not using FIPS 140-3-approved cryptographic hashes for validating file contents and directories, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 31 *******************************

QUESTION         : 32 of 41
TITLE            : CAT II, V-258150, SV-258150r1045296, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:70701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:70701
RULE             : RHEL 9 must use cron logging.
QUESTION_TEXT    : Verify that "rsyslog" is configured to log cron events with the following command:

Note: If another logging package is used, substitute the utility configuration file for "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files.

$ grep -s cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf

/etc/rsyslog.conf:*.info;mail.none;authpriv.none;cron.none /var/log/messages
/etc/rsyslog.conf:cron.* /var/log/cron

If the command does not return a response, check for cron logging all facilities with the following command:

$ logger -p local0.info "Test message for all facilities."

Check the logs for the test message with:

$ sudo tail /var/log/messages

If "rsyslog" is not logging messages for the cron facility or all facilities, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 32 *******************************
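
An added example (not STIG or DISA code) for question 32 that evaluates rsyslog selector rules instead of grepping for the word "cron": for each "selector action" line it works out whether a message of facility cron at priority info would be delivered, honouring the "cron.none" exclusion the STIG output shows in the /var/log/messages rule, and prints the action of every rule that receives it. RainerScript lines ("if ... then", action(...), module(...)) and $-directives are not evaluated and are echoed to stderr for manual review; that, the sample configuration and the function names are assumptions.

```shell
#!/bin/sh
# Constructed example; not STIG or DISA code.

# cron_log_targets CONF...: print the action of every legacy selector rule
# that would receive a cron.info message; exit 1 when none does.
cron_log_targets() {
    awk '
        BEGIN {
            split("emerg alert crit err warning notice info debug", p, " ")
            for (i = 1; i <= 8; i++) lvl[p[i]] = i - 1      # lower number = more severe
            lvl["panic"] = 0; lvl["error"] = 3; lvl["warn"] = 4
            fac = "cron"; pri = lvl["info"]
        }
        /^[ \t]*(#|$)/ { next }
        /^[ \t]*([$]|if[ \t]|action\(|module\(|input\(|ruleset\()/ {
            printf "unparsed (review manually): %s\n", $0 > "/dev/stderr"; next
        }
        NF >= 2 {
            act = $0; sub(/^[^ \t]+[ \t]+/, "", act)   # everything after the selector
            sel_ok = 0
            n = split($1, sel, ";")                     # later selectors override earlier
            for (i = 1; i <= n; i++) {
                k = index(sel[i], "."); if (!k) continue
                m = split(substr(sel[i], 1, k - 1), fl, ","); hit = 0
                for (j = 1; j <= m; j++) if (fl[j] == "*" || fl[j] == fac) hit = 1
                if (!hit) continue                      # selector names other facilities
                p1 = substr(sel[i], k + 1)
                if      (p1 == "none")            sel_ok = 0
                else if (p1 == "*")               sel_ok = 1
                else if (substr(p1, 1, 1) == "=") sel_ok = (lvl[substr(p1, 2)] == pri)
                else if (substr(p1, 1, 1) == "!") { if (pri <= lvl[substr(p1, 2)]) sel_ok = 0 }
                else if (p1 in lvl)               sel_ok = (pri <= lvl[p1])
            }
            if (sel_ok) { print act; found++ }
        }
        END { exit found == 0 }' "$@"
}

# probe_cron_log LOGFILE: live variant of the STIG logger test that sends a
# uniquely marked message on the cron facility itself (the STIG probe uses
# local0.info to exercise all facilities) and looks for it in LOGFILE.
probe_cron_log() {
    marker="cron-log-probe-$$-$(date +%s)"
    logger -p cron.info "$marker"
    sleep 1
    grep -q "$marker" "$1"
}

# demo_rsyslog: the two rules from the STIG output plus typical extras.
demo_rsyslog() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed rsyslog.conf sample
module(load="imuxsock")
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
EOF
    echo "rules receiving cron.info:"; cron_log_targets "$f" || echo "(none: finding)"
    rm -f "$f"
}
if [ "${1:-}" = "--demo" ]; then demo_rsyslog; fi
# Live system:  cron_log_targets /etc/rsyslog.conf /etc/rsyslog.d/*.conf
```

In the demo only /var/log/cron is printed: the /var/log/messages rule matches "*.info" but the trailing "cron.none" removes the cron facility again, which is exactly why the STIG's second fallback test is needed when no "cron.*" rule exists.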

QUESTION         : 33 of 41
TITLE            : CAT II, V-270174, SV-270174r1044831, SRG-OS-000023-GPOS-00006
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:88101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:88101
RULE             : RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
QUESTION_TEXT    : Note: This requirement assumes the use of the RHEL 9 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.

Verify RHEL 9 displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the operating system via a graphical user logon.

Check that the operating system displays the exact Standard Mandatory DOD Notice and Consent Banner text with the command:

$ gsettings get org.gnome.login-screen banner-message-text

banner-message-text=
'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. '

Note: The "\n " characters are for formatting only. They will not be displayed on the graphical interface.

If the banner does not match the Standard Mandatory DOD Notice and Consent Banner exactly, this is a finding.

References:
CCI-000048
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 33 *******************************

QUESTION         : 34 of 41
TITLE            : CAT II, V-270175, SV-270175r1044964, SRG-OS-000080-GPOS-00048
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:88301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:88301
RULE             : RHEL 9 "/etc/audit/" must be owned by root.
QUESTION_TEXT    : Verify the ownership of the "/etc/audit/" directory with the following command:

$ sudo stat -c "%U %n" /etc/audit/

root /etc/audit/

If the "/etc/audit/" directory does not have an owner of "root", this is a finding.

References:
CCI-000162
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 34 *******************************

QUESTION         : 35 of 41
TITLE            : CAT II, V-270177, SV-270177r1051237, SRG-OS-000250-GPOS-00093
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:88701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:88701
RULE             : The RHEL 9 SSH client must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.
QUESTION_TEXT    : Verify the SSH client is configured to use only ciphers employing FIPS 140-3 approved algorithms.

To verify the ciphers in the systemwide SSH configuration file, use the following command:

$ grep -i Ciphers /etc/crypto-policies/back-ends/openssh.config 

Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr

If the cipher entries in the "openssh.config" file have any ciphers other than "aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr", or they are missing or commented out, this is a finding.

References:
CCI-001453
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 35 *******************************

QUESTION         : 36 of 41
TITLE            : CAT II, V-270178, SV-270178r1051243, SRG-OS-000250-GPOS-00093
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:88901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:88901
RULE             : The RHEL 9 SSH client must be configured to use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.
QUESTION_TEXT    : Verify the SSH client is configured to use only MACs employing FIPS 140-3 approved algorithms.

To verify the MACs in the systemwide SSH configuration file, use the following command:

$ grep -i MACs /etc/crypto-policies/back-ends/openssh.config

MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512

If the MACs entries in the "openssh.config" file have any hashes other than "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512", or they are missing or commented out, this is a finding.

References:
CCI-001453
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 36 *******************************
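
An added example (not STIG or DISA code) serving questions 35 and 36 together: it reads every active Ciphers and MACs line from the crypto-policies back-end file, compares each comma-separated entry with the lists quoted in the two questions, and reports any entry outside them, a missing or commented keyword, or a value that begins with "+", "-" or "^" (which, in OpenSSH syntax, edits the built-in default list rather than replacing it, so the effective set would still contain algorithms the question does not allow). The sample files and function names are assumptions.

```shell
#!/bin/sh
# Constructed example; not STIG or DISA code.

# The lists questions 35 and 36 accept, verbatim from the STIG text.
ALLOWED_CIPHERS="aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr"
ALLOWED_MACS="hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512"

# keyword_values CONF KEYWORD: print the value of each active (uncommented)
# KEYWORD line; OpenSSH keywords are case-insensitive.
keyword_values() {
    awk -v kw="$2" 'BEGIN { kw = tolower(kw) }
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == kw { print $2 }' "$1"
}

# check_algorithms CONF KEYWORD ALLOWED: print one line per problem and
# exit 0 only when KEYWORD is present and every entry is in ALLOWED.
check_algorithms() {
    conf=$1; kw=$2; allowed=$3; rc=0
    vals=$(keyword_values "$conf" "$kw")
    if [ -z "$vals" ]; then
        printf '%s: missing or commented out in %s\n' "$kw" "$conf"; return 1
    fi
    for v in $(printf '%s\n' "$vals" | tr ',' ' '); do
        case "$v" in
            [+^-]*) printf '%s: "%s" edits the default list instead of replacing it\n' "$kw" "$v"; rc=1 ;;
            *) case ",$allowed," in
                   *",$v,"*) ;;                            # approved entry
                   *) printf '%s: %s not approved\n' "$kw" "$v"; rc=1 ;;
               esac ;;
        esac
    done
    return $rc
}

# check_ssh_client_crypto [CONF]: run both checks on one file; CONF defaults
# to the crypto-policies back-end named in the questions.
check_ssh_client_crypto() {
    conf=${1:-/etc/crypto-policies/back-ends/openssh.config}
    c=0
    check_algorithms "$conf" Ciphers "$ALLOWED_CIPHERS" || c=1
    check_algorithms "$conf" MACs "$ALLOWED_MACS" || c=1
    return $c
}

# demo_ssh_crypto: a constructed non-compliant back-end file.
demo_ssh_crypto() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed openssh.config sample (non-compliant)
Ciphers aes256-ctr,chacha20-poly1305@openssh.com
#MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
EOF
    check_ssh_client_crypto "$f" && echo "compliant" || echo "finding"
    rm -f "$f"
}
if [ "${1:-}" = "--demo" ]; then demo_ssh_crypto; fi
```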

QUESTION         : 37 of 41
TITLE            : CAT II, V-270180, SV-270180r1045182, SRG-OS-000368-GPOS-00154
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:89101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:89101
RULE             : The RHEL 9 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
QUESTION_TEXT    : Verify the RHEL 9 "fapolicyd" employs a deny-all, permit-by-exception policy.

Check that "fapolicyd" is in enforcement mode with the following command:

$ sudo grep permissive /etc/fapolicyd/fapolicyd.conf

permissive = 0

Check that "fapolicyd" employs a deny-all policy on system mounts with the following commands:

$ sudo tail /etc/fapolicyd/compiled.rules

allow exe=/usr/bin/python3.7 : ftype=text/x-python
deny_audit perm=any pattern=ld_so : all
deny perm=any all : all

If "fapolicyd" is not running in enforcement mode with a deny-all, permit-by-exception policy, this is a finding.

References:
CCI-001764
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 37 *******************************

QUESTION         : 38 of 41
TITLE            : CAT II, V-272488, SV-272488r1082178, SRG-OS-000304-GPOS-00121
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:89301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:89301
RULE             : RHEL 9 must have the Postfix package installed.
QUESTION_TEXT    : Verify that RHEL 9 has the Postfix package installed with the following command:

$ sudo dnf list --installed postfix

Example output:

postfix.x86_64                             2:3.5.25-1.el9 

If the "postfix" package is not installed, this is a finding.

References:
CCI-000015
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 38 *******************************

QUESTION         : 39 of 41
TITLE            : CAT II, V-272496, SV-272496r1082184, SRG-OS-000445-GPOS-00199
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:89501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:89501
RULE             : RHEL 9 must elevate the SELinux context when an administrator calls the sudo command.
QUESTION_TEXT    : Verify that RHEL 9 elevates the SELinux context when an administrator calls the sudo command with the following command:

This command must be run as root:

# grep -r sysadm_r /etc/sudoers /etc/sudoers.d
%{designated_group_or_user_name} ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL

If conflicting results are returned, this is a finding.

If a designated sudoers administrator group or account(s) is not configured to elevate the SELinux type and role to "sysadm_t" and "sysadm_r" with the use of the sudo command, this is a finding.

References:
SV-70979
V-56719
CCI-002235
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 39 *******************************

QUESTION         : 40 of 41
TITLE            : CAT III, V-258138, SV-258138r1045274, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:68501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:68501
RULE             : RHEL 9 must be configured so that the file integrity tool verifies Access Control Lists (ACLs).
QUESTION_TEXT    : Verify that AIDE is verifying ACLs with the following command:

$ sudo grep acl /etc/aide.conf

All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux

If the "acl" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or ACLs are not being checked by another file integrity tool, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 40 *******************************

QUESTION         : 41 of 41
TITLE            : CAT III, V-258139, SV-258139r1045276, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.rhel9os:testaction:68701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.rhel9os:question:68701
RULE             : RHEL 9 must be configured so that the file integrity tool verifies extended attributes.
QUESTION_TEXT    : Verify that AIDE is configured to verify extended attributes with the following command:

$ sudo grep xattrs /etc/aide.conf

All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux

If the "xattrs" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 41 *******************************
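
An added example (not STIG or DISA code) that serves questions 29, 31, 40 and 41 at once. Each of those checks greps aide.conf for one token, which cannot tell whether the token is actually applied on every uncommented selection line. This script parses the file instead: it records each named rule group, expands the rule expression of every active selection line through those groups (including nested groups and "-" removals), and prints each selection line whose effective attribute set lacks sha512, acl or xattrs. The sample configuration, the handling of "@@" macro lines and the function name are assumptions; AIDE's built-in groups (R, L, E) are treated as opaque tokens.

```shell
#!/bin/sh
# Constructed example; not STIG or DISA code.

# check_aide_rules CONF [ATTR...]: for every uncommented selection line in
# CONF (lines starting with "/" or "=/"; "!" negation lines carry no rules)
# print "<selection>: missing <attr>..." when a required attribute is absent
# from the expanded rule set.  ATTR defaults to "sha512 acl xattrs".
# Exit 0 only when no selection line is missing anything.
check_aide_rules() {
    conf=$1; shift
    awk -v req_list="${*:-sha512 acl xattrs}" '
        # apply EXPR to SET: "+" adds tokens, "-" removes them; a token that
        # names a group defined earlier in the file expands recursively.
        function apply(expr, set, sign,    parts, n, i, tok, s) {
            gsub(/-/, "+-", expr)
            n = split(expr, parts, "+")
            for (i = 1; i <= n; i++) {
                tok = parts[i]; s = sign
                if (tok == "") continue
                if (substr(tok, 1, 1) == "-") { tok = substr(tok, 2); s = -sign }
                if (tok in group)   apply(group[tok], set, s)
                else if (s > 0)     set[tok] = 1
                else                delete set[tok]
            }
        }
        BEGIN { nreq = split(req_list, req, " ") }
        /^[ \t]*(#|$)/ { next }                          # comments, blank lines
        /^[ \t]*@@/    { next }                          # @@define / @@include macros
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {         # "NAME = expr" group (or option)
            name = $0; sub(/[ \t]*=.*/, "", name); sub(/^[ \t]*/, "", name)
            val = $0;  sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t].*$/, "", val)
            group[name] = val; next
        }
        /^[ \t]*[=!]?\// {                               # selection line
            if ($1 ~ /^!/) next
            if (NF < 2) { printf "%s: no rule given\n", $1; bad++; next }
            split("", set); apply($2, set, 1)
            missing = ""
            for (i = 1; i <= nreq; i++) if (!(req[i] in set)) missing = missing " " req[i]
            if (missing != "") { printf "%s: missing%s\n", $1, missing; bad++ }
        }
        END { exit bad > 0 }' "$conf"
}

# demo_aide: a constructed aide.conf in which /etc uses a group with sha256
# instead of sha512 and /var/log uses a group that removes acl.
demo_aide() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed aide.conf sample
@@define DBDIR /var/lib/aide
database_in=file:@@{DBDIR}/aide.db.gz
FIPSR = p+i+n+u+g+s+m+acl+selinux+xattrs+sha256
All=p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux
NOACL = All-acl
/boot    All
/bin     All
/etc     FIPSR
/var/log NOACL
!/var/log/lastlog
EOF
    check_aide_rules "$f" && echo "all selection lines compliant" || echo "finding"
    rm -f "$f"
}
if [ "${1:-}" = "--demo" ]; then demo_aide; fi
# Live system:  check_aide_rules /etc/aide.conf          (sha512, acl and xattrs)
#               check_aide_rules /etc/aide.conf acl      (questions 29 and 40 only)
```

The demo prints "/etc: missing sha512" and "/var/log: missing acl" and exits 1; a grep for "sha512" or "acl" would have returned the "All" line and given no hint that two selection lines do not use it.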

