################################################################################
DOCUMENT         : TOSS_4_STIG
VERSION          : 002.003.002
CHECKSUM         : 10eabd37b0540caddc4cee7c6f89a94a507dbb6d2e782b4a83c9591bd4313205
MANUAL QUESTIONS : 51

IMPORTANT: Make sure to save the completed version of this file to: 
<SCC Install>/Resources/Content/Manual_Questions/Completed_Files

This file contains all of the non-automated STIG requirements found in the STIG.
Results from this file will be combined with automated checks in SCC to provide
complete STIG compliance results.

This file will be programmatically imported, so do not modify anything in this file
except for placing an '[X]' to select a single answer, and entering text comments.

The list of questions is printed in order of severity, listing CAT I (High), then CAT II, etc.

################################################################################

QUESTION         : 1 of 51
TITLE            : CAT I, V-253109, SV-253109r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:39501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:39501
RULE             : The x86 Ctrl-Alt-Delete key sequence must be disabled on TOSS.
QUESTION_TEXT    : Verify TOSS is not configured to reboot the system when Ctrl-Alt-Delete is pressed with the following command:

$ sudo systemctl status ctrl-alt-del.target

ctrl-alt-del.target
Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.)
Active: inactive (dead)

If the "ctrl-alt-del.target" is loaded and not masked, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 1 *******************************

QUESTION         : 2 of 51
TITLE            : CAT II, V-252911, SV-252911r958390, SRG-OS-000023-GPOS-00006
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:101
RULE             : TOSS must display the Standard Mandatory DoD Notice and Consent Banner or equivalent US Government Agency Notice and Consent Banner before granting local or remote access to the system.
QUESTION_TEXT    : Verify TOSS displays the Standard Mandatory DoD Notice and Consent Banner or equivalent US Government Agency Notice and Consent Banner before granting access to the system.

Check that TOSS displays a banner at the command line login screen with the following command:

$ sudo cat /etc/issue

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

If the system has a graphical logon capability and does not display a graphical logon banner, this is a finding.

If the text in the file does not match the Standard Mandatory DoD Notice and Consent Banner or equivalent US Government Agency Notice and Consent Banner, this is a finding.

References:
CCI-000048
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 2 *******************************

QUESTION         : 3 of 51
TITLE            : CAT II, V-252912, SV-252912r1016298, SRG-OS-000066-GPOS-00034
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:301
RULE             : TOSS, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
QUESTION_TEXT    : Verify TOSS for PKI-based authentication has valid certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

Note: If the system does not support PKI authentication, this requirement is Not Applicable.

Check that the system has a valid DOD root CA installed with the following command:

$ sudo openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = U.S. Government, OU = DOD, OU = PKI, CN = DOD Root CA 3
        Validity
            Not Before: Mar 20 18:46:41 2012 GMT
            Not After : Dec 30 18:46:41 2029 GMT
        Subject: C = US, O = U.S. Government, OU = DOD, OU = PKI, CN = DOD Root CA 3
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption

If the root CA file is not a DOD-issued certificate with a valid date, or is not installed at the /etc/sssd/pki/sssd_auth_ca_db.pem location, this is a finding.

References:
CCI-000185
CCI-004068
CCI-001991
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 3 *******************************

QUESTION         : 4 of 51
TITLE            : CAT II, V-252913, SV-252913r958450, SRG-OS-000067-GPOS-00035
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:501
RULE             : TOSS, for PKI-based authentication, must enforce authorized access to the corresponding private key.
QUESTION_TEXT    : Verify the operating system, for PKI-based authentication, enforces authorized access to the corresponding private key.

If the system does not allow PKI authentication, this requirement is Not Applicable. 

Verify the SSH private key files have a passphrase.

For each private key stored on the system, use the following command:

$ sudo ssh-keygen -y -f /path/to/file

If the contents of the key are displayed, and use of un-passphrased SSH keys is not documented with the Information System Security Officer (ISSO), this is a finding.

References:
CCI-000186
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 4 *******************************

QUESTION         : 5 of 51
TITLE            : CAT II, V-252920, SV-252920r958518, SRG-OS-000134-GPOS-00068
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:1901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:1901
RULE             : TOSS must use a Linux Security Module configured to enforce limits on system services.
QUESTION_TEXT    : Verify that TOSS verifies the correct operation of all security functions.

Check if "SELinux" is active and in "Enforcing" mode with the following command:

$ sudo getenforce
Enforcing

If "SELinux" is not active or not in "Enforcing" mode, this is a finding.

References:
CCI-001084
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 5 *******************************

QUESTION         : 6 of 51
TITLE            : CAT II, V-252921, SV-252921r958524, SRG-OS-000138-GPOS-00069
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:2101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:2101
RULE             : TOSS must prevent unauthorized and unintended information transfer via shared system resources.
QUESTION_TEXT    : Check to see that all public directories are owned by root or a system account with the following command:

$ sudo find / -type d -perm -0002 -exec ls -lLd {} \;

drwxrwxrwxt 7 root root 4096 Jul 26 11:19 /tmp

If any of the returned directories are not owned by root or a system account, this is a finding.

References:
CCI-001090
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 6 *******************************

QUESTION         : 7 of 51
TITLE            : CAT II, V-252924, SV-252924r991554, SRG-OS-000250-GPOS-00093
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:2701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:2701
RULE             : The TOSS operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.
QUESTION_TEXT    : Verify the SSH daemon is configured to use only ciphers employing FIPS 140-2-approved algorithms:

Verify that system-wide crypto policies are in effect:

$ sudo grep CRYPTO_POLICY /etc/sysconfig/sshd

# CRYPTO_POLICY=

If the "CRYPTO_POLICY" is uncommented, this is a finding.

Verify which system-wide crypto policy is in use:

$ sudo update-crypto-policies --show

FIPS

Check that the ciphers in the back-end configurations are FIPS 140-2-approved algorithms with the following command:

$ sudo grep -i ciphers /etc/crypto-policies/back-ends/openssh.config /etc/crypto-policies/back-ends/opensshserver.config

/etc/crypto-policies/back-ends/openssh.config:Ciphers aes256-ctr,aes192-ctr,aes128-ctr
/etc/crypto-policies/back-ends/opensshserver.config:CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr'
/etc/crypto-policies/back-ends/opensshserver.config:CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr'

If the cipher entries in the "openssh.config" and "opensshserver.config" files list any ciphers other than "aes256-ctr,aes192-ctr,aes128-ctr", list them in an order that differs from the example above, or are missing or commented out, this is a finding.

References:
CCI-001453
CCI-003123
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 7 *******************************

QUESTION         : 8 of 51
TITLE            : CAT II, V-252925, SV-252925r991554, SRG-OS-000250-GPOS-00093
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:2901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:2901
RULE             : The TOSS operating system must implement DoD-approved TLS encryption in the GnuTLS package.
QUESTION_TEXT    : Verify the GnuTLS library is configured to only allow DoD-approved SSL/TLS Versions:

$ sudo grep -io +vers.* /etc/crypto-policies/back-ends/gnutls.config

+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM

If the "gnutls.config" does not list "-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0" to disable unapproved SSL/TLS versions, this is a finding.

References:
CCI-001453
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 8 *******************************

QUESTION         : 9 of 51
TITLE            : CAT II, V-252928, SV-252928r1038944, SRG-OS-000355-GPOS-00143
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:3501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:3501
RULE             : TOSS must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DOD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
QUESTION_TEXT    : If the system is not networked, this requirement is Not Applicable. 

The system clock must be configured to compare the system clock at least every 24 hours to the authoritative time source. 

Check the value of "maxpoll" in the "/etc/chrony/chrony.conf" file with the following command: 

$ sudo grep maxpoll /etc/chrony/chrony.conf 
server tick.usno.navy.mil iburst maxpoll 16

If "maxpoll" is not set to "16" or does not exist, this is a finding. 

Verify that the "chrony.conf" file is configured to an authoritative DOD time source by running the following command: 

$ grep -i server /etc/chrony.conf 
server tick.usno.navy.mil iburst maxpoll 16
server tock.usno.navy.mil iburst maxpoll 16
server ntp2.usno.navy.mil iburst maxpoll 16

If the parameter "server" is not set, is not set to an authoritative DOD time source, or is commented out, this is a finding.

References:
CCI-001890
CCI-004923
CCI-004926
CCI-001891
CCI-002046
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 9 *******************************
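Added example, not part of this SCC file or the TOSS STIG: a POSIX shell script that applies both conditions of this check (every active "server" line carries "maxpoll 16", and every source is one of the USNO hosts the check names) to constructed chrony.conf samples written to temporary files. The sample contents and the allow list are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the SCC file or the TOSS STIG.
# Evaluates the chrony conditions of this check against constructed
# chrony.conf samples written to temporary files (constructed sample data).
CHRONY_GOOD=$(mktemp)
cat > "$CHRONY_GOOD" <<'EOF'
# constructed sample chrony.conf
server tick.usno.navy.mil iburst maxpoll 16
server tock.usno.navy.mil iburst maxpoll 16
#server ntp2.usno.navy.mil iburst maxpoll 16
driftfile /var/lib/chrony/drift
EOF

CHRONY_BAD=$(mktemp)
cat > "$CHRONY_BAD" <<'EOF'
# constructed sample: second server polls too rarely, third is not a DOD source
server tick.usno.navy.mil iburst maxpoll 16
server tock.usno.navy.mil iburst maxpoll 17
server pool.example.org iburst maxpoll 16
EOF
trap 'rm -f "$CHRONY_GOOD" "$CHRONY_BAD"' EXIT

# Returns 0 when at least one uncommented "server" line exists and every
# such line carries "maxpoll 16"; returns 1 otherwise (a finding).
check_chrony_maxpoll() {
    awk '
        /^[[:space:]]*#/ { next }                      # skip comment lines
        $1 == "server" {
            servers++
            ok = 0
            for (i = 3; i < NF; i++)
                if ($i == "maxpoll" && $(i + 1) == "16") ok = 1
            if (!ok) bad++
        }
        END { exit ((servers == 0 || bad > 0) ? 1 : 0) }
    ' "$1"
}

# Returns 0 when every uncommented "server" line names a host in the
# space-separated allow list passed as the second argument; 1 otherwise.
check_chrony_sources() {
    awk -v allowed=" $2 " '
        /^[[:space:]]*#/ { next }
        $1 == "server" && index(allowed, " " $2 " ") == 0 { bad++ }
        END { exit ((bad > 0) ? 1 : 0) }
    ' "$1"
}

# Combined verdict in the wording of the checklist.
chrony_verdict() {
    if check_chrony_maxpoll "$1" && check_chrony_sources "$1" "$2"; then
        echo "Not a Finding"
    else
        echo "Finding"
    fi
}

# Allow list taken from the servers this check lists.
DOD_SOURCES="tick.usno.navy.mil tock.usno.navy.mil ntp2.usno.navy.mil"
echo "good config: $(chrony_verdict "$CHRONY_GOOD" "$DOD_SOURCES")"
echo "bad config:  $(chrony_verdict "$CHRONY_BAD" "$DOD_SOURCES")"
```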

QUESTION         : 10 of 51
TITLE            : CAT II, V-252929, SV-252929r958794, SRG-OS-000363-GPOS-00150
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:3701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:3701
RULE             : The TOSS file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency.
QUESTION_TEXT    : Verify the operating system routinely checks the baseline configuration for unauthorized changes and notifies the system administrator when anomalies in the operation of any security functions are discovered.

Check to see if AIDE is installed on the system with the following command:

$ sudo yum list installed aide

If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.

Check that TOSS routinely executes a file integrity scan for changes to the system baseline. The commands in the example below assume a daily schedule.

Check the cron directories for scripts controlling the execution and notification of results of the file integrity application. For example, if AIDE is installed on the system, use the following commands:

$ sudo ls -al /etc/cron.* | grep aide

-rwxr-xr-x 1 root root 29 Nov 22 2015 aide

$ sudo grep aide /etc/crontab /var/spool/cron/root

/etc/crontab: 30 04 * * * root usr/sbin/aide
/var/spool/cron/root: 30 04 * * * root usr/sbin/aide

$ sudo more /etc/cron.daily/aide

#!/bin/bash
/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil

Here the use of /bin/mail is one example of how to notify designated personnel. There may be other methods available to a system, such as notifications from an external log aggregation service (e.g., SIEM).

If the file integrity application does not exist, or a script file controlling the execution of the file integrity application does not exist, or the file integrity application does not notify designated personnel of changes, this is a finding.

References:
CCI-001744
CCI-002699
CCI-002702
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 10 *******************************

QUESTION         : 11 of 51
TITLE            : CAT II, V-252935, SV-252935r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:4901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:4901
RULE             : For TOSS systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.
QUESTION_TEXT    : Determine whether the system is using local or DNS name resolution with the following command:

$ sudo grep hosts /etc/nsswitch.conf

hosts: files dns

If the DNS entry is missing from the "hosts" line in the "/etc/nsswitch.conf" file, the "/etc/resolv.conf" file must be empty.

Verify the "/etc/resolv.conf" file is empty with the following command:

$ sudo ls -al /etc/resolv.conf

-rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf

If local host authentication is being used and the "/etc/resolv.conf" file is not empty, this is a finding.

If the DNS entry is found on the "hosts" line of the "/etc/nsswitch.conf" file, verify the operating system is configured to use two or more name servers for DNS resolution.

Determine the name servers used by the system with the following command:

$ sudo grep nameserver /etc/resolv.conf

nameserver 192.168.1.2
nameserver 192.168.1.3

If fewer than two uncommented lines are returned, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 11 *******************************
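Added example, not part of this SCC file or the TOSS STIG: a POSIX shell script that walks the decision logic of this check (is DNS on the "hosts" line; if so, are there at least two active name servers; if not, is resolv.conf empty) over constructed nsswitch.conf and resolv.conf samples in temporary files. Unlike a bare "grep nameserver", the counter skips commented-out entries, which the check says not to count. File contents and addresses are constructed.

```shell
#!/bin/sh
# Added example, not part of the SCC file or the TOSS STIG.
# Applies the decision logic of this check to constructed sample files.
NSS_DNS=$(mktemp)
cat > "$NSS_DNS" <<'EOF'
# constructed sample nsswitch.conf (DNS in use)
passwd:     files sss
hosts:      files dns myhostname
EOF

NSS_LOCAL=$(mktemp)
cat > "$NSS_LOCAL" <<'EOF'
# constructed sample nsswitch.conf (local resolution only)
hosts:      files
EOF

RESOLV_TWO=$(mktemp)
cat > "$RESOLV_TWO" <<'EOF'
# constructed sample resolv.conf: two active servers, one commented out
search example.mil
nameserver 192.168.1.2
#nameserver 192.168.1.4
nameserver 192.168.1.3
EOF

RESOLV_EMPTY=$(mktemp)   # zero-byte file, as the check expects for local resolution
trap 'rm -f "$NSS_DNS" "$NSS_LOCAL" "$RESOLV_TWO" "$RESOLV_EMPTY"' EXIT

# Returns 0 when the "hosts" line of nsswitch.conf lists the dns source.
uses_dns() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "hosts:" { for (i = 2; i <= NF; i++) if ($i == "dns") found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Prints the number of active (uncommented) nameserver lines; 0 if none.
count_nameservers() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c '^[[:space:]]*nameserver[[:space:]]' "$1" || true
}

# Returns 0 for "Not a Finding", 1 for "Finding".
check_dns_resolution() {
    if uses_dns "$1"; then
        [ "$(count_nameservers "$2")" -ge 2 ]
    else
        [ ! -s "$2" ]    # local resolution: resolv.conf must be empty
    fi
}

dns_verdict() {
    if check_dns_resolution "$1" "$2"; then echo "Not a Finding"; else echo "Finding"; fi
}

echo "dns, two servers:    $(dns_verdict "$NSS_DNS" "$RESOLV_TWO")"
echo "dns, empty resolv:   $(dns_verdict "$NSS_DNS" "$RESOLV_EMPTY")"
echo "local, empty resolv: $(dns_verdict "$NSS_LOCAL" "$RESOLV_EMPTY")"
echo "local, populated:    $(dns_verdict "$NSS_LOCAL" "$RESOLV_TWO")"
```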

QUESTION         : 12 of 51
TITLE            : CAT II, V-252936, SV-252936r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:5101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:5101
RULE             : The debug-shell systemd service must be disabled on TOSS.
QUESTION_TEXT    : Verify TOSS is configured to mask the debug-shell systemd service with the following command:

$ sudo systemctl status debug-shell.service

debug-shell.service
Loaded: masked (Reason: Unit debug-shell.service is masked.)
Active: inactive (dead)

If the "debug-shell.service" is loaded and not masked, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 12 *******************************

QUESTION         : 13 of 51
TITLE            : CAT II, V-252941, SV-252941r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:6101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:6101
RULE             : TOSS must not be performing packet forwarding unless the system is a router.
QUESTION_TEXT    : Verify TOSS is not performing packet forwarding unless the system is a router. If the system is a router (sometimes called a gateway) this requirement is Not Applicable.

Note: If either IPv4 or IPv6 is disabled on the system, this requirement only applies to the active internet protocol version.

Check to see if IP forwarding is enabled using the following commands:

$ sudo sysctl net.ipv4.ip_forward

net.ipv4.ip_forward = 0

$ sudo sysctl net.ipv6.conf.all.forwarding

net.ipv6.conf.all.forwarding = 0

If the IP forwarding value is not "0" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 13 *******************************

QUESTION         : 14 of 51
TITLE            : CAT II, V-252948, SV-252948r1016304, SRG-OS-000028-GPOS-00009
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:7501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:7501
RULE             : TOSS must retain a user's session lock until that user reestablishes access using established identification and authentication procedures.
QUESTION_TEXT    : Verify TOSS retains a user's session lock until that user reestablishes access using established identification and authentication procedures with the following command:

Note: This requirement assumes the use of the TOSS default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.

$ sudo gsettings get org.gnome.desktop.screensaver lock-enabled
true

If the setting is "false", this is a finding.

References:
CCI-000056
CCI-000057
CCI-000060
CCI-000058
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 14 *******************************

QUESTION         : 15 of 51
TITLE            : CAT II, V-252949, SV-252949r958402, SRG-OS-000029-GPOS-00010
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:7701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:7701
RULE             : TOSS must automatically lock graphical user sessions after 15 minutes of inactivity.
QUESTION_TEXT    : Verify TOSS initiates a session lock after at most a 15-minute period of inactivity for graphical user interfaces with the following commands:

Note: This requirement assumes the use of the TOSS default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.

$ sudo gsettings get org.gnome.desktop.session idle-delay
uint32 900

If "idle-delay" is set to "0" or a value greater than "900", this is a finding.

References:
CCI-000057
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 15 *******************************

QUESTION         : 16 of 51
TITLE            : CAT II, V-252950, SV-252950r958452, SRG-OS-000068-GPOS-00036
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:7901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:7901
RULE             : TOSS must map the authenticated identity to the user or group account for PKI-based authentication.
QUESTION_TEXT    : Verify the certificate of the user or group is mapped to the corresponding user or group in the "sssd.conf" file with the following command:

Note: If the system does not support PKI authentication, this requirement is Not Applicable.

$ sudo cat /etc/sssd/sssd.conf

[sssd]
config_file_version = 2
services = pam, sudo, ssh
domains = testing.test

[pam]
pam_cert_auth = True

[domain/testing.test]
id_provider = ldap

[certmap/testing.test/rule_name]
matchrule =<SAN>.*EDIPI@mil
maprule = (userCertificate;binary={cert!bin})
domains = testing.test

If the certmap section does not exist, ask the System Administrator to indicate how certificates are mapped to accounts. If there is no evidence of certificate mapping, this is a finding.

References:
CCI-000187
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 16 *******************************

QUESTION         : 17 of 51
TITLE            : CAT II, V-252951, SV-252951r958482, SRG-OS-000104-GPOS-00051
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:8101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:8101
RULE             : TOSS duplicate User IDs (UIDs) must not exist for interactive users.
QUESTION_TEXT    : Verify that TOSS contains no duplicate User IDs (UIDs) for interactive users.

Check that the operating system contains no duplicate UIDs for interactive users with the following command:

$ sudo awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd

If output is produced, and the accounts listed are interactive user accounts, this is a finding.

References:
CCI-000764
CCI-000804
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 17 *******************************
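Added example, not part of this SCC file or the TOSS STIG: a POSIX shell script that runs the check's awk one-liner against a constructed /etc/passwd and adds a grouped view listing every account that shares a UID with an interactive user (UID 1000 or greater with a real login shell), so the reviewer can answer "are the accounts listed interactive?" from the output alone. Account names and UIDs are constructed.

```shell
#!/bin/sh
# Added example, not part of the SCC file or the TOSS STIG.
# Constructed /etc/passwd sample with two shared UIDs: 1001 (two interactive
# users) and 1002 (a service account and an interactive user).
PASSWD_SAMPLE=$(mktemp)
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
smithj:x:1001:250:J. Smith:/home/smithj:/bin/bash
jonesj:x:1001:250:J. Jones:/home/jonesj:/bin/bash
svc_backup:x:1002:1002:backup service:/var/lib/backup:/sbin/nologin
jacksons:x:1002:250:S. Jackson:/home/jacksons:/bin/bash
EOF
trap 'rm -f "$PASSWD_SAMPLE"' EXIT

# The check's command: prints "name uid" for each line whose UID was already
# seen, i.e. only the second and later holders of a duplicated UID.
duplicate_uids() {
    awk -F ":" 'list[$3]++{print $1, $3}' "$1"
}

# Prints "uid: name name ..." for every UID held by two or more accounts where
# at least one holder is interactive (UID >= 1000 and a login shell that is
# not nologin/false). All holders are shown, not just the later ones.
duplicate_interactive_uids() {
    awk -F ":" '
        { count[$3]++; names[$3] = names[$3] " " $1 }
        $3 >= 1000 && $7 !~ /(nologin|false)$/ { interactive[$3] = 1 }
        END {
            for (uid in count)
                if (count[uid] > 1 && interactive[uid]) print uid ":" names[uid]
        }
    ' "$1" | sort -n
}

# "Not a Finding" when no interactive user shares a UID, else "Finding".
uid_verdict() {
    if [ -z "$(duplicate_interactive_uids "$1")" ]; then
        echo "Not a Finding"
    else
        echo "Finding"
    fi
}

echo "check one-liner output:"
duplicate_uids "$PASSWD_SAMPLE"
echo "grouped view:"
duplicate_interactive_uids "$PASSWD_SAMPLE"
echo "verdict: $(uid_verdict "$PASSWD_SAMPLE")"
```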

QUESTION         : 18 of 51
TITLE            : CAT II, V-252952, SV-252952r1016305, SRG-OS-000105-GPOS-00052
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:8301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:8301
RULE             : TOSS must use multifactor authentication for network and local access to privileged and nonprivileged accounts.
QUESTION_TEXT    : Verify the operating system uses multifactor authentication for network access to privileged accounts. If it does not, this is a finding.

Note: This requirement is applicable to any externally accessible nodes of the TOSS system. For compute or other intra-cluster only accessible nodes, this requirement is Not Applicable.

One possible method for meeting this requirement is to require smart card logon for access to interactive accounts.

Check that the "pam_cert_auth" setting is set to "true" in the "/etc/sssd/sssd.conf" file.

Check that the "try_cert_auth" or "require_cert_auth" options are configured in both "/etc/pam.d/system-auth" and "/etc/pam.d/smartcard-auth" files with the following command:

$ sudo grep cert_auth /etc/sssd/sssd.conf /etc/pam.d/*

/etc/sssd/sssd.conf:pam_cert_auth = True
/etc/pam.d/smartcard-auth:auth sufficient pam_sss.so try_cert_auth
/etc/pam.d/system-auth:auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth

If "pam_cert_auth" is not set to "true" in "/etc/sssd/sssd.conf", this is a finding.

If "pam_sss.so" is not set to "try_cert_auth" or "require_cert_auth" in both the "/etc/pam.d/smartcard-auth" and "/etc/pam.d/system-auth" files, this is a finding.

References:
CCI-000765
CCI-000766
CCI-004047
CCI-000767
CCI-000768
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 18 *******************************

QUESTION         : 19 of 51
TITLE            : CAT II, V-252954, SV-252954r958508, SRG-OS-000123-GPOS-00064
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:8701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:8701
RULE             : TOSS must automatically remove or disable emergency accounts after the crisis is resolved or 72 hours.
QUESTION_TEXT    : Verify emergency accounts have been provisioned with an expiration date of 72 hours.

For every existing emergency account, run the following command to obtain its account expiration information.

$ sudo chage -l system_account_name

Verify each of these accounts has an expiration date set within 72 hours. If any emergency accounts have no expiration date set or do not expire within 72 hours, this is a finding.

If there are no emergency accounts configured, this requirement is Not Applicable.

References:
CCI-001682
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 19 *******************************

QUESTION         : 20 of 51
TITLE            : CAT II, V-252956, SV-252956r991568, SRG-OS-000299-GPOS-00117
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:9101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:9101
RULE             : TOSS must protect wireless access to the system using authentication of users and/or devices.
QUESTION_TEXT    : Verify there are no wireless interfaces configured on the system with the following command:

Note: This requirement is Not Applicable for systems that do not have physical wireless network radios.

$ sudo nmcli device status
DEVICE          TYPE      STATE         CONNECTION
virbr0          bridge    connected     virbr0
wlp7s0          wifi      connected     wifiSSID
enp6s0          ethernet  disconnected  --
p2p-dev-wlp7s0  wifi-p2p  disconnected  --
lo              loopback  unmanaged     --
virbr0-nic      tun       unmanaged     --

If a wireless interface is configured and has not been documented and approved by the Information System Security Officer (ISSO), this is a finding.

References:
CCI-001443
CCI-001444
CCI-002418
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 20 *******************************

QUESTION         : 21 of 51
TITLE            : CAT II, V-252961, SV-252961r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:10101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:10101
RULE             : All TOSS local interactive user home directories must be group-owned by the home directory owner's primary group.
QUESTION_TEXT    : Verify the assigned home directory of all local interactive users is group-owned by that user's primary GID with the following command:

Note: This may miss local interactive users that have been assigned a privileged UID. Evidence of interactive use may be obtained from a number of log files containing system logon information. The returned directory "/home/smithj" is used as an example.

$ sudo ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)

drwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj

Check the user's primary group with the following command:

$ sudo grep $(grep smithj /etc/passwd | awk -F: '{print $4}') /etc/group

admin:x:250:smithj,jonesj,jacksons

If the user home directory referenced in "/etc/passwd" is not group-owned by that user's primary GID, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 21 *******************************

QUESTION         : 22 of 51
TITLE            : CAT II, V-252962, SV-252962r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:10301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:10301
RULE             : All TOSS local interactive users must have a home directory assigned in the /etc/passwd file.
QUESTION_TEXT    : Verify local interactive users on TOSS have a home directory assigned with the following command:

$ sudo pwck -r

user 'lp': directory '/var/spool/lpd' does not exist
user 'news': directory '/var/spool/news' does not exist
user 'uucp': directory '/var/spool/uucp' does not exist
user 'www-data': directory '/var/www' does not exist

Ask the System Administrator (SA) if any users found without home directories are local interactive users. If the SA is unable to provide a response, check for users with a User Identifier (UID) of 1000 or greater with the following command:

$ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd

If any interactive users do not have a home directory assigned, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 22 *******************************

QUESTION         : 23 of 51
TITLE            : CAT II, V-252964, SV-252964r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:10701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:10701
RULE             : TOSS must disable the user list at logon for graphical user interfaces.
QUESTION_TEXT    : Verify the operating system disables the user logon list for graphical user interfaces with the following command:

Note: This requirement assumes the use of the TOSS default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.

$ sudo gsettings get org.gnome.login-screen disable-user-list
true

If the setting is "false", this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 23 *******************************

QUESTION         : 24 of 51
TITLE            : CAT II, V-252967, SV-252967r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:11301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:11301
RULE             : TOSS must not have unnecessary accounts.
QUESTION_TEXT    : Verify all accounts on the system are assigned to an active system, application, or user account.

Obtain the list of authorized system accounts from the Information System Security Officer (ISSO).

Check the system accounts on the system with the following command:

$ sudo more /etc/passwd

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin

Accounts such as "games" and "gopher" are not authorized accounts as they do not support authorized system functions. 

If the accounts on the system do not match the provided documentation, or accounts that do not support an authorized system function are present, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 24 *******************************

QUESTION         : 25 of 51
TITLE            : CAT II, V-252969, SV-252969r991592, SRG-OS-000480-GPOS-00230
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:11701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:11701
RULE             : All TOSS local interactive user home directories must have mode 0770 or less permissive.
QUESTION_TEXT    : Verify the operating system limits the ability of non-privileged users to grant other users direct access to the contents of their home directories/folders.

Ensure that the permissions on all user home directories are set to 770 with the following command:

$ find $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) -maxdepth 0 -not -perm 770 -ls

If there is any output, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 25 *******************************

QUESTION         : 26 of 51
TITLE            : CAT II, V-252970, SV-252970r991592, SRG-OS-000480-GPOS-00230
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:11901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:11901
RULE             : All TOSS local interactive user home directories must be owned by root.
QUESTION_TEXT    : Check that all user home directories are owned by the root user with the following command:

$ find $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) -maxdepth 0 -not -user root -ls

If there is any output, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 26 *******************************

QUESTION         : 27 of 51
TITLE            : CAT II, V-252971, SV-252971r991592, SRG-OS-000480-GPOS-00230
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:12101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:12101
RULE             : All TOSS local interactive user home directories must be owned by the user's primary group.
QUESTION_TEXT    : Check that all user home directories are owned by the user's primary group with the following command:

$ awk -F: '($3>=1000)&&($7 !~ /nologin/)&&("stat -c '%g' " $6 | getline dir_group)&&(dir_group!=$4){print $1,$6}' /etc/passwd
admin /home/admin

Check each user's primary group with the following command (example command is for the "admin" user):

$ sudo grep "^admin" /etc/group
admin:x:250:smithj,jonesj,jacksons

If the user home directory referenced in "/etc/passwd" is not group-owned by that user's primary GID, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 27 *******************************

QUESTION         : 28 of 51
TITLE            : CAT II, V-253023, SV-253023r991567, SRG-OS-000278-GPOS-00108
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:22501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:22501
RULE             : TOSS must use cryptographic mechanisms to protect the integrity of audit tools.
QUESTION_TEXT    : Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use cryptographic mechanisms to protect the integrity of audit tools.

If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.

Check the selection lines to ensure AIDE is configured to add/check with the following command:

$ sudo egrep '(\/usr\/sbin\/(audit|au|rsys))' /etc/aide.conf

/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512

If any of the audit tools listed above do not have an appropriate selection line, ask the system administrator to indicate what cryptographic mechanisms are being used to protect the integrity of the audit tools. If there is no evidence of integrity protection, this is a finding.

If any of the audit tools are not installed on the system, the corresponding AIDE rule is not applicable.

References:
CCI-001496
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 28 *******************************
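
Added example (not part of the STIG or of AIDE): reads the aide.conf selection lines for the audit tools question 28 names and reports, per tool, whether a line exists and requests a sha512 checksum, treating an absent tool as not applicable exactly as the check text does. It assumes the classic "/path rule" line format shown above and resolves a rule given as a named group (for example "NORMAL") through "NAME = ..." definitions in the same file; the tool-directory argument is an assumption that lets a constructed directory stand in for /usr/sbin.

```shell
#!/bin/sh
# Added example, not STIG or AIDE content.
# The audit tools the check text lists
AUDIT_TOOLS="auditctl auditd ausearch aureport autrace rsyslogd augenrules"

# Usage: aide_audit_tool_coverage [aide.conf] [tool_dir]
# Prints "<tool> <status>" with status ok, no-sha512, missing-rule or
# not-installed. Returns 1 if any installed tool lacks a sha512 selection line.
aide_audit_tool_coverage() {
    local conf="${1:-/etc/aide.conf}" prefix="${2:-/usr/sbin}"
    local rc=0 tool rule
    for tool in $AUDIT_TOOLS; do
        if [ ! -e "$prefix/$tool" ]; then
            echo "$tool not-installed"      # rule is N/A per the check text
            continue
        fi
        # First field is the path, so comment lines ("# /usr/sbin/...") never
        # match. "NAME = rule" lines are collected so a named group can be
        # expanded; the loop bound stops a self-referential definition.
        rule=$(awk -v p="$prefix/$tool" '
            $2 == "=" { def[$1] = $3 }
            $1 == p && !seen { r = $2; seen = 1 }
            END {
                if (!seen) exit 1
                for (i = 0; i < 10 && (r in def); i++) r = def[r]
                print r
            }' "$conf")
        if [ -z "$rule" ]; then
            echo "$tool missing-rule"; rc=1
        else
            case "$rule" in
                *sha512*) echo "$tool ok" ;;
                *) echo "$tool no-sha512"; rc=1 ;;
            esac
        fi
    done
    return $rc
}
```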

QUESTION         : 29 of 51
TITLE            : CAT II, V-253031, SV-253031r958752, SRG-OS-000341-GPOS-00132
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:24101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:24101
RULE             : TOSS must allocate audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility.
QUESTION_TEXT    : Verify TOSS allocates audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility.

If logs are immediately sent to a central audit record storage facility, this requirement is Not Applicable.

Determine to which partition the audit records are being written with the following command:

$ sudo grep log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log

Check the size of the partition to which audit records are written (with the example being /var/log/audit/) with the following command:

$ sudo df -h /var/log/audit/audit.log
/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit

If the audit records are not written to a partition made specifically for audit records (/var/log/audit is a separate partition), determine the amount of space being used by other files in the partition with the following command:

$ sudo du -sh [audit_partition]
1.8G /var/log/audit

If the audit record partition is not allocated for sufficient storage capacity, this is a finding.

Note: The partition size needed to capture a week of audit records is based on the activity level of the system and the total storage capacity available. Typically, 10.0 GB of storage space for audit records should be sufficient.

References:
CCI-001849
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 29 *******************************

QUESTION         : 30 of 51
TITLE            : CAT II, V-253032, SV-253032r958754, SRG-OS-000342-GPOS-00133
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:24301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:24301
RULE             : The TOSS audit records must be offloaded onto a different system or storage media from the system being audited.
QUESTION_TEXT    : Verify the audit system offloads audit records onto a different system or media from the system being audited with the following command:

$ sudo grep @@ /etc/rsyslog.conf /etc/rsyslog.d/*.conf

/etc/rsyslog.conf:*.* @@[remoteloggingserver]:[port]

If a remote server is not configured, or the line is commented out, ask the System Administrator to indicate how the audit logs are offloaded to a different system or media. 

If there is no evidence that the audit logs are being offloaded to another system or media, this is a finding.

References:
CCI-001851
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 30 *******************************

QUESTION         : 31 of 51
TITLE            : CAT II, V-253070, SV-253070r958478, SRG-OS-000095-GPOS-00049
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:31701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:31701
RULE             : TOSS must cover or disable the built-in or attached camera when not in use.
QUESTION_TEXT    : If the device or operating system does not have a camera installed, this requirement is Not Applicable.

This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision.

This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed.

For an external camera, if there is not a method for the operator to manually disconnect the camera at the end of collaborative computing sessions, this is a finding.

For a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use. If the built-in camera is not protected with a camera cover, or is not physically disabled, this is a finding.

If the camera is not disconnected, covered, or physically disabled, determine if it is being disabled via software with the following commands:

Determine if the camera is disabled via blacklist with the following command:

$ sudo grep blacklist /etc/modprobe.d/*

/etc/modprobe.d/blacklist.conf:blacklist uvcvideo

Determine if a camera driver is in use with the following command:

$ sudo dmesg | grep -i video

[ 44.630131] ACPI: Video Device [VGA]
[ 46.655714] input: Video Bus as /devices/LNXSYSTM:00/LNXSYBUS:00/LNXVIDEO:00/input/input7
[ 46.670133] videodev: Linux video capture interface: v2.00
[ 47.226424] uvcvideo: Found UVC 1.00 device WebCam (0402:7675)
[ 47.235752] usbcore: registered new interface driver uvcvideo
[ 47.235756] USB Video Class driver (1.1.1)

If the camera driver blacklist is missing, a camera driver is determined to be in use, and the collaborative computing device has not been authorized for use, this is a finding.

References:
CCI-000381
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 31 *******************************

QUESTION         : 32 of 51
TITLE            : CAT II, V-253081, SV-253081r958480, SRG-OS-000096-GPOS-00050
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:33901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:33901
RULE             : TOSS must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
QUESTION_TEXT    : Inspect the firewall configuration and running services to verify it is configured to prohibit or restrict the use of functions, ports, protocols, and/or services that are unnecessary or prohibited.

Check which services are currently active with the following command:

$ sudo firewall-cmd --list-all-zones

custom (active)
target: DROP
icmp-block-inversion: no
interfaces: ens33
sources: 
services: dhcpv6-client dns http https ldaps rpc-bind ssh
ports: 
masquerade: no
forward-ports: 
icmp-blocks: 
rich rules: 

Ask the System Administrator for the site or program Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA). Verify the services allowed by the firewall match the PPSM CLSA. 

If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding.

References:
CCI-000382
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 32 *******************************

QUESTION         : 33 of 51
TITLE            : CAT II, V-253085, SV-253085r958552, SRG-OS-000185-GPOS-00079
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:34701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:34701
RULE             : All TOSS local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
QUESTION_TEXT    : Verify TOSS prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption. 

If there is a documented and approved reason for not having data-at-rest encryption, this requirement is Not Applicable.

Verify all local system partitions are encrypted with the following command:

$ sudo blkid

/dev/mapper/rhel-root: UUID="67b7d7fe-de60-6fd0-befb-e6748cf97743" TYPE="crypto_LUKS"

Every persistent disk partition present must be of TYPE "crypto_LUKS". If any partitions other than pseudo file systems (such as /proc or /sys) are not type "crypto_LUKS", ask the administrator to indicate how the partitions are encrypted. If there is no evidence that all local disk partitions are encrypted, this is a finding.

References:
CCI-001199
CCI-002475
CCI-002476
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 33 *******************************

QUESTION         : 34 of 51
TITLE            : CAT II, V-253086, SV-253086r991560, SRG-OS-000259-GPOS-00100
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:34901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:34901
RULE             : TOSS must limit privileges to change software resident within software libraries.
QUESTION_TEXT    : Verify the system commands contained in the following directories are owned by "root" or an appropriate system account with the following command:

$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -exec ls -l {} \;

If any system commands are returned which are not owned by an appropriate system account, this is a finding.

Verify the system-wide shared library files are owned by "root" or an appropriate system account with the following command:

$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -user root -exec ls -l {} \;

If any system-wide shared library file is returned which is not owned by an appropriate system account, this is a finding.

References:
CCI-001499
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 34 *******************************

QUESTION         : 35 of 51
TITLE            : CAT II, V-253090, SV-253090r958816, SRG-OS-000376-GPOS-00161
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:35701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:35701
RULE             : TOSS must accept Personal Identity Verification (PIV) credentials.
QUESTION_TEXT    : Verify TOSS accepts PIV credentials.

Check that the "opensc" package is installed on the system with the following command:

$ sudo yum list installed opensc

opensc.x86_64 0.20.0-4.el8 @anaconda

Check that "opensc" accepts PIV cards with the following command:

$ sudo opensc-tool --list-drivers | grep -i piv

PIV-II Personal Identity Verification Card

If the "opensc" package is not installed and the "opensc-tool" driver list does not include "PIV-II", this is a finding.

References:
CCI-001953
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 35 *******************************

QUESTION         : 36 of 51
TITLE            : CAT II, V-253091, SV-253091r958848, SRG-OS-000393-GPOS-00173
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:35901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:35901
RULE             : TOSS must implement DoD-approved encryption in the OpenSSL package.
QUESTION_TEXT    : Verify the OpenSSL library is configured to use only ciphers employing FIPS 140-2-approved algorithms:

Verify that system-wide crypto policies are in effect:

$ sudo grep -i opensslcnf.config /etc/pki/tls/openssl.cnf

.include /etc/crypto-policies/back-ends/opensslcnf.config

If the "opensslcnf.config" is not defined in the "/etc/pki/tls/openssl.cnf" file, this is a finding.

Verify which system-wide crypto policy is in use:

$ sudo update-crypto-policies --show

FIPS:OSPP

If the system-wide crypto policy is set to anything other than "FIPS" or "FIPS:OSPP", this is a finding.

References:
CCI-002890
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 36 *******************************

QUESTION         : 37 of 51
TITLE            : CAT II, V-253093, SV-253093r958928, SRG-OS-000433-GPOS-00192
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:36301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:36301
RULE             : TOSS must implement non-executable data to protect its memory from unauthorized code execution.
QUESTION_TEXT    : Verify the NX (no-execution) bit flag is set on the system.

Check that the no-execution bit flag is set with the following commands:

$ sudo dmesg | grep NX

[ 0.000000] NX (Execute Disable) protection: active

If "dmesg" does not show "NX (Execute Disable) protection" active, check the cpuinfo settings with the following command: 

$ sudo less /proc/cpuinfo | grep -i flags
flags : fpu vme de pse tsc ms nx rdtscp lm constant_tsc

If "flags" does not contain the "nx" flag, this is a finding.

References:
CCI-002824
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 37 *******************************

QUESTION         : 38 of 51
TITLE            : CAT II, V-253099, SV-253099r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:37501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:37501
RULE             : All TOSS local files and directories must have a valid group owner.
QUESTION_TEXT    : Verify all local files and directories on TOSS have a valid group with the following command:

Note: The value after -fstype must be replaced with the filesystem type. XFS is used as an example.

$ sudo find / -fstype xfs -nogroup

If any files on the system do not have an assigned group, this is a finding.

Note: Command may produce error messages from the /proc and /sys directories.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 38 *******************************

QUESTION         : 39 of 51
TITLE            : CAT II, V-253100, SV-253100r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:37701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:37701
RULE             : All TOSS local files and directories must have a valid owner.
QUESTION_TEXT    : Verify all local files and directories on TOSS have a valid owner with the following command:

Note: The value after -fstype must be replaced with the filesystem type. XFS is used as an example.

$ sudo find / -fstype xfs -nouser

If any files on the system do not have an assigned owner, this is a finding.

Note: Command may produce error messages from the /proc and /sys directories.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 39 *******************************

QUESTION         : 40 of 51
TITLE            : CAT II, V-253101, SV-253101r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:37901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:37901
RULE             : Cron logging must be implemented in TOSS.
QUESTION_TEXT    : Verify that "rsyslog" is configured to log cron events with the following command:

Note: If another logging package is used, substitute the utility configuration file for "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files.

$ sudo grep -r cron /etc/rsyslog.conf /etc/rsyslog.d

/etc/rsyslog.conf:*.info;mail.none;authpriv.none;cron.none                          /var/log/messages
/etc/rsyslog.conf:# Log cron stuff
/etc/rsyslog.conf:cron.*                                                                                                    /var/log/cron

If the command does not return a response, check whether all facilities (which include cron) are being logged with the following command:

$ sudo grep -r /var/log/messages /etc/rsyslog.conf /etc/rsyslog.d

/etc/rsyslog.conf:*.info;mail.none;authpriv.none;cron.none                          /var/log/messages

If "rsyslog" is not logging messages for the cron facility or all facilities, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 40 *******************************
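
Added example (not part of the STIG or of rsyslog): decides, from rsyslog's classic "selector action" lines, whether a facility's messages at "info" or above reach any action, covering both cases question 40 describes: a dedicated "cron.*" line, or a catch-all such as "*.info" that is not cancelled by a later "cron.none" in the same selector list. It assumes a POSIX shell and awk; RainerScript filters ("if $syslogfacility-text == ...") are not parsed, which is a known limitation of this example.

```shell
#!/bin/sh
# Added example, not STIG or rsyslog content.
# Usage: rsyslog_logs_facility <facility> <conf file>...
# Prints each matching "file:line: selector -> action" and returns 0 if the
# facility is logged at info level by at least one line, 1 otherwise.
rsyslog_logs_facility() {
    local fac="$1"
    shift
    awk -v fac="$fac" '
        # Numeric priority in classic syslog order: emerg=0 ... debug=7.
        function prio(p) {
            if (p == "*" || p == "debug") return 7
            if (p == "info") return 6
            if (p == "notice") return 5
            if (p == "warning" || p == "warn") return 4
            if (p == "err" || p == "error") return 3
            if (p == "crit") return 2
            if (p == "alert") return 1
            if (p == "emerg" || p == "panic") return 0
            return -2                       # unknown form such as "!err": ignore the piece
        }
        /^[ \t]*#/ { next }                 # comment lines
        /^[ \t]*$/ { next }                 # blank lines
        # A selector line is "facility.priority[;...]" followed by an action.
        # Legacy "$Directive" lines and RainerScript statements have no "." in $1.
        NF >= 2 && $1 ~ /\./ && $1 !~ /^\$/ {
            n = split($1, sel, "[;]")
            level = -1                      # -1: facility not logged by this line
            for (i = 1; i <= n; i++) {
                if (split(sel[i], fp, "[.]") != 2) continue
                m = split(fp[1], facs, "[,]")
                hit = 0
                for (j = 1; j <= m; j++)
                    if (facs[j] == fac || facs[j] == "*") hit = 1
                if (!hit) continue
                p = fp[2]
                sub(/^=/, "", p)            # "cron.=info" still covers info
                # Later pieces override earlier ones, so "cron.none" after
                # "*.info" removes the facility from this line again.
                if (p == "none") level = -1
                else if (prio(p) != -2) level = prio(p)
            }
            if (level >= 6) {               # info (6) is within the logged range
                found = 1
                print FILENAME ":" FNR ": " $1 " -> " $2
            }
        }
        END { if (found) exit 0; exit 1 }
    ' "$@"
}

# Against the live configuration, mirroring the two grep commands above:
#   rsyslog_logs_facility cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf
```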

QUESTION         : 41 of 51
TITLE            : CAT II, V-253103, SV-253103r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:38301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:38301
RULE             : The graphical display manager must not be installed on TOSS unless approved.
QUESTION_TEXT    : Verify that the system is configured to boot to the command line:

$ systemctl get-default
multi-user.target

If the system default target is not set to "multi-user.target" and the Information System Security Officer (ISSO) lacks a documented requirement for a graphical user interface, this is a finding.

Verify that a graphical user interface is not installed:

$ rpm -qa | grep xorg | grep server

Ask the System Administrator if use of a graphical user interface is an operational requirement.

If the use of a graphical user interface on the system is not documented with the ISSO, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 41 *******************************

QUESTION         : 42 of 51
TITLE            : CAT II, V-253115, SV-253115r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:40701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:40701
RULE             : TOSS must enable the hardware random number generator entropy gatherer service.
QUESTION_TEXT    : Check that TOSS has enabled the hardware random number generator entropy gatherer service.

Verify the rngd service is enabled and active with the following commands:

$ sudo systemctl is-enabled rngd

enabled

$ sudo systemctl is-active rngd

active

If the service is not "enabled" and "active", this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 42 *******************************

QUESTION         : 43 of 51
TITLE            : CAT II, V-253119, SV-253119r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:41501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:41501
RULE             : TOSS must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
QUESTION_TEXT    : Verify TOSS ignores IPv6 ICMP redirect messages.

Note: If IPv6 is disabled on the system, this requirement is Not Applicable.

Check the value of the "accept_redirects" variable with the following command:

$ sudo sysctl net.ipv6.conf.all.accept_redirects

net.ipv6.conf.all.accept_redirects = 0

If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 43 *******************************

QUESTION         : 44 of 51
TITLE            : CAT II, V-253123, SV-253123r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:42301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:42301
RULE             : TOSS must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
QUESTION_TEXT    : Verify TOSS does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default.

Note: If IPv4 is disabled on the system, this requirement is Not Applicable.

Check the value of the "default send_redirects" variable with the following command:

$ sudo sysctl net.ipv4.conf.default.send_redirects

net.ipv4.conf.default.send_redirects = 0

If the returned line does not have a value of "0", or a line is not returned, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 44 *******************************

QUESTION         : 45 of 51
TITLE            : CAT II, V-253126, SV-253126r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:42901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:42901
RULE             : TOSS must not forward IPv6 source-routed packets by default.
QUESTION_TEXT    : Verify TOSS does not accept IPv6 source-routed packets by default.

Note: If IPv6 is disabled on the system, this requirement is Not Applicable.

Check the value of the accept source route variable with the following command:

$ sudo sysctl net.ipv6.conf.default.accept_source_route

net.ipv6.conf.default.accept_source_route = 0

If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 45 *******************************

QUESTION         : 46 of 51
TITLE            : CAT II, V-253129, SV-253129r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:43501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:43501
RULE             : TOSS must not send Internet Control Message Protocol (ICMP) redirects.
QUESTION_TEXT    : Verify TOSS does not send IPv4 ICMP redirect messages.

Note: If IPv4 is disabled on the system, this requirement is Not Applicable.

Check the value of the "all send_redirects" variable with the following command:

$ sudo sysctl net.ipv4.conf.all.send_redirects

net.ipv4.conf.all.send_redirects = 0

If the returned line does not have a value of "0", or a line is not returned, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 46 *******************************

QUESTION         : 47 of 51
TITLE            : CAT II, V-253132, SV-253132r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:44101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:44101
RULE             : TOSS must restrict exposed kernel pointer addresses access.
QUESTION_TEXT    : Verify TOSS restricts exposed kernel pointer addresses access with the following command:

$ sudo sysctl kernel.kptr_restrict

kernel.kptr_restrict = 1

If the returned line does not have a value of "1", or a line is not returned, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 47 *******************************
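Questions 43 through 47 are all the same kind of check: a kernel parameter must be set to one exact value, and a missing or commented-out line counts as a finding. The following script is an added example, not part of the STIG or of the SCC content; it parses `sysctl` output (or the contents of /etc/sysctl.conf and /etc/sysctl.d/*.conf, which use the same "key = value" syntax) and reports each of the five parameters as a finding or not. The sample output is constructed for the example, and the expected values are the ones stated in the five questions above.

```python
import re

# Constructed sample of `sysctl` output (not captured from a real TOSS host). Runtime output
# prints "key = value"; the no-space form also occurs in sysctl.conf-style files, so both
# are accepted. Two of the five values are deliberately non-compliant.
SAMPLE_SYSCTL_OUTPUT = """\
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 1
net.ipv6.conf.default.accept_source_route = 0
net.ipv4.conf.all.send_redirects=0
kernel.kptr_restrict = 2
"""

# Required values exactly as stated in STIG questions 43 through 47. Note that the text for
# kernel.kptr_restrict asks for "1" specifically, so "2" (which hides pointers from root as
# well) is still reported as a finding by a literal reading of the check.
EXPECTED = {
    "net.ipv6.conf.all.accept_redirects": "0",
    "net.ipv4.conf.default.send_redirects": "0",
    "net.ipv6.conf.default.accept_source_route": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "kernel.kptr_restrict": "1",
}


def parse_sysctl(text):
    """Parse `sysctl` output or a sysctl.conf-style file into {key: value}.

    Anything after '#' is a comment and is dropped, so a key that only appears on a
    commented-out line is treated as "not returned", which the STIG text calls a finding.
    """
    values = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def evaluate(values, expected=EXPECTED):
    """Map each required key to 'not a finding' or a 'finding: ...' explanation."""
    results = {}
    for key, want in expected.items():
        got = values.get(key)
        if got is None:
            results[key] = "finding: line not returned (unset or commented out)"
        elif got != want:
            results[key] = f"finding: value is {got}, expected {want}"
        else:
            results[key] = "not a finding"
    return results


def findings(text, expected=EXPECTED):
    """Sorted list of the required keys that are findings for the given sysctl text."""
    return sorted(key for key, status in evaluate(parse_sysctl(text), expected).items()
                  if status.startswith("finding"))


if __name__ == "__main__":
    # In real use replace SAMPLE_SYSCTL_OUTPUT with the output of `sudo sysctl -a`.
    for key, status in evaluate(parse_sysctl(SAMPLE_SYSCTL_OUTPUT)).items():
        print(f"{key}: {status}")
```

Checking the persistent configuration files as well as the live value matters because `sysctl` only reports the running kernel: a value set by hand survives until the next reboot, after which the system silently reverts to the packaged default.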

QUESTION         : 48 of 51
TITLE            : CAT II, V-253135, SV-253135r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:44701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:44701
RULE             : TOSS network interfaces must not be in promiscuous mode.
QUESTION_TEXT    : Verify network interfaces are not in promiscuous mode unless approved by the ISSO and documented.

Check for the status with the following command:

$ sudo ip link | grep -i promisc

If network interfaces are found on the system in promiscuous mode and their use has not been approved by the ISSO and documented, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 48 *******************************

QUESTION         : 49 of 51
TITLE            : CAT III, V-252923, SV-252923r958586, SRG-OS-000228-GPOS-00088
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:2501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:2501
RULE             : TOSS must display the Standard Mandatory DoD Notice and Consent Banner or equivalent US Government Agency Notice and Consent Banner before granting local or remote access to the system via a ssh logon.
QUESTION_TEXT    : Verify that TOSS displays the Standard Mandatory DoD Notice and Consent Banner or equivalent US Government Agency Notice and Consent Banner before granting access to the system when connecting from outside of the cluster.

Check for the location of the banner file being used with the following command:

$ sudo grep -i banner /etc/ssh/sshd_config
banner /etc/issue

This command will return the banner keyword and the name of the file that contains the ssh banner (in this case "/etc/issue").

If the line is commented out, this is a finding.

For nodes of the cluster that are only privately (within the cluster) accessible, this requirement is Not Applicable.

View the file specified by the banner keyword to check that it matches the text of the Standard Mandatory DoD Notice and Consent Banner:

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

If the system has a graphical logon capability and does not display a graphical logon banner, this is a finding.

If the text in the file does not match the Standard Mandatory DoD Notice and Consent Banner or equivalent US Government Agency Notice and Consent Banner, this is a finding.

References:
CCI-001384
CCI-001385
CCI-001386
CCI-001387
CCI-001388
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 49 *******************************

QUESTION         : 50 of 51
TITLE            : CAT III, V-253104, SV-253104r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:38501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:38501
RULE             : The TOSS file integrity tool must be configured to verify Access Control Lists (ACLs).
QUESTION_TEXT    : Verify the file integrity tool is configured to verify ACLs.

Note: AIDE is highly configurable at install time. This requirement assumes the "aide.conf" file is under the "/etc" directory.

If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.

Use the following command to determine if the file is in a location other than "/etc/aide.conf":

$ sudo find / -name aide.conf

Check the "aide.conf" file to determine if the "acl" rule has been added to the rule list being applied to the files and directories selection lists with the following command:

$ sudo egrep "[+]?acl" /etc/aide.conf

VarFile = OwnerMode+n+l+X+acl

If the "acl" rule is not being used on all selection lines in the "/etc/aide.conf" file, is commented out, or ACLs are not being checked by another file integrity tool, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 50 *******************************

QUESTION         : 51 of 51
TITLE            : CAT III, V-253105, SV-253105r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.toss4os:testaction:38701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.toss4os:question:38701
RULE             : The TOSS file integrity tool must be configured to verify extended attributes.
QUESTION_TEXT    : Verify the file integrity tool is configured to verify extended attributes.

If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.

Note: AIDE is highly configurable at install time. This requirement assumes the "aide.conf" file is under the "/etc" directory.

Use the following command to determine if the file is in another location:

$ sudo find / -name aide.conf

Check the "aide.conf" file to determine if the "xattrs" rule has been added to the rule list being applied to the files and directories selection lists.

An example rule that includes the "xattrs" rule follows:

All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux
/bin All # apply the custom rule to the files in bin
/sbin All # apply the same custom rule to the files in sbin

If the "xattrs" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 51 *******************************
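Questions 50 and 51 both require a rule attribute ("acl" and "xattrs" respectively) to be in effect on every uncommented selection line, and a plain grep cannot tell that, because selection lines reference named rules such as "VarFile" or "All" that may themselves be built from other named rules. The following script is an added example, not part of the STIG or of the SCC content: it parses a constructed aide.conf fragment, expands each selection line's rule to its primitive attributes, and lists the selection lines on which a given attribute is missing. Built-in composite groups such as "R" are not expanded (their contents depend on the AIDE build), so a selection that relies on one is reported and should be checked against the installed version's manual.

```python
import re

# Constructed sample of an aide.conf fragment (not a real file from the page). The rule
# names reuse the ones shown in questions 50 and 51.
SAMPLE_AIDE_CONF = """\
# AIDE configuration (constructed sample)
database=file:/var/lib/aide/aide.db.gz
database_out=file:/var/lib/aide/aide.db.new.gz

OwnerMode = p+u+g+ftype
VarFile = OwnerMode+n+l+X+acl
All = p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux
Logs = p+u+g+n

/bin All          # apply the custom rule to the files in bin
/sbin All         # apply the same custom rule to the files in sbin
/etc VarFile
/var/log Logs
!/var/log/journal
# /usr All        (commented out; must be ignored)
"""

RULE_DEF_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*$")
# Selection lines start with /, !/ or =/; a negative (!/) selection carries no rule.
SELECTION_RE = re.compile(r"^\s*([!=]?/\S*)(?:\s+(\S+))?")
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def strip_comment(line):
    return line.split("#", 1)[0].rstrip()


def parse_aide_conf(text):
    """Return (rule definitions, positive selection lines).

    A "name = expr" line is a rule definition only when every '+'-separated token is an
    identifier; that keeps options such as database=file:/... out of the rule table.
    """
    defs, selections = {}, []
    for raw in text.splitlines():
        line = strip_comment(raw)
        if not line.strip():
            continue
        m = RULE_DEF_RE.match(line)
        if m:
            tokens = m.group(2).split("+")
            if all(IDENT_RE.match(t) for t in tokens):
                defs[m.group(1)] = tokens
                continue
        m = SELECTION_RE.match(line)
        if m and m.group(2) is not None and not m.group(1).startswith("!"):
            selections.append((m.group(1), m.group(2)))
    return defs, selections


def expand_rule(tokens, defs, seen=frozenset()):
    """Expand rule tokens to the set of primitive attributes, following named rules.
    `seen` guards against a definition that (mistakenly) refers back to itself."""
    attrs = set()
    for tok in tokens:
        if tok in defs and tok not in seen:
            attrs |= expand_rule(defs[tok], defs, seen | {tok})
        else:
            attrs.add(tok)
    return attrs


def missing_attribute(text, attr):
    """Selection lines (path, rule) whose effective rule lacks `attr`, e.g. 'acl' or 'xattrs'."""
    defs, selections = parse_aide_conf(text)
    return [(path, rule) for path, rule in selections
            if attr not in expand_rule(rule.split("+"), defs)]


if __name__ == "__main__":
    # In real use read the file located with `sudo find / -name aide.conf`.
    for attr in ("acl", "xattrs"):
        print(attr, "missing on:", missing_attribute(SAMPLE_AIDE_CONF, attr) or "none")
```

On the constructed sample the "/etc VarFile" line passes the ACL check of question 50 but fails the extended-attribute check of question 51, which is exactly the case the single-line grep in question 50 cannot distinguish.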

