################################################################################
DOCUMENT         : Oracle_Linux_9_STIG
VERSION          : 001.002.003
CHECKSUM         : 4ff21b4c0749f84402a3c7610340a19e0064a7f1b0a20abd30c74c0eedbc29de
MANUAL QUESTIONS : 46

IMPORTANT: Make sure to save the completed version of this file to: 
<SCC Install>/Resources/Content/Manual_Questions/Completed_Files

This file contains all of the non-automated STIG requirements found in the STIG.
Results from this file will be combined with automated checks in SCC to provide
complete STIG compliance results.

This file will be programmatically imported, so do not modify anything in this file
except for placing an '[X]' to select a single answer, and entering text comments.

The list of questions is printed in order of severity, listing CAT I (High), then CAT II, etc.

################################################################################

QUESTION         : 1 of 46
TITLE            : CAT I, V-271451, SV-271451r1137691, SRG-OS-000080-GPOS-00048
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:4101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:4101
RULE             : OL 9 must require a unique superuser's name upon booting into single-user and maintenance modes.
QUESTION_TEXT    : Verify that OL 9 requires a unique username for the grub superuser account.

Verify the boot loader superuser account has been set with the following command:

$ sudo grep -A1 "superusers" /etc/grub2.cfg 
    set superusers="<superusers-account>"
    export superusers
    password_pbkdf2 root ${GRUB2_PASSWORD}
 
The <superusers-account> is the actual account name, which must differ from common names like root, admin, or administrator.

If superusers contains easily guessable usernames, this is a finding.

References:
CCI-000213
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 1 *******************************

QUESTION         : 2 of 46
TITLE            : CAT I, V-271756, SV-271756r1091980, SRG-OS-000405-GPOS-00184
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:64501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:64501
RULE             : OL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
QUESTION_TEXT    : Note: If there is a documented and approved reason for not having data-at-rest encryption, this requirement is Not Applicable.

Verify that OL 9 prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption. 

Verify all system partitions are encrypted with the following command:

$ sudo blkid
/dev/mapper/ol-root:  UUID="67b7d7fe-de60-6fd0-befb-e6748cf97743" TYPE="crypto_LUKS"

Every persistent disk partition present must be of type "crypto_LUKS". If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) or temporary file systems (that are tmpfs) are not type "crypto_LUKS", ask the administrator to indicate how the partitions are encrypted. If there is no evidence that these partitions are encrypted, this is a finding.

References:
CCI-002476
CCI-001199
CCI-002475
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 2 *******************************

QUESTION         : 3 of 46
TITLE            : CAT II, V-271431, SV-271431r1092616, SRG-OS-000780-GPOS-00240
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:101
RULE             : The OL 9 operating system must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest.
QUESTION_TEXT    : Note: If there is a documented and approved reason for not having data at rest encryption, this requirement is Not Applicable.

Verify that OL 9 prevents unauthorized disclosure or modification of all information requiring at rest protection by using disk encryption.

Determine the partition layout for the system with the following command: 
 
$ sudo fdisk -l 
(..) 
Disk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors 
Units: sectors of 1 * 512 = 512 bytes 
Sector size (logical/physical): 512 bytes / 512 bytes 
I/O size (minimum/optimal): 512 bytes / 512 bytes 
Disklabel type: gpt 
Disk identifier: 83298450-B4E3-4B19-A9E4-7DF147A5FEFB 
 
Device       Start      End  Sectors Size Type 
/dev/vda1     2048     4095     2048   1M BIOS boot 
/dev/vda2     4096  2101247  2097152   1G Linux filesystem 
/dev/vda3  2101248 31455231 29353984  14G Linux filesystem 
(...) 
 
Verify that the system partitions are all encrypted with the following command: 
 
$ sudo more /etc/crypttab 
 
Every persistent disk partition present must have an entry in the file. 
 
If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding.

References:
CCI-004910
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 3 *******************************

QUESTION         : 4 of 46
TITLE            : CAT II, V-271439, SV-271439r1091029, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:1701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:1701
RULE             : OL 9 vendor packaged system security patches and updates must be installed and up to date.
QUESTION_TEXT    : Verify that OL 9 security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by organizational policy.

Obtain the list of available package security updates from Oracle. The URL for updates is https://linux.oracle.com/errata/. It is important to note that updates provided by Oracle may not be present on the system if the underlying packages are not installed.

Check that the available package security updates have been installed on the system with the following command:

$ dnf history list | more

    ID | Command line | Date and time | Action(s) | Altered    
-------------------------------------------------------------------------------    
   70 | install aide | 2023-03-05 10:58 | Install | 1    
   69 | update -y | 2023-03-04 14:34 | Update | 18 EE    
   68 | install vlc | 2023-02-21 17:12 | Install | 21   
   67 | update -y | 2023-02-21 17:04 | Update | 7 EE 

Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM.

If the system is in noncompliance with the organizational patching policy, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 4 *******************************

QUESTION         : 5 of 46
TITLE            : CAT II, V-271455, SV-271455r1091077, SRG-OS-000023-GPOS-00006
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:4901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:4901
RULE             : OL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.
QUESTION_TEXT    : Verify that OL 9 displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the operating system via a command line user logon.

Check that a banner is displayed at the command line login screen with the following command:

$ cat /etc/issue

If the banner is set correctly it will return the following text:

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

If the banner text does not match the Standard Mandatory DOD Notice and Consent Banner exactly, or the line is commented out, this is a finding.

References:
CCI-000048
CCI-001384
CCI-001385
CCI-001386
CCI-001387
CCI-001388
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 5 *******************************

QUESTION         : 6 of 46
TITLE            : CAT II, V-271471, SV-271471r1091125, SRG-OS-000096-GPOS-00050
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:8101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:8101
RULE             : OL 9 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
QUESTION_TEXT    : Verify OL 9 is configured to prohibit or restrict the use of functions, ports, protocols, and/or services that are unnecessary or prohibited. 

Inspect the firewall configuration and running services to verify which services are currently active with the following command:

$ sudo firewall-cmd --list-all-zones
custom (active)
target: DROP
icmp-block-inversion: no
interfaces: ens33
sources: 
services: dhcpv6-client dns http https ldaps rpc-bind ssh
ports: 
masquerade: no
forward-ports: 
icmp-blocks: 
rich rules: 

Ask the system administrator for the site or program PPSM Component Local Service Assessment (CLSA). Verify the services allowed by the firewall match the PPSM CLSA. 

If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.

References:
CCI-000382
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 6 *******************************

QUESTION         : 7 of 46
TITLE            : CAT II, V-271472, SV-271472r1091128, SRG-OS-000096-GPOS-00050
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:8301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:8301
RULE             : OL 9 must control remote access methods.
QUESTION_TEXT    : Verify that OL 9 controls remote access methods.

Inspect the list of enabled firewall ports and verify they are configured correctly by running the following command:

$ sudo firewall-cmd --list-all 

Ask the system administrator for the site or program Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA). Verify the services allowed by the firewall match the PPSM CLSA. 

If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), or there are no firewall rules configured, this is a finding.

References:
CCI-000382
CCI-002314
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 7 *******************************

QUESTION         : 8 of 46
TITLE            : CAT II, V-271473, SV-271473r1091131, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:8501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:8501
RULE             : OL 9 must be configured so that the firewall employs a deny-all, allow-by-exception policy for allowing connections to other systems.
QUESTION_TEXT    : Verify that OL 9 is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems with the following commands:

$ sudo firewall-cmd --state
running

$ sudo firewall-cmd --get-active-zones
public
   interfaces: ens33

$ sudo firewall-cmd --info-zone=public | grep target
   target: DROP

$ sudo firewall-cmd --permanent --info-zone=public | grep target
   target: DROP

If no zones are active on the OL 9 interfaces, or if the runtime or permanent target is set to any option other than "DROP", this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 8 *******************************

QUESTION         : 9 of 46
TITLE            : CAT II, V-271478, SV-271478r1092620, SRG-OS-000396-GPOS-00176
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:9501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:9501
RULE             : OL 9 must implement a FIPS 140-3 compliant system-wide cryptographic policy.
QUESTION_TEXT    : Verify that OL 9 is set to use a modified FIPS compliant systemwide crypto-policy.
 
$ update-crypto-policies --show
FIPS
 
If the system wide crypto policy is not set to "FIPS", this is a finding.

Note: If subpolicies have been configured, they will be listed in a colon-separated list starting with FIPS as follows:

FIPS:<SUBPOLICY-NAME>:<SUBPOLICY-NAME>.

Verify the current minimum crypto-policy configuration with the following commands:
 
$ grep -E 'rsa_size|hash' /etc/crypto-policies/state/CURRENT.pol
hash = SHA2-256 SHA2-384 SHA2-512 SHA2-224 SHA3-256 SHA3-384 SHA3-512 SHAKE-256
min_rsa_size = 2048
 
If the "hash" values do not include at least the following FIPS 140-3 compliant algorithms "SHA2-256 SHA2-384 SHA2-512 SHA2-224 SHA3-256 SHA3-384 SHA3-512 SHAKE-256", this is a finding.

If there are algorithms that include "SHA1" or a hash value less than "256", this is a finding.

If the "min_rsa_size" is not set to a value of at least 2048, this is a finding.
 
If these commands do not return any output, this is a finding.
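
Added example, not part of the STIG or SCC content: a POSIX shell function that applies this check's "hash" and "min_rsa_size" criteria to a crypto-policies state file, run here against two constructed sample files. Because the check's own required list contains SHA2-224, the example applies the "less than 256" rule only to hashes outside that list; that reading and the use of the digits after the last "-" as the output size are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the STIG or SCC content: apply this check's hash
# and min_rsa_size criteria to a crypto-policies state file. The path is a
# parameter, so the function runs on the constructed samples below or on
# /etc/crypto-policies/state/CURRENT.pol on a real host. The check's own
# required list contains SHA2-224, so the "below 256" rule is applied here
# only to hashes outside that list (an interpretation, not STIG wording).

REQUIRED_HASHES="SHA2-256 SHA2-384 SHA2-512 SHA2-224 SHA3-256 SHA3-384 SHA3-512 SHAKE-256"

# check_crypto_policy_state FILE: returns 0 when no finding was detected,
# 1 otherwise; every finding is printed on its own line
check_crypto_policy_state() {
    pol="$1"
    rc=0
    if [ ! -r "$pol" ]; then
        echo "FINDING: cannot read $pol"
        return 1
    fi
    hashes=$(sed -n 's/^hash *= *//p' "$pol")
    min_rsa=$(sed -n 's/^min_rsa_size *= *//p' "$pol")
    if [ -z "$hashes" ] || [ -z "$min_rsa" ]; then
        echo "FINDING: no hash or min_rsa_size line in $pol"
        return 1
    fi
    # 1. every FIPS 140-3 hash named by the check must be allowed
    for req in $REQUIRED_HASHES; do
        case " $hashes " in
            *" $req "*) ;;
            *) echo "FINDING: required hash $req is not allowed"; rc=1 ;;
        esac
    done
    # 2. no SHA1 (or MD5), and no other hash whose output size is below 256 bits;
    #    the size is taken from the digits after the last '-' (assumption)
    for h in $hashes; do
        case " $REQUIRED_HASHES " in
            *" $h "*) continue ;;
        esac
        case "$h" in
            *SHA1*|MD5) echo "FINDING: weak hash $h is allowed"; rc=1; continue ;;
        esac
        bits=${h##*-}
        case "$bits" in
            *[!0-9]*|'') echo "NOTE: $h has no numeric size, review manually" ;;
            *) if [ "$bits" -lt 256 ]; then
                   echo "FINDING: hash $h is below 256 bits"; rc=1
               fi ;;
        esac
    done
    # 3. minimum RSA key size must be at least 2048 bits
    case "$min_rsa" in
        *[!0-9]*|'') echo "FINDING: min_rsa_size is not numeric ($min_rsa)"; rc=1 ;;
        *) if [ "$min_rsa" -lt 2048 ]; then
               echo "FINDING: min_rsa_size $min_rsa is below 2048"; rc=1
           fi ;;
    esac
    return $rc
}

# Constructed sample state files (the first mirrors the output shown in this check)
SAMPLE_DIR=$(mktemp -d)
SAMPLE_GOOD="$SAMPLE_DIR/CURRENT.pol.fips"
SAMPLE_BAD="$SAMPLE_DIR/CURRENT.pol.weak"
cat > "$SAMPLE_GOOD" <<'EOF'
hash = SHA2-256 SHA2-384 SHA2-512 SHA2-224 SHA3-256 SHA3-384 SHA3-512 SHAKE-256
min_rsa_size = 2048
EOF
cat > "$SAMPLE_BAD" <<'EOF'
hash = SHA2-256 SHA2-384 SHA2-512 SHA1 SHAKE-128
min_rsa_size = 1024
EOF

for f in "$SAMPLE_GOOD" "$SAMPLE_BAD"; do
    if check_crypto_policy_state "$f"; then
        echo "$f: not a finding"
    else
        echo "$f: finding"
    fi
done
```

On a host, call check_crypto_policy_state /etc/crypto-policies/state/CURRENT.pol; the second sample produces eight separate findings (five missing required hashes, SHA1, SHAKE-128 below 256 bits, and the 1024-bit RSA minimum).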

References:
CCI-002450
CCI-002890
CCI-003123
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 9 *******************************

QUESTION         : 10 of 46
TITLE            : CAT II, V-271479, SV-271479r1092621, SRG-OS-000396-GPOS-00176
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:9701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:9701
RULE             : OL 9 must not allow the cryptographic policy to be overridden.
QUESTION_TEXT    : Verify that OL 9 cryptographic policies are not overridden.

Verify that the configured policy matches the generated policy with the following command:

$ sudo update-crypto-policies --check && echo PASS
The configured policy matches the generated policy
PASS

If the last line is not "PASS", this is a finding.

List all of the crypto backends configured on the system with the following command:

$ ls -l /etc/crypto-policies/back-ends/ 
lrwxrwxrwx. 1 root root  40 Nov 13 16:29 bind.config -> /usr/share/crypto-policies/FIPS/bind.txt
lrwxrwxrwx. 1 root root  42 Nov 13 16:29 gnutls.config -> /usr/share/crypto-policies/FIPS/gnutls.txt
lrwxrwxrwx. 1 root root  40 Nov 13 16:29 java.config -> /usr/share/crypto-policies/FIPS/java.txt
lrwxrwxrwx. 1 root root  46 Nov 13 16:29 javasystem.config -> /usr/share/crypto-policies/FIPS/javasystem.txt
lrwxrwxrwx. 1 root root  40 Nov 13 16:29 krb5.config -> /usr/share/crypto-policies/FIPS/krb5.txt
lrwxrwxrwx. 1 root root  45 Nov 13 16:29 libreswan.config -> /usr/share/crypto-policies/FIPS/libreswan.txt
lrwxrwxrwx. 1 root root  42 Nov 13 16:29 libssh.config -> /usr/share/crypto-policies/FIPS/libssh.txt
-rw-r--r--. 1 root root 398 Nov 13 16:29 nss.config
lrwxrwxrwx. 1 root root  43 Nov 13 16:29 openssh.config -> /usr/share/crypto-policies/FIPS/openssh.txt
lrwxrwxrwx. 1 root root  49 Nov 13 16:29 opensshserver.config -> /usr/share/crypto-policies/FIPS/opensshserver.txt
lrwxrwxrwx. 1 root root  46 Nov 13 16:29 opensslcnf.config -> /usr/share/crypto-policies/FIPS/opensslcnf.txt
lrwxrwxrwx. 1 root root  43 Nov 13 16:29 openssl.config -> /usr/share/crypto-policies/FIPS/openssl.txt
lrwxrwxrwx. 1 root root  48 Nov 13 16:29 openssl_fips.config -> /usr/share/crypto-policies/FIPS/openssl_fips.txt

If the paths do not point to the respective files under /usr/share/crypto-policies/FIPS path, this is a finding.

Note: nss.config is expected to be a regular file rather than a symbolic link.

References:
CCI-002450
CCI-002890
CCI-003123
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 10 *******************************

QUESTION         : 11 of 46
TITLE            : CAT II, V-271480, SV-271480r1091152, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:9901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:9901
RULE             : OL 9 must be configured so that the cryptographic hashes of system files match vendor values.
QUESTION_TEXT    : Verify that OL 9 is configured so that the cryptographic hashes of system files match vendor values.
 
List files on the system that have file hashes different from what is expected by the RPM database with the following command:

$ sudo rpm -Va --noconfig | awk '$1 ~ /..5/ && $2 != "c"' 

If there is output, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 11 *******************************

QUESTION         : 12 of 46
TITLE            : CAT II, V-271492, SV-271492r1091188, SRG-OS-000705-GPOS-00150
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:12301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:12301
RULE             : OL 9 must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.
QUESTION_TEXT    : Verify that OL 9 has the packages required for multifactor authentication installed with the following command: 
 
$ dnf list --installed libpam-pkcs11 
 
ii  libpam-pkcs11    0.6.12-2build3   amd64    Fully featured PAM module for using PKCS#11 smart cards 
 
If the "libpam-pkcs11" package is not installed, this is a finding.

References:
CCI-004047
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 12 *******************************

QUESTION         : 13 of 46
TITLE            : CAT II, V-271497, SV-271497r1092471, SRG-OS-000363-GPOS-00150
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:13301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:13301
RULE             : OL 9 must routinely check the baseline configuration for unauthorized changes and notify the system administrator (SA) when anomalies in the operation of any security functions are discovered.
QUESTION_TEXT    : Verify that OL 9 routinely executes a file integrity scan for changes to the system baseline. The command used in the example will use a daily occurrence.

Check the cron directories for scripts controlling the execution and notification of results of the file integrity application. For example, if Advanced Intrusion Detection Environment (AIDE) is installed on the system, use the following commands:

$ ls -al /etc/cron.* | grep aide
-rwxr-xr-x 1 root root 29 Nov 22 2015 aide

$ sudo grep aide /etc/crontab /var/spool/cron/root
/etc/crontab: 30 04 * * * root /usr/sbin/aide
/var/spool/cron/root: 30 04 * * * root /usr/sbin/aide

$ more /etc/cron.daily/aide
#!/bin/bash
/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil

If the file integrity application does not exist, or a script file controlling the execution of the file integrity application does not exist, or the file integrity application does not notify designated personnel of changes, this is a finding.

References:
CCI-001744
CCI-002699
CCI-002702
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 13 *******************************

QUESTION         : 14 of 46
TITLE            : CAT II, V-271498, SV-271498r1091206, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:13501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:13501
RULE             : OL 9 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories.
QUESTION_TEXT    : Verify that OL 9 uses a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories.

Verify that AIDE is configured to use FIPS 140-3 file hashing with the following command:

$ sudo grep sha512 /etc/aide.conf 
All=p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux

If the "sha512" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or another file integrity tool is not using FIPS 140-3-approved cryptographic hashes for validating file contents and directories, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 14 *******************************

QUESTION         : 15 of 46
TITLE            : CAT II, V-271526, SV-271526r1092460, SRG-OS-000366-GPOS-00153
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:19101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:19101
RULE             : OL 9 must ensure cryptographic verification of vendor software packages.
QUESTION_TEXT    : Verify that OL 9 ensures cryptographic verification of vendor software packages by confirming that Oracle package-signing keys are installed on the system, and verify their fingerprints match vendor values.

Note: For OL 9 software packages, Oracle uses GPG keys labeled "release key 1" and "auxiliary key 1". The keys are defined in key file "/etc/pki/rpm-gpg/RPM-GPG-KEY-oracle" by default.

List Oracle GPG keys installed on the system:

$ sudo rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey | grep -i "oracle"

Oracle Linux (release key 1) <secalert_us@oracle.com> public key
Oracle Linux (backup key 1) <secalert_us@oracle.com> public key

If Oracle GPG keys "release key 1" and "backup key 1" are not installed, this is a finding.

List key fingerprints of installed Oracle GPG keys:

$ sudo gpg -q --keyid-format short --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle

If key file "/etc/pki/rpm-gpg/RPM-GPG-KEY-oracle" is missing, this is a finding.

pub   rsa4096/8D8B756F 2022-01-19 [SC] [expires: 2042-01-14]
      Key fingerprint = 3E6D 826D 3FBA B389 C2F3  8E34 BC4D 06A0 8D8B 756F
uid                   Oracle Linux (release key 1) <secalert_us@oracle.com>
sub   rsa4096/2E708C25 2022-01-19 [E] [expires: 2041-06-01]
pub   rsa4096/8B4EFBE6 2022-01-19 [SC] [expires: 2042-01-14]
      Key fingerprint = 9822 3175 9C74 6706 5D0C  E9B2 A7DD 0708 8B4E FBE6
uid                   Oracle Linux (backup key 1) <secalert_us@oracle.com>
sub   rsa4096/DA900791 2022-01-19 [E] [expires: 2041-06-02]

Compare key fingerprints of installed Oracle GPG keys with fingerprints listed for OL 9 on Oracle verification webpage at https://linux.oracle.com/security/gpg/#gpg.

If key fingerprints do not match, this is a finding.
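
Added example, not part of the STIG or SCC content: a POSIX shell function that pairs each "Key fingerprint" line of saved gpg output with the uid line that follows it and compares the fingerprints against a reference table by exact string match. The reference values are the two fingerprints shown in this check's sample output and must be confirmed against the Oracle page named above; the sample files are constructed (the second has one fingerprint altered).

```shell
#!/bin/sh
# Added example, not part of the STIG or SCC content: compare the fingerprints
# printed by "gpg --with-fingerprint" for the Oracle key file against a
# reference list by exact string match instead of by eye. The reference values
# are the two fingerprints shown in this check's sample output; confirm them
# against https://linux.oracle.com/security/gpg/#gpg before relying on them.

# Reference table, one "<uid label>|<fingerprint without spaces>" per line
REFERENCE_FINGERPRINTS='
release key 1|3E6D826D3FBAB389C2F38E34BC4D06A08D8B756F
backup key 1|982231759C7467065D0CE9B2A7DD07088B4EFBE6
'

# extract_fingerprints FILE: print "<label>|<FINGERPRINT>" for each key in
# saved gpg output, pairing every "Key fingerprint =" line with the uid line
# that follows it and taking the label from the parentheses in the uid
extract_fingerprints() {
    awk '
        /Key fingerprint *=/ { fp = $0; sub(/.*= */, "", fp); gsub(/ /, "", fp); next }
        /^uid/ && fp != "" {
            label = $0; sub(/.*\(/, "", label); sub(/\).*/, "", label)
            print label "|" fp; fp = ""
        }' "$1"
}

# verify_key_fingerprints FILE: 0 if every reference key is present with the
# expected fingerprint, 1 otherwise (each missing key or mismatch is printed)
verify_key_fingerprints() {
    found=$(extract_fingerprints "$1")
    findings=$(
        printf '%s\n' "$REFERENCE_FINGERPRINTS" | grep '|' |
        while IFS='|' read -r label expected; do
            actual=$(printf '%s\n' "$found" | awk -F'|' -v l="$label" '$1 == l { print $2 }')
            if [ -z "$actual" ]; then
                echo "FINDING: key \"$label\" is not installed"
            elif [ "$actual" != "$expected" ]; then
                echo "FINDING: fingerprint of \"$label\" is $actual, expected $expected"
            fi
        done
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed sample files: the first is the output shown in this check, the
# second is the same output with one fingerprint altered to show a mismatch
SAMPLE_DIR=$(mktemp -d)
SAMPLE_GPG_OK="$SAMPLE_DIR/gpg.ok"
SAMPLE_GPG_TAMPERED="$SAMPLE_DIR/gpg.tampered"
cat > "$SAMPLE_GPG_OK" <<'EOF'
pub   rsa4096/8D8B756F 2022-01-19 [SC] [expires: 2042-01-14]
      Key fingerprint = 3E6D 826D 3FBA B389 C2F3  8E34 BC4D 06A0 8D8B 756F
uid                   Oracle Linux (release key 1) <secalert_us@oracle.com>
sub   rsa4096/2E708C25 2022-01-19 [E] [expires: 2041-06-01]
pub   rsa4096/8B4EFBE6 2022-01-19 [SC] [expires: 2042-01-14]
      Key fingerprint = 9822 3175 9C74 6706 5D0C  E9B2 A7DD 0708 8B4E FBE6
uid                   Oracle Linux (backup key 1) <secalert_us@oracle.com>
sub   rsa4096/DA900791 2022-01-19 [E] [expires: 2041-06-02]
EOF
sed 's/8B4E FBE6$/0000 0000/' "$SAMPLE_GPG_OK" > "$SAMPLE_GPG_TAMPERED"

for f in "$SAMPLE_GPG_OK" "$SAMPLE_GPG_TAMPERED"; do
    if verify_key_fingerprints "$f"; then
        echo "$f: fingerprints match"
    else
        echo "$f: finding"
    fi
done
```

On a host, save the output of the check's gpg command to a file and pass that file to verify_key_fingerprints.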

References:
CCI-003992
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 15 *******************************

QUESTION         : 16 of 46
TITLE            : CAT II, V-271605, SV-271605r1091527, SRG-OS-000067-GPOS-00035
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:34901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:34901
RULE             : OL 9, for PKI-based authentication, must enforce authorized access to the corresponding private key.
QUESTION_TEXT    : Verify that OL 9 SSH private key files have a passcode.

For each private key stored on the system, use the following command:

$ sudo ssh-keygen -y -f /path/to/file

If the contents of the key are displayed, this is a finding.

References:
CCI-000186
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 16 *******************************

QUESTION         : 17 of 46
TITLE            : CAT II, V-271606, SV-271606r1091530, SRG-OS-000068-GPOS-00036
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:35101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:35101
RULE             : OL 9 must map the authenticated identity to the user or group account for PKI-based authentication.
QUESTION_TEXT    : Verify that OL 9 maps the authenticated identity in a user's or group's certificate to the corresponding user or group in the "sssd.conf" file with the following command:

$ sudo cat /etc/sssd/sssd.conf 
[certmap/testing.test/rule_name]
matchrule = <SAN>.*EDIPI@mil
maprule = (userCertificate;binary={cert!bin})
domains = testing.test

If the certmap section does not exist, ask the system administrator (SA) to indicate how certificates are mapped to accounts. If there is no evidence of certificate mapping, this is a finding.

References:
CCI-000187
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 17 *******************************

QUESTION         : 18 of 46
TITLE            : CAT II, V-271644, SV-271644r1091644, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:42501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:42501
RULE             : OL 9 must prevent code from being executed on file systems that are used with removable media.
QUESTION_TEXT    : Verify that OL 9 file systems that are used for removable media are mounted with the "noexec" option with the following command:

$ more /etc/fstab
UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0

If a file system found in "/etc/fstab" refers to removable media and it does not have the "noexec" option set, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 18 *******************************

QUESTION         : 19 of 46
TITLE            : CAT II, V-271645, SV-271645r1091647, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:42701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:42701
RULE             : OL 9 must prevent special devices on file systems that are used with removable media.
QUESTION_TEXT    : Verify that OL 9 file systems that are used for removable media are mounted with the "nodev" option with the following command:

$ more /etc/fstab
UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0

If a file system found in "/etc/fstab" refers to removable media and it does not have the "nodev" option set, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 19 *******************************

QUESTION         : 20 of 46
TITLE            : CAT II, V-271646, SV-271646r1091650, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:42901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:42901
RULE             : OL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
QUESTION_TEXT    : Verify that OL 9 file systems that are used for removable media are mounted with the "nosuid" option with the following command:

$ more /etc/fstab
UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0

If a file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set, this is a finding.
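Questions 18 through 20 apply the same three-option check to every removable-media entry in "/etc/fstab". The following is an added example, not part of the STIG or SCC content, that parses fstab text and reports the missing options in one pass; the filesystem types and mount-point prefixes it uses to decide what counts as removable media are an assumption of the example, not a rule from the STIG.

```python
# Added example, not STIG/SCC content: one-pass check of /etc/fstab for the
# noexec (V-271644), nodev (V-271645) and nosuid (V-271646) mount options.
import re
from typing import List, NamedTuple

# Assumption of this example: the STIG leaves "refers to removable media" to the
# reviewer's judgement. Here an entry is treated as removable when its filesystem
# type is one typical of USB or optical media, or its mount point sits under a
# directory conventionally used for such mounts. Adjust both to the system reviewed.
REMOVABLE_FSTYPES = {"vfat", "exfat", "iso9660", "udf"}
REMOVABLE_MOUNT_PREFIXES = ("/mnt/", "/media/", "/run/media/")

# mount(8) lets "user"/"owner" imply all three options at mount time, but the STIG
# checks for the options being spelled out, so an implied setting is still a finding.
REQUIRED_OPTIONS = ("noexec", "nodev", "nosuid")


class FstabEntry(NamedTuple):
    device: str
    mountpoint: str
    fstype: str
    options: frozenset


def _unescape(field: str) -> str:
    """Decode fstab octal escapes such as \\040 (space) in device and mount point fields."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_fstab(text: str) -> List[FstabEntry]:
    """Parse fstab text into entries; comments, blank and malformed lines are skipped.

    Each entry has six whitespace-separated fields: device, mount point, type,
    options, dump and pass. Only the first four matter for this check.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 4:
            continue
        device, mountpoint, fstype, options = fields[:4]
        entries.append(FstabEntry(device, _unescape(mountpoint), fstype,
                                  frozenset(options.split(","))))
    return entries


def is_removable(entry: FstabEntry) -> bool:
    return (entry.fstype in REMOVABLE_FSTYPES
            or entry.mountpoint.startswith(REMOVABLE_MOUNT_PREFIXES))


def find_findings(text: str) -> List[str]:
    """Return one message per removable-media entry that lacks a required option."""
    findings = []
    for e in parse_fstab(text):
        if not is_removable(e):
            continue
        missing = [opt for opt in REQUIRED_OPTIONS if opt not in e.options]
        if missing:
            findings.append(f"{e.mountpoint} ({e.fstype}): missing {','.join(missing)}")
    return findings


# Constructed sample; the first line is the STIG's own example entry, the rest are made up.
SAMPLE_FSTAB = """\
UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0
/dev/sdb1 /media/backup\\040disk exfat noauto,owner,nosuid,nodev 0 0
/dev/sr0 /mnt/cdrom iso9660 noauto,ro 0 0
/dev/mapper/ol-root / xfs defaults 0 0
"""

if __name__ == "__main__":
    for finding in find_findings(SAMPLE_FSTAB):
        print("FINDING:", finding)
```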

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 20 *******************************

QUESTION         : 21 of 46
TITLE            : CAT II, V-271671, SV-271671r1091725, SRG-OS-000368-GPOS-00154
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:47901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:47901
RULE             : OL 9 must disable the graphical user interface autorun function unless required.
QUESTION_TEXT    : This requirement assumes the use of the OL 9 default graphical user interface—the GNOME desktop environment. If the system does not have any graphical user interface installed, this requirement is Not Applicable.

Verify that OL 9 disables the graphical user interface autorun function with the following command:

$ gsettings get org.gnome.desktop.media-handling autorun-never 
true

If "autorun-never" is set to "false", and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.

References:
CCI-001764
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 21 *******************************

QUESTION         : 22 of 46
TITLE            : CAT II, V-271672, SV-271672r1092631, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:48101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:48101
RULE             : OL 9 must disable the user list at logon for graphical user interfaces.
QUESTION_TEXT    : This requirement assumes the use of the OL 9 default graphical user interface—the GNOME desktop environment. If the system does not have any graphical user interface installed, this requirement is Not Applicable.

Verify that OL 9 disables the user logon list for graphical user interfaces with the following command:

$ gsettings get org.gnome.login-screen disable-user-list
true

If the setting is "false", this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 22 *******************************

QUESTION         : 23 of 46
TITLE            : CAT II, V-271676, SV-271676r1091740, SRG-OS-000031-GPOS-00012
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:48701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:48701
RULE             : OL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
QUESTION_TEXT    : This requirement assumes the use of the OL 9 default graphical user interface—the GNOME desktop environment. If the system does not have any graphical user interface installed, this requirement is Not Applicable.

Verify that OL 9 configures the screensaver to be blank with the following command:

$ gsettings get org.gnome.desktop.screensaver picture-uri 

If properly configured, the output should be "''".

To ensure that users cannot set the screensaver background, run the following: 

$ grep picture-uri /etc/dconf/db/local.d/locks/* 

If properly configured, the output should be "/org/gnome/desktop/screensaver/picture-uri".

If it is not set or configured properly, this is a finding.

References:
CCI-000060
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 23 *******************************

QUESTION         : 24 of 46
TITLE            : CAT II, V-271677, SV-271677r1091743, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:48901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:48901
RULE             : OL 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot.
QUESTION_TEXT    : This requirement assumes the use of the OL 9 default graphical user interface—the GNOME desktop environment. If the system does not have any graphical user interface installed, this requirement is Not Applicable.

Verify that OL 9 is configured to ignore the Ctrl-Alt-Del sequence in the GNOME desktop with the following command:

$ gsettings get org.gnome.settings-daemon.plugins.media-keys logout 
"['']"

If the GNOME desktop is configured to shut down when Ctrl-Alt-Del is pressed, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 24 *******************************

QUESTION         : 25 of 46
TITLE            : CAT II, V-271689, SV-271689r1091779, SRG-OS-000023-GPOS-00006
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:51301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:51301
RULE             : OL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
QUESTION_TEXT    : This requirement assumes the use of the OL 9 default graphical user interface—the GNOME desktop environment. If the system does not have any graphical user interface installed, this requirement is Not Applicable.

Verify that OL 9 displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the operating system via a graphical user logon.

Check that the operating system displays the exact Standard Mandatory DOD Notice and Consent Banner text with the command:

$ gsettings get org.gnome.login-screen banner-message-text

banner-message-text=
'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.'

Note: The "\n" characters are for formatting only. They will not be displayed on the graphical interface.

If the banner does not match the Standard Mandatory DOD Notice and Consent Banner exactly, this is a finding.

References:
CCI-000048
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 25 *******************************

QUESTION         : 26 of 46
TITLE            : CAT II, V-271692, SV-271692r1091788, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:51901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:51901
RULE             : OL 9 effective dconf policy must match the policy keyfiles.
QUESTION_TEXT    : This requirement assumes the use of the OL 9 default graphical user interface—the GNOME desktop environment. If the system does not have any graphical user interface installed, this requirement is Not Applicable.

Verify that OL 9 effective dconf policy matches the policy keyfiles.

Check the last modification time of the local databases, comparing it to the last modification time of the related keyfiles. The following command will check every dconf database and compare its modification time to the related system keyfiles:

$ function dconf_needs_update { for db in $(find /etc/dconf/db -maxdepth 1 -type f); do db_mtime=$(stat -c %Y "$db"); keyfile_mtime=$(stat -c %Y "$db".d/* | sort -n | tail -1); if [ -n "$db_mtime" ] && [ -n "$keyfile_mtime" ] && [ "$db_mtime" -lt "$keyfile_mtime" ]; then echo "$db needs update"; return 1; fi; done; }; dconf_needs_update

If the command has any output, then a dconf database needs to be updated, and this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 26 *******************************

QUESTION         : 27 of 46
TITLE            : CAT II, V-271699, SV-271699r1091809, SRG-OS-000355-GPOS-00143
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:53301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:53301
RULE             : OL 9 must securely compare internal information system clocks at least every 24 hours.
QUESTION_TEXT    : Verify that OL 9 securely compares internal information system clocks at least every 24 hours with an NTP server with the following command:

$ grep maxpoll /etc/chrony.conf
server 0.us.pool.ntp.mil iburst maxpoll 16

If the "maxpoll" option is set to a number greater than 16 or the line is commented out, this is a finding.

Verify the "chrony.conf" file is configured to an authoritative DOD time source by running the following command:

$ grep -i server /etc/chrony.conf
server 0.us.pool.ntp.mil 

If the parameter "server" is not set or is not set to an authoritative DOD time source, this is a finding.

References:
CCI-004923
CCI-004926
CCI-001890
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 27 *******************************

QUESTION         : 28 of 46
TITLE            : CAT II, V-271701, SV-271701r1091815, SRG-OS-000378-GPOS-00163
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:53701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:53701
RULE             : OL 9 must block unauthorized peripherals before establishing a connection.
QUESTION_TEXT    : Verify that OL 9 USBGuard has a policy configured with the following command:

$ usbguard list-rules
allow id 1d6b:0001 serial

If the command does not return results or an error is returned, ask the SA to indicate how unauthorized peripherals are being blocked.

If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding.

References:
CCI-001958
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 28 *******************************

QUESTION         : 29 of 46
TITLE            : CAT II, V-271744, SV-271744r1091944, SRG-OS-000046-GPOS-00022
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:62101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:62101
RULE             : OL 9 must have mail aliases to notify the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure.
QUESTION_TEXT    : Verify that OL 9 is configured to notify the appropriate interactive users in the event of an audit processing failure.

Find the alias maps that are being used with the following command:

$ postconf alias_maps 
alias_maps = hash:/etc/aliases

Query the Postfix alias maps for an alias for the root user with the following command:

$ postmap -q root hash:/etc/aliases
isso

If an alias is not set, this is a finding.

References:
CCI-000139
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 29 *******************************

QUESTION         : 30 of 46
TITLE            : CAT II, V-271760, SV-271760r1091992, SRG-OS-000433-GPOS-00192
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:65301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:65301
RULE             : OL 9 must implement nonexecutable data to protect its memory from unauthorized code execution.
QUESTION_TEXT    : Verify that OL 9 ExecShield is enabled on 64-bit systems with the following command:

$ sudo dmesg | grep '[NX|DX]*protection' 
[ 0.000000] NX (Execute Disable) protection: active

If "dmesg" does not show "NX (Execute Disable) protection" active, this is a finding.

References:
CCI-002824
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 30 *******************************

QUESTION         : 31 of 46
TITLE            : CAT II, V-271764, SV-271764r1092004, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:65901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:65901
RULE             : OL 9 Trivial File Transfer Protocol (TFTP) daemon must be configured to operate in secure mode if the TFTP server is required. 
QUESTION_TEXT    : Verify that OL 9 TFTP daemon is configured to operate in secure mode.

Check if a TFTP server is installed with the following command:

$ sudo dnf list --installed tftp-server
Installed Packages
tftp-server.x86_64                                       5.2-38.el9                                       @ol9_appstream

Note: If a TFTP server is not installed, this requirement is Not Applicable.

If a TFTP server is installed, check for the server arguments with the following command: 

$ systemctl cat tftp | grep ExecStart
ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot

If the "ExecStart" line does not have a "-s" option, and a subdirectory is not assigned, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 31 *******************************

QUESTION         : 32 of 46
TITLE            : CAT II, V-271769, SV-271769r1092019, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:66501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:66501
RULE             : OL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification.
QUESTION_TEXT    : Verify that OL 9 configures all system device files to be correctly labeled to prevent unauthorized modification.

List all device files on the system that are incorrectly labeled with the following commands:

Note: Device files are normally found under "/dev", but applications may place device files in other directories and may necessitate a search of the entire system.

$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"

$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"

Note: There are device files, such as "/dev/dtrace/helper" or "/dev/vmci", that are used for system trace capabilities or when the operating system is a host virtual machine. They will not be owned by a user on the system and require the "device_t" label to operate. These device files are not a finding.

If there is output from either of these commands, other than already noted, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 32 *******************************

QUESTION         : 33 of 46
TITLE            : CAT II, V-271770, SV-271770r1092022, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:66701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:66701
RULE             : OL 9 must not have unauthorized accounts.
QUESTION_TEXT    : Verify that OL 9 prohibits unauthorized interactive user accounts with the following command:

$ less /etc/passwd  
root:x:0:0:root:/root:/bin/bash
...
games:x:12:100:games:/usr/games:/sbin/nologin
scsaustin:x:1001:1001:scsaustin:/home/scsaustin:/bin/bash
djohnson:x:1002:1002:djohnson:/home/djohnson:/bin/bash

Interactive user accounts generally have a user identifier (UID) of 1000 or greater, a home directory in a specific partition, and an interactive shell.

Obtain the list of interactive user accounts authorized to be on the system from the system administrator or information system security officer (ISSO) and compare it to the list of local interactive user accounts on the system.

If there are unauthorized local user accounts on the system, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 33 *******************************

QUESTION         : 34 of 46
TITLE            : CAT II, V-271781, SV-271781r1092055, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:68901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:68901
RULE             : OL 9 local files and directories must have a valid owner.
QUESTION_TEXT    : Verify that local files and directories on OL 9 have a valid owner with the following command:

$ df --local -P | awk {'if (NR!=1) print $6'} | sudo xargs -I '{}' find '{}' -xdev -nouser

If any files on the system do not have an assigned owner, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 34 *******************************

QUESTION         : 35 of 46
TITLE            : CAT II, V-271783, SV-271783r1092061, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:69301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:69301
RULE             : OL 9 local interactive user home directories must be group-owned by the home directory owner's primary group.
QUESTION_TEXT    : Verify that OL 9 configures assigned home directories of all local interactive users to be group-owned by that user's primary GID with the following command:

Note: This may miss local interactive users that have been assigned a privileged user identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information. The returned directory "/home/wadea" is used as an example.

$ sudo ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)
drwxr-x--- 2 wadea admin 4096 Jun 5 12:41 wadea

Check the user's primary group with the following command:

$ sudo grep $(grep wadea /etc/passwd | awk -F: '{print $4}') /etc/group
admin:x:250:wadea,jonesj,jacksons

If the user home directory referenced in "/etc/passwd" is not group-owned by that user's primary GID, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 35 *******************************

QUESTION         : 36 of 46
TITLE            : CAT II, V-271785, SV-271785r1155290, SRG-OS-000138-GPOS-00069
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:69701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:69701
RULE             : OL 9 world-writable directories must be owned by root, sys, bin, or an application user.
QUESTION_TEXT    : Verify OL 9 world-writable directories are owned by root, a system account, or an application account with the following command:

$ sudo find / -xdev -type d -perm -0002 -uid +999 -exec stat -c "%U, %u, %A, %n" {} \; 2>/dev/null

If there is output that indicates world-writable directories are owned by any account other than root or an approved system account, this is a finding.

References:
CCI-001090
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 36 *******************************

QUESTION         : 37 of 46
TITLE            : CAT II, V-271843, SV-271843r1094969, SRG-OS-000123-GPOS-00064
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:81301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:81301
RULE             : OL 9 must automatically expire temporary accounts within 72 hours.
QUESTION_TEXT    : Verify that OL 9 configures temporary accounts to be provisioned with an expiration date of 72 hours.

For every existing temporary account, run the following command to obtain its account expiration information:

$ chage -l <temporary_account_name> | grep -i "account expires"

Verify each of these accounts has an expiration date set within 72 hours. 

If any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.

References:
CCI-001682
CCI-000016
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 37 *******************************

QUESTION         : 38 of 46
TITLE            : CAT II, V-271844, SV-271844r1092244, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:81501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:81501
RULE             : OL 9 local interactive user home directories defined in the /etc/passwd file must exist.
QUESTION_TEXT    : Verify that OL 9 assigned home directories of all interactive users on the system exist with the following command:

$ sudo pwck -r 

The output should not return any interactive users.

If a user's home directory does not exist, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 38 *******************************

QUESTION         : 39 of 46
TITLE            : CAT II, V-271847, SV-271847r1092253, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:82101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:82101
RULE             : OL 9 must be configured so that executable search paths within the initialization files of all local interactive users must only contain paths that resolve to the system default or the users home directory.
QUESTION_TEXT    : Verify that OL 9 local interactive user initialization file executable search path statements do not contain statements that will reference a working directory other than user home directories with the following commands:

$ sudo grep -i path= /home/*/.*
/home/[localinteractiveuser]/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin

If any local interactive user initialization files have executable search path statements that include directories outside of their home directory, and this is not documented with the ISSO as an operational requirement, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 39 *******************************

QUESTION         : 40 of 46
TITLE            : CAT II, V-271848, SV-271848r1092256, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:82301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:82301
RULE             : OL 9 must set the umask value to 077 for all local interactive user accounts.
QUESTION_TEXT    : Verify that OL 9 configures the default umask for all local interactive users to be "077".

Identify the locations of all local interactive user home directories by looking at the "/etc/passwd" file.

Check all local interactive user initialization files for interactive users with the following command:

Note: The example is for a system that is configured to create users' home directories in the "/home" directory.

$ grep -ri umask /home/
/home/wadea/.bash_history:grep -i umask /etc/bashrc /etc/csh.cshrc /etc/profile
/home/wadea/.bash_history:grep -i umask /etc/login.defs

If any local interactive user initialization files are found to have a umask statement that sets a value less restrictive than "077", this is a finding.
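The following is an added example, not part of the STIG or SCC content, that scans "grep -ri umask /home/" output for umask statements in initialization files and flags those weaker than "077", evaluating symbolic as well as octal arguments. The list of initialization file names it recognises is an assumption of the example; the ".bash_history" lines in the sample output above are skipped because a command history is not an initialization file.

```python
# Added example, not STIG/SCC content: evaluate umask statements for V-271848.
# "Less restrictive than 077" means at least one group or other permission bit that
# 077 removes is left grantable, so 077 and 177 pass while 027, 022 and 007 fail.
import re
from typing import List, Tuple

REQUIRED_MASK = 0o077

# A shell 'umask' statement at the start of a line or after ; & | with an octal or
# symbolic (u=rwx,g=,o=) argument. A 'umask' that only appears as an argument to
# another command, such as 'grep -i umask ...', is deliberately not matched.
UMASK_RE = re.compile(r"(?:^|[;&|])\s*umask\s+([0-7]{1,4}|[ugoa=rwx,]+)(?=\s|;|$)",
                      re.IGNORECASE)

# Assumption: initialization files read by the common login shells.
INIT_FILE_RE = re.compile(
    r"/\.(bash_profile|bash_login|bashrc|profile|login|cshrc|tcshrc|zprofile|zshrc)$")

_PERM_BITS = {"r": 4, "w": 2, "x": 1}
_WHO_SHIFTS = {"u": (6,), "g": (3,), "o": (0,), "a": (6, 3, 0)}


def umask_value(arg: str) -> int:
    """Convert a umask argument to an integer mask.

    Octal values are taken as-is. Symbolic values list the permissions that stay
    grantable, so the mask is their complement: u=rwx,g=,o= is 077 and
    u=rwx,g=rx,o=rx is 022. Only '=' clauses are handled; '+' and '-' depend on
    the current mask and cannot be evaluated from the file alone.
    """
    if re.fullmatch(r"[0-7]{1,4}", arg):
        return int(arg, 8) & 0o777
    permitted = 0
    for clause in arg.split(","):
        if "=" not in clause:
            raise ValueError(f"unsupported symbolic umask clause: {clause!r}")
        who, perms = clause.split("=", 1)
        bits = 0
        for p in perms:
            if p not in _PERM_BITS:
                raise ValueError(f"unsupported permission {p!r} in {clause!r}")
            bits |= _PERM_BITS[p]
        for w in (who or "a"):
            for shift in _WHO_SHIFTS[w]:
                permitted |= bits << shift
    return 0o777 & ~permitted


def is_restrictive_enough(mask: int) -> bool:
    """True when the mask removes every group and other bit, i.e. it is 077 or stricter."""
    return mask & REQUIRED_MASK == REQUIRED_MASK


def umask_findings(grep_output: str) -> List[Tuple[str, str, int]]:
    """Scan 'grep -ri umask /home/' style output and return (file, argument, mask)
    for every umask statement in an initialization file that is weaker than 077."""
    findings = []
    for raw in grep_output.splitlines():
        path, sep, content = raw.partition(":")
        if not sep or not INIT_FILE_RE.search(path):
            continue
        m = UMASK_RE.search(content.split("#", 1)[0])
        if not m:
            continue
        mask = umask_value(m.group(1))
        if not is_restrictive_enough(mask):
            findings.append((path, m.group(1), mask))
    return findings


# Constructed sample: the two .bash_history lines are the STIG's own example output,
# the remaining lines are made up to show passing and failing statements.
SAMPLE_GREP = """\
/home/wadea/.bash_history:grep -i umask /etc/bashrc /etc/csh.cshrc /etc/profile
/home/wadea/.bash_history:grep -i umask /etc/login.defs
/home/wadea/.bashrc:umask 077
/home/jonesj/.bash_profile:umask 022   # permits group and other read access
/home/jacksons/.profile:umask u=rwx,g=rx,o=
/home/jacksons/.zshrc:[ -f ~/.aliases ] && umask 177
"""

if __name__ == "__main__":
    for path, arg, mask in umask_findings(SAMPLE_GREP):
        print(f"FINDING: {path}: umask {arg} (effective {mask:03o}) is weaker than 077")
```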

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 40 *******************************

QUESTION         : 41 of 46
TITLE            : CAT II, V-271853, SV-271853r1092271, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:83301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:83301
RULE             : OL 9 must use cron logging.
QUESTION_TEXT    : Verify that OL 9 rsyslog is configured to log cron events with the following command:

Note: If another logging package is used, substitute the utility configuration file for "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files.

$ grep -s cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf
/etc/rsyslog.conf:*.info;mail.none;authpriv.none;cron.none                          /var/log/messages
/etc/rsyslog.conf:cron.*                                                           /var/log/cron             

If the command does not return a response, check for cron logging all facilities with the following command:

$ grep -s /var/log/messages /etc/rsyslog.conf /etc/rsyslog.d/*.conf
/etc/rsyslog.conf:*.info;mail.none;authpriv.none;cron.none                          /var/log/messages

If "rsyslog" is not logging messages for the cron facility or all facilities, this is a finding.
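The two checks above read selector lines by eye; evaluating the selector semantics shows why the "cron.none" term on the "/var/log/messages" line matters and why the "cron.*" line is what satisfies the requirement. The following is an added example, not part of the STIG or SCC content, that parses classic rsyslog selector lines (including the path-prefixed "grep -s" output shown above) and reports which actions actually receive cron messages. RainerScript syntax and the sysklogd "!" modifier are outside what it handles.

```python
# Added example, not STIG/SCC content: evaluate rsyslog selector lines to decide
# whether the cron facility is routed anywhere, as V-271853 asks the reviewer to confirm.
import re
from typing import List

# Severities in ascending order, as in syslog(3); a plain level selects it and everything above.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
PRIORITY_ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

# A classic selector line: "<selector> <action>", optionally prefixed with "<path>:"
# as in the STIG's "grep -s" output. RainerScript (module(...), action(...)) and
# "if ... then" lines do not match this shape and are ignored.
SELECTOR_LINE = re.compile(r"^(?:/[^\s:]+:)?([^\s#$]+)\s+(\S+)$")


def _level(name: str) -> int:
    return PRIORITIES.index(PRIORITY_ALIASES.get(name, name))


def selector_matches(selector: str, facility: str, priority: str) -> bool:
    """Return True if a message of facility.priority passes the selector.

    A selector is ';'-separated terms of the form 'facility[,facility].priority'.
    Terms apply left to right and the last term naming the facility wins, so
    '*.info;cron.none' drops cron while '*.info;cron.warning' only raises cron's
    threshold. Priority is '*', 'none', a level (that level and above) or '=level'
    (exactly that level). The sysklogd '!' exclusion modifier is not supported.
    """
    msg_level = _level(priority)
    logged = False
    for term in selector.split(";"):
        if "." not in term:
            continue
        fac_part, prio = term.rsplit(".", 1)
        facilities = {f.strip() for f in fac_part.split(",")}
        if "*" not in facilities and facility not in facilities:
            continue
        if prio == "*":
            logged = True
        elif prio == "none":
            logged = False
        elif prio.startswith("="):
            logged = msg_level == _level(prio[1:])
        elif prio.startswith("!"):
            raise ValueError(f"'!' modifier not supported in term {term!r}")
        else:
            logged = msg_level >= _level(prio)
    return logged


def log_targets(config_text: str, facility: str = "cron", priority: str = "info") -> List[str]:
    """Return the actions (log files, remote hosts, ...) that receive facility.priority."""
    targets = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#$":
            continue
        m = SELECTOR_LINE.match(line)
        if m and selector_matches(m.group(1), facility, priority):
            targets.append(m.group(2))
    return targets


def cron_logging_finding(config_text: str) -> str:
    """Empty string when cron is logged somewhere, otherwise the finding text for V-271853."""
    if log_targets(config_text, "cron", "info"):
        return ""
    return "rsyslog is not logging messages for the cron facility"


# Constructed sample, copied from the STIG's expected grep output above.
SAMPLE_GREP_OUTPUT = """\
/etc/rsyslog.conf:*.info;mail.none;authpriv.none;cron.none                          /var/log/messages
/etc/rsyslog.conf:cron.*                                                           /var/log/cron
"""

if __name__ == "__main__":
    print(log_targets(SAMPLE_GREP_OUTPUT))
    print(cron_logging_finding(SAMPLE_GREP_OUTPUT) or "not a finding")
```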

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 41 *******************************

QUESTION         : 42 of 46
TITLE            : CAT II, V-271859, SV-271859r1092289, SRG-OS-000299-GPOS-00117
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:84501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:84501
RULE             : OL 9 wireless network adapters must be disabled.
QUESTION_TEXT    : Note: For systems that do not have physical wireless network radios, this requirement is Not Applicable.

Verify that OL 9 allows no wireless interfaces to be configured on the system with the following command:

$ nmcli device status
DEVICE           TYPE       STATE         CONNECTION
virbr0           bridge     connected     virbr0
wlp7s0           wifi       connected     wifiSSID
enp6s0           ethernet   disconnected  --
p2p-dev-wlp7s0   wifi-p2p   disconnected  --
lo               loopback   unmanaged     --
virbr0-nic       tun        unmanaged     --

If a wireless interface is configured and has not been documented and approved by the information system security officer (ISSO), this is a finding.

References:
CCI-001444
CCI-001443
CCI-002421
CCI-002418
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 42 *******************************

QUESTION         : 43 of 46
TITLE            : CAT II, V-271863, SV-271863r1092639, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:85301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:85301
RULE             : OL 9 must not have unauthorized IP tunnels configured.
QUESTION_TEXT    : Verify that OL 9 does not have unauthorized IP tunnels configured.

Determine if the IPsec service is active with the following command:

$ systemctl status ipsec
ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)
Active: inactive (dead)

If the IPsec service is active, check for configured IPsec connections ("conn"), with the following command:

$ grep -rni conn /etc/ipsec.conf /etc/ipsec.d/ 

Verify any returned results are documented with the ISSO.

If the IPsec tunnels are active and not approved, this is a finding.
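Added example, not part of the STIG text: enumerate the "conn" stanzas precisely and compare them with an approved list, since "grep -rni conn" also matches comments, "conn %default" and any keyword containing those letters. The configuration and addresses are constructed, and the approved-list file name used in ipsec_check_host is an assumption.

```shell
# Added example, not part of the STIG: enumerate the "conn <name>" stanzas in
# Libreswan configuration text on stdin and report those missing from an approved
# list. Unlike "grep -rni conn" this ignores comments, the "conn %default"
# template and keywords that merely contain the letters "conn". The approved-list
# file name used in ipsec_check_host is an assumption for this example; keep the
# list wherever the ISSO documentation is maintained.
ipsec_conn_names() {
    awk '{ sub(/#.*/, "") }                              # drop comments, then re-split fields
         $1 == "conn" && $2 != "%default" { print $2 }'
}

ipsec_unapproved() {   # usage: ipsec_conn_names <conf | ipsec_unapproved "$approved"  (one name per line)
    awk -v approved="$1" '
    BEGIN { n = split(approved, a, "\n"); for (i = 1; i <= n; i++) if (a[i] != "") ok[a[i]] = 1 }
    NF && !($1 in ok) { print $1; bad = 1 }
    END { exit (bad ? 1 : 0) }'
}

ipsec_check_host() {   # real check: only an active service can carry a tunnel
    if ! systemctl is-active --quiet ipsec; then
        echo "ipsec.service is inactive; no tunnels to review"; return 0
    fi
    cat /etc/ipsec.conf /etc/ipsec.d/*.conf 2>/dev/null | ipsec_conn_names \
        | ipsec_unapproved "$(cat /etc/ipsec.d/approved-conns.list 2>/dev/null)"
}

# Constructed sample (documentation addresses, not a live configuration).
sample_ipsec_conf='config setup
    logfile=/var/log/pluto.log
conn %default
    ikev2=insist
conn site-to-hq
    left=192.0.2.10
    right=198.51.100.1
# conn old-lab     (commented out: must be ignored)
conn lab-tunnel
    left=192.0.2.10
    right=203.0.113.5'
approved_conns='site-to-hq'

printf '%s\n' "$sample_ipsec_conf" | ipsec_conn_names | ipsec_unapproved "$approved_conns" \
    && echo "all tunnels approved" || echo "FINDING: unapproved tunnels listed above"
```

Against the sample, "lab-tunnel" is reported and "old-lab" is not, because the commented stanza never became a connection.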

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 43 *******************************

QUESTION         : 44 of 46
TITLE            : CAT II, V-271901, SV-271901r1092415, SRG-OS-000403-GPOS-00182
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:90101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:90101
RULE             : OL 9 must only allow the use of DOD PKI-established certificate authorities for authentication in the establishment of protected sessions to OL 9.
QUESTION_TEXT    : Verify OL 9 only allows the use of DOD PKI-established certificate authorities using the following command:

$ trust list

pkcs11:id=%7C%42%96%AE%DE%4B%48%3B%FA%92%F8%9E%8C%CF%6D%8B%A9%72%37%95;type=cert
    type: certificate
    label: ISRG Root X2
    trust: anchor
    category: authority

If any nonapproved CAs are returned, this is a finding.
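Added example, not part of the STIG text: parse "trust list" output into the labels of CA trust anchors and report those absent from an approved list, so a long anchor list can be diffed against the ISSO's documented DOD CAs instead of being read by hand. The PKCS#11 ids, labels and approved list in the sample are constructed; on a host, feed the function "trust list --filter=ca-anchors".

```shell
# Added example, not part of the STIG: pull the labels of CA trust anchors out of
# "trust list" output on stdin and report those absent from an approved-label
# list. Only entries with "trust: anchor" and "category: authority" count;
# blocklisted entries show "trust: distrusted" and are not anchors. On a host,
# feed it "trust list --filter=ca-anchors" and the labels of the documented DOD
# CAs. The PKCS#11 ids and labels in the sample are constructed for this example.
trust_anchor_labels() {
    awk '
    function emit() { if (label != "" && trust == "anchor" && cat == "authority") print label }
    /^pkcs11:/               { emit(); label = ""; trust = ""; cat = ""; next }   # new entry
    /^[[:space:]]*label:/    { sub(/^[[:space:]]*label:[[:space:]]*/, ""); label = $0 }
    /^[[:space:]]*trust:/    { trust = $2 }
    /^[[:space:]]*category:/ { cat = $2 }
    END                      { emit() }'
}

unapproved_anchors() {   # usage: trust_anchor_labels <out | unapproved_anchors "$approved"  (one label per line)
    awk -v ok="$1" 'index("\n" ok "\n", "\n" $0 "\n") == 0 { print; bad = 1 }
                    END { exit (bad ? 1 : 0) }'
}

# Constructed sample output (ids and labels invented for the example).
sample_trust='pkcs11:id=%01%02%03;type=cert
    type: certificate
    label: ISRG Root X2
    trust: anchor
    category: authority

pkcs11:id=%04%05%06;type=cert
    type: certificate
    label: DoD Root CA 3
    trust: anchor
    category: authority

pkcs11:id=%07%08%09;type=cert
    type: certificate
    label: Example Distrusted CA
    trust: distrusted
    category: authority'
approved_labels='DoD Root CA 3
DoD Root CA 6'

printf '%s\n' "$sample_trust" | trust_anchor_labels | unapproved_anchors "$approved_labels" \
    && echo "only approved CAs are trusted" || echo "FINDING: unapproved CA labels listed above"
```

Matching on labels is enough for a review pass; for a hard control, compare fingerprints from "trust list" against the approved certificates themselves, since a label is not a unique identifier.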

References:
CCI-002470
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 44 *******************************

QUESTION         : 45 of 46
TITLE            : CAT III, V-271499, SV-271499r1091209, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:13701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:13701
RULE             : OL 9 must be configured so that the file integrity tool verifies Access Control Lists (ACLs).
QUESTION_TEXT    : Verify that OL 9 is configured so that AIDE is verifying ACLs with the following command:

$ sudo grep acl /etc/aide.conf 
All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux

If the "acl" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or ACLs are not being checked by another file integrity tool, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 45 *******************************

QUESTION         : 46 of 46
TITLE            : CAT III, V-271500, SV-271500r1091212, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ol9os:testaction:13901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ol9os:question:13901
RULE             : OL 9 must be configured so that the file integrity tool verifies extended attributes.
QUESTION_TEXT    : Verify that OL 9 is configured so that AIDE is configured to verify extended attributes with the following command:

$ sudo grep xattrs /etc/aide.conf 
All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux

If the "xattrs" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.
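Added example, not part of the STIG text, serving question 45 (acl) and this question (xattrs) together: resolve AIDE rule groups so that each uncommented selection line can be checked for the attributes it actually inherits. A plain "grep acl /etc/aide.conf" only proves the word appears somewhere; a selection line using a group that subtracts the attribute, or a group that never had it, still passes that grep. The aide.conf below is constructed.

```shell
# Added example, not part of the STIG, covering question 45 (acl) and this
# question (xattrs) together: resolve every uncommented selection line in an
# aide.conf read from stdin and report the lines whose rule set lacks any of the
# required attributes. User-defined groups (e.g. "All = ...", "Norm = All-acl") are
# expanded, including "+"/"-" arithmetic; AIDE built-in groups (R, L, E, ...) are
# not expanded, so a rule relying on them for acl/xattrs is reported and must be
# checked against the installed aide.conf(5).
# usage: aide_missing_attrs acl xattrs < /etc/aide.conf ; exit 0 when nothing is missing
aide_missing_attrs() {
    awk -v req_list="$*" '
    function expand(expr, set,    e, n, tok, i, t, neg, sub_, k) {
        e = expr; gsub(/-/, "+-", e)                 # "A-b+c" -> tokens A, -b, c
        n = split(e, tok, "\\+")
        for (i = 1; i <= n; i++) {
            t = tok[i]; neg = (substr(t, 1, 1) == "-"); if (neg) t = substr(t, 2)
            if (t == "") continue
            if (t in def && !(t in busy)) {          # user-defined group: expand recursively
                busy[t] = 1; split("", sub_); expand(def[t], sub_); delete busy[t]
                for (k in sub_) { if (neg) delete set[k]; else set[k] = 1 }
            } else if (neg) delete set[t]; else set[t] = 1
        }
    }
    BEGIN { nreq = split(req_list, req, " ") }
    { sub(/#.*/, "") }                               # strip comments
    NF == 0 { next }
    /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=/ {   # group definition NAME = expr
        line = $0; sub(/^[[:space:]]*/, "", line)
        name = line; sub(/[[:space:]]*=.*/, "", name)
        expr = line; sub(/^[^=]*=[[:space:]]*/, "", expr)
        def[name] = expr; next
    }
    /^[[:space:]]*[=!]?\// {                          # selection line: [=|!]path RULE
        if ($1 ~ /^!/) next                          # negative lines carry no rule
        split("", attrs); expand($2, attrs)
        for (i = 1; i <= nreq; i++)
            if (!(req[i] in attrs)) { printf "%s lacks %s\n", $1, req[i]; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }'
}

# Constructed aide.conf (not the file shipped with OL 9).
sample_aide_conf='@@define DBDIR /var/lib/aide
database_in=file:@@{DBDIR}/aide.db.gz
# Rule groups
All = p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux
Norm = All-acl-xattrs
Logs = p+u+g+n+S
/boot All
/bin  All
/var/log Logs          # neither acl nor xattrs
=/home Norm
!/var/tmp'

printf '%s\n' "$sample_aide_conf" | aide_missing_attrs acl xattrs \
    && echo "every selection line checks acl and xattrs" \
    || echo "FINDING: the selection lines above do not"
```

Run it as "sudo aide_missing_attrs acl xattrs < /etc/aide.conf" in a shell where the function is defined; "/var/log" and "=/home" are reported for the sample, "/boot" and "/bin" are not, and the negative line "!/var/tmp" is skipped because it excludes files rather than selecting them.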

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 46 *******************************

