xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_cis_server_l1

Guide to the Secure Configuration of Red Hat Enterprise Linux 8

with profile CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server
This profile defines a baseline that aligns to the "Level 1 - Server" configuration from the Center for Internet Security® Red Hat Enterprise Linux 8 Benchmark™, v2.0.0, released 2022-02-23. This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™ content.

The SCAP Security Guide Project
https://www.open-scap.org/security-policies/scap-security-guide

This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 8. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is is available in the scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.

Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Evaluation Characteristics

Evaluation target	opa.mydomain.com
Benchmark URL	#scap_org.open-scap_comp_ssg-rhel8-xccdf.xml
Benchmark ID	xccdf_org.ssgproject.content_benchmark_RHEL-8
Benchmark version	0.1.66
Profile ID	xccdf_org.ssgproject.content_profile_cis_server_l1
Started at	2026-03-23T19:57:54+01:00
Finished at	2026-03-23T20:00:01+01:00
Performed by	sysadmin
Test system	cpe:/a:redhat:openscap:1.3.6

CPE Platforms

cpe:/o:redhat:enterprise_linux:8.7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:8.0
cpe:/o:redhat:enterprise_linux:8.1
cpe:/o:redhat:enterprise_linux:8.10
cpe:/o:redhat:enterprise_linux:8.2
cpe:/o:redhat:enterprise_linux:8.3
cpe:/o:redhat:enterprise_linux:8.4
cpe:/o:redhat:enterprise_linux:8.5
cpe:/o:redhat:enterprise_linux:8.6
cpe:/o:redhat:enterprise_linux:8.8
cpe:/o:redhat:enterprise_linux:8.9

Addresses

IPv4 127.0.0.1
IPv4 192.168.56.103
IPv4 10.0.3.15
MAC 00:00:00:00:00:00
MAC 08:00:27:9A:AD:FE
MAC 08:00:27:81:AE:01

Compliance and Scoring

The target system did not satisfy the conditions of 92 rules! Please review rule results and consider applying remediation.

Rule results

139 passed

92 failed

1 other

Severity of failed rules

5 other

3 low

82 medium

2 high

Score

Scoring system	Score	Maximum	Percent
urn:xccdf:scoring:default	80.554634	100.000000	80.55%

Rule Overview

Title	Severity	Result
Guide to the Secure Configuration of Red Hat Enterprise Linux 8 92x fail 1x notchecked
System Settings 73x fail 1x notchecked
Installing and Maintaining Software 7x fail
System and Software Integrity 3x fail
Software Integrity Checking 3x fail
Verify Integrity with AIDE 3x fail
Install AIDE	medium	fail
Build and Test AIDE Database	medium	fail
Configure Periodic Execution of AIDE	medium	fail
System Cryptographic Policies
Configure System Cryptography Policy	high	pass
Configure SSH to use System Crypto Policy	medium	pass
Disk Partitioning 1x fail
Ensure /tmp Located On Separate Partition	low	fail
GNOME Desktop Environment
Configure GNOME Login Screen
Disable the GNOME3 Login User List	medium	notapplicable
Disable XDMCP in GDM	high	notapplicable
GNOME Media Settings
Disable GNOME3 Automounting	medium	notapplicable
Disable GNOME3 Automount Opening	medium	notapplicable
Make sure that the dconf databases are up-to-date with regards to respective keyfiles	high	notapplicable
Sudo 3x fail
Install sudo Package	medium	pass
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty	medium	fail
Ensure Sudo Logfile Exists - sudo logfile	low	fail
The operating system must require Re-Authentication when using the sudo command. Ensure sudo timestamp_timeout is appropriate - sudo timestamp_timeout	medium	fail
Updating Software
Ensure gpgcheck Enabled In Main yum Configuration	high	pass
Account and Access Control 21x fail
Warning Banners for System Accesses 2x fail
Implement a GUI Warning Banner
Enable GNOME3 Login Warning Banner	medium	notapplicable
Set the GNOME3 Login Warning Banner Text	medium	notapplicable
Modify the System Login Banner	medium	fail
Modify the System Login Banner for Remote Connections	medium	fail
Modify the System Message of the Day Banner	medium	pass
Verify Group Ownership of System Login Banner	medium	pass
Verify Group Ownership of System Login Banner for Remote Connections	medium	pass
Verify Group Ownership of Message of the Day Banner	medium	pass
Verify ownership of System Login Banner	medium	pass
Verify ownership of System Login Banner for Remote Connections	medium	pass
Verify ownership of Message of the Day Banner	medium	pass
Verify permissions on System Login Banner	medium	pass
Verify permissions on System Login Banner for Remote Connections	medium	pass
Verify permissions on Message of the Day Banner	medium	pass
Protect Accounts by Configuring PAM 6x fail
Set Lockouts for Failed Password Attempts 4x fail
Limit Password Reuse: password-auth	medium	fail
Limit Password Reuse: system-auth	medium	fail
Lock Accounts After Failed Password Attempts	medium	fail
Set Lockout Time for Failed Password Attempts	medium	fail
Set Password Quality Requirements 2x fail
Set Password Quality Requirements with pam_pwquality 2x fail
Ensure PAM Enforces Password Requirements - Minimum Different Categories	medium	fail
Ensure PAM Enforces Password Requirements - Minimum Length	medium	fail
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session	medium	pass
Set Password Hashing Algorithm
Set PAM''s Password Hashing Algorithm - password-auth	medium	pass
Set PAM''s Password Hashing Algorithm	medium	pass
Protect Physical Console Access
Require Authentication for Emergency Systemd Target	medium	pass
Require Authentication for Single User Mode	medium	pass
Protect Accounts by Restricting Password-Based Login 7x fail
Set Account Expiration Parameters 1x fail
Set Account Expiration Following Inactivity	medium	fail
Ensure All Accounts on the System Have Unique Names	medium	pass
Set Password Expiration Parameters 4x fail
Set Password Maximum Age	medium	fail
Set Password Minimum Age	medium	fail
Set Existing Passwords Maximum Age	medium	fail
Set Existing Passwords Minimum Age	medium	fail
Set Password Warning Age	medium	pass
Verify Proper Storage and Existence of Password Hashes
All GIDs referenced in /etc/passwd must be defined in /etc/group	low	pass
Ensure There Are No Accounts With Blank or Null Passwords	high	pass
Verify No netrc Files Exist	medium	pass
Restrict Root Logins 2x fail
Verify Only Root Has UID 0	high	pass
Verify Root Has A Primary GID 0	high	pass
Ensure that System Accounts Do Not Run a Shell Upon Login	medium	fail
Enforce usage of pam_wheel for su authentication	medium	fail
Ensure All Accounts on the System Have Unique User IDs	medium	pass
Ensure All Groups on the System Have Unique Group ID	medium	pass
Ensure All Groups on the System Have Unique Group Names	medium	pass
Secure Session Configuration Files for Login Accounts 5x fail
Ensure that No Dangerous Directories Exist in Root's Path
Ensure that Root's Path Does Not Include World or Group-Writable Directories	medium	pass
Ensure that Root's Path Does Not Include Relative Paths or Null Directories	unknown	pass
Ensure that Users Have Sensible Umask Values 3x fail
Ensure the Default Bash Umask is Set Correctly	medium	fail
Ensure the Default Umask is Set Correctly in login.defs	medium	fail
Ensure the Default Umask is Set Correctly in /etc/profile	medium	fail
Set Interactive Session Timeout	medium	fail
User Initialization Files Must Not Run World-Writable Programs	medium	fail
All Interactive Users Home Directories Must Exist	medium	pass
All Interactive User Home Directories Must Be Group-Owned By The Primary User	medium	pass
All Interactive User Home Directories Must Be Owned By The Primary User	medium	pass
All Interactive User Home Directories Must Have mode 0750 Or Less Permissive	medium	pass
Enable authselect	medium	fail
GRUB2 bootloader configuration 1x fail
Non-UEFI GRUB2 bootloader configuration 1x fail
Verify /boot/grub2/grub.cfg Group Ownership	medium	pass
Verify /boot/grub2/user.cfg Group Ownership	medium	pass
Verify /boot/grub2/grub.cfg User Ownership	medium	pass
Verify /boot/grub2/user.cfg User Ownership	medium	pass
Verify /boot/grub2/grub.cfg Permissions	medium	pass
Verify /boot/grub2/user.cfg Permissions	medium	pass
Set Boot Loader Password in grub2	high	fail
UEFI GRUB2 bootloader configuration
Verify the UEFI Boot Loader grub.cfg Group Ownership	medium	notapplicable
Verify /boot/efi/EFI/redhat/user.cfg Group Ownership	medium	notapplicable
Verify the UEFI Boot Loader grub.cfg User Ownership	medium	notapplicable
Verify /boot/efi/EFI/redhat/user.cfg User Ownership	medium	notapplicable
Verify the UEFI Boot Loader grub.cfg Permissions	medium	notapplicable
Verify /boot/efi/EFI/redhat/user.cfg Permissions	medium	notapplicable
Set the UEFI Boot Loader Password	high	notapplicable
Configure Syslog 3x fail
Ensure Proper Configuration of Log Files
Ensure System Log Files Have Correct Permissions	medium	pass
systemd-journald 3x fail
Enable systemd-journald Service	medium	pass
Ensure journald is configured to compress large log files	medium	fail
Ensure journald is configured to send logs to rsyslog	medium	fail
Ensure journald is configured to write log files to persistent disk	medium	fail
Configure rsyslogd to Accept Remote Messages If Acting as a Log Server
Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server	medium	pass
Ensure rsyslog is Installed	medium	pass
Enable rsyslog Service	medium	pass
Network Configuration and Firewalls 18x fail 1x notchecked
firewalld 2x fail
Inspect and Activate Default firewalld Rules 1x fail
Install firewalld Package	medium	pass
Verify firewalld Enabled	medium	fail
Strengthen the Default Ruleset 1x fail
Set Default firewalld Zone for Incoming Packets	medium	fail
iptables and ip6tables 1x notchecked
Inspect and Activate Default Rules 1x notchecked
Set Default ip6tables Policy for Incoming Packets	medium	notchecked
IPv6
Configure IPv6 Settings if Necessary
Configure Accepting Router Advertisements on All IPv6 Interfaces	medium	pass
Disable Accepting ICMP Redirects for All IPv6 Interfaces	medium	pass
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces	medium	pass
Disable Kernel Parameter for IPv6 Forwarding	medium	pass
Disable Accepting Router Advertisements on all IPv6 Interfaces by Default	medium	pass
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces	medium	pass
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default	medium	pass
Kernel Parameters Which Affect Networking 16x fail
Network Related Kernel Runtime Parameters for Hosts and Routers 13x fail
Disable Accepting ICMP Redirects for All IPv4 Interfaces	medium	fail
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces	medium	fail
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces	unknown	fail
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces	medium	fail
Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces	medium	fail
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces	medium	fail
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default	medium	fail
Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default	unknown	fail
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default	medium	fail
Configure Kernel Parameter for Accepting Secure Redirects By Default	medium	fail
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces	medium	fail
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces	unknown	fail
Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces	medium	fail
Network Parameters for Hosts Only 3x fail
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces	medium	fail
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default	medium	fail
Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces	medium	fail
nftables
Install nftables Package	medium	pass
Wireless Networking
Disable Wireless Through Software Configuration
Deactivate Wireless Network Interfaces	medium	notapplicable
File Permissions and Masks 23x fail
Verify Permissions on Important Files and Directories 4x fail
Verify Permissions on Files with Local Account Information and Credentials
Verify Group Who Owns Backup group File	medium	pass
Verify Group Who Owns Backup gshadow File	medium	pass
Verify Group Who Owns Backup passwd File	medium	pass
Verify User Who Owns Backup shadow File	medium	pass
Verify Group Who Owns group File	medium	pass
Verify Group Who Owns gshadow File	medium	pass
Verify Group Who Owns passwd File	medium	pass
Verify Group Who Owns shadow File	medium	pass
Verify User Who Owns Backup group File	medium	pass
Verify User Who Owns Backup gshadow File	medium	pass
Verify User Who Owns Backup passwd File	medium	pass
Verify Group Who Owns Backup shadow File	medium	pass
Verify User Who Owns group File	medium	pass
Verify User Who Owns gshadow File	medium	pass
Verify User Who Owns passwd File	medium	pass
Verify User Who Owns shadow File	medium	pass
Verify Permissions on Backup group File	medium	pass
Verify Permissions on Backup gshadow File	medium	pass
Verify Permissions on Backup passwd File	medium	pass
Verify Permissions on Backup shadow File	medium	pass
Verify Permissions on group File	medium	pass
Verify Permissions on gshadow File	medium	pass
Verify Permissions on passwd File	medium	pass
Verify Permissions on shadow File	medium	pass
Verify that All World-Writable Directories Have Sticky Bits Set	medium	fail
Ensure No World-Writable Files Exist	medium	fail
Ensure All Files Are Owned by a Group	medium	fail
Ensure All Files Are Owned by a User	medium	fail
Restrict Dynamic Mounting and Unmounting of Filesystems 2x fail
Disable the Automounter	medium	pass
Disable Mounting of cramfs	low	fail
Disable Modprobe Loading of USB Storage Driver	medium	fail
Restrict Partition Mount Options 14x fail
Add nodev Option to /dev/shm	medium	pass
Add noexec Option to /dev/shm	medium	fail
Add nosuid Option to /dev/shm	medium	pass
Add grpquota Option to /home	medium	fail
Add nodev Option to /home	unknown	fail
Add nosuid Option to /home	medium	fail
Add usrquota Option to /home	medium	fail
Add nodev Option to /tmp	medium	notapplicable
Add noexec Option to /tmp	medium	notapplicable
Add nosuid Option to /tmp	medium	notapplicable
Add nodev Option to /var/log/audit	medium	fail
Add noexec Option to /var/log/audit	medium	fail
Add nosuid Option to /var/log/audit	medium	fail
Add nodev Option to /var/log	medium	fail
Add noexec Option to /var/log	medium	fail
Add nosuid Option to /var/log	medium	fail
Add nodev Option to /var	medium	fail
Add noexec Option to /var	medium	fail
Add nosuid Option to /var	unknown	fail
Add nodev Option to /var/tmp	medium	notapplicable
Add noexec Option to /var/tmp	medium	notapplicable
Add nosuid Option to /var/tmp	medium	notapplicable
Restrict Programs from Dangerous Execution Patterns 3x fail
Disable Core Dumps 2x fail
Disable core dump backtraces	medium	fail
Disable storing core dump	medium	fail
Enable ExecShield 1x fail
Enable Randomized Layout of Virtual Address Space	medium	fail
SELinux
Install libselinux Package	high	pass
Uninstall mcstrans Package	low	pass
Uninstall setroubleshoot Package	low	pass
Ensure SELinux Not Disabled in /etc/default/grub	medium	pass
Ensure No Daemons are Unconfined by SELinux	medium	pass
Configure SELinux Policy	medium	pass
Services 19x fail
Cron and At Daemons 7x fail
Restrict at and cron to Authorized Users if Necessary 1x fail
Ensure that /etc/at.deny does not exist	medium	pass
Ensure that /etc/cron.deny does not exist	medium	fail
Verify Group Who Owns /etc/at.allow file	medium	pass
Verify Group Who Owns /etc/cron.allow file	medium	pass
Verify User Who Owns /etc/cron.allow file	medium	pass
Verify Permissions on /etc/at.allow file	medium	pass
Verify Permissions on /etc/cron.allow file	medium	pass
Enable cron Service	medium	pass
Verify Group Who Owns cron.d	medium	pass
Verify Group Who Owns cron.daily	medium	pass
Verify Group Who Owns cron.hourly	medium	pass
Verify Group Who Owns cron.monthly	medium	pass
Verify Group Who Owns cron.weekly	medium	pass
Verify Group Who Owns Crontab	medium	pass
Verify Owner on cron.d	medium	pass
Verify Owner on cron.daily	medium	pass
Verify Owner on cron.hourly	medium	pass
Verify Owner on cron.monthly	medium	pass
Verify Owner on cron.weekly	medium	pass
Verify Owner on crontab	medium	pass
Verify Permissions on cron.d	medium	fail
Verify Permissions on cron.daily	medium	fail
Verify Permissions on cron.hourly	medium	fail
Verify Permissions on cron.monthly	medium	fail
Verify Permissions on cron.weekly	medium	fail
Verify Permissions on crontab	medium	fail
DHCP
Disable DHCP Server
Uninstall DHCP Server Package	medium	pass
DNS Server
Disable DNS Server
Uninstall bind Package	low	pass
FTP Server
Disable vsftpd if Possible
Uninstall vsftpd Package	high	pass
Web Server
Disable Apache if Possible
Uninstall httpd Package	unknown	pass
IMAP and POP3 Server
Disable Dovecot
Uninstall dovecot Package	unknown	pass
LDAP
Configure OpenLDAP Clients
Ensure LDAP client is not installed	low	pass
Mail Server Software
Configure SMTP For Mail Clients
Disable Postfix Network Listening	medium	notapplicable
NFS and RPC
Disable All NFS Services if Possible
Disable Services Used Only by NFS
Disable rpcbind Service	low	pass
Configure NFS Clients
Disable NFS Server Daemons
Disable Network File System (nfs)	unknown	pass
Network Time Protocol
Ensure that chronyd is running under chrony user account	medium	pass
A remote time server for Chrony is configured	medium	pass
Obsolete Services
Xinetd
Uninstall xinetd Package	low	pass
NIS
Remove NIS Client	unknown	pass
Uninstall ypserv Package	high	pass
Rlogin, Rsh, and Rexec
Uninstall rsh Package	unknown	pass
Remove Rsh Trust Files	high	pass
Chat/Messaging Services
Uninstall talk Package	medium	pass
Telnet
Uninstall telnet-server Package	high	pass
Remove telnet Clients	low	pass
TFTP Server
Uninstall tftp-server Package	high	pass
Remove tftp Daemon	low	pass
Uninstall rsync Package	medium	pass
Print Support
Uninstall CUPS Package	unknown	pass
Proxy Server
Disable Squid if Possible
Uninstall squid Package	unknown	pass
Samba(SMB) Microsoft Windows File Sharing Server
Disable Samba if Possible
Uninstall Samba Package	unknown	pass
SNMP Server
Disable SNMP Server if Possible
Uninstall net-snmp Package	unknown	pass
SSH Server 12x fail
Configure OpenSSH Server if Necessary 12x fail
Set SSH Client Alive Count Max	medium	fail
Disable Host-Based Authentication	medium	fail
Disable SSH Access via Empty Passwords	high	fail
Disable SSH Support for .rhosts Files	medium	fail
Disable SSH Root Login	medium	fail
Do Not Allow SSH Environment Options	medium	fail
Enable PAM	medium	pass
Enable SSH Warning Banner	medium	fail
Ensure SSH LoginGraceTime is configured	medium	fail
Set SSH Daemon LogLevel to VERBOSE	medium	fail
Set SSH authentication attempt limit	medium	fail
Set SSH MaxSessions limit	medium	fail
Ensure SSH MaxStartups is configured	medium	fail
Verify Group Who Owns SSH Server config file	medium	pass
Verify Owner on SSH Server config file	medium	pass
Verify Permissions on SSH Server config file	medium	pass
Verify Permissions on SSH Server Private *_key Key Files	medium	pass
Verify Permissions on SSH Server Public *.pub Key Files	medium	pass
X Window System
Disable X Windows
Remove the X Windows Package Group	medium	pass

Result Details

Install AIDE

Rule ID xccdf_org.ssgproject.content_rule_package_aide_installed

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-package_aide_installed:def:1

Time 2026-03-23T19:57:54+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80844-4

References: BP28(R51), 1.3.1, 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-08-010359, SV-251710r880730_rule

Description

The aide package can be installed with the following command:

$ sudo yum install aide

Rationale

The AIDE package must be installed if it is to be available for integrity checking.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	enable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if ! rpm -q --quiet "aide" ; then
    yum install -y "aide"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	enable

- name: Ensure aide is installed
  package:
    name: aide
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80844-4
  - CJIS-5.10.1.3
  - DISA-STIG-RHEL-08-010359
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-11.5
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - package_aide_installed

Remediation Puppet snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	enable

include install_aide

class install_aide {
  package { 'aide':
    ensure => 'installed',
  }
}

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	enable


package --add=aide

Remediation OSBuild Blueprint snippet ⇲


[[packages]]
name = "aide"
version = "*"

OVAL test results details

package aide is installed oval:ssg-test_package_aide_installed:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_aide_installed:obj:1 of type rpminfo_object

Name
aide

Build and Test AIDE Database

Rule ID xccdf_org.ssgproject.content_rule_aide_build_database

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-aide_build_database:def:1

Time 2026-03-23T19:57:54+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80675-2

References: BP28(R51), 1.3.1, 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-08-010359, SV-251710r880730_rule

Description

Run the following command to generate a new database:

$ sudo /usr/sbin/aide --init

By default, the database will be written to the file /var/lib/aide/aide.db.new.gz. Storing the database, the configuration file /etc/aide.conf, and the binary /usr/sbin/aide (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows:

$ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

To initiate a manual check, run the following command:

$ sudo /usr/sbin/aide --check

If this check produces any unexpected output, investigate.

Rationale

For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if ! rpm -q --quiet "aide" ; then
    yum install -y "aide"
fi

/usr/sbin/aide --init
/bin/cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Ensure AIDE is installed
  package:
    name: '{{ item }}'
    state: present
  with_items:
  - aide
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80675-2
  - CJIS-5.10.1.3
  - DISA-STIG-RHEL-08-010359
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-11.5
  - aide_build_database
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Build and Test AIDE Database
  command: /usr/sbin/aide --init
  changed_when: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80675-2
  - CJIS-5.10.1.3
  - DISA-STIG-RHEL-08-010359
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-11.5
  - aide_build_database
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Check whether the stock AIDE Database exists
  stat:
    path: /var/lib/aide/aide.db.new.gz
  register: aide_database_stat
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80675-2
  - CJIS-5.10.1.3
  - DISA-STIG-RHEL-08-010359
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-11.5
  - aide_build_database
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Stage AIDE Database
  copy:
    src: /var/lib/aide/aide.db.new.gz
    dest: /var/lib/aide/aide.db.gz
    backup: true
    remote_src: true
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - (aide_database_stat.stat.exists is defined and aide_database_stat.stat.exists)
  tags:
  - CCE-80675-2
  - CJIS-5.10.1.3
  - DISA-STIG-RHEL-08-010359
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-11.5
  - aide_build_database
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

OVAL test results details

package aide is installed oval:ssg-test_package_aide_installed:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_aide_installed:obj:1 of type rpminfo_object

Name
aide

Testing existence of new aide database file oval:ssg-test_aide_build_new_database_absolute_path:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_aide_build_new_database_absolute_path:obj:1 of type file_object

Filepath
Referenced variable has no values (oval:ssg-variable_aide_build_new_database_absolute_path:var:1).

Testing existence of operational aide database file oval:ssg-test_aide_operational_database_absolute_path:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_aide_operational_database_absolute_path:obj:1 of type file_object

Filepath
Referenced variable has no values (oval:ssg-variable_aide_operational_database_absolute_path:var:1)

Configure Periodic Execution of AIDE

Rule ID xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-aide_periodic_cron_checking:def:1

Time 2026-03-23T19:57:55+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80676-0

References: BP28(R51), 1.3.2, 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201

Description

At a minimum, AIDE should be configured to run a weekly scan. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:

05 4 * * * root /usr/sbin/aide --check

To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:

05 4 * * 0 root /usr/sbin/aide --check

AIDE can be executed periodically through other means; this is merely one example. The usage of cron's special time codes, such as @daily and @weekly is acceptable.

Rationale

By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files.

Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.

Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if ! rpm -q --quiet "aide" ; then
    yum install -y "aide"
fi

if ! grep -q "/usr/sbin/aide --check" /etc/crontab ; then
    echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab
else
    sed -i '\!^.* --check.*$!d' /etc/crontab
    echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Ensure AIDE is installed
  package:
    name: '{{ item }}'
    state: present
  with_items:
  - aide
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80676-0
  - CJIS-5.10.1.3
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - PCI-DSS-Req-11.5
  - aide_periodic_cron_checking
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set cron package name - RedHat
  set_fact:
    cron_pkg_name: cronie
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ansible_os_family == "RedHat" or ansible_os_family == "Suse"
  tags:
  - CCE-80676-0
  - CJIS-5.10.1.3
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - PCI-DSS-Req-11.5
  - aide_periodic_cron_checking
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set cron package name - Debian
  set_fact:
    cron_pkg_name: cron
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ansible_os_family == "Debian"
  tags:
  - CCE-80676-0
  - CJIS-5.10.1.3
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - PCI-DSS-Req-11.5
  - aide_periodic_cron_checking
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Install cron
  package:
    name: '{{ cron_pkg_name }}'
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80676-0
  - CJIS-5.10.1.3
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - PCI-DSS-Req-11.5
  - aide_periodic_cron_checking
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure Periodic Execution of AIDE
  cron:
    name: run AIDE check
    minute: 5
    hour: 4
    weekday: 0
    user: root
    job: /usr/sbin/aide --check
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80676-0
  - CJIS-5.10.1.3
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - PCI-DSS-Req-11.5
  - aide_periodic_cron_checking
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

OVAL test results details

package aide is installed oval:ssg-test_package_aide_installed:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_aide_installed:obj:1 of type rpminfo_object

Name
aide

run aide with cron oval:ssg-test_aide_periodic_cron_checking:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_test_aide_periodic_cron_checking:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/crontab	^(([0-9][\s][0-9][\s]\[\s]\[\s](\\|([0-7]\|mon\|tue\|wed\|thu\|fri\|sat\|sun)\|[0-7]-[0-7]))\|@(hourly\|daily\|weekly))[\s]root[\s]\/usr\/sbin\/aide[\s]\-\-check.*$	1

run aide with cron oval:ssg-test_aide_crond_checking:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_test_aide_crond_checking:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/cron.d	^.*$	^(([0-9][\s][0-9][\s]\[\s]\[\s](\\|([0-7]\|mon\|tue\|wed\|thu\|fri\|sat\|sun)\|[0-7]-[0-7]))\|@(hourly\|daily\|weekly))[\s]root[\s]\/usr\/sbin\/aide[\s]\-\-check.*$	1

run aide with cron oval:ssg-test_aide_var_cron_checking:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_aide_var_cron_checking:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/var/spool/cron/root	^(([0-9][\s][0-9][\s]\[\s]\[\s](\\|([0-7]\|mon\|tue\|wed\|thu\|fri\|sat\|sun)\|[0-7]-[0-7]))\|@(hourly\|daily\|weekly))[\s](root)?[\s]\/usr\/sbin\/aide[\s]\-\-check.*$	1

run aide with cron.(daily|weekly) oval:ssg-test_aide_crontabs_checking:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_aide_crontabs_checking:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
^/etc/cron.(daily\|weekly)$	^.*$	^\s\/usr\/sbin\/aide[\s]\-\-check.*$	1

Configure System Cryptography Policy

Rule ID	xccdf_org.ssgproject.content_rule_configure_crypto_policy
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-configure_crypto_policy:def:1
Time	2026-03-23T19:57:55+01:00
Severity	high
Identifiers and References	Identifiers: CCE-80935-0 References: 1.10, 1.11, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, SV-230223r877398_rule
Description	To configure the system cryptography policy to use ciphers only from the `DEFAULT` policy, run the following command: $ sudo update-crypto-policies --set DEFAULT The rule checks if settings for selected crypto policy are configured as expected. Configuration files in the `/etc/crypto-policies/back-ends` are either symlinks to correct files provided by Crypto-policies package or they are regular files in case crypto policy customizations are applied. Crypto policies may be customized by crypto policy modules, in which case it is delimited from the base policy using a colon.
Rationale	Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data.
Warnings	warning The system needs to be rebooted for these changes to take effect. warning System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.

OVAL test results details

check for crypto policy correctly configured in /etc/crypto-policies/config oval:ssg-test_configure_crypto_policy:tst:1 true

Following items have been found on the system:

Path	Content
/etc/crypto-policies/config	DEFAULT

check for crypto policy correctly configured in /etc/crypto-policies/state/current oval:ssg-test_configure_crypto_policy_current:tst:1 true

Following items have been found on the system:

Path	Content
/etc/crypto-policies/state/current	DEFAULT

Check if update-crypto-policies has been run oval:ssg-test_crypto_policies_updated:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-variable_crypto_policies_config_file_timestamp:var:1	1759686302

Check if /etc/crypto-policies/back-ends/nss.config exists oval:ssg-test_crypto_policy_nss_config:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/etc/crypto-policies/back-ends/nss.config	symbolic link	0	0	42	`rwxrwxrwx`

Configure SSH to use System Crypto Policy

Rule ID	xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-configure_ssh_crypto_policy:def:1
Time	2026-03-23T19:57:55+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80939-2 References: 5.2.14, CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, SRG-OS-000250-GPOS-00093, RHEL-08-010287, SV-244526r877394_rule
Description	Crypto Policies provide a centralized control over crypto algorithms usage of many packages. SSH is supported by crypto policy, but the SSH configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that the `CRYPTO_POLICY` variable is either commented or not set at all in the `/etc/sysconfig/sshd`.
Rationale	Overriding the system crypto policy makes the behavior of the SSH service violate expectations, and makes system configuration more fragmented.

OVAL test results details

Check that the SSH configuration mandates usage of system-wide crypto policies. oval:ssg-test_configure_ssh_crypto_policy:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_configure_ssh_crypto_policy:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysconfig/sshd	^\s(?i)CRYPTO_POLICY\s=.*$	1

Ensure /tmp Located On Separate Partition

Rule ID xccdf_org.ssgproject.content_rule_partition_for_tmp

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-partition_for_tmp:def:1

Time 2026-03-23T19:57:55+01:00

Severity low

Identifiers and References

Identifiers: CCE-80851-9

References: BP28(R12), 1.1.2.1, 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010543, SV-230295r627750_rule

Description

The /tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.

Rationale

The /tmp partition is used as temporary storage by many programs. Placing /tmp in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	high
Reboot:	false
Strategy:	enable


part /tmp

Remediation OSBuild Blueprint snippet ⇲


[[customizations.filesystem]]
mountpoint = "/tmp"
size = 1073741824

OVAL test results details

/tmp on own partition oval:ssg-testtmp_partition:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_mounttmp_own_partition:obj:1 of type partition_object

Mount point
/tmp

Disable the GNOME3 Login User List

Rule ID	xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list
Result	notapplicable
Multi-check rule	no
Time	2026-03-23T19:57:55+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-86195-5 References: 1.8.3, CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, RHEL-08-020032, SV-244536r743857_rule
Description	In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This functionality should be disabled by setting `disable-user-list` to `true`. To disable, add or edit `disable-user-list` to `/etc/dconf/db/gdm.d/00-security-settings`. For example: [org/gnome/login-screen] disable-user-list=true Once the setting has been added, add a lock to `/etc/dconf/db/gdm.d/locks/00-security-settings-lock` to prevent user modification. For example: /org/gnome/login-screen/disable-user-list After the settings have been set, run `dconf update`.
Rationale	Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to quickly enumerate known user accounts without logging in.

Disable XDMCP in GDM

Rule ID	xccdf_org.ssgproject.content_rule_gnome_gdm_disable_xdmcp
Result	notapplicable
Multi-check rule	no
Time	2026-03-23T19:57:55+01:00
Severity	high
Identifiers and References	Identifiers: CCE-86007-2 References: 1.8.4
Description	XDMCP is an unencrypted protocol, and therefore, presents a security risk, see e.g. XDMCP Gnome docs. To disable XDMCP support in Gnome, set `Enable` to `false` under the `[xdmcp]` configuration section in `/etc/gdm/custom.conf`. For example: [xdmcp] Enable=false
Rationale	XDMCP provides unencrypted remote access through the Gnome Display Manager (GDM) which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using XDMCP, the privileged user password could be compromised due to typed XEvents and keystrokes will traversing over the network in clear text.

Disable GNOME3 Automounting

Rule ID	xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount
Result	notapplicable
Multi-check rule	no
Time	2026-03-23T19:57:55+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-89904-7 References: 1.8.5, 12, 16, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, 3.1.7, CCI-000366, CCI-000778, CCI-001958, 4.3.3.2.2, 4.3.3.5.2, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.13, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.AC-6, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227
Description	The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. To disable automount within GNOME3, add or set `automount` to `false` in `/etc/dconf/db/local.d/00-security-settings`. For example: [org/gnome/desktop/media-handling] automount=false Once the settings have been added, add a lock to `/etc/dconf/db/local.d/locks/00-security-settings-lock` to prevent user modification. For example: /org/gnome/desktop/media-handling/automount After the settings have been set, run `dconf update`.
Rationale	Disabling automatic mounting in GNOME3 can prevent the introduction of malware via removable media. It will, however, also prevent desktop users from legitimate use of removable media.

Disable GNOME3 Automount Opening

Rule ID	xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
Result	notapplicable
Multi-check rule	no
Time	2026-03-23T19:57:55+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83693-2 References: 1.8.5, 12, 16, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, 3.1.7, CCI-000366, CCI-000778, CCI-001958, 4.3.3.2.2, 4.3.3.5.2, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.13, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.AC-6, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227
Description	The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. To disable automount-open within GNOME3, add or set `automount-open` to `false` in `/etc/dconf/db/local.d/00-security-settings`. For example: [org/gnome/desktop/media-handling] automount-open=false Once the settings have been added, add a lock to `/etc/dconf/db/local.d/locks/00-security-settings-lock` to prevent user modification. For example: /org/gnome/desktop/media-handling/automount-open After the settings have been set, run `dconf update`.
Rationale	Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. Disabling automatic mounting in GNOME3 can prevent the introduction of malware via removable media. It will, however, also prevent desktop users from legitimate use of removable media.

Make sure that the dconf databases are up-to-date with regards to respective keyfiles

Rule ID	xccdf_org.ssgproject.content_rule_dconf_db_up_to_date
Result	notapplicable
Multi-check rule	no
Time	2026-03-23T19:57:55+01:00
Severity	high
Identifiers and References	Identifiers: CCE-81003-6 References: 1.8.2, 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), Req-6.2, SRG-OS-000480-GPOS-00227
Description	By default, DConf uses a binary database as a data backend. The system-level database is compiled from keyfiles in the /etc/dconf/db/ directory by the dconf update command. More specifically, content present in the following directories: /etc/dconf/db/gdm.d /etc/dconf/db/local.d
Rationale	Unlike text-based keyfiles, the binary database is impossible to check by OVAL. Therefore, in order to evaluate dconf configuration, both have to be true at the same time - configuration files have to be compliant, and the database needs to be more recent than those keyfiles, which gives confidence that it reflects them.

Install sudo Package

Rule ID	xccdf_org.ssgproject.content_rule_package_sudo_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_sudo_installed:def:1
Time	2026-03-23T19:57:55+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82214-8 References: BP28(R19), 5.3.1, 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125
Description	The `sudo` package can be installed with the following command: $ sudo yum install sudo
Rationale	`sudo` is a program designed to allow a system administrator to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow system users to get their work done.

OVAL test results details

package sudo is installed oval:ssg-test_package_sudo_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
sudo	x86_64	(none)	8.el8_7.1	1.8.29	0:1.8.29-8.el8_7.1	199e2f91fd431d51	sudo-0:1.8.29-8.el8_7.1.x86_64

Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty

Rule ID xccdf_org.ssgproject.content_rule_sudo_add_use_pty

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sudo_add_use_pty:def:1

Time 2026-03-23T19:57:55+01:00

Severity medium

Identifiers and References

Identifiers: CCE-83798-9

References: BP28(R58), 5.3.2, Req-10.2.1.5

Description

The sudo use_pty tag, when specified, will only execute sudo commands from users logged in to a real tty. This should be enabled by making sure that the use_pty tag exists in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.

Rationale

Requiring that sudo commands be run in a pseudo-terminal can prevent an attacker from retaining access to the user's terminal after the main program has finished executing.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict


if /usr/sbin/visudo -qcf /etc/sudoers; then
    cp /etc/sudoers /etc/sudoers.bak
    if ! grep -P '^[\s]*Defaults[\s]*\buse_pty\b.*$' /etc/sudoers; then
        # sudoers file doesn't define Option use_pty
        echo "Defaults use_pty" >> /etc/sudoers
    fi
    
    # Check validity of sudoers and cleanup bak
    if /usr/sbin/visudo -qcf /etc/sudoers; then
        rm -f /etc/sudoers.bak
    else
        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
        mv /etc/sudoers.bak /etc/sudoers
        false
    fi
else
    echo "Skipping remediation, /etc/sudoers failed to validate"
    false
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Ensure use_pty is enabled in /etc/sudoers
  lineinfile:
    path: /etc/sudoers
    regexp: ^[\s]*Defaults.*\buse_pty\b.*$
    line: Defaults use_pty
    validate: /usr/sbin/visudo -cf %s
  tags:
  - CCE-83798-9
  - PCI-DSS-Req-10.2.1.5
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_add_use_pty

OVAL test results details

use_pty exists in /etc/sudoers or /etc/sudoers.d/ oval:ssg-test_use_pty_sudoers:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_use_pty_sudoers:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^/etc/sudoers(\|\.d/.*)$	^[\s]Defaults[\s]\buse_pty.*$	1

Ensure Sudo Logfile Exists - sudo logfile

Rule ID xccdf_org.ssgproject.content_rule_sudo_custom_logfile

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sudo_custom_logfile:def:1

Time 2026-03-23T19:57:55+01:00

Severity low

Identifiers and References

Identifiers: CCE-83601-5

References: 5.3.3, Req-10.2.1.5

Description

A custom log sudo file can be configured with the 'logfile' tag. This rule configures a sudo custom logfile at the default location suggested by CIS, which uses /var/log/sudo.log.

Rationale

A sudo log file simplifies auditing of sudo commands.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict



var_sudo_logfile='/var/log/sudo.log'


if /usr/sbin/visudo -qcf /etc/sudoers; then
    cp /etc/sudoers /etc/sudoers.bak
    if ! grep -P '^[\s]*Defaults[\s]*\blogfile=("(?:\\"|\\\\|[^"\\\n])*"\B|[^"](?:(?:\\,|\\"|\\ |\\\\|[^", \\\n])*)\b)\b.*$' /etc/sudoers; then
        # sudoers file doesn't define Option logfile
        echo "Defaults logfile=${var_sudo_logfile}" >> /etc/sudoers
    else
        # sudoers file defines Option logfile, remediate if appropriate value is not set
        if ! grep -P "^[\s]*Defaults.*\blogfile=${var_sudo_logfile}\b.*$" /etc/sudoers; then
            
            escaped_variable=${var_sudo_logfile//$'/'/$'\/'}
            sed -Ei "s/(^[\s]*Defaults.*\blogfile=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers
        fi
    fi
    
    # Check validity of sudoers and cleanup bak
    if /usr/sbin/visudo -qcf /etc/sudoers; then
        rm -f /etc/sudoers.bak
    else
        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
        mv /etc/sudoers.bak /etc/sudoers
        false
    fi
else
    echo "Skipping remediation, /etc/sudoers failed to validate"
    false
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: XCCDF Value var_sudo_logfile # promote to variable
  set_fact:
    var_sudo_logfile: !!str /var/log/sudo.log
  tags:
    - always

- name: Ensure logfile is enabled with the appropriate value in /etc/sudoers
  lineinfile:
    path: /etc/sudoers
    regexp: ^[\s]*Defaults\s(.*)\blogfile=[-]?.+\b(.*)$
    line: Defaults \1logfile={{ var_sudo_logfile }}\2
    validate: /usr/sbin/visudo -cf %s
    backrefs: true
  register: edit_sudoers_logfile_option
  tags:
  - CCE-83601-5
  - PCI-DSS-Req-10.2.1.5
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_custom_logfile

- name: Enable logfile option with appropriate value in /etc/sudoers
  lineinfile:
    path: /etc/sudoers
    line: Defaults logfile={{ var_sudo_logfile }}
    validate: /usr/sbin/visudo -cf %s
  when: edit_sudoers_logfile_option is defined and not edit_sudoers_logfile_option.changed
  tags:
  - CCE-83601-5
  - PCI-DSS-Req-10.2.1.5
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_custom_logfile

OVAL test results details

logfile exists in /etc/sudoers or /etc/sudoers.d/ oval:ssg-test_logfile_sudoers:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_logfile_sudoers:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^/etc/sudoers(\|\.d/.*)$	^[\s]Defaults[\s]\blogfile=("(?:\\"\|\\\\\|[^"\\\n])"\B\|[^"](?:(?:\\,\|\\"\|\\ \|\\\\\|[^", \\\n]))\b).*$	1

The operating system must require Re-Authentication when using the sudo command. Ensure sudo timestamp_timeout is appropriate - sudo timestamp_timeout

Rule ID xccdf_org.ssgproject.content_rule_sudo_require_reauthentication

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sudo_require_reauthentication:def:1

Time 2026-03-23T19:57:55+01:00

Severity medium

Identifiers and References

Identifiers: CCE-87838-9

References: 5.3.6, CCI-002038, IA-11, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, RHEL-08-010384, SV-237643r861088_rule

Description

The sudo timestamp_timeout tag sets the amount of time sudo password prompt waits. The default timestamp_timeout value is 5 minutes. The timestamp_timeout should be configured by making sure that the timestamp_timeout tag exists in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/. If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated.

Rationale

Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict



var_sudo_timestamp_timeout='5'


if grep -Px '^[\s]*Defaults.*timestamp_timeout[\s]*=.*' /etc/sudoers.d/*; then
    find /etc/sudoers.d/ -type f -exec sed -Ei "/^[[:blank:]]*Defaults.*timestamp_timeout[[:blank:]]*=.*/d" {} \;
fi

if /usr/sbin/visudo -qcf /etc/sudoers; then
    cp /etc/sudoers /etc/sudoers.bak
    if ! grep -P '^[\s]*Defaults.*timestamp_timeout[\s]*=[\s]*[-]?\w+.*$' /etc/sudoers; then
        # sudoers file doesn't define Option timestamp_timeout
        echo "Defaults timestamp_timeout=${var_sudo_timestamp_timeout}" >> /etc/sudoers
    else
        # sudoers file defines Option timestamp_timeout, remediate if appropriate value is not set
        if ! grep -P "^[\s]*Defaults.*timestamp_timeout[\s]*=[\s]*${var_sudo_timestamp_timeout}.*$" /etc/sudoers; then
            
            sed -Ei "s/(^[[:blank:]]*Defaults.*timestamp_timeout[[:blank:]]*=)[[:blank:]]*[-]?\w+(.*$)/\1${var_sudo_timestamp_timeout}\2/" /etc/sudoers
        fi
    fi
    
    # Check validity of sudoers and cleanup bak
    if /usr/sbin/visudo -qcf /etc/sudoers; then
        rm -f /etc/sudoers.bak
    else
        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
        mv /etc/sudoers.bak /etc/sudoers
        false
    fi
else
    echo "Skipping remediation, /etc/sudoers failed to validate"
    false
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: XCCDF Value var_sudo_timestamp_timeout # promote to variable
  set_fact:
    var_sudo_timestamp_timeout: !!str 5
  tags:
    - always

- name: Find out if /etc/sudoers.d/* files contain 'Defaults timestamp_timeout' to
    be deduplicated
  find:
    path: /etc/sudoers.d
    patterns: '*'
    contains: ^[\s]*Defaults\s.*\btimestamp_timeout[\s]*=.*
  register: sudoers_d_defaults_timestamp_timeout
  tags:
  - CCE-87838-9
  - DISA-STIG-RHEL-08-010384
  - NIST-800-53-IA-11
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_require_reauthentication

- name: Remove found occurrences of 'Defaults timestamp_timeout' from /etc/sudoers.d/*
    files
  lineinfile:
    path: '{{ item.path }}'
    regexp: ^[\s]*Defaults\s.*\btimestamp_timeout[\s]*=.*
    state: absent
  with_items: '{{ sudoers_d_defaults_timestamp_timeout.files }}'
  tags:
  - CCE-87838-9
  - DISA-STIG-RHEL-08-010384
  - NIST-800-53-IA-11
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_require_reauthentication

- name: Ensure timestamp_timeout is enabled with the appropriate value in /etc/sudoers
  lineinfile:
    path: /etc/sudoers
    regexp: ^[\s]*Defaults\s(.*)\btimestamp_timeout[\s]*=[\s]*[-]?\w+\b(.*)$
    line: Defaults \1timestamp_timeout={{ var_sudo_timestamp_timeout }}\2
    validate: /usr/sbin/visudo -cf %s
    backrefs: true
  register: edit_sudoers_timestamp_timeout_option
  tags:
  - CCE-87838-9
  - DISA-STIG-RHEL-08-010384
  - NIST-800-53-IA-11
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_require_reauthentication

- name: Enable timestamp_timeout option with appropriate value in /etc/sudoers
  lineinfile:
    path: /etc/sudoers
    line: Defaults timestamp_timeout={{ var_sudo_timestamp_timeout }}
    validate: /usr/sbin/visudo -cf %s
  when: edit_sudoers_timestamp_timeout_option is defined and not edit_sudoers_timestamp_timeout_option.changed
  tags:
  - CCE-87838-9
  - DISA-STIG-RHEL-08-010384
  - NIST-800-53-IA-11
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_require_reauthentication

OVAL test results details

check correct configuration in /etc/sudoers oval:ssg-test_sudo_timestamp_timeout:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_sudo_timestamp_timeout:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^/etc/sudoers(\.d/.*)?$	^[\s]Defaults[\s]+timestamp_timeout[\s]=[\s]*([-]?[\d]+)$	1

Ensure gpgcheck Enabled In Main yum Configuration

Rule ID	xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-ensure_gpgcheck_globally_activated:def:1
Time	2026-03-23T19:57:55+01:00
Severity	high
Identifiers and References	Identifiers: CCE-80790-9 References: BP28(R15), 1.2.3, 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, RHEL-08-010370, SV-230264r880711_rule, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650
Description	The `gpgcheck` option controls whether RPM packages' signatures are always checked prior to installation. To configure yum to check package signatures before installing them, ensure the following line appears in `/etc/yum.conf` in the `[main]` section: gpgcheck=1
Rationale	Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).

OVAL test results details

check value of gpgcheck in /etc/yum.conf oval:ssg-test_ensure_gpgcheck_globally_activated:tst:1 true

Following items have been found on the system:

Path	Content
/etc/yum.conf	gpgcheck=1

Enable GNOME3 Login Warning Banner

Rule ID	xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled
Result	notapplicable
Multi-check rule	no
Time	2026-03-23T19:57:55+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80768-5 References: 1.8.2, 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(b), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, RHEL-08-010049, SV-244519r743806_rule
Description	In the default graphical environment, displaying a login warning banner in the GNOME Display Manager's login screen can be enabled on the login screen by setting `banner-message-enable` to `true`. To enable, add or edit `banner-message-enable` to `/etc/dconf/db/gdm.d/00-security-settings`. For example: [org/gnome/login-screen] banner-message-enable=true Once the setting has been added, add a lock to `/etc/dconf/db/gdm.d/locks/00-security-settings-lock` to prevent user modification. For example: /org/gnome/login-screen/banner-message-enable After the settings have been set, run `dconf update`. The banner text must also be set.
Rationale	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. For U.S. Government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.

Set the GNOME3 Login Warning Banner Text

Rule ID	xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text
Result	notapplicable
Multi-check rule	no
Time	2026-03-23T19:57:55+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80770-1 References: 1.8.2, 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, RHEL-08-010050, SV-230226r743916_rule
Description	In the default graphical environment, configuring the login warning banner text in the GNOME Display Manager's login screen can be configured on the login screen by setting `banner-message-text` to `'APPROVED_BANNER'` where APPROVED_BANNER is the approved banner for your environment. To enable, add or edit `banner-message-text` to `/etc/dconf/db/gdm.d/00-security-settings`. For example: [org/gnome/login-screen] banner-message-text='APPROVED_BANNER' Once the setting has been added, add a lock to `/etc/dconf/db/gdm.d/locks/00-security-settings-lock` to prevent user modification. For example: /org/gnome/login-screen/banner-message-text After the settings have been set, run `dconf update`. When entering a warning banner that spans several lines, remember to begin and end the string with `'` and use `\n` for new lines.
Rationale	An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.

Modify the System Login Banner

Rule ID xccdf_org.ssgproject.content_rule_banner_etc_issue

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-banner_etc_issue:def:1

Time 2026-03-23T19:57:55+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80763-6

References: 1.7.2, 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, RHEL-08-010060, SV-230227r627750_rule, SRG-OS-000023-VMM-000060, SRG-OS-000024-VMM-000070

Description

To configure the system login banner edit /etc/issue. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:

You are accessing a U.S. Government (USG) Information System (IS) that
is provided for USG-authorized use only. By using this IS (which includes
any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS
for purposes including, but not limited to, penetration testing, COMSEC
monitoring, network operations and defense, personnel misconduct (PM), law
enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private,
are subject to routine monitoring, interception, and search, and may be
disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access
controls) to protect USG interests -- not for your personal benefit or
privacy.

-Notwithstanding the above, using this IS does not constitute consent
to PM, LE or CI investigative searching or monitoring of the content of
privileged communications, or work product, related to personal
representation or services by attorneys, psychotherapists, or clergy, and
their assistants. Such communications and work product are private and
confidential. See User Agreement for details.

OR:

I've read & consent to terms in IS user agreem't.

Rationale

Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

login_banner_text='^(Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$'


# Multiple regexes transform the banner regex into a usable banner
# 0 - Remove anchors around the banner text
login_banner_text=$(echo "$login_banner_text" | sed 's/^\^\(.*\)\$$/\1/g')
# 1 - Keep only the first banners if there are multiple
#    (dod_banners contains the long and short banner)
login_banner_text=$(echo "$login_banner_text" | sed 's/^(\(.*\.\)|.*)$/\1/g')
# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
login_banner_text=$(echo "$login_banner_text" | sed 's/\[\\s\\n\]+/ /g')
# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
login_banner_text=$(echo "$login_banner_text" | sed 's/(?:\[\\n\]+|(?:\\\\n)+)/\n/g')
# 4 - Remove any leftover backslash. (From any parethesis in the banner, for example).
login_banner_text=$(echo "$login_banner_text" | sed 's/\\//g')
formatted=$(echo "$login_banner_text" | fold -sw 80)

cat <<EOF >/etc/issue
$formatted
EOF

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	false
Strategy:	unknown

- name: XCCDF Value login_banner_text # promote to variable
  set_fact:
    login_banner_text: !!str ^(Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$
  tags:
    - always

- name: Modify the System Login Banner - ensure correct banner
  copy:
    dest: /etc/issue
    content: '{{ login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*\.)\|.*\)$",
      "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)",
      "\n") | regex_replace("\\", "") | wordwrap() }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80763-6
  - DISA-STIG-RHEL-08-010060
  - NIST-800-171-3.1.9
  - NIST-800-53-AC-8(a)
  - NIST-800-53-AC-8(c)
  - banner_etc_issue
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

OVAL test results details

correct banner in /etc/issue oval:ssg-test_banner_etc_issue:tst:1 false

Following items have been found on the system:

Path	Content
/etc/issue	\S Kernel \r on an \m

Modify the System Login Banner for Remote Connections

Rule ID xccdf_org.ssgproject.content_rule_banner_etc_issue_net

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-banner_etc_issue_net:def:1

Time 2026-03-23T19:57:55+01:00

Severity medium

Identifiers and References

Identifiers: CCE-86147-6

References: 1.7.3, CCI-000048, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088

Description

To configure the system login banner edit /etc/issue.net. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:

You are accessing a U.S. Government (USG) Information System (IS) that
is provided for USG-authorized use only. By using this IS (which includes
any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS
for purposes including, but not limited to, penetration testing, COMSEC
monitoring, network operations and defense, personnel misconduct (PM), law
enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private,
are subject to routine monitoring, interception, and search, and may be
disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access
controls) to protect USG interests -- not for your personal benefit or
privacy.

-Notwithstanding the above, using this IS does not constitute consent
to PM, LE or CI investigative searching or monitoring of the content of
privileged communications, or work product, related to personal
representation or services by attorneys, psychotherapists, or clergy, and
their assistants. Such communications and work product are private and
confidential. See User Agreement for details.

OR:

I've read & consent to terms in IS user agreem't.

Rationale

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

login_banner_text='^(Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$'


# Multiple regexes transform the banner regex into a usable banner
# 0 - Remove anchors around the banner text
login_banner_text=$(echo "$login_banner_text" | sed 's/^\^\(.*\)\$$/\1/g')
# 1 - Keep only the first banners if there are multiple
#    (dod_banners contains the long and short banner)
login_banner_text=$(echo "$login_banner_text" | sed 's/^(\(.*\.\)|.*)$/\1/g')
# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
login_banner_text=$(echo "$login_banner_text" | sed 's/\[\\s\\n\]+/ /g')
# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
login_banner_text=$(echo "$login_banner_text" | sed 's/(?:\[\\n\]+|(?:\\\\n)+)/\n/g')
# 4 - Remove any leftover backslash. (From any parethesis in the banner, for example).
login_banner_text=$(echo "$login_banner_text" | sed 's/\\//g')
formatted=$(echo "$login_banner_text" | fold -sw 80)

cat <<EOF >/etc/issue.net
$formatted
EOF

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	false
Strategy:	unknown

- name: XCCDF Value login_banner_text # promote to variable
  set_fact:
    login_banner_text: !!str ^(Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$
  tags:
    - always

- name: Modify the System Login Banner for Remote Connections - ensure correct banner
  copy:
    dest: /etc/issue.net
    content: '{{ login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*\.)\|.*\)$",
      "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)",
      "\n") | regex_replace("\\", "") | wordwrap() }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-86147-6
  - banner_etc_issue_net
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

OVAL test results details

correct banner in /etc/issue.net oval:ssg-test_banner_etc_issue_net:tst:1 false

Following items have been found on the system:

Path	Content
/etc/issue.net	\S Kernel \r on an \m

Modify the System Message of the Day Banner

Rule ID	xccdf_org.ssgproject.content_rule_banner_etc_motd
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-banner_etc_motd:def:1
Time	2026-03-23T19:57:55+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83496-0 References: 1.7.1
Description	To configure the system message banner edit `/etc/motd`. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. OR: `I've read & consent to terms in IS user agreem't.`
Rationale	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.

OVAL test results details

correct banner in /etc/motd oval:ssg-test_banner_etc_motd:tst:1 true

Following items have been found on the system:

Path	Content
/etc/motd

Verify Group Ownership of System Login Banner

Rule ID	xccdf_org.ssgproject.content_rule_file_groupowner_etc_issue
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_groupowner_etc_issue:def:1
Time	2026-03-23T19:57:55+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83708-8 References: 1.7.5
Description	To properly set the group owner of `/etc/issue`, run the command: $ sudo chgrp root /etc/issue
Rationale	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper group ownership will ensure that only root user can modify the banner.

OVAL test results details

Testing group ownership of /etc/issue oval:ssg-test_file_groupowner_etc_issue_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_groupowner_etc_issue_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/issue	oval:ssg-symlink_file_groupowner_etc_issue_uid_0:ste:1	oval:ssg-state_file_groupowner_etc_issue_gid_0_0:ste:1

Verify Group Ownership of System Login Banner for Remote Connections

Rule ID	xccdf_org.ssgproject.content_rule_file_groupowner_etc_issue_net
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_groupowner_etc_issue_net:def:1
Time	2026-03-23T19:57:55+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-86051-0 References: 1.7.6
Description	To properly set the group owner of `/etc/issue.net`, run the command: $ sudo chgrp root /etc/issue.net
Rationale	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper group ownership will ensure that only root user can modify the banner.

OVAL test results details

Testing group ownership of /etc/issue.net oval:ssg-test_file_groupowner_etc_issue_net_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_groupowner_etc_issue_net_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/issue.net	oval:ssg-symlink_file_groupowner_etc_issue_net_uid_0:ste:1	oval:ssg-state_file_groupowner_etc_issue_net_gid_0_0:ste:1

Verify Group Ownership of Message of the Day Banner

Rule ID	xccdf_org.ssgproject.content_rule_file_groupowner_etc_motd
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_groupowner_etc_motd:def:1
Time	2026-03-23T19:57:55+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83728-6 References: 1.7.4
Description	To properly set the group owner of `/etc/motd`, run the command: $ sudo chgrp root /etc/motd
Rationale	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper group ownership will ensure that only root user can modify the banner.

OVAL test results details

Testing group ownership of /etc/motd oval:ssg-test_file_groupowner_etc_motd_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_groupowner_etc_motd_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/motd	oval:ssg-symlink_file_groupowner_etc_motd_uid_0:ste:1	oval:ssg-state_file_groupowner_etc_motd_gid_0_0:ste:1

Verify ownership of System Login Banner

Rule ID	xccdf_org.ssgproject.content_rule_file_owner_etc_issue
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_owner_etc_issue:def:1
Time	2026-03-23T19:57:55+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83718-7 References: 1.7.5
Description	To properly set the owner of `/etc/issue`, run the command: $ sudo chown root /etc/issue
Rationale	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper ownership will ensure that only root user can modify the banner.

OVAL test results details

Testing user ownership of /etc/issue oval:ssg-test_file_owner_etc_issue_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_owner_etc_issue_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/issue	oval:ssg-symlink_file_owner_etc_issue_uid_0:ste:1	oval:ssg-state_file_owner_etc_issue_uid_0_0:ste:1

Verify ownership of System Login Banner for Remote Connections

Rule ID	xccdf_org.ssgproject.content_rule_file_owner_etc_issue_net
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_owner_etc_issue_net:def:1
Time	2026-03-23T19:57:55+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-86054-4 References: 1.7.6
Description	To properly set the owner of `/etc/issue.net`, run the command: $ sudo chown root /etc/issue.net
Rationale	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper ownership will ensure that only root user can modify the banner.

OVAL test results details

Testing user ownership of /etc/issue.net oval:ssg-test_file_owner_etc_issue_net_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_owner_etc_issue_net_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/issue.net	oval:ssg-symlink_file_owner_etc_issue_net_uid_0:ste:1	oval:ssg-state_file_owner_etc_issue_net_uid_0_0:ste:1

Verify ownership of Message of the Day Banner

Rule ID	xccdf_org.ssgproject.content_rule_file_owner_etc_motd
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_owner_etc_motd:def:1
Time	2026-03-23T19:57:55+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83738-5 References: 1.7.4
Description	To properly set the owner of `/etc/motd`, run the command: $ sudo chown root /etc/motd
Rationale	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper ownership will ensure that only root user can modify the banner.

OVAL test results details

Testing user ownership of /etc/motd oval:ssg-test_file_owner_etc_motd_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_owner_etc_motd_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/motd	oval:ssg-symlink_file_owner_etc_motd_uid_0:ste:1	oval:ssg-state_file_owner_etc_motd_uid_0_0:ste:1

Verify permissions on System Login Banner

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_etc_issue
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_etc_issue:def:1
Time	2026-03-23T19:57:55+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83348-3 References: 1.7.5
Description	To properly set the permissions of `/etc/issue`, run the command: $ sudo chmod 0644 /etc/issue
Rationale	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper permissions will ensure that only root user can modify the banner.

OVAL test results details

Testing mode of /etc/issue oval:ssg-test_file_permissions_etc_issue_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_permissions_etc_issue_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/issue	oval:ssg-exclude_symlinks__etc_issue:ste:1	oval:ssg-state_file_permissions_etc_issue_0_mode_0644or_stricter_:ste:1

Verify permissions on System Login Banner for Remote Connections

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_etc_issue_net
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_etc_issue_net:def:1
Time	2026-03-23T19:57:55+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-86047-8 References: 1.7.6
Description	To properly set the permissions of `/etc/issue.net`, run the command: $ sudo chmod 0644 /etc/issue.net
Rationale	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper permissions will ensure that only root user can modify the banner.

OVAL test results details

Testing mode of /etc/issue.net oval:ssg-test_file_permissions_etc_issue_net_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_permissions_etc_issue_net_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/issue.net	oval:ssg-exclude_symlinks__etc_issue_net:ste:1	oval:ssg-state_file_permissions_etc_issue_net_0_mode_0644or_stricter_:ste:1

Verify permissions on Message of the Day Banner

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_etc_motd
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_etc_motd:def:1
Time	2026-03-23T19:57:55+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83338-4 References: 1.7.4
Description	To properly set the permissions of `/etc/motd`, run the command: $ sudo chmod 0644 /etc/motd
Rationale	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper permissions will ensure that only root user can modify the banner.

OVAL test results details

Testing mode of /etc/motd oval:ssg-test_file_permissions_etc_motd_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_permissions_etc_motd_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/motd	oval:ssg-exclude_symlinks__etc_motd:ste:1	oval:ssg-state_file_permissions_etc_motd_0_mode_0644or_stricter_:ste:1

Limit Password Reuse: password-auth

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-accounts_password_pam_pwhistory_remember_password_auth:def:1

Time 2026-03-23T19:57:55+01:00

Severity medium

Identifiers and References

Identifiers: CCE-83478-8

References: BP28(R18), 5.5.3, 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, CCI-000200, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(e), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.5, SRG-OS-000077-GPOS-00045, RHEL-08-020220, SV-230368r810414_rule, SRG-OS-000077-VMM-000440

Description

Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_pwhistory PAM module.

On systems with newer versions of authselect, the pam_pwhistory PAM module can be enabled via authselect feature:

authselect enable-feature with-pwhistory

Otherwise, it should be enabled using an authselect custom profile.

Newer systems also have the /etc/security/pwhistory.conf file for setting pam_pwhistory module options. This file should be used whenever available. Otherwise, the pam_pwhistory module options can be set in PAM files.

The value for remember option must be equal or greater than 5

Rationale

Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.

Warnings

warning If the system relies on authselect tool to manage PAM settings, the remediation will also use authselect tool. However, if any manual modification was made in PAM files, the authselect integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report.

warning Newer versions of authselect contain an authselect feature to easily and properly enable pam_pwhistory.so module. If this feature is not yet available in your system, an authselect custom profile must be used to avoid integrity issues in PAM files. If a custom profile was created and used in the system before this authselect feature was available, the new feature can't be used with this custom profile and the remediation will fail. In this case, the custom profile should be recreated or manually updated.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then

var_password_pam_remember='5'
var_password_pam_remember_control_flag='requisite,required'


var_password_pam_remember_control_flag="$(echo $var_password_pam_remember_control_flag | cut -d \, -f 1)"

if [ -f /usr/bin/authselect ]; then
    if authselect list-features minimal | grep -q with-pwhistory; then
        if ! authselect check; then
        echo "
        authselect integrity check failed. Remediation aborted!
        This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
        It is not recommended to manually edit the PAM files when authselect tool is available.
        In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
        exit 1
        fi
        authselect enable-feature with-pwhistory

        authselect apply-changes -b
    else
        
        if ! authselect check; then
        echo "
        authselect integrity check failed. Remediation aborted!
        This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
        It is not recommended to manually edit the PAM files when authselect tool is available.
        In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
        exit 1
        fi

        CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
        # If not already in use, a custom profile is created preserving the enabled features.
        if [[ ! $CURRENT_PROFILE == custom/* ]]; then
            ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
            authselect create-profile hardening -b $CURRENT_PROFILE
            CURRENT_PROFILE="custom/hardening"
            
            authselect apply-changes -b --backup=before-hardening-custom-profile
            authselect select $CURRENT_PROFILE
            for feature in $ENABLED_FEATURES; do
                authselect enable-feature $feature;
            done
            
            authselect apply-changes -b --backup=after-hardening-custom-profile
        fi
        PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth")
        PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"

        authselect apply-changes -b
        if ! grep -qP '^\s*password\s+'"$var_password_pam_remember_control_flag"'\s+pam_pwhistory.so\s*.*' "$PAM_FILE_PATH"; then
            # Line matching group + control + module was not found. Check group + module.
            if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
                # The control is updated only if one single line matches.
                sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"$var_password_pam_remember_control_flag"' \2/' "$PAM_FILE_PATH"
            else
                LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
                if [ ! -z $LAST_MATCH_LINE ]; then
                    sed -i --follow-symlinks $LAST_MATCH_LINE' a password     '"$var_password_pam_remember_control_flag"'    pam_pwhistory.so' "$PAM_FILE_PATH"
                else
                    echo 'password    '"$var_password_pam_remember_control_flag"'    pam_pwhistory.so' >> "$PAM_FILE_PATH"
                fi
            fi
        fi
    fi
else
    if ! grep -qP '^\s*password\s+'"$var_password_pam_remember_control_flag"'\s+pam_pwhistory.so\s*.*' "/etc/pam.d/password-auth"; then
        # Line matching group + control + module was not found. Check group + module.
        if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "/etc/pam.d/password-auth")" -eq 1 ]; then
            # The control is updated only if one single line matches.
            sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"$var_password_pam_remember_control_flag"' \2/' "/etc/pam.d/password-auth"
        else
            LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "/etc/pam.d/password-auth" | tail -n 1 | cut -d: -f 1)
            if [ ! -z $LAST_MATCH_LINE ]; then
                sed -i --follow-symlinks $LAST_MATCH_LINE' a password     '"$var_password_pam_remember_control_flag"'    pam_pwhistory.so' "/etc/pam.d/password-auth"
            else
                echo 'password    '"$var_password_pam_remember_control_flag"'    pam_pwhistory.so' >> "/etc/pam.d/password-auth"
            fi
        fi
    fi
fi

PWHISTORY_CONF="/etc/security/pwhistory.conf"
if [ -f $PWHISTORY_CONF ]; then
    regex="^\s*remember\s*="
    line="remember = $var_password_pam_remember"
    if ! grep -q $regex $PWHISTORY_CONF; then
        echo $line >> $PWHISTORY_CONF
    else
        sed -i --follow-symlinks 's|^\s*\(remember\s*=\s*\)\(\S\+\)|\1'"$var_password_pam_remember"'|g' $PWHISTORY_CONF
    fi
    if [ -e "/etc/pam.d/password-auth" ] ; then
        PAM_FILE_PATH="/etc/pam.d/password-auth"
        if [ -f /usr/bin/authselect ]; then
            
            if ! authselect check; then
            echo "
            authselect integrity check failed. Remediation aborted!
            This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
            It is not recommended to manually edit the PAM files when authselect tool is available.
            In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
            exit 1
            fi

            CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
            # If not already in use, a custom profile is created preserving the enabled features.
            if [[ ! $CURRENT_PROFILE == custom/* ]]; then
                ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
                authselect create-profile hardening -b $CURRENT_PROFILE
                CURRENT_PROFILE="custom/hardening"
                
                authselect apply-changes -b --backup=before-hardening-custom-profile
                authselect select $CURRENT_PROFILE
                for feature in $ENABLED_FEATURES; do
                    authselect enable-feature $feature;
                done
                
                authselect apply-changes -b --backup=after-hardening-custom-profile
            fi
            PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth")
            PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"

            authselect apply-changes -b
        fi
        
    if grep -qP '^\s*password\s.*\bpam_pwhistory.so\s.*\bremember\b' "$PAM_FILE_PATH"; then
        sed -i -E --follow-symlinks 's/(.*password.*pam_pwhistory.so.*)\bremember\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
    fi
        if [ -f /usr/bin/authselect ]; then
            
            authselect apply-changes -b
        fi
    else
        echo "/etc/pam.d/password-auth was not found" >&2
    fi
else
    PAM_FILE_PATH="/etc/pam.d/password-auth"
    if [ -f /usr/bin/authselect ]; then
        
        if ! authselect check; then
        echo "
        authselect integrity check failed. Remediation aborted!
        This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
        It is not recommended to manually edit the PAM files when authselect tool is available.
        In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
        exit 1
        fi

        CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
        # If not already in use, a custom profile is created preserving the enabled features.
        if [[ ! $CURRENT_PROFILE == custom/* ]]; then
            ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
            authselect create-profile hardening -b $CURRENT_PROFILE
            CURRENT_PROFILE="custom/hardening"
            
            authselect apply-changes -b --backup=before-hardening-custom-profile
            authselect select $CURRENT_PROFILE
            for feature in $ENABLED_FEATURES; do
                authselect enable-feature $feature;
            done
            
            authselect apply-changes -b --backup=after-hardening-custom-profile
        fi
        PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth")
        PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"

        authselect apply-changes -b
    fi
    if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*' "$PAM_FILE_PATH"; then
        # Line matching group + control + module was not found. Check group + module.
        if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
            # The control is updated only if one single line matches.
            sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"requisite"' \2/' "$PAM_FILE_PATH"
        else
            echo 'password    '"requisite"'    pam_pwhistory.so' >> "$PAM_FILE_PATH"
        fi
    fi
    # Check the option
    if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*\sremember\b' "$PAM_FILE_PATH"; then
        sed -i -E --follow-symlinks '/\s*password\s+'"requisite"'\s+pam_pwhistory.so.*/ s/$/ remember='"$var_password_pam_remember"'/' "$PAM_FILE_PATH"
    else
        sed -i -E --follow-symlinks 's/(\s*password\s+'"requisite"'\s+pam_pwhistory.so\s+.*)('"remember"'=)[[:alnum:]]+\s*(.*)/\1\2'"$var_password_pam_remember"' \3/' "$PAM_FILE_PATH"
    fi
    if [ -f /usr/bin/authselect ]; then
        
        authselect apply-changes -b
    fi
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	false
Strategy:	configure

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83478-8
  - CJIS-5.6.2.1.1
  - DISA-STIG-RHEL-08-020220
  - NIST-800-171-3.5.8
  - NIST-800-53-IA-5(1)(e)
  - NIST-800-53-IA-5(f)
  - PCI-DSS-Req-8.2.5
  - accounts_password_pam_pwhistory_remember_password_auth
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
- name: XCCDF Value var_password_pam_remember # promote to variable
  set_fact:
    var_password_pam_remember: !!str 5
  tags:
    - always
- name: XCCDF Value var_password_pam_remember_control_flag # promote to variable
  set_fact:
    var_password_pam_remember_control_flag: !!str requisite,required
  tags:
    - always

- name: 'Limit Password Reuse: password-auth - Check if system relies on authselect
    tool'
  ansible.builtin.stat:
    path: /usr/bin/authselect
  register: result_authselect_present
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-83478-8
  - CJIS-5.6.2.1.1
  - DISA-STIG-RHEL-08-020220
  - NIST-800-171-3.5.8
  - NIST-800-53-IA-5(1)(e)
  - NIST-800-53-IA-5(f)
  - PCI-DSS-Req-8.2.5
  - accounts_password_pam_pwhistory_remember_password_auth
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed

- name: 'Limit Password Reuse: password-auth - Collect the available authselect features'
  ansible.builtin.command:
    cmd: authselect list-features minimal
  register: result_authselect_available_features
  changed_when: false
  when:
  - '"pam" in ansible_facts.packages'
  - result_authselect_present.stat.exists
  tags:
  - CCE-83478-8
  - CJIS-5.6.2.1.1
  - DISA-STIG-RHEL-08-020220
  - NIST-800-171-3.5.8
  - NIST-800-53-IA-5(1)(e)
  - NIST-800-53-IA-5(f)
  - PCI-DSS-Req-8.2.5
  - accounts_password_pam_pwhistory_remember_password_auth
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed

- name: 'Limit Password Reuse: password-auth - Enable pam_pwhistory.so using authselect
    feature'
  block:

  - name: 'Limit Password Reuse: password-auth - Check integrity of authselect current
      profile'
    ansible.builtin.command:
      cmd: authselect check
    register: result_authselect_check_cmd
    changed_when: false
    ignore_errors: true

  - name: 'Limit Password Reuse: password-auth - Informative message based on the
      authselect integrity check result'
    ansible.builtin.assert:
      that:
      - result_authselect_check_cmd is success
      fail_msg:
      - authselect integrity check failed. Remediation aborted!
      - This remediation could not be applied because an authselect profile was not
        selected or the selected profile is not intact.
      - It is not recommended to manually edit the PAM files when authselect tool
        is available.
      - In cases where the default authselect profile does not cover a specific demand,
        a custom authselect profile is recommended.
      success_msg:
      - authselect integrity check passed

  - name: 'Limit Password Reuse: password-auth - Get authselect current features'
    ansible.builtin.shell:
      cmd: authselect current | tail -n+3 | awk '{ print $2 }'
    register: result_authselect_features
    changed_when: false
    when:
    - result_authselect_check_cmd is success

  - name: 'Limit Password Reuse: password-auth - Ensure "with-pwhistory" feature is
      enabled using authselect tool'
    ansible.builtin.command:
      cmd: authselect enable-feature with-pwhistory
    register: result_authselect_enable_feature_cmd
    when:
    - result_authselect_check_cmd is success
    - result_authselect_features.stdout is not search("with-pwhistory")

  - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied'
    ansible.builtin.command:
      cmd: authselect apply-changes -b
    when:
    - result_authselect_enable_feature_cmd is not skipped
    - result_authselect_enable_feature_cmd is success
  when:
  - '"pam" in ansible_facts.packages'
  - result_authselect_present.stat.exists
  - result_authselect_available_features.stdout is search("with-pwhistory")
  tags:
  - CCE-83478-8
  - CJIS-5.6.2.1.1
  - DISA-STIG-RHEL-08-020220
  - NIST-800-171-3.5.8
  - NIST-800-53-IA-5(1)(e)
  - NIST-800-53-IA-5(f)
  - PCI-DSS-Req-8.2.5
  - accounts_password_pam_pwhistory_remember_password_auth
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed

- name: 'Limit Password Reuse: password-auth - Enable pam_pwhistory.so in appropriate
    PAM files'
  block:

  - name: 'Limit Password Reuse: password-auth - Define the PAM file to be edited
      as a local fact'
    ansible.builtin.set_fact:
      pam_file_path: /etc/pam.d/password-auth

  - name: 'Limit Password Reuse: password-auth - Check if system relies on authselect
      tool'
    ansible.builtin.stat:
      path: /usr/bin/authselect
    register: result_authselect_present

  - name: 'Limit Password Reuse: password-auth - Ensure authselect custom profile
      is used if authselect is present'
    block:

    - name: 'Limit Password Reuse: password-auth - Check integrity of authselect current
        profile'
      ansible.builtin.command:
        cmd: authselect check
      register: result_authselect_check_cmd
      changed_when: false
      ignore_errors: true

    - name: 'Limit Password Reuse: password-auth - Informative message based on the
        authselect integrity check result'
      ansible.builtin.assert:
        that:
        - result_authselect_check_cmd is success
        fail_msg:
        - authselect integrity check failed. Remediation aborted!
        - This remediation could not be applied because an authselect profile was
          not selected or the selected profile is not intact.
        - It is not recommended to manually edit the PAM files when authselect tool
          is available.
        - In cases where the default authselect profile does not cover a specific
          demand, a custom authselect profile is recommended.
        success_msg:
        - authselect integrity check passed

    - name: 'Limit Password Reuse: password-auth - Get authselect current profile'
      ansible.builtin.shell:
        cmd: authselect current -r | awk '{ print $1 }'
      register: result_authselect_profile
      changed_when: false
      when:
      - result_authselect_check_cmd is success

    - name: 'Limit Password Reuse: password-auth - Define the current authselect profile
        as a local fact'
      ansible.builtin.set_fact:
        authselect_current_profile: '{{ result_authselect_profile.stdout }}'
        authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
      when:
      - result_authselect_profile is not skipped
      - result_authselect_profile.stdout is match("custom/")

    - name: 'Limit Password Reuse: password-auth - Define the new authselect custom
        profile as a local fact'
      ansible.builtin.set_fact:
        authselect_current_profile: '{{ result_authselect_profile.stdout }}'
        authselect_custom_profile: custom/hardening
      when:
      - result_authselect_profile is not skipped
      - result_authselect_profile.stdout is not match("custom/")

    - name: 'Limit Password Reuse: password-auth - Get authselect current features
        to also enable them in the custom profile'
      ansible.builtin.shell:
        cmd: authselect current | tail -n+3 | awk '{ print $2 }'
      register: result_authselect_features
      changed_when: false
      when:
      - result_authselect_profile is not skipped
      - authselect_current_profile is not match("custom/")

    - name: 'Limit Password Reuse: password-auth - Check if any custom profile with
        the same name was already created'
      ansible.builtin.stat:
        path: /etc/authselect/{{ authselect_custom_profile }}
      register: result_authselect_custom_profile_present
      changed_when: false
      when:
      - authselect_current_profile is not match("custom/")

    - name: 'Limit Password Reuse: password-auth - Create an authselect custom profile
        based on the current profile'
      ansible.builtin.command:
        cmd: authselect create-profile hardening -b {{ authselect_current_profile
          }}
      when:
      - result_authselect_check_cmd is success
      - authselect_current_profile is not match("custom/")
      - not result_authselect_custom_profile_present.stat.exists

    - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied'
      ansible.builtin.command:
        cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
      when:
      - result_authselect_check_cmd is success
      - result_authselect_profile is not skipped
      - authselect_current_profile is not match("custom/")
      - authselect_custom_profile is not match(authselect_current_profile)

    - name: 'Limit Password Reuse: password-auth - Ensure the authselect custom profile
        is selected'
      ansible.builtin.command:
        cmd: authselect select {{ authselect_custom_profile }}
      register: result_pam_authselect_select_profile
      when:
      - result_authselect_check_cmd is success
      - result_authselect_profile is not skipped
      - authselect_current_profile is not match("custom/")
      - authselect_custom_profile is not match(authselect_current_profile)

    - name: 'Limit Password Reuse: password-auth - Restore the authselect features
        in the custom profile'
      ansible.builtin.command:
        cmd: authselect enable-feature {{ item }}
      loop: '{{ result_authselect_features.stdout_lines }}'
      register: result_pam_authselect_restore_features
      when:
      - result_authselect_profile is not skipped
      - result_authselect_features is not skipped
      - result_pam_authselect_select_profile is not skipped

    - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied'
      ansible.builtin.command:
        cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
      when:
      - result_authselect_check_cmd is success
      - result_authselect_profile is not skipped
      - result_pam_authselect_restore_features is not skipped

    - name: 'Limit Password Reuse: password-auth - Change the PAM file to be edited
        according to the custom authselect profile'
      ansible.builtin.set_fact:
        pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
          | basename }}
    when:
    - result_authselect_present.stat.exists

  - name: 'Limit Password Reuse: password-auth - Check if expected PAM module line
      is present in {{ pam_file_path }}'
    ansible.builtin.lineinfile:
      path: '{{ pam_file_path }}'
      regexp: ^\s*password\s+{{ var_password_pam_remember_control_flag.split(",")[0]
        }}\s+pam_pwhistory.so\s*.*
      state: absent
    check_mode: true
    changed_when: false
    register: result_pam_line_present

  - name: 'Limit Password Reuse: password-auth - Include or update the PAM module
      line in {{ pam_file_path }}'
    block:

    - name: 'Limit Password Reuse: password-auth - Check if required PAM module line
        is present in {{ pam_file_path }} with different control'
      ansible.builtin.lineinfile:
        path: '{{ pam_file_path }}'
        regexp: ^\s*password\s+.*\s+pam_pwhistory.so\s*
        state: absent
      check_mode: true
      changed_when: false
      register: result_pam_line_other_control_present

    - name: 'Limit Password Reuse: password-auth - Ensure the correct control for
        the required PAM module line in {{ pam_file_path }}'
      ansible.builtin.replace:
        dest: '{{ pam_file_path }}'
        regexp: ^(\s*password\s+).*(\bpam_pwhistory.so.*)
        replace: \1{{ var_password_pam_remember_control_flag.split(",")[0] }} \2
      register: result_pam_module_edit
      when:
      - result_pam_line_other_control_present.found == 1

    - name: 'Limit Password Reuse: password-auth - Ensure the required PAM module
        line is included in {{ pam_file_path }}'
      ansible.builtin.lineinfile:
        dest: '{{ pam_file_path }}'
        insertafter: ^password.*requisite.*pam_pwquality\.so
        line: password    {{ var_password_pam_remember_control_flag.split(",")[0]
          }}    pam_pwhistory.so
      register: result_pam_module_add
      when:
      - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
        > 1

    - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied'
      ansible.builtin.command:
        cmd: authselect apply-changes -b
      when: |
        result_authselect_present is defined and result_authselect_present.stat.exists and ((result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed))
    when:
    - result_pam_line_present.found is defined
    - result_pam_line_present.found == 0
  when:
  - '"pam" in ansible_facts.packages'
  - |
    (result_authselect_available_features.stdout is defined and result_authselect_available_features.stdout is not search("with-pwhistory")) or result_authselect_available_features is not defined
  tags:
  - CCE-83478-8
  - CJIS-5.6.2.1.1
  - DISA-STIG-RHEL-08-020220
  - NIST-800-171-3.5.8
  - NIST-800-53-IA-5(1)(e)
  - NIST-800-53-IA-5(f)
  - PCI-DSS-Req-8.2.5
  - accounts_password_pam_pwhistory_remember_password_auth
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed

- name: 'Limit Password Reuse: password-auth - Check the presence of /etc/security/pwhistory.conf
    file'
  ansible.builtin.stat:
    path: /etc/security/pwhistory.conf
  register: result_pwhistory_conf_check
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-83478-8
  - CJIS-5.6.2.1.1
  - DISA-STIG-RHEL-08-020220
  - NIST-800-171-3.5.8
  - NIST-800-53-IA-5(1)(e)
  - NIST-800-53-IA-5(f)
  - PCI-DSS-Req-8.2.5
  - accounts_password_pam_pwhistory_remember_password_auth
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed

- name: 'Limit Password Reuse: password-auth - pam_pwhistory.so parameters are configured
    in /etc/security/pwhistory.conf file'
  block:

  - name: 'Limit Password Reuse: password-auth - Ensure the pam_pwhistory.so remember
      parameter in /etc/security/pwhistory.conf'
    ansible.builtin.lineinfile:
      path: /etc/security/pwhistory.conf
      regexp: ^\s*remember\s*=
      line: remember = {{ var_password_pam_remember }}
      state: present

  - name: 'Limit Password Reuse: password-auth - Ensure the pam_pwhistory.so remember
      parameter is removed from PAM files'
    block:

    - name: 'Limit Password Reuse: password-auth - Check if /etc/pam.d/password-auth
        file is present'
      ansible.builtin.stat:
        path: /etc/pam.d/password-auth
      register: result_pam_file_present

    - name: 'Limit Password Reuse: password-auth - Check the proper remediation for
        the system'
      block:

      - name: 'Limit Password Reuse: password-auth - Define the PAM file to be edited
          as a local fact'
        ansible.builtin.set_fact:
          pam_file_path: /etc/pam.d/password-auth

      - name: 'Limit Password Reuse: password-auth - Check if system relies on authselect
          tool'
        ansible.builtin.stat:
          path: /usr/bin/authselect
        register: result_authselect_present

      - name: 'Limit Password Reuse: password-auth - Ensure authselect custom profile
          is used if authselect is present'
        block:

        - name: 'Limit Password Reuse: password-auth - Check integrity of authselect
            current profile'
          ansible.builtin.command:
            cmd: authselect check
          register: result_authselect_check_cmd
          changed_when: false
          ignore_errors: true

        - name: 'Limit Password Reuse: password-auth - Informative message based on
            the authselect integrity check result'
          ansible.builtin.assert:
            that:
            - result_authselect_check_cmd is success
            fail_msg:
            - authselect integrity check failed. Remediation aborted!
            - This remediation could not be applied because an authselect profile
              was not selected or the selected profile is not intact.
            - It is not recommended to manually edit the PAM files when authselect
              tool is available.
            - In cases where the default authselect profile does not cover a specific
              demand, a custom authselect profile is recommended.
            success_msg:
            - authselect integrity check passed

        - name: 'Limit Password Reuse: password-auth - Get authselect current profile'
          ansible.builtin.shell:
            cmd: authselect current -r | awk '{ print $1 }'
          register: result_authselect_profile
          changed_when: false
          when:
          - result_authselect_check_cmd is success

        - name: 'Limit Password Reuse: password-auth - Define the current authselect
            profile as a local fact'
          ansible.builtin.set_fact:
            authselect_current_profile: '{{ result_authselect_profile.stdout }}'
            authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
          when:
          - result_authselect_profile is not skipped
          - result_authselect_profile.stdout is match("custom/")

        - name: 'Limit Password Reuse: password-auth - Define the new authselect custom
            profile as a local fact'
          ansible.builtin.set_fact:
            authselect_current_profile: '{{ result_authselect_profile.stdout }}'
            authselect_custom_profile: custom/hardening
          when:
          - result_authselect_profile is not skipped
          - result_authselect_profile.stdout is not match("custom/")

        - name: 'Limit Password Reuse: password-auth - Get authselect current features
            to also enable them in the custom profile'
          ansible.builtin.shell:
            cmd: authselect current | tail -n+3 | awk '{ print $2 }'
          register: result_authselect_features
          changed_when: false
          when:
          - result_authselect_profile is not skipped
          - authselect_current_profile is not match("custom/")

        - name: 'Limit Password Reuse: password-auth - Check if any custom profile
            with the same name was already created'
          ansible.builtin.stat:
            path: /etc/authselect/{{ authselect_custom_profile }}
          register: result_authselect_custom_profile_present
          changed_when: false
          when:
          - authselect_current_profile is not match("custom/")

        - name: 'Limit Password Reuse: password-auth - Create an authselect custom
            profile based on the current profile'
          ansible.builtin.command:
            cmd: authselect create-profile hardening -b {{ authselect_current_profile
              }}
          when:
          - result_authselect_check_cmd is success
          - authselect_current_profile is not match("custom/")
          - not result_authselect_custom_profile_present.stat.exists

        - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are
            applied'
          ansible.builtin.command:
            cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
          when:
          - result_authselect_check_cmd is success
          - result_authselect_profile is not skipped
          - authselect_current_profile is not match("custom/")
          - authselect_custom_profile is not match(authselect_current_profile)

        - name: 'Limit Password Reuse: password-auth - Ensure the authselect custom
            profile is selected'
          ansible.builtin.command:
            cmd: authselect select {{ authselect_custom_profile }}
          register: result_pam_authselect_select_profile
          when:
          - result_authselect_check_cmd is success
          - result_authselect_profile is not skipped
          - authselect_current_profile is not match("custom/")
          - authselect_custom_profile is not match(authselect_current_profile)

        - name: 'Limit Password Reuse: password-auth - Restore the authselect features
            in the custom profile'
          ansible.builtin.command:
            cmd: authselect enable-feature {{ item }}
          loop: '{{ result_authselect_features.stdout_lines }}'
          register: result_pam_authselect_restore_features
          when:
          - result_authselect_profile is not skipped
          - result_authselect_features is not skipped
          - result_pam_authselect_select_profile is not skipped

        - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are
            applied'
          ansible.builtin.command:
            cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
          when:
          - result_authselect_check_cmd is success
          - result_authselect_profile is not skipped
          - result_pam_authselect_restore_features is not skipped

        - name: 'Limit Password Reuse: password-auth - Change the PAM file to be edited
            according to the custom authselect profile'
          ansible.builtin.set_fact:
            pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
              | basename }}
        when:
        - result_authselect_present.stat.exists

      - name: 'Limit Password Reuse: password-auth - Ensure the "remember" option
          from "pam_pwhistory.so" is not present in {{ pam_file_path }}'
        ansible.builtin.replace:
          dest: '{{ pam_file_path }}'
          regexp: (.*password.*pam_pwhistory.so.*)\bremember\b=?[0-9a-zA-Z]*(.*)
          replace: \1\2
        register: result_pam_option_removal

      - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are
          applied'
        ansible.builtin.command:
          cmd: authselect apply-changes -b
        when:
        - result_authselect_present.stat.exists
        - result_pam_option_removal is changed
      when:
      - result_pam_file_present.stat.exists
  when:
  - '"pam" in ansible_facts.packages'
  - result_pwhistory_conf_check.stat.exists
  tags:
  - CCE-83478-8
  - CJIS-5.6.2.1.1
  - DISA-STIG-RHEL-08-020220
  - NIST-800-171-3.5.8
  - NIST-800-53-IA-5(1)(e)
  - NIST-800-53-IA-5(f)
  - PCI-DSS-Req-8.2.5
  - accounts_password_pam_pwhistory_remember_password_auth
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed

- name: 'Limit Password Reuse: password-auth - pam_pwhistory.so parameters are configured
    in PAM files'
  block:

  - name: 'Limit Password Reuse: password-auth - Define the PAM file to be edited
      as a local fact'
    ansible.builtin.set_fact:
      pam_file_path: /etc/pam.d/password-auth

  - name: 'Limit Password Reuse: password-auth - Check if system relies on authselect
      tool'
    ansible.builtin.stat:
      path: /usr/bin/authselect
    register: result_authselect_present

  - name: 'Limit Password Reuse: password-auth - Ensure authselect custom profile
      is used if authselect is present'
    block:

    - name: 'Limit Password Reuse: password-auth - Check integrity of authselect current
        profile'
      ansible.builtin.command:
        cmd: authselect check
      register: result_authselect_check_cmd
      changed_when: false
      ignore_errors: true

    - name: 'Limit Password Reuse: password-auth - Informative message based on the
        authselect integrity check result'
      ansible.builtin.assert:
        that:
        - result_authselect_check_cmd is success
        fail_msg:
        - authselect integrity check failed. Remediation aborted!
        - This remediation could not be applied because an authselect profile was
          not selected or the selected profile is not intact.
        - It is not recommended to manually edit the PAM files when authselect tool
          is available.
        - In cases where the default authselect profile does not cover a specific
          demand, a custom authselect profile is recommended.
        success_msg:
        - authselect integrity check passed

    - name: 'Limit Password Reuse: password-auth - Get authselect current profile'
      ansible.builtin.shell:
        cmd: authselect current -r | awk '{ print $1 }'
      register: result_authselect_profile
      changed_when: false
      when:
      - result_authselect_check_cmd is success

    - name: 'Limit Password Reuse: password-auth - Define the current authselect profile
        as a local fact'
      ansible.builtin.set_fact:
        authselect_current_profile: '{{ result_authselect_profile.stdout }}'
        authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
      when:
      - result_authselect_profile is not skipped
      - result_authselect_profile.stdout is match("custom/")

    - name: 'Limit Password Reuse: password-auth - Define the new authselect custom
        profile as a local fact'
      ansible.builtin.set_fact:
        authselect_current_profile: '{{ result_authselect_profile.stdout }}'
        authselect_custom_profile: custom/hardening
      when:
      - result_authselect_profile is not skipped
      - result_authselect_profile.stdout is not match("custom/")

    - name: 'Limit Password Reuse: password-auth - Get authselect current features
        to also enable them in the custom profile'
      ansible.builtin.shell:
        cmd: authselect current | tail -n+3 | awk '{ print $2 }'
      register: result_authselect_features
      changed_when: false
      when:
      - result_authselect_profile is not skipped
      - authselect_current_profile is not match("custom/")

    - name: 'Limit Password Reuse: password-auth - Check if any custom profile with
        the same name was already created'
      ansible.builtin.stat:
        path: /etc/authselect/{{ authselect_custom_profile }}
      register: result_authselect_custom_profile_present
      changed_when: false
      when:
      - authselect_current_profile is not match("custom/")

    - name: 'Limit Password Reuse: password-auth - Create an authselect custom profile
        based on the current profile'
      ansible.builtin.command:
        cmd: authselect create-profile hardening -b {{ authselect_current_profile
          }}
      when:
      - result_authselect_check_cmd is success
      - authselect_current_profile is not match("custom/")
      - not result_authselect_custom_profile_present.stat.exists

    - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied'
      ansible.builtin.command:
        cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
      when:
      - result_authselect_check_cmd is success
      - result_authselect_profile is not skipped
      - authselect_current_profile is not match("custom/")
      - authselect_custom_profile is not match(authselect_current_profile)

    - name: 'Limit Password Reuse: password-auth - Ensure the authselect custom profile
        is selected'
      ansible.builtin.command:
        cmd: authselect select {{ authselect_custom_profile }}
      register: result_pam_authselect_select_profile
      when:
      - result_authselect_check_cmd is success
      - result_authselect_profile is not skipped
      - authselect_current_profile is not match("custom/")
      - authselect_custom_profile is not match(authselect_current_profile)

    - name: 'Limit Password Reuse: password-auth - Restore the authselect features
        in the custom profile'
      ansible.builtin.command:
        cmd: authselect enable-feature {{ item }}
      loop: '{{ result_authselect_features.stdout_lines }}'
      register: result_pam_authselect_restore_features
      when:
      - result_authselect_profile is not skipped
      - result_authselect_features is not skipped
      - result_pam_authselect_select_profile is not skipped

    - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied'
      ansible.builtin.command:
        cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
      when:
      - result_authselect_check_cmd is success
      - result_authselect_profile is not skipped
      - result_pam_authselect_restore_features is not skipped

    - name: 'Limit Password Reuse: password-auth - Change the PAM file to be edited
        according to the custom authselect profile'
      ansible.builtin.set_fact:
        pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
          | basename }}
    when:
    - result_authselect_present.stat.exists

  - name: 'Limit Password Reuse: password-auth - Check if expected PAM module line
      is present in {{ pam_file_path }}'
    ansible.builtin.lineinfile:
      path: '{{ pam_file_path }}'
      regexp: ^\s*password\s+requisite\s+pam_pwhistory.so\s*.*
      state: absent
    check_mode: true
    changed_when: false
    register: result_pam_line_present

  - name: 'Limit Password Reuse: password-auth - Include or update the PAM module
      line in {{ pam_file_path }}'
    block:

    - name: 'Limit Password Reuse: password-auth - Check if required PAM module line
        is present in {{ pam_file_path }} with different control'
      ansible.builtin.lineinfile:
        path: '{{ pam_file_path }}'
        regexp: ^\s*password\s+.*\s+pam_pwhistory.so\s*
        state: absent
      check_mode: true
      changed_when: false
      register: result_pam_line_other_control_present

    - name: 'Limit Password Reuse: password-auth - Ensure the correct control for
        the required PAM module line in {{ pam_file_path }}'
      ansible.builtin.replace:
        dest: '{{ pam_file_path }}'
        regexp: ^(\s*password\s+).*(\bpam_pwhistory.so.*)
        replace: \1requisite \2
      register: result_pam_module_edit
      when:
      - result_pam_line_other_control_present.found == 1

    - name: 'Limit Password Reuse: password-auth - Ensure the required PAM module
        line is included in {{ pam_file_path }}'
      ansible.builtin.lineinfile:
        dest: '{{ pam_file_path }}'
        line: password    requisite    pam_pwhistory.so
      register: result_pam_module_add
      when:
      - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
        > 1

    - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied'
      ansible.builtin.command:
        cmd: authselect apply-changes -b
      when: |
        result_authselect_present is defined and result_authselect_present.stat.exists and ((result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed))
    when:
    - result_pam_line_present.found is defined
    - result_pam_line_present.found == 0

  - name: 'Limit Password Reuse: password-auth - Check if the required PAM module
      option is present in {{ pam_file_path }}'
    ansible.builtin.lineinfile:
      path: '{{ pam_file_path }}'
      regexp: ^\s*password\s+requisite\s+pam_pwhistory.so\s*.*\sremember\b
      state: absent
    check_mode: true
    changed_when: false
    register: result_pam_module_remember_option_present

  - name: 'Limit Password Reuse: password-auth - Ensure the "remember" PAM option
      for "pam_pwhistory.so" is included in {{ pam_file_path }}'
    ansible.builtin.lineinfile:
      path: '{{ pam_file_path }}'
      backrefs: true
      regexp: ^(\s*password\s+requisite\s+pam_pwhistory.so.*)
      line: \1 remember={{ var_password_pam_remember }}
      state: present
    register: result_pam_remember_add
    when:
    - result_pam_module_remember_option_present.found == 0

  - name: 'Limit Password Reuse: password-auth - Ensure the required value for "remember"
      PAM option from "pam_pwhistory.so" in {{ pam_file_path }}'
    ansible.builtin.lineinfile:
      path: '{{ pam_file_path }}'
      backrefs: true
      regexp: ^(\s*password\s+requisite\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]+\s*(.*)
      line: \1\2={{ var_password_pam_remember }} \3
    register: result_pam_remember_edit
    when:
    - result_pam_module_remember_option_present.found > 0

  - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied'
    ansible.builtin.command:
      cmd: authselect apply-changes -b
    when:
    - result_authselect_present.stat.exists
    - (result_pam_remember_add is defined and result_pam_remember_add.changed) or
      (result_pam_remember_edit is defined and result_pam_remember_edit.changed)
  when:
  - '"pam" in ansible_facts.packages'
  - not result_pwhistory_conf_check.stat.exists
  tags:
  - CCE-83478-8
  - CJIS-5.6.2.1.1
  - DISA-STIG-RHEL-08-020220
  - NIST-800-171-3.5.8
  - NIST-800-53-IA-5(1)(e)
  - NIST-800-53-IA-5(f)
  - PCI-DSS-Req-8.2.5
  - accounts_password_pam_pwhistory_remember_password_auth
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed

OVAL test results details

Check pam_pwhistory.so presence in /etc/pam.d/password-auth oval:ssg-test_accounts_password_pam_pwhistory_remember_password_auth:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_password_pam_pwhistory_remember_password_auth:obj:1 of type textfilecontent54_object

Filepath

Pattern

Instance

requisite

required

requisite,required

^\s*password\s+(?:requisite)\s+pam_pwhistory\.so.*$

^\s*password\s+(?:required)\s+pam_pwhistory\.so.*$

/etc/pam.d/password-auth

Check remember parameter is present and correct in /etc/pam.d/password-auth oval:ssg-test_accounts_password_pam_pwhistory_remember_password_auth_pamd:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_password_pam_pwhistory_remember_password_auth_pamd:obj:1 of type textfilecontent54_object

Filepath

Pattern

Instance

^\s*password\b.*\bpam_pwhistory\.so\b.*\bremember=([0-9]*).*$

/etc/pam.d/password-auth

Check the absence of remember parameter in /etc/security/pwhistory.conf oval:ssg-test_accounts_password_pam_pwhistory_remember_password_auth_no_pwhistory_conf:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_password_pam_pwhistory_remember_password_auth_param_conf:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^\sremember\s=\s*([0-9]+)	^/etc/security/pwhistory.conf$	1

Check remember parameter is absent in /etc/pam.d/password-auth oval:ssg-test_accounts_password_pam_pwhistory_remember_password_auth_no_pamd:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_password_pam_pwhistory_remember_password_auth_pamd:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^\spassword\b.\bpam_pwhistory\.so\b.\bremember=([0-9]).*$	/etc/pam.d/password-auth	1

Check remember parameter is present and correct in /etc/security/pwhistory.conf oval:ssg-test_accounts_password_pam_pwhistory_remember_password_auth_pwhistory_conf:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_password_pam_pwhistory_remember_password_auth_param_conf:obj:1 of type textfilecontent54_object

Filepath

Pattern

Instance

^\s*remember\s*=\s*([0-9]+)

^/etc/security/pwhistory.conf$

Limit Password Reuse: system-auth

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-accounts_password_pam_pwhistory_remember_system_auth:def:1

Time 2026-03-23T19:57:55+01:00

Severity medium

Identifiers and References

Identifiers: CCE-83480-4

Description

authselect enable-feature with-pwhistory

Rationale

Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.

Warnings

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then

var_password_pam_remember='5'
var_password_pam_remember_control_flag='requisite,required'


var_password_pam_remember_control_flag="$(echo $var_password_pam_remember_control_flag | cut -d \, -f 1)"

if [ -f /usr/bin/authselect ]; then
    if authselect list-features minimal | grep -q with-pwhistory; then
        if ! authselect check; then
        echo "
        authselect integrity check failed. Remediation aborted!
        This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
        It is not recommended to manually edit the PAM files when authselect tool is available.
        In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
        exit 1
        fi
        authselect enable-feature with-pwhistory

        authselect apply-changes -b
    else
        
        if ! authselect check; then
        echo "
        authselect integrity check failed. Remediation aborted!
        This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
        It is not recommended to manually edit the PAM files when authselect tool is available.
        In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
        exit 1
        fi

        CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
        # If not already in use, a custom profile is created preserving the enabled features.
        if [[ ! $CURRENT_PROFILE == custom/* ]]; then
            ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
            authselect create-profile hardening -b $CURRENT_PROFILE
            CURRENT_PROFILE="custom/hardening"
            
            authselect apply-changes -b --backup=before-hardening-custom-profile
            authselect select $CURRENT_PROFILE
            for feature in $ENABLED_FEATURES; do
                authselect enable-feature $feature;
            done
            
            authselect apply-changes -b --backup=after-hardening-custom-profile
        fi
        PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth")
        PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"

        authselect apply-changes -b
        if ! grep -qP '^\s*password\s+'"$var_password_pam_remember_control_flag"'\s+pam_pwhistory.so\s*.*' "$PAM_FILE_PATH"; then
            # Line matching group + control + module was not found. Check group + module.
            if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
                # The control is updated only if one single line matches.
                sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"$var_password_pam_remember_control_flag"' \2/' "$PAM_FILE_PATH"
            else
                LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
                if [ ! -z $LAST_MATCH_LINE ]; then
                    sed -i --follow-symlinks $LAST_MATCH_LINE' a password     '"$var_password_pam_remember_control_flag"'    pam_pwhistory.so' "$PAM_FILE_PATH"
                else
                    echo 'password    '"$var_password_pam_remember_control_flag"'    pam_pwhistory.so' >> "$PAM_FILE_PATH"
                fi
            fi
        fi
    fi
else
    if ! grep -qP '^\s*password\s+'"$var_password_pam_remember_control_flag"'\s+pam_pwhistory.so\s*.*' "/etc/pam.d/system-auth"; then
        # Line matching group + control + module was not found. Check group + module.
        if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "/etc/pam.d/system-auth")" -eq 1 ]; then
            # The control is updated only if one single line matches.
            sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"$var_password_pam_remember_control_flag"' \2/' "/etc/pam.d/system-auth"
        else
            LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "/etc/pam.d/system-auth" | tail -n 1 | cut -d: -f 1)
            if [ ! -z $LAST_MATCH_LINE ]; then
                sed -i --follow-symlinks $LAST_MATCH_LINE' a password     '"$var_password_pam_remember_control_flag"'    pam_pwhistory.so' "/etc/pam.d/system-auth"
            else
                echo 'password    '"$var_password_pam_remember_control_flag"'    pam_pwhistory.so' >> "/etc/pam.d/system-auth"
            fi
        fi
    fi
fi

PWHISTORY_CONF="/etc/security/pwhistory.conf"
if [ -f $PWHISTORY_CONF ]; then
    regex="^\s*remember\s*="
    line="remember = $var_password_pam_remember"
    if ! grep -q $regex $PWHISTORY_CONF; then
        echo $line >> $PWHISTORY_CONF
    else
        sed -i --follow-symlinks 's|^\s*\(remember\s*=\s*\)\(\S\+\)|\1'"$var_password_pam_remember"'|g' $PWHISTORY_CONF
    fi
    if [ -e "/etc/pam.d/system-auth" ] ; then
        PAM_FILE_PATH="/etc/pam.d/system-auth"
        if [ -f /usr/bin/authselect ]; then
            
            if ! authselect check; then
            echo "
            authselect integrity check failed. Remediation aborted!
            This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
            It is not recommended to manually edit the PAM files when authselect tool is available.
            In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
            exit 1
            fi

            CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
            # If not already in use, a custom profile is created preserving the enabled features.
            if [[ ! $CURRENT_PROFILE == custom/* ]]; then
                ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
                authselect create-profile hardening -b $CURRENT_PROFILE
                CURRENT_PROFILE="custom/hardening"
                
                authselect apply-changes -b --backup=before-hardening-custom-profile
                authselect select $CURRENT_PROFILE
                for feature in $ENABLED_FEATURES; do
                    authselect enable-feature $feature;
                done
                
                authselect apply-changes -b --backup=after-hardening-custom-profile
            fi
            PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth")
            PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"

            authselect apply-changes -b
        fi
        
    if grep -qP '^\s*password\s.*\bpam_pwhistory.so\s.*\bremember\b' "$PAM_FILE_PATH"; then
        sed -i -E --follow-symlinks 's/(.*password.*pam_pwhistory.so.*)\bremember\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
    fi
        if [ -f /usr/bin/authselect ]; then
            
            authselect apply-changes -b
        fi
    else
        echo "/etc/pam.d/system-auth was not found" >&2
    fi
else
    PAM_FILE_PATH="/etc/pam.d/system-auth"
    if [ -f /usr/bin/authselect ]; then
        
        if ! authselect check; then
        echo "
        authselect integrity check failed. Remediation aborted!
        This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
        It is not recommended to manually edit the PAM files when authselect tool is available.
        In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
        exit 1
        fi

        CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
        # If not already in use, a custom profile is created preserving the enabled features.
        if [[ ! $CURRENT_PROFILE == custom/* ]]; then
            ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
            authselect create-profile hardening -b $CURRENT_PROFILE
            CURRENT_PROFILE="custom/hardening"
            
            authselect apply-changes -b --backup=before-hardening-custom-profile
            authselect select $CURRENT_PROFILE
            for feature in $ENABLED_FEATURES; do
                authselect enable-feature $feature;
            done
            
            authselect apply-changes -b --backup=after-hardening-custom-profile
        fi
        PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth")
        PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"

        authselect apply-changes -b
    fi
    if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*' "$PAM_FILE_PATH"; then
        # Line matching group + control + module was not found. Check group + module.
        if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
            # The control is updated only if one single line matches.
            sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"requisite"' \2/' "$PAM_FILE_PATH"
        else
            echo 'password    '"requisite"'    pam_pwhistory.so' >> "$PAM_FILE_PATH"
        fi
    fi
    # Check the option
    if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*\sremember\b' "$PAM_FILE_PATH"; then
        sed -i -E --follow-symlinks '/\s*password\s+'"requisite"'\s+pam_pwhistory.so.*/ s/$/ remember='"$var_password_pam_remember"'/' "$PAM_FILE_PATH"
    else
        sed -i -E --follow-symlinks 's/(\s*password\s+'"requisite"'\s+pam_pwhistory.so\s+.*)('"remember"'=)[[:alnum:]]+\s*(.*)/\1\2'"$var_password_pam_remember"' \3/' "$PAM_FILE_PATH"
    fi
    if [ -f /usr/bin/authselect ]; then
        
        authselect apply-changes -b
    fi
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	false
Strategy:	configure

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83480-4
  - CJIS-5.6.2.1.1
  - DISA-STIG-RHEL-08-020221
  - NIST-800-171-3.5.8
  - NIST-800-53-IA-5(1)(e)
  - NIST-800-53-IA-5(f)
  - PCI-DSS-Req-8.2.5
  - accounts_password_pam_pwhistory_remember_system_auth
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
- name: XCCDF Value var_password_pam_remember # promote to variable
  set_fact:
    var_password_pam_remember: !!str 5
  tags:
    - always
- name: XCCDF Value var_password_pam_remember_control_flag # promote to variable
  set_fact:
    var_password_pam_remember_control_flag: !!str requisite,required
  tags:
    - always

- name: 'Limit Password Reuse: system-auth - Check if system relies on authselect
    tool'
  ansible.builtin.stat:
    path: /usr/bin/authselect
  register: result_authselect_present
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-83480-4
  - CJIS-5.6.2.1.1
  - DISA-STIG-RHEL-08-020221
  - NIST-800-171-3.5.8
  - NIST-800-53-IA-5(1)(e)
  - NIST-800-53-IA-5(f)
  - PCI-DSS-Req-8.2.5
  - accounts_password_pam_pwhistory_remember_system_auth
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed

- name: 'Limit Password Reuse: system-auth - Collect the available authselect features'
  ansible.builtin.command:
    cmd: authselect list-features minimal
  register: result_authselect_available_features
  changed_when: false
  when:
  - '"pam" in ansible_facts.packages'
  - result_authselect_present.stat.exists
  tags:
  - CCE-83480-4
  - CJIS-5.6.2.1.1
  - DISA-STIG-RHEL-08-020221
  - NIST-800-171-3.5.8
  - NIST-800-53-IA-5(1)(e)
  - NIST-800-53-IA-5(f)
  - PCI-DSS-Req-8.2.5
  - accounts_password_pam_pwhistory_remember_system_auth
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed

- name: 'Limit Password Reuse: system-auth - Enable pam_pwhistory.so using authselect
    feature'
  block:

  - name: 'Limit Password Reuse: system-auth - Check integrity of authselect current
      profile'
    ansible.builtin.command:
      cmd: authselect check
    register: result_authselect_check_cmd
    changed_when: false
    ignore_errors: true

  - name: 'Limit Password Reuse: system-auth - Informative message based on the authselect
      integrity check result'
    ansible.builtin.assert:
      that:
      - result_authselect_check_cmd is success
      fail_msg:
      - authselect integrity check failed. Remediation aborted!
      - This remediation could not be applied because an authselect profile was not
        selected or the selected profile is not intact.
      - It is not recommended to manually edit the PAM files when authselect tool
        is available.
      - In cases where the default authselect profile does not cover a specific demand,
        a custom authselect profile is recommended.
      success_msg:
      - authselect integrity check passed

  - name: 'Limit Password Reuse: system-auth - Get authselect current features'
    ansible.builtin.shell:
      cmd: authselect current | tail -n+3 | awk '{ print $2 }'
    register: result_authselect_features
    changed_when: false
    when:
    - result_authselect_check_cmd is success

  - name: 'Limit Password Reuse: system-auth - Ensure "with-pwhistory" feature is
      enabled using authselect tool'
    ansible.builtin.command:
      cmd: authselect enable-feature with-pwhistory
    register: result_authselect_enable_feature_cmd
    when:
    - result_authselect_check_cmd is success
    - result_authselect_features.stdout is not search("with-pwhistory")

  - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
    ansible.builtin.command:
      cmd: authselect apply-changes -b
    when:
    - result_authselect_enable_feature_cmd is not skipped
    - result_authselect_enable_feature_cmd is success
  when:
  - '"pam" in ansible_facts.packages'
  - result_authselect_present.stat.exists
  - result_authselect_available_features.stdout is search("with-pwhistory")
  tags:
  - CCE-83480-4
  - CJIS-5.6.2.1.1
  - DISA-STIG-RHEL-08-020221
  - NIST-800-171-3.5.8
  - NIST-800-53-IA-5(1)(e)
  - NIST-800-53-IA-5(f)
  - PCI-DSS-Req-8.2.5
  - accounts_password_pam_pwhistory_remember_system_auth
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed

- name: 'Limit Password Reuse: system-auth - Enable pam_pwhistory.so in appropriate
    PAM files'
  block:

  - name: 'Limit Password Reuse: system-auth - Define the PAM file to be edited as
      a local fact'
    ansible.builtin.set_fact:
      pam_file_path: /etc/pam.d/system-auth

  - name: 'Limit Password Reuse: system-auth - Check if system relies on authselect
      tool'
    ansible.builtin.stat:
      path: /usr/bin/authselect
    register: result_authselect_present

  - name: 'Limit Password Reuse: system-auth - Ensure authselect custom profile is
      used if authselect is present'
    block:

    - name: 'Limit Password Reuse: system-auth - Check integrity of authselect current
        profile'
      ansible.builtin.command:
        cmd: authselect check
      register: result_authselect_check_cmd
      changed_when: false
      ignore_errors: true

    - name: 'Limit Password Reuse: system-auth - Informative message based on the
        authselect integrity check result'
      ansible.builtin.assert:
        that:
        - result_authselect_check_cmd is success
        fail_msg:
        - authselect integrity check failed. Remediation aborted!
        - This remediation could not be applied because an authselect profile was
          not selected or the selected profile is not intact.
        - It is not recommended to manually edit the PAM files when authselect tool
          is available.
        - In cases where the default authselect profile does not cover a specific
          demand, a custom authselect profile is recommended.
        success_msg:
        - authselect integrity check passed

    - name: 'Limit Password Reuse: system-auth - Get authselect current profile'
      ansible.builtin.shell:
        cmd: authselect current -r | awk '{ print $1 }'
      register: result_authselect_profile
      changed_when: false
      when:
      - result_authselect_check_cmd is success

    - name: 'Limit Password Reuse: system-auth - Define the current authselect profile
        as a local fact'
      ansible.builtin.set_fact:
        authselect_current_profile: '{{ result_authselect_profile.stdout }}'
        authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
      when:
      - result_authselect_profile is not skipped
      - result_authselect_profile.stdout is match("custom/")

    - name: 'Limit Password Reuse: system-auth - Define the new authselect custom
        profile as a local fact'
      ansible.builtin.set_fact:
        authselect_current_profile: '{{ result_authselect_profile.stdout }}'
        authselect_custom_profile: custom/hardening
      when:
      - result_authselect_profile is not skipped
      - result_authselect_profile.stdout is not match("custom/")

    - name: 'Limit Password Reuse: system-auth - Get authselect current features to
        also enable them in the custom profile'
      ansible.builtin.shell:
        cmd: authselect current | tail -n+3 | awk '{ print $2 }'
      register: result_authselect_features
      changed_when: false
      when:
      - result_authselect_profile is not skipped
      - authselect_current_profile is not match("custom/")

    - name: 'Limit Password Reuse: system-auth - Check if any custom profile with
        the same name was already created'
      ansible.builtin.stat:
        path: /etc/authselect/{{ authselect_custom_profile }}
      register: result_authselect_custom_profile_present
      changed_when: false
      when:
      - authselect_current_profile is not match("custom/")

    - name: 'Limit Password Reuse: system-auth - Create an authselect custom profile
        based on the current profile'
      ansible.builtin.command:
        cmd: authselect create-profile hardening -b {{ authselect_current_profile
          }}
      when:
      - result_authselect_check_cmd is success
      - authselect_current_profile is not match("custom/")
      - not result_authselect_custom_profile_present.stat.exists

    - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
      ansible.builtin.command:
        cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
      when:
      - result_authselect_check_cmd is success
      - result_authselect_profile is not skipped
      - authselect_current_profile is not match("custom/")
      - authselect_custom_profile is not match(authselect_current_profile)

    - name: 'Limit Password Reuse: system-auth - Ensure the authselect custom profile
        is selected'
      ansible.builtin.command:
        cmd: authselect select {{ authselect_custom_profile }}
      register: result_pam_authselect_select_profile
      when:
      - result_authselect_check_cmd is success
      - result_authselect_profile is not skipped
      - authselect_current_profile is not match("custom/")
      - authselect_custom_profile is not match(authselect_current_profile)

    - name: 'Limit Password Reuse: system-auth - Restore the authselect features in
        the custom profile'
      ansible.builtin.command:
        cmd: authselect enable-feature {{ item }}
      loop: '{{ result_authselect_features.stdout_lines }}'
      register: result_pam_authselect_restore_features
      when:
      - result_authselect_profile is not skipped
      - result_authselect_features is not skipped
      - result_pam_authselect_select_profile is not skipped

    - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
      ansible.builtin.command:
        cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
      when:
      - result_authselect_check_cmd is success
      - result_authselect_profile is not skipped
      - result_pam_authselect_restore_features is not skipped

    - name: 'Limit Password Reuse: system-auth - Change the PAM file to be edited
        according to the custom authselect profile'
      ansible.builtin.set_fact:
        pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
          | basename }}
    when:
    - result_authselect_present.stat.exists

  - name: 'Limit Password Reuse: system-auth - Check if expected PAM module line is
      present in {{ pam_file_path }}'
    ansible.builtin.lineinfile:
      path: '{{ pam_file_path }}'
      regexp: ^\s*password\s+{{ var_password_pam_remember_control_flag.split(",")[0]
        }}\s+pam_pwhistory.so\s*.*
      state: absent
    check_mode: true
    changed_when: false
    register: result_pam_line_present

  - name: 'Limit Password Reuse: system-auth - Include or update the PAM module line
      in {{ pam_file_path }}'
    block:

    - name: 'Limit Password Reuse: system-auth - Check if required PAM module line
        is present in {{ pam_file_path }} with different control'
      ansible.builtin.lineinfile:
        path: '{{ pam_file_path }}'
        regexp: ^\s*password\s+.*\s+pam_pwhistory.so\s*
        state: absent
      check_mode: true
      changed_when: false
      register: result_pam_line_other_control_present

    - name: 'Limit Password Reuse: system-auth - Ensure the correct control for the
        required PAM module line in {{ pam_file_path }}'
      ansible.builtin.replace:
        dest: '{{ pam_file_path }}'
        regexp: ^(\s*password\s+).*(\bpam_pwhistory.so.*)
        replace: \1{{ var_password_pam_remember_control_flag.split(",")[0] }} \2
      register: result_pam_module_edit
      when:
      - result_pam_line_other_control_present.found == 1

    - name: 'Limit Password Reuse: system-auth - Ensure the required PAM module line
        is included in {{ pam_file_path }}'
      ansible.builtin.lineinfile:
        dest: '{{ pam_file_path }}'
        insertafter: ^password.*requisite.*pam_pwquality\.so
        line: password    {{ var_password_pam_remember_control_flag.split(",")[0]
          }}    pam_pwhistory.so
      register: result_pam_module_add
      when:
      - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
        > 1

    - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
      ansible.builtin.command:
        cmd: authselect apply-changes -b
      when: |
        result_authselect_present is defined and result_authselect_present.stat.exists and ((result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed))
    when:
    - result_pam_line_present.found is defined
    - result_pam_line_present.found == 0
  when:
  - '"pam" in ansible_facts.packages'
  - |
    (result_authselect_available_features.stdout is defined and result_authselect_available_features.stdout is not search("with-pwhistory")) or result_authselect_available_features is not defined
  tags:
  - CCE-83480-4
  - CJIS-5.6.2.1.1
  - DISA-STIG-RHEL-08-020221
  - NIST-800-171-3.5.8
  - NIST-800-53-IA-5(1)(e)
  - NIST-800-53-IA-5(f)
  - PCI-DSS-Req-8.2.5
  - accounts_password_pam_pwhistory_remember_system_auth
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed

- name: 'Limit Password Reuse: system-auth - Check the presence of /etc/security/pwhistory.conf
    file'
  ansible.builtin.stat:
    path: /etc/security/pwhistory.conf
  register: result_pwhistory_conf_check
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-83480-4
  - CJIS-5.6.2.1.1
  - DISA-STIG-RHEL-08-020221
  - NIST-800-171-3.5.8
  - NIST-800-53-IA-5(1)(e)
  - NIST-800-53-IA-5(f)
  - PCI-DSS-Req-8.2.5
  - accounts_password_pam_pwhistory_remember_system_auth
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed

- name: 'Limit Password Reuse: system-auth - pam_pwhistory.so parameters are configured
    in /etc/security/pwhistory.conf file'
  block:

  - name: 'Limit Password Reuse: system-auth - Ensure the pam_pwhistory.so remember
      parameter in /etc/security/pwhistory.conf'
    ansible.builtin.lineinfile:
      path: /etc/security/pwhistory.conf
      regexp: ^\s*remember\s*=
      line: remember = {{ var_password_pam_remember }}
      state: present

  - name: 'Limit Password Reuse: system-auth - Ensure the pam_pwhistory.so remember
      parameter is removed from PAM files'
    block:

    - name: 'Limit Password Reuse: system-auth - Check if /etc/pam.d/system-auth file
        is present'
      ansible.builtin.stat:
        path: /etc/pam.d/system-auth
      register: result_pam_file_present

    - name: 'Limit Password Reuse: system-auth - Check the proper remediation for
        the system'
      block:

      - name: 'Limit Password Reuse: system-auth - Define the PAM file to be edited
          as a local fact'
        ansible.builtin.set_fact:
          pam_file_path: /etc/pam.d/system-auth

      - name: 'Limit Password Reuse: system-auth - Check if system relies on authselect
          tool'
        ansible.builtin.stat:
          path: /usr/bin/authselect
        register: result_authselect_present

      - name: 'Limit Password Reuse: system-auth - Ensure authselect custom profile
          is used if authselect is present'
        block:

        - name: 'Limit Password Reuse: system-auth - Check integrity of authselect
            current profile'
          ansible.builtin.command:
            cmd: authselect check
          register: result_authselect_check_cmd
          changed_when: false
          ignore_errors: true

        - name: 'Limit Password Reuse: system-auth - Informative message based on
            the authselect integrity check result'
          ansible.builtin.assert:
            that:
            - result_authselect_check_cmd is success
            fail_msg:
            - authselect integrity check failed. Remediation aborted!
            - This remediation could not be applied because an authselect profile
              was not selected or the selected profile is not intact.
            - It is not recommended to manually edit the PAM files when authselect
              tool is available.
            - In cases where the default authselect profile does not cover a specific
              demand, a custom authselect profile is recommended.
            success_msg:
            - authselect integrity check passed

        - name: 'Limit Password Reuse: system-auth - Get authselect current profile'
          ansible.builtin.shell:
            cmd: authselect current -r | awk '{ print $1 }'
          register: result_authselect_profile
          changed_when: false
          when:
          - result_authselect_check_cmd is success

        - name: 'Limit Password Reuse: system-auth - Define the current authselect
            profile as a local fact'
          ansible.builtin.set_fact:
            authselect_current_profile: '{{ result_authselect_profile.stdout }}'
            authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
          when:
          - result_authselect_profile is not skipped
          - result_authselect_profile.stdout is match("custom/")

        - name: 'Limit Password Reuse: system-auth - Define the new authselect custom
            profile as a local fact'
          ansible.builtin.set_fact:
            authselect_current_profile: '{{ result_authselect_profile.stdout }}'
            authselect_custom_profile: custom/hardening
          when:
          - result_authselect_profile is not skipped
          - result_authselect_profile.stdout is not match("custom/")

        - name: 'Limit Password Reuse: system-auth - Get authselect current features
            to also enable them in the custom profile'
          ansible.builtin.shell:
            cmd: authselect current | tail -n+3 | awk '{ print $2 }'
          register: result_authselect_features
          changed_when: false
          when:
          - result_authselect_profile is not skipped
          - authselect_current_profile is not match("custom/")

        - name: 'Limit Password Reuse: system-auth - Check if any custom profile with
            the same name was already created'
          ansible.builtin.stat:
            path: /etc/authselect/{{ authselect_custom_profile }}
          register: result_authselect_custom_profile_present
          changed_when: false
          when:
          - authselect_current_profile is not match("custom/")

        - name: 'Limit Password Reuse: system-auth - Create an authselect custom profile
            based on the current profile'
          ansible.builtin.command:
            cmd: authselect create-profile hardening -b {{ authselect_current_profile
              }}
          when:
          - result_authselect_check_cmd is success
          - authselect_current_profile is not match("custom/")
          - not result_authselect_custom_profile_present.stat.exists

        - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are
            applied'
          ansible.builtin.command:
            cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
          when:
          - result_authselect_check_cmd is success
          - result_authselect_profile is not skipped
          - authselect_current_profile is not match("custom/")
          - authselect_custom_profile is not match(authselect_current_profile)

        - name: 'Limit Password Reuse: system-auth - Ensure the authselect custom
            profile is selected'
          ansible.builtin.command:
            cmd: authselect select {{ authselect_custom_profile }}
          register: result_pam_authselect_select_profile
          when:
          - result_authselect_check_cmd is success
          - result_authselect_profile is not skipped
          - authselect_current_profile is not match("custom/")
          - authselect_custom_profile is not match(authselect_current_profile)

        - name: 'Limit Password Reuse: system-auth - Restore the authselect features
            in the custom profile'
          ansible.builtin.command:
            cmd: authselect enable-feature {{ item }}
          loop: '{{ result_authselect_features.stdout_lines }}'
          register: result_pam_authselect_restore_features
          when:
          - result_authselect_profile is not skipped
          - result_authselect_features is not skipped
          - result_pam_authselect_select_profile is not skipped

        - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are
            applied'
          ansible.builtin.command:
            cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
          when:
          - result_authselect_check_cmd is success
          - result_authselect_profile is not skipped
          - result_pam_authselect_restore_features is not skipped

        - name: 'Limit Password Reuse: system-auth - Change the PAM file to be edited
            according to the custom authselect profile'
          ansible.builtin.set_fact:
            pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
              | basename }}
        when:
        - result_authselect_present.stat.exists

      - name: 'Limit Password Reuse: system-auth - Ensure the "remember" option from
          "pam_pwhistory.so" is not present in {{ pam_file_path }}'
        ansible.builtin.replace:
          dest: '{{ pam_file_path }}'
          regexp: (.*password.*pam_pwhistory.so.*)\bremember\b=?[0-9a-zA-Z]*(.*)
          replace: \1\2
        register: result_pam_option_removal

      - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
        ansible.builtin.command:
          cmd: authselect apply-changes -b
        when:
        - result_authselect_present.stat.exists
        - result_pam_option_removal is changed
      when:
      - result_pam_file_present.stat.exists
  when:
  - '"pam" in ansible_facts.packages'
  - result_pwhistory_conf_check.stat.exists
  tags:
  - CCE-83480-4
  - CJIS-5.6.2.1.1
  - DISA-STIG-RHEL-08-020221
  - NIST-800-171-3.5.8
  - NIST-800-53-IA-5(1)(e)
  - NIST-800-53-IA-5(f)
  - PCI-DSS-Req-8.2.5
  - accounts_password_pam_pwhistory_remember_system_auth
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed

- name: 'Limit Password Reuse: system-auth - pam_pwhistory.so parameters are configured
    in PAM files'
  block:

  - name: 'Limit Password Reuse: system-auth - Define the PAM file to be edited as
      a local fact'
    ansible.builtin.set_fact:
      pam_file_path: /etc/pam.d/system-auth

  - name: 'Limit Password Reuse: system-auth - Check if system relies on authselect
      tool'
    ansible.builtin.stat:
      path: /usr/bin/authselect
    register: result_authselect_present

  - name: 'Limit Password Reuse: system-auth - Ensure authselect custom profile is
      used if authselect is present'
    block:

    - name: 'Limit Password Reuse: system-auth - Check integrity of authselect current
        profile'
      ansible.builtin.command:
        cmd: authselect check
      register: result_authselect_check_cmd
      changed_when: false
      ignore_errors: true

    - name: 'Limit Password Reuse: system-auth - Informative message based on the
        authselect integrity check result'
      ansible.builtin.assert:
        that:
        - result_authselect_check_cmd is success
        fail_msg:
        - authselect integrity check failed. Remediation aborted!
        - This remediation could not be applied because an authselect profile was
          not selected or the selected profile is not intact.
        - It is not recommended to manually edit the PAM files when authselect tool
          is available.
        - In cases where the default authselect profile does not cover a specific
          demand, a custom authselect profile is recommended.
        success_msg:
        - authselect integrity check passed

    - name: 'Limit Password Reuse: system-auth - Get authselect current profile'
      ansible.builtin.shell:
        cmd: authselect current -r | awk '{ print $1 }'
      register: result_authselect_profile
      changed_when: false
      when:
      - result_authselect_check_cmd is success

    - name: 'Limit Password Reuse: system-auth - Define the current authselect profile
        as a local fact'
      ansible.builtin.set_fact:
        authselect_current_profile: '{{ result_authselect_profile.stdout }}'
        authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
      when:
      - result_authselect_profile is not skipped
      - result_authselect_profile.stdout is match("custom/")

    - name: 'Limit Password Reuse: system-auth - Define the new authselect custom
        profile as a local fact'
      ansible.builtin.set_fact:
        authselect_current_profile: '{{ result_authselect_profile.stdout }}'
        authselect_custom_profile: custom/hardening
      when:
      - result_authselect_profile is not skipped
      - result_authselect_profile.stdout is not match("custom/")

    - name: 'Limit Password Reuse: system-auth - Get authselect current features to
        also enable them in the custom profile'
      ansible.builtin.shell:
        cmd: authselect current | tail -n+3 | awk '{ print $2 }'
      register: result_authselect_features
      changed_when: false
      when:
      - result_authselect_profile is not skipped
      - authselect_current_profile is not match("custom/")

    - name: 'Limit Password Reuse: system-auth - Check if any custom profile with
        the same name was already created'
      ansible.builtin.stat:
        path: /etc/authselect/{{ authselect_custom_profile }}
      register: result_authselect_custom_profile_present
      changed_when: false
      when:
      - authselect_current_profile is not match("custom/")

    - name: 'Limit Password Reuse: system-auth - Create an authselect custom profile
        based on the current profile'
      ansible.builtin.command:
        cmd: authselect create-profile hardening -b {{ authselect_current_profile
          }}
      when:
      - result_authselect_check_cmd is success
      - authselect_current_profile is not match("custom/")
      - not result_authselect_custom_profile_present.stat.exists

    - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
      ansible.builtin.command:
        cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
      when:
      - result_authselect_check_cmd is success
      - result_authselect_profile is not skipped
      - authselect_current_profile is not match("custom/")
      - authselect_custom_profile is not match(authselect_current_profile)

    - name: 'Limit Password Reuse: system-auth - Ensure the authselect custom profile
        is selected'
      ansible.builtin.command:
        cmd: authselect select {{ authselect_custom_profile }}
      register: result_pam_authselect_select_profile
      when:
      - result_authselect_check_cmd is success
      - result_authselect_profile is not skipped
      - authselect_current_profile is not match("custom/")
      - authselect_custom_profile is not match(authselect_current_profile)

    - name: 'Limit Password Reuse: system-auth - Restore the authselect features in
        the custom profile'
      ansible.builtin.command:
        cmd: authselect enable-feature {{ item }}
      loop: '{{ result_authselect_features.stdout_lines }}'
      register: result_pam_authselect_restore_features
      when:
      - result_authselect_profile is not skipped
      - result_authselect_features is not skipped
      - result_pam_authselect_select_profile is not skipped

    - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
      ansible.builtin.command:
        cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
      when:
      - result_authselect_check_cmd is success
      - result_authselect_profile is not skipped
      - result_pam_authselect_restore_features is not skipped

    - name: 'Limit Password Reuse: system-auth - Change the PAM file to be edited
        according to the custom authselect profile'
      ansible.builtin.set_fact:
        pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
          | basename }}
    when:
    - result_authselect_present.stat.exists

  - name: 'Limit Password Reuse: system-auth - Check if expected PAM module line is
      present in {{ pam_file_path }}'
    ansible.builtin.lineinfile:
      path: '{{ pam_file_path }}'
      regexp: ^\s*password\s+requisite\s+pam_pwhistory.so\s*.*
      state: absent
    check_mode: true
    changed_when: false
    register: result_pam_line_present

  - name: 'Limit Password Reuse: system-auth - Include or update the PAM module line
      in {{ pam_file_path }}'
    block:

    - name: 'Limit Password Reuse: system-auth - Check if required PAM module line
        is present in {{ pam_file_path }} with different control'
      ansible.builtin.lineinfile:
        path: '{{ pam_file_path }}'
        regexp: ^\s*password\s+.*\s+pam_pwhistory.so\s*
        state: absent
      check_mode: true
      changed_when: false
      register: result_pam_line_other_control_present

    - name: 'Limit Password Reuse: system-auth - Ensure the correct control for the
        required PAM module line in {{ pam_file_path }}'
      ansible.builtin.replace:
        dest: '{{ pam_file_path }}'
        regexp: ^(\s*password\s+).*(\bpam_pwhistory.so.*)
        replace: \1requisite \2
      register: result_pam_module_edit
      when:
      - result_pam_line_other_control_present.found == 1

    - name: 'Limit Password Reuse: system-auth - Ensure the required PAM module line
        is included in {{ pam_file_path }}'
      ansible.builtin.lineinfile:
        dest: '{{ pam_file_path }}'
        line: password    requisite    pam_pwhistory.so
      register: result_pam_module_add
      when:
      - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
        > 1

    - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
      ansible.builtin.command:
        cmd: authselect apply-changes -b
      when: |
        result_authselect_present is defined and result_authselect_present.stat.exists and ((result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed))
    when:
    - result_pam_line_present.found is defined
    - result_pam_line_present.found == 0

  - name: 'Limit Password Reuse: system-auth - Check if the required PAM module option
      is present in {{ pam_file_path }}'
    ansible.builtin.lineinfile:
      path: '{{ pam_file_path }}'
      regexp: ^\s*password\s+requisite\s+pam_pwhistory.so\s*.*\sremember\b
      state: absent
    check_mode: true
    changed_when: false
    register: result_pam_module_remember_option_present

  - name: 'Limit Password Reuse: system-auth - Ensure the "remember" PAM option for
      "pam_pwhistory.so" is included in {{ pam_file_path }}'
    ansible.builtin.lineinfile:
      path: '{{ pam_file_path }}'
      backrefs: true
      regexp: ^(\s*password\s+requisite\s+pam_pwhistory.so.*)
      line: \1 remember={{ var_password_pam_remember }}
      state: present
    register: result_pam_remember_add
    when:
    - result_pam_module_remember_option_present.found == 0

  - name: 'Limit Password Reuse: system-auth - Ensure the required value for "remember"
      PAM option from "pam_pwhistory.so" in {{ pam_file_path }}'
    ansible.builtin.lineinfile:
      path: '{{ pam_file_path }}'
      backrefs: true
      regexp: ^(\s*password\s+requisite\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]+\s*(.*)
      line: \1\2={{ var_password_pam_remember }} \3
    register: result_pam_remember_edit
    when:
    - result_pam_module_remember_option_present.found > 0

  - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
    ansible.builtin.command:
      cmd: authselect apply-changes -b
    when:
    - result_authselect_present.stat.exists
    - (result_pam_remember_add is defined and result_pam_remember_add.changed) or
      (result_pam_remember_edit is defined and result_pam_remember_edit.changed)
  when:
  - '"pam" in ansible_facts.packages'
  - not result_pwhistory_conf_check.stat.exists
  tags:
  - CCE-83480-4
  - CJIS-5.6.2.1.1
  - DISA-STIG-RHEL-08-020221
  - NIST-800-171-3.5.8
  - NIST-800-53-IA-5(1)(e)
  - NIST-800-53-IA-5(f)
  - PCI-DSS-Req-8.2.5
  - accounts_password_pam_pwhistory_remember_system_auth
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed

OVAL test results details

Check pam_pwhistory.so presence in /etc/pam.d/system-auth oval:ssg-test_accounts_password_pam_pwhistory_remember_system_auth:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_password_pam_pwhistory_remember_system_auth:obj:1 of type textfilecontent54_object

Filepath

Pattern

Instance

requisite

required

requisite,required

^\s*password\s+(?:requisite)\s+pam_pwhistory\.so.*$

^\s*password\s+(?:required)\s+pam_pwhistory\.so.*$

/etc/pam.d/system-auth

Check remember parameter is present and correct in /etc/pam.d/system-auth oval:ssg-test_accounts_password_pam_pwhistory_remember_system_auth_pamd:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_password_pam_pwhistory_remember_system_auth_pamd:obj:1 of type textfilecontent54_object

Filepath

Pattern

Instance

^\s*password\b.*\bpam_pwhistory\.so\b.*\bremember=([0-9]*).*$

/etc/pam.d/system-auth

Check the absence of remember parameter in /etc/security/pwhistory.conf oval:ssg-test_accounts_password_pam_pwhistory_remember_system_auth_no_pwhistory_conf:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_password_pam_pwhistory_remember_system_auth_param_conf:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^\sremember\s=\s*([0-9]+)	^/etc/security/pwhistory.conf$	1

Check remember parameter is absent in /etc/pam.d/system-auth oval:ssg-test_accounts_password_pam_pwhistory_remember_system_auth_no_pamd:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_password_pam_pwhistory_remember_system_auth_pamd:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^\spassword\b.\bpam_pwhistory\.so\b.\bremember=([0-9]).*$	/etc/pam.d/system-auth	1

Check remember parameter is present and correct in /etc/security/pwhistory.conf oval:ssg-test_accounts_password_pam_pwhistory_remember_system_auth_pwhistory_conf:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_password_pam_pwhistory_remember_system_auth_param_conf:obj:1 of type textfilecontent54_object

Filepath

Pattern

Instance

^\s*remember\s*=\s*([0-9]+)

^/etc/security/pwhistory.conf$

Lock Accounts After Failed Password Attempts

Rule ID xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-accounts_passwords_pam_faillock_deny:def:1

Time 2026-03-23T19:57:55+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80667-9

References: BP28(R18), 5.4.2, 5.5.2, 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), PR.AC-7, FIA_AFL.1, Req-8.1.6, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, RHEL-08-020011, SV-230333r743966_rule, SRG-OS-000021-VMM-000050

Description

This rule configures the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so. pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. In order to avoid errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, depending on the OS version.

Rationale

By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking the account.

Warnings

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then

var_accounts_passwords_pam_faillock_deny='3'


if [ -f /usr/bin/authselect ]; then
    if ! authselect check; then
echo "
authselect integrity check failed. Remediation aborted!
This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
It is not recommended to manually edit the PAM files when authselect tool is available.
In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
exit 1
fi
authselect enable-feature with-faillock

authselect apply-changes -b
else
    
AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
for pam_file in "${AUTH_FILES[@]}"
do
    if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then
        sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth        required      pam_faillock.so preauth silent' "$pam_file"
        sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth        required      pam_faillock.so authfail' "$pam_file"
        sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account     required      pam_faillock.so' "$pam_file"
    fi
    sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required     \3/g' "$pam_file"
done

fi

AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")

FAILLOCK_CONF="/etc/security/faillock.conf"
if [ -f $FAILLOCK_CONF ]; then
    regex="^\s*deny\s*="
    line="deny = $var_accounts_passwords_pam_faillock_deny"
    if ! grep -q $regex $FAILLOCK_CONF; then
        echo $line >> $FAILLOCK_CONF
    else
        sed -i --follow-symlinks 's|^\s*\(deny\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_deny"'|g' $FAILLOCK_CONF
    fi
    for pam_file in "${AUTH_FILES[@]}"
    do
        if [ -e "$pam_file" ] ; then
            PAM_FILE_PATH="$pam_file"
            if [ -f /usr/bin/authselect ]; then
                
                if ! authselect check; then
                echo "
                authselect integrity check failed. Remediation aborted!
                This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
                It is not recommended to manually edit the PAM files when authselect tool is available.
                In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
                exit 1
                fi

                CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
                # If not already in use, a custom profile is created preserving the enabled features.
                if [[ ! $CURRENT_PROFILE == custom/* ]]; then
                    ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
                    authselect create-profile hardening -b $CURRENT_PROFILE
                    CURRENT_PROFILE="custom/hardening"
                    
                    authselect apply-changes -b --backup=before-hardening-custom-profile
                    authselect select $CURRENT_PROFILE
                    for feature in $ENABLED_FEATURES; do
                        authselect enable-feature $feature;
                    done
                    
                    authselect apply-changes -b --backup=after-hardening-custom-profile
                fi
                PAM_FILE_NAME=$(basename "$pam_file")
                PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"

                authselect apply-changes -b
            fi
            
        if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bdeny\b' "$PAM_FILE_PATH"; then
            sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bdeny\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
        fi
            if [ -f /usr/bin/authselect ]; then
                
                authselect apply-changes -b
            fi
        else
            echo "$pam_file was not found" >&2
        fi
    done
else
    for pam_file in "${AUTH_FILES[@]}"
    do
        if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*deny' "$pam_file"; then
            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
        else
            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file"
            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file"
        fi
    done
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-80667-9
  - CJIS-5.5.3
  - DISA-STIG-RHEL-08-020011
  - NIST-800-171-3.1.8
  - NIST-800-53-AC-7(a)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.6
  - accounts_passwords_pam_faillock_deny
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Lock Accounts After Failed Password Attempts - Check if system relies on authselect
    tool
  ansible.builtin.stat:
    path: /usr/bin/authselect
  register: result_authselect_present
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-80667-9
  - CJIS-5.5.3
  - DISA-STIG-RHEL-08-020011
  - NIST-800-171-3.1.8
  - NIST-800-53-AC-7(a)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.6
  - accounts_passwords_pam_faillock_deny
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Lock Accounts After Failed Password Attempts - Remediation where authselect
    tool is present
  block:

  - name: Lock Accounts After Failed Password Attempts - Check integrity of authselect
      current profile
    ansible.builtin.command:
      cmd: authselect check
    register: result_authselect_check_cmd
    changed_when: false
    ignore_errors: true

  - name: Lock Accounts After Failed Password Attempts - Informative message based
      on the authselect integrity check result
    ansible.builtin.assert:
      that:
      - result_authselect_check_cmd is success
      fail_msg:
      - authselect integrity check failed. Remediation aborted!
      - This remediation could not be applied because an authselect profile was not
        selected or the selected profile is not intact.
      - It is not recommended to manually edit the PAM files when authselect tool
        is available.
      - In cases where the default authselect profile does not cover a specific demand,
        a custom authselect profile is recommended.
      success_msg:
      - authselect integrity check passed

  - name: Lock Accounts After Failed Password Attempts - Get authselect current features
    ansible.builtin.shell:
      cmd: authselect current | tail -n+3 | awk '{ print $2 }'
    register: result_authselect_features
    changed_when: false
    when:
    - result_authselect_check_cmd is success

  - name: Lock Accounts After Failed Password Attempts - Ensure "with-faillock" feature
      is enabled using authselect tool
    ansible.builtin.command:
      cmd: authselect enable-feature with-faillock
    register: result_authselect_enable_feature_cmd
    when:
    - result_authselect_check_cmd is success
    - result_authselect_features.stdout is not search("with-faillock")

  - name: Lock Accounts After Failed Password Attempts - Ensure authselect changes
      are applied
    ansible.builtin.command:
      cmd: authselect apply-changes -b
    when:
    - result_authselect_enable_feature_cmd is not skipped
    - result_authselect_enable_feature_cmd is success
  when:
  - '"pam" in ansible_facts.packages'
  - result_authselect_present.stat.exists
  tags:
  - CCE-80667-9
  - CJIS-5.5.3
  - DISA-STIG-RHEL-08-020011
  - NIST-800-171-3.1.8
  - NIST-800-53-AC-7(a)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.6
  - accounts_passwords_pam_faillock_deny
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Lock Accounts After Failed Password Attempts - Remediation where authselect
    tool is not present
  block:

  - name: Lock Accounts After Failed Password Attempts - Check if pam_faillock.so
      is already enabled
    ansible.builtin.lineinfile:
      path: /etc/pam.d/system-auth
      regexp: .*auth.*pam_faillock\.so (preauth|authfail)
      state: absent
    check_mode: true
    changed_when: false
    register: result_pam_faillock_is_enabled

  - name: Lock Accounts After Failed Password Attempts - Enable pam_faillock.so preauth
      editing PAM files
    ansible.builtin.lineinfile:
      path: '{{ item }}'
      line: auth        required      pam_faillock.so preauth
      insertbefore: ^auth.*sufficient.*pam_unix\.so.*
      state: present
    loop:
    - /etc/pam.d/system-auth
    - /etc/pam.d/password-auth
    when:
    - result_pam_faillock_is_enabled.found == 0

  - name: Lock Accounts After Failed Password Attempts - Enable pam_faillock.so authfail
      editing PAM files
    ansible.builtin.lineinfile:
      path: '{{ item }}'
      line: auth        required      pam_faillock.so authfail
      insertbefore: ^auth.*required.*pam_deny\.so.*
      state: present
    loop:
    - /etc/pam.d/system-auth
    - /etc/pam.d/password-auth
    when:
    - result_pam_faillock_is_enabled.found == 0

  - name: Lock Accounts After Failed Password Attempts - Enable pam_faillock.so account
      section editing PAM files
    ansible.builtin.lineinfile:
      path: '{{ item }}'
      line: account     required      pam_faillock.so
      insertbefore: ^account.*required.*pam_unix\.so.*
      state: present
    loop:
    - /etc/pam.d/system-auth
    - /etc/pam.d/password-auth
    when:
    - result_pam_faillock_is_enabled.found == 0
  when:
  - '"pam" in ansible_facts.packages'
  - not result_authselect_present.stat.exists
  tags:
  - CCE-80667-9
  - CJIS-5.5.3
  - DISA-STIG-RHEL-08-020011
  - NIST-800-171-3.1.8
  - NIST-800-53-AC-7(a)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.6
  - accounts_passwords_pam_faillock_deny
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
- name: XCCDF Value var_accounts_passwords_pam_faillock_deny # promote to variable
  set_fact:
    var_accounts_passwords_pam_faillock_deny: !!str 3
  tags:
    - always

- name: Lock Accounts After Failed Password Attempts - Check the presence of /etc/security/faillock.conf
    file
  ansible.builtin.stat:
    path: /etc/security/faillock.conf
  register: result_faillock_conf_check
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-80667-9
  - CJIS-5.5.3
  - DISA-STIG-RHEL-08-020011
  - NIST-800-171-3.1.8
  - NIST-800-53-AC-7(a)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.6
  - accounts_passwords_pam_faillock_deny
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Lock Accounts After Failed Password Attempts - Ensure the pam_faillock.so
    deny parameter in /etc/security/faillock.conf
  ansible.builtin.lineinfile:
    path: /etc/security/faillock.conf
    regexp: ^\s*deny\s*=
    line: deny = {{ var_accounts_passwords_pam_faillock_deny }}
    state: present
  when:
  - '"pam" in ansible_facts.packages'
  - result_faillock_conf_check.stat.exists
  tags:
  - CCE-80667-9
  - CJIS-5.5.3
  - DISA-STIG-RHEL-08-020011
  - NIST-800-171-3.1.8
  - NIST-800-53-AC-7(a)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.6
  - accounts_passwords_pam_faillock_deny
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Lock Accounts After Failed Password Attempts - Ensure the pam_faillock.so
    deny parameter not in PAM files
  block:

  - name: Lock Accounts After Failed Password Attempts - Check if /etc/pam.d/system-auth
      file is present
    ansible.builtin.stat:
      path: /etc/pam.d/system-auth
    register: result_pam_file_present

  - name: Lock Accounts After Failed Password Attempts - Check the proper remediation
      for the system
    block:

    - name: Lock Accounts After Failed Password Attempts - Define the PAM file to
        be edited as a local fact
      ansible.builtin.set_fact:
        pam_file_path: /etc/pam.d/system-auth

    - name: Lock Accounts After Failed Password Attempts - Check if system relies
        on authselect tool
      ansible.builtin.stat:
        path: /usr/bin/authselect
      register: result_authselect_present

    - name: Lock Accounts After Failed Password Attempts - Ensure authselect custom
        profile is used if authselect is present
      block:

      - name: Lock Accounts After Failed Password Attempts - Check integrity of authselect
          current profile
        ansible.builtin.command:
          cmd: authselect check
        register: result_authselect_check_cmd
        changed_when: false
        ignore_errors: true

      - name: Lock Accounts After Failed Password Attempts - Informative message based
          on the authselect integrity check result
        ansible.builtin.assert:
          that:
          - result_authselect_check_cmd is success
          fail_msg:
          - authselect integrity check failed. Remediation aborted!
          - This remediation could not be applied because an authselect profile was
            not selected or the selected profile is not intact.
          - It is not recommended to manually edit the PAM files when authselect tool
            is available.
          - In cases where the default authselect profile does not cover a specific
            demand, a custom authselect profile is recommended.
          success_msg:
          - authselect integrity check passed

      - name: Lock Accounts After Failed Password Attempts - Get authselect current
          profile
        ansible.builtin.shell:
          cmd: authselect current -r | awk '{ print $1 }'
        register: result_authselect_profile
        changed_when: false
        when:
        - result_authselect_check_cmd is success

      - name: Lock Accounts After Failed Password Attempts - Define the current authselect
          profile as a local fact
        ansible.builtin.set_fact:
          authselect_current_profile: '{{ result_authselect_profile.stdout }}'
          authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
        when:
        - result_authselect_profile is not skipped
        - result_authselect_profile.stdout is match("custom/")

      - name: Lock Accounts After Failed Password Attempts - Define the new authselect
          custom profile as a local fact
        ansible.builtin.set_fact:
          authselect_current_profile: '{{ result_authselect_profile.stdout }}'
          authselect_custom_profile: custom/hardening
        when:
        - result_authselect_profile is not skipped
        - result_authselect_profile.stdout is not match("custom/")

      - name: Lock Accounts After Failed Password Attempts - Get authselect current
          features to also enable them in the custom profile
        ansible.builtin.shell:
          cmd: authselect current | tail -n+3 | awk '{ print $2 }'
        register: result_authselect_features
        changed_when: false
        when:
        - result_authselect_profile is not skipped
        - authselect_current_profile is not match("custom/")

      - name: Lock Accounts After Failed Password Attempts - Check if any custom profile
          with the same name was already created
        ansible.builtin.stat:
          path: /etc/authselect/{{ authselect_custom_profile }}
        register: result_authselect_custom_profile_present
        changed_when: false
        when:
        - authselect_current_profile is not match("custom/")

      - name: Lock Accounts After Failed Password Attempts - Create an authselect
          custom profile based on the current profile
        ansible.builtin.command:
          cmd: authselect create-profile hardening -b {{ authselect_current_profile
            }}
        when:
        - result_authselect_check_cmd is success
        - authselect_current_profile is not match("custom/")
        - not result_authselect_custom_profile_present.stat.exists

      - name: Lock Accounts After Failed Password Attempts - Ensure authselect changes
          are applied
        ansible.builtin.command:
          cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
        when:
        - result_authselect_check_cmd is success
        - result_authselect_profile is not skipped
        - authselect_current_profile is not match("custom/")
        - authselect_custom_profile is not match(authselect_current_profile)

      - name: Lock Accounts After Failed Password Attempts - Ensure the authselect
          custom profile is selected
        ansible.builtin.command:
          cmd: authselect select {{ authselect_custom_profile }}
        register: result_pam_authselect_select_profile
        when:
        - result_authselect_check_cmd is success
        - result_authselect_profile is not skipped
        - authselect_current_profile is not match("custom/")
        - authselect_custom_profile is not match(authselect_current_profile)

      - name: Lock Accounts After Failed Password Attempts - Restore the authselect
          features in the custom profile
        ansible.builtin.command:
          cmd: authselect enable-feature {{ item }}
        loop: '{{ result_authselect_features.stdout_lines }}'
        register: result_pam_authselect_restore_features
        when:
        - result_authselect_profile is not skipped
        - result_authselect_features is not skipped
        - result_pam_authselect_select_profile is not skipped

      - name: Lock Accounts After Failed Password Attempts - Ensure authselect changes
          are applied
        ansible.builtin.command:
          cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
        when:
        - result_authselect_check_cmd is success
        - result_authselect_profile is not skipped
        - result_pam_authselect_restore_features is not skipped

      - name: Lock Accounts After Failed Password Attempts - Change the PAM file to
          be edited according to the custom authselect profile
        ansible.builtin.set_fact:
          pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
            | basename }}
      when:
      - result_authselect_present.stat.exists

    - name: Lock Accounts After Failed Password Attempts - Ensure the "deny" option
        from "pam_faillock.so" is not present in {{ pam_file_path }}
      ansible.builtin.replace:
        dest: '{{ pam_file_path }}'
        regexp: (.*auth.*pam_faillock.so.*)\bdeny\b=?[0-9a-zA-Z]*(.*)
        replace: \1\2
      register: result_pam_option_removal

    - name: Lock Accounts After Failed Password Attempts - Ensure authselect changes
        are applied
      ansible.builtin.command:
        cmd: authselect apply-changes -b
      when:
      - result_authselect_present.stat.exists
      - result_pam_option_removal is changed
    when:
    - result_pam_file_present.stat.exists

  - name: Lock Accounts After Failed Password Attempts - Check if /etc/pam.d/password-auth
      file is present
    ansible.builtin.stat:
      path: /etc/pam.d/password-auth
    register: result_pam_file_present

  - name: Lock Accounts After Failed Password Attempts - Check the proper remediation
      for the system
    block:

    - name: Lock Accounts After Failed Password Attempts - Define the PAM file to
        be edited as a local fact
      ansible.builtin.set_fact:
        pam_file_path: /etc/pam.d/password-auth

    - name: Lock Accounts After Failed Password Attempts - Check if system relies
        on authselect tool
      ansible.builtin.stat:
        path: /usr/bin/authselect
      register: result_authselect_present

    - name: Lock Accounts After Failed Password Attempts - Ensure authselect custom
        profile is used if authselect is present
      block:

      - name: Lock Accounts After Failed Password Attempts - Check integrity of authselect
          current profile
        ansible.builtin.command:
          cmd: authselect check
        register: result_authselect_check_cmd
        changed_when: false
        ignore_errors: true

      - name: Lock Accounts After Failed Password Attempts - Informative message based
          on the authselect integrity check result
        ansible.builtin.assert:
          that:
          - result_authselect_check_cmd is success
          fail_msg:
          - authselect integrity check failed. Remediation aborted!
          - This remediation could not be applied because an authselect profile was
            not selected or the selected profile is not intact.
          - It is not recommended to manually edit the PAM files when authselect tool
            is available.
          - In cases where the default authselect profile does not cover a specific
            demand, a custom authselect profile is recommended.
          success_msg:
          - authselect integrity check passed

      - name: Lock Accounts After Failed Password Attempts - Get authselect current
          profile
        ansible.builtin.shell:
          cmd: authselect current -r | awk '{ print $1 }'
        register: result_authselect_profile
        changed_when: false
        when:
        - result_authselect_check_cmd is success

      - name: Lock Accounts After Failed Password Attempts - Define the current authselect
          profile as a local fact
        ansible.builtin.set_fact:
          authselect_current_profile: '{{ result_authselect_profile.stdout }}'
          authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
        when:
        - result_authselect_profile is not skipped
        - result_authselect_profile.stdout is match("custom/")

      - name: Lock Accounts After Failed Password Attempts - Define the new authselect
          custom profile as a local fact
        ansible.builtin.set_fact:
          authselect_current_profile: '{{ result_authselect_profile.stdout }}'
          authselect_custom_profile: custom/hardening
        when:
        - result_authselect_profile is not skipped
        - result_authselect_profile.stdout is not match("custom/")

      - name: Lock Accounts After Failed Password Attempts - Get authselect current
          features to also enable them in the custom profile
        ansible.builtin.shell:
          cmd: authselect current | tail -n+3 | awk '{ print $2 }'
        register: result_authselect_features
        changed_when: false
        when:
        - result_authselect_profile is not skipped
        - authselect_current_profile is not match("custom/")

      - name: Lock Accounts After Failed Password Attempts - Check if any custom profile
          with the same name was already created
        ansible.builtin.stat:
          path: /etc/authselect/{{ authselect_custom_profile }}
        register: result_authselect_custom_profile_present
        changed_when: false
        when:
        - authselect_current_profile is not match("custom/")

      - name: Lock Accounts After Failed Password Attempts - Create an authselect
          custom profile based on the current profile
        ansible.builtin.command:
          cmd: authselect create-profile hardening -b {{ authselect_current_profile
            }}
        when:
        - result_authselect_check_cmd is success
        - authselect_current_profile is not match("custom/")
        - not result_authselect_custom_profile_present.stat.exists

      - name: Lock Accounts After Failed Password Attempts - Ensure authselect changes
          are applied
        ansible.builtin.command:
          cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
        when:
        - result_authselect_check_cmd is success
        - result_authselect_profile is not skipped
        - authselect_current_profile is not match("custom/")
        - authselect_custom_profile is not match(authselect_current_profile)

      - name: Lock Accounts After Failed Password Attempts - Ensure the authselect
          custom profile is selected
        ansible.builtin.command:
          cmd: authselect select {{ authselect_custom_profile }}
        register: result_pam_authselect_select_profile
        when:
        - result_authselect_check_cmd is success
        - result_authselect_profile is not skipped
        - authselect_current_profile is not match("custom/")
        - authselect_custom_profile is not match(authselect_current_profile)

      - name: Lock Accounts After Failed Password Attempts - Restore the authselect
          features in the custom profile
        ansible.builtin.command:
          cmd: authselect enable-feature {{ item }}
        loop: '{{ result_authselect_features.stdout_lines }}'
        register: result_pam_authselect_restore_features
        when:
        - result_authselect_profile is not skipped
        - result_authselect_features is not skipped
        - result_pam_authselect_select_profile is not skipped

      - name: Lock Accounts After Failed Password Attempts - Ensure authselect changes
          are applied
        ansible.builtin.command:
          cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
        when:
        - result_authselect_check_cmd is success
        - result_authselect_profile is not skipped
        - result_pam_authselect_restore_features is not skipped

      - name: Lock Accounts After Failed Password Attempts - Change the PAM file to
          be edited according to the custom authselect profile
        ansible.builtin.set_fact:
          pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
            | basename }}
      when:
      - result_authselect_present.stat.exists

    - name: Lock Accounts After Failed Password Attempts - Ensure the "deny" option
        from "pam_faillock.so" is not present in {{ pam_file_path }}
      ansible.builtin.replace:
        dest: '{{ pam_file_path }}'
        regexp: (.*auth.*pam_faillock.so.*)\bdeny\b=?[0-9a-zA-Z]*(.*)
        replace: \1\2
      register: result_pam_option_removal

    - name: Lock Accounts After Failed Password Attempts - Ensure authselect changes
        are applied
      ansible.builtin.command:
        cmd: authselect apply-changes -b
      when:
      - result_authselect_present.stat.exists
      - result_pam_option_removal is changed
    when:
    - result_pam_file_present.stat.exists
  when:
  - '"pam" in ansible_facts.packages'
  - result_faillock_conf_check.stat.exists
  tags:
  - CCE-80667-9
  - CJIS-5.5.3
  - DISA-STIG-RHEL-08-020011
  - NIST-800-171-3.1.8
  - NIST-800-53-AC-7(a)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.6
  - accounts_passwords_pam_faillock_deny
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Lock Accounts After Failed Password Attempts - Ensure the pam_faillock.so
    deny parameter in PAM files
  block:

  - name: Lock Accounts After Failed Password Attempts - Check if pam_faillock.so
      deny parameter is already enabled in pam files
    ansible.builtin.lineinfile:
      path: /etc/pam.d/system-auth
      regexp: .*auth.*pam_faillock\.so (preauth|authfail).*deny
      state: absent
    check_mode: true
    changed_when: false
    register: result_pam_faillock_deny_parameter_is_present

  - name: Lock Accounts After Failed Password Attempts - Ensure the inclusion of pam_faillock.so
      preauth deny parameter in auth section
    ansible.builtin.lineinfile:
      path: '{{ item }}'
      backrefs: true
      regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)
      line: \1required\3 deny={{ var_accounts_passwords_pam_faillock_deny }}
      state: present
    loop:
    - /etc/pam.d/system-auth
    - /etc/pam.d/password-auth
    when:
    - result_pam_faillock_deny_parameter_is_present.found == 0

  - name: Lock Accounts After Failed Password Attempts - Ensure the inclusion of pam_faillock.so
      authfail deny parameter in auth section
    ansible.builtin.lineinfile:
      path: '{{ item }}'
      backrefs: true
      regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)
      line: \1required\3 deny={{ var_accounts_passwords_pam_faillock_deny }}
      state: present
    loop:
    - /etc/pam.d/system-auth
    - /etc/pam.d/password-auth
    when:
    - result_pam_faillock_deny_parameter_is_present.found == 0

  - name: Lock Accounts After Failed Password Attempts - Ensure the desired value
      for pam_faillock.so preauth deny parameter in auth section
    ansible.builtin.lineinfile:
      path: '{{ item }}'
      backrefs: true
      regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)(deny)=[0-9]+(.*)
      line: \1required\3\4={{ var_accounts_passwords_pam_faillock_deny }}\5
      state: present
    loop:
    - /etc/pam.d/system-auth
    - /etc/pam.d/password-auth
    when:
    - result_pam_faillock_deny_parameter_is_present.found > 0

  - name: Lock Accounts After Failed Password Attempts - Ensure the desired value
      for pam_faillock.so authfail deny parameter in auth section
    ansible.builtin.lineinfile:
      path: '{{ item }}'
      backrefs: true
      regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)(deny)=[0-9]+(.*)
      line: \1required\3\4={{ var_accounts_passwords_pam_faillock_deny }}\5
      state: present
    loop:
    - /etc/pam.d/system-auth
    - /etc/pam.d/password-auth
    when:
    - result_pam_faillock_deny_parameter_is_present.found > 0
  when:
  - '"pam" in ansible_facts.packages'
  - not result_faillock_conf_check.stat.exists
  tags:
  - CCE-80667-9
  - CJIS-5.5.3
  - DISA-STIG-RHEL-08-020011
  - NIST-800-171-3.1.8
  - NIST-800-53-AC-7(a)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.6
  - accounts_passwords_pam_faillock_deny
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

OVAL test results details

No more than one pam_unix.so is expected in auth section of system-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_system_pam_unix_auth:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_deny_system_pam_unix_auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^[\s]*auth\N+pam_unix\.so	^/etc/pam.d/system-auth$	1

No more than one pam_unix.so is expected in auth section of password-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_password_pam_unix_auth:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_deny_password_pam_unix_auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^[\s]*auth\N+pam_unix\.so	^/etc/pam.d/password-auth$	1

One and only one occurrence is expected in auth section of system-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_system_pam_faillock_auth:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_deny_system_pam_faillock_auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^[\s]auth[\s]+(required\|\[(?=.?\bsuccess=ok\b)(?=.?\bnew_authtok_reqd=ok\b)(?=.?\bignore=ignore\b)(?=.?\bdefault=bad\b).\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]^[\s]auth[\s]+(sufficient\|\[(?=.\bsuccess=done\b)(?=.?\bnew_authtok_reqd=done\b)(?=.?\bdefault=ignore\b).\])[\s]+pam_unix\.so[\s\S]^[\s]auth[\s]+(required\|\[(?=.?\bsuccess=ok\b)(?=.?\bnew_authtok_reqd=ok\b)(?=.?\bignore=ignore\b)(?=.?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail	^/etc/pam.d/system-auth$	1

One and only one occurrence is expected in auth section of system-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_system_pam_faillock_account:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_deny_system_pam_faillock_account:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^[\s]account[\s]+(required\|\[(?=.?\bsuccess=ok\b)(?=.?\bnew_authtok_reqd=ok\b)(?=.?\bignore=ignore\b)(?=.?\bdefault=bad\b).\])[\s]+pam_faillock\.so[\s\S]^[\s]account[\s]+(required\|\[(?=.?\bsuccess=ok\b)(?=.?\bnew_authtok_reqd=ok\b)(?=.?\bignore=ignore\b)(?=.?\bdefault=bad\b).*\])[\s]+pam_unix\.so	^/etc/pam.d/system-auth$	1

One and only one occurrence is expected in auth section of password-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_password_pam_faillock_auth:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_deny_password_pam_faillock_auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^[\s]auth[\s]+(required\|\[(?=.?\bsuccess=ok\b)(?=.?\bnew_authtok_reqd=ok\b)(?=.?\bignore=ignore\b)(?=.?\bdefault=bad\b).\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]^[\s]auth[\s]+(sufficient\|\[(?=.\bsuccess=done\b)(?=.?\bnew_authtok_reqd=done\b)(?=.?\bdefault=ignore\b).\])[\s]+pam_unix\.so[\s\S]^[\s]auth[\s]+(required\|\[(?=.?\bsuccess=ok\b)(?=.?\bnew_authtok_reqd=ok\b)(?=.?\bignore=ignore\b)(?=.?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail	^/etc/pam.d/password-auth$	1

One and only one occurrence is expected in auth section of password-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_password_pam_faillock_account:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_deny_password_pam_faillock_account:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^[\s]account[\s]+(required\|\[(?=.?\bsuccess=ok\b)(?=.?\bnew_authtok_reqd=ok\b)(?=.?\bignore=ignore\b)(?=.?\bdefault=bad\b).\])[\s]+pam_faillock\.so[\s\S]^[\s]account[\s]+(required\|\[(?=.?\bsuccess=ok\b)(?=.?\bnew_authtok_reqd=ok\b)(?=.?\bignore=ignore\b)(?=.?\bdefault=bad\b).*\])[\s]+pam_unix\.so	^/etc/pam.d/password-auth$	1

Check the expected deny value in system-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_pamd_system:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_system:obj:1 of type textfilecontent54_object

Filepath

Pattern

Instance

^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+)

^/etc/pam.d/system-auth$

Check the expected deny value in password-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_pamd_password:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_password:obj:1 of type textfilecontent54_object

Filepath

Pattern

Instance

^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+)

^/etc/pam.d/password-auth$

Check the absence of deny parameter in /etc/security/faillock.conf oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_no_faillock_conf:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_faillock_conf:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^[\s]deny[\s]=[\s]*([0-9]+)	^/etc/security/faillock.conf$	1

Check the absence of deny parameter in system-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_no_pamd_system:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_system:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^[\s]auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]deny=([0-9]+)	^/etc/pam.d/system-auth$	1

Check the absence of deny parameter in password-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_no_pamd_password:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_password:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^[\s]auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]deny=([0-9]+)	^/etc/pam.d/password-auth$	1

Check the expected deny value in in /etc/security/faillock.conf oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_faillock_conf:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_faillock_conf:obj:1 of type textfilecontent54_object

Filepath

Pattern

Instance

^[\s]*deny[\s]*=[\s]*([0-9]+)

^/etc/security/faillock.conf$

Set Lockout Time for Failed Password Attempts

Rule ID xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1

Time 2026-03-23T19:57:55+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80670-3

References: BP28(R18), 5.4.2, 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(b), PR.AC-7, FIA_AFL.1, Req-8.1.7, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, RHEL-08-020016, SV-230338r627750_rule, SRG-OS-000329-VMM-001180

Description

This rule configures the system to lock out accounts during a specified time period after a number of incorrect login attempts using pam_faillock.so. pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. In order to avoid any errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, depending on the OS version. If unlock_time is set to 0, manual intervention by an administrator is required to unlock a user. This should be done using the faillock tool.

Rationale

By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.

Warnings

warning If the system supports the new /etc/security/faillock.conf file but the pam_faillock.so parameters are defined directly in /etc/pam.d/system-auth and /etc/pam.d/password-auth, the remediation will migrate the unlock_time parameter to /etc/security/faillock.conf to ensure compatibility with authselect tool. The parameters deny and fail_interval, if used, also have to be migrated by their respective remediation.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then

var_accounts_passwords_pam_faillock_unlock_time='900'


if [ -f /usr/bin/authselect ]; then
    if ! authselect check; then
echo "
authselect integrity check failed. Remediation aborted!
This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
It is not recommended to manually edit the PAM files when authselect tool is available.
In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
exit 1
fi
authselect enable-feature with-faillock

authselect apply-changes -b
else
    
AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
for pam_file in "${AUTH_FILES[@]}"
do
    if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then
        sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth        required      pam_faillock.so preauth silent' "$pam_file"
        sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth        required      pam_faillock.so authfail' "$pam_file"
        sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account     required      pam_faillock.so' "$pam_file"
    fi
    sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required     \3/g' "$pam_file"
done

fi

AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")

FAILLOCK_CONF="/etc/security/faillock.conf"
if [ -f $FAILLOCK_CONF ]; then
    regex="^\s*unlock_time\s*="
    line="unlock_time = $var_accounts_passwords_pam_faillock_unlock_time"
    if ! grep -q $regex $FAILLOCK_CONF; then
        echo $line >> $FAILLOCK_CONF
    else
        sed -i --follow-symlinks 's|^\s*\(unlock_time\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_unlock_time"'|g' $FAILLOCK_CONF
    fi
    for pam_file in "${AUTH_FILES[@]}"
    do
        if [ -e "$pam_file" ] ; then
            PAM_FILE_PATH="$pam_file"
            if [ -f /usr/bin/authselect ]; then
                
                if ! authselect check; then
                echo "
                authselect integrity check failed. Remediation aborted!
                This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
                It is not recommended to manually edit the PAM files when authselect tool is available.
                In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
                exit 1
                fi

                CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
                # If not already in use, a custom profile is created preserving the enabled features.
                if [[ ! $CURRENT_PROFILE == custom/* ]]; then
                    ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
                    authselect create-profile hardening -b $CURRENT_PROFILE
                    CURRENT_PROFILE="custom/hardening"
                    
                    authselect apply-changes -b --backup=before-hardening-custom-profile
                    authselect select $CURRENT_PROFILE
                    for feature in $ENABLED_FEATURES; do
                        authselect enable-feature $feature;
                    done
                    
                    authselect apply-changes -b --backup=after-hardening-custom-profile
                fi
                PAM_FILE_NAME=$(basename "$pam_file")
                PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"

                authselect apply-changes -b
            fi
            
        if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bunlock_time\b' "$PAM_FILE_PATH"; then
            sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bunlock_time\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
        fi
            if [ -f /usr/bin/authselect ]; then
                
                authselect apply-changes -b
            fi
        else
            echo "$pam_file was not found" >&2
        fi
    done
else
    for pam_file in "${AUTH_FILES[@]}"
    do
        if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*unlock_time' "$pam_file"; then
            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file"
            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file"
        else
            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"unlock_time"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file"
            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"unlock_time"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file"
        fi
    done
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-80670-3
  - CJIS-5.5.3
  - DISA-STIG-RHEL-08-020016
  - NIST-800-171-3.1.8
  - NIST-800-53-AC-7(b)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.7
  - accounts_passwords_pam_faillock_unlock_time
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set Lockout Time for Failed Password Attempts - Check if system relies on
    authselect tool
  ansible.builtin.stat:
    path: /usr/bin/authselect
  register: result_authselect_present
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-80670-3
  - CJIS-5.5.3
  - DISA-STIG-RHEL-08-020016
  - NIST-800-171-3.1.8
  - NIST-800-53-AC-7(b)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.7
  - accounts_passwords_pam_faillock_unlock_time
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set Lockout Time for Failed Password Attempts - Remediation where authselect
    tool is present
  block:

  - name: Set Lockout Time for Failed Password Attempts - Check integrity of authselect
      current profile
    ansible.builtin.command:
      cmd: authselect check
    register: result_authselect_check_cmd
    changed_when: false
    ignore_errors: true

  - name: Set Lockout Time for Failed Password Attempts - Informative message based
      on the authselect integrity check result
    ansible.builtin.assert:
      that:
      - result_authselect_check_cmd is success
      fail_msg:
      - authselect integrity check failed. Remediation aborted!
      - This remediation could not be applied because an authselect profile was not
        selected or the selected profile is not intact.
      - It is not recommended to manually edit the PAM files when authselect tool
        is available.
      - In cases where the default authselect profile does not cover a specific demand,
        a custom authselect profile is recommended.
      success_msg:
      - authselect integrity check passed

  - name: Set Lockout Time for Failed Password Attempts - Get authselect current features
    ansible.builtin.shell:
      cmd: authselect current | tail -n+3 | awk '{ print $2 }'
    register: result_authselect_features
    changed_when: false
    when:
    - result_authselect_check_cmd is success

  - name: Set Lockout Time for Failed Password Attempts - Ensure "with-faillock" feature
      is enabled using authselect tool
    ansible.builtin.command:
      cmd: authselect enable-feature with-faillock
    register: result_authselect_enable_feature_cmd
    when:
    - result_authselect_check_cmd is success
    - result_authselect_features.stdout is not search("with-faillock")

  - name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes
      are applied
    ansible.builtin.command:
      cmd: authselect apply-changes -b
    when:
    - result_authselect_enable_feature_cmd is not skipped
    - result_authselect_enable_feature_cmd is success
  when:
  - '"pam" in ansible_facts.packages'
  - result_authselect_present.stat.exists
  tags:
  - CCE-80670-3
  - CJIS-5.5.3
  - DISA-STIG-RHEL-08-020016
  - NIST-800-171-3.1.8
  - NIST-800-53-AC-7(b)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.7
  - accounts_passwords_pam_faillock_unlock_time
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set Lockout Time for Failed Password Attempts - Remediation where authselect
    tool is not present
  block:

  - name: Set Lockout Time for Failed Password Attempts - Check if pam_faillock.so
      is already enabled
    ansible.builtin.lineinfile:
      path: /etc/pam.d/system-auth
      regexp: .*auth.*pam_faillock\.so (preauth|authfail)
      state: absent
    check_mode: true
    changed_when: false
    register: result_pam_faillock_is_enabled

  - name: Set Lockout Time for Failed Password Attempts - Enable pam_faillock.so preauth
      editing PAM files
    ansible.builtin.lineinfile:
      path: '{{ item }}'
      line: auth        required      pam_faillock.so preauth
      insertbefore: ^auth.*sufficient.*pam_unix\.so.*
      state: present
    loop:
    - /etc/pam.d/system-auth
    - /etc/pam.d/password-auth
    when:
    - result_pam_faillock_is_enabled.found == 0

  - name: Set Lockout Time for Failed Password Attempts - Enable pam_faillock.so authfail
      editing PAM files
    ansible.builtin.lineinfile:
      path: '{{ item }}'
      line: auth        required      pam_faillock.so authfail
      insertbefore: ^auth.*required.*pam_deny\.so.*
      state: present
    loop:
    - /etc/pam.d/system-auth
    - /etc/pam.d/password-auth
    when:
    - result_pam_faillock_is_enabled.found == 0

  - name: Set Lockout Time for Failed Password Attempts - Enable pam_faillock.so account
      section editing PAM files
    ansible.builtin.lineinfile:
      path: '{{ item }}'
      line: account     required      pam_faillock.so
      insertbefore: ^account.*required.*pam_unix\.so.*
      state: present
    loop:
    - /etc/pam.d/system-auth
    - /etc/pam.d/password-auth
    when:
    - result_pam_faillock_is_enabled.found == 0
  when:
  - '"pam" in ansible_facts.packages'
  - not result_authselect_present.stat.exists
  tags:
  - CCE-80670-3
  - CJIS-5.5.3
  - DISA-STIG-RHEL-08-020016
  - NIST-800-171-3.1.8
  - NIST-800-53-AC-7(b)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.7
  - accounts_passwords_pam_faillock_unlock_time
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
- name: XCCDF Value var_accounts_passwords_pam_faillock_unlock_time # promote to variable
  set_fact:
    var_accounts_passwords_pam_faillock_unlock_time: !!str 900
  tags:
    - always

- name: Set Lockout Time for Failed Password Attempts - Check the presence of /etc/security/faillock.conf
    file
  ansible.builtin.stat:
    path: /etc/security/faillock.conf
  register: result_faillock_conf_check
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-80670-3
  - CJIS-5.5.3
  - DISA-STIG-RHEL-08-020016
  - NIST-800-171-3.1.8
  - NIST-800-53-AC-7(b)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.7
  - accounts_passwords_pam_faillock_unlock_time
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set Lockout Time for Failed Password Attempts - Ensure the pam_faillock.so
    unlock_time parameter in /etc/security/faillock.conf
  ansible.builtin.lineinfile:
    path: /etc/security/faillock.conf
    regexp: ^\s*unlock_time\s*=
    line: unlock_time = {{ var_accounts_passwords_pam_faillock_unlock_time }}
    state: present
  when:
  - '"pam" in ansible_facts.packages'
  - result_faillock_conf_check.stat.exists
  tags:
  - CCE-80670-3
  - CJIS-5.5.3
  - DISA-STIG-RHEL-08-020016
  - NIST-800-171-3.1.8
  - NIST-800-53-AC-7(b)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.7
  - accounts_passwords_pam_faillock_unlock_time
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set Lockout Time for Failed Password Attempts - Ensure the pam_faillock.so
    unlock_time parameter not in PAM files
  block:

  - name: Set Lockout Time for Failed Password Attempts - Check if /etc/pam.d/system-auth
      file is present
    ansible.builtin.stat:
      path: /etc/pam.d/system-auth
    register: result_pam_file_present

  - name: Set Lockout Time for Failed Password Attempts - Check the proper remediation
      for the system
    block:

    - name: Set Lockout Time for Failed Password Attempts - Define the PAM file to
        be edited as a local fact
      ansible.builtin.set_fact:
        pam_file_path: /etc/pam.d/system-auth

    - name: Set Lockout Time for Failed Password Attempts - Check if system relies
        on authselect tool
      ansible.builtin.stat:
        path: /usr/bin/authselect
      register: result_authselect_present

    - name: Set Lockout Time for Failed Password Attempts - Ensure authselect custom
        profile is used if authselect is present
      block:

      - name: Set Lockout Time for Failed Password Attempts - Check integrity of authselect
          current profile
        ansible.builtin.command:
          cmd: authselect check
        register: result_authselect_check_cmd
        changed_when: false
        ignore_errors: true

      - name: Set Lockout Time for Failed Password Attempts - Informative message
          based on the authselect integrity check result
        ansible.builtin.assert:
          that:
          - result_authselect_check_cmd is success
          fail_msg:
          - authselect integrity check failed. Remediation aborted!
          - This remediation could not be applied because an authselect profile was
            not selected or the selected profile is not intact.
          - It is not recommended to manually edit the PAM files when authselect tool
            is available.
          - In cases where the default authselect profile does not cover a specific
            demand, a custom authselect profile is recommended.
          success_msg:
          - authselect integrity check passed

      - name: Set Lockout Time for Failed Password Attempts - Get authselect current
          profile
        ansible.builtin.shell:
          cmd: authselect current -r | awk '{ print $1 }'
        register: result_authselect_profile
        changed_when: false
        when:
        - result_authselect_check_cmd is success

      - name: Set Lockout Time for Failed Password Attempts - Define the current authselect
          profile as a local fact
        ansible.builtin.set_fact:
          authselect_current_profile: '{{ result_authselect_profile.stdout }}'
          authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
        when:
        - result_authselect_profile is not skipped
        - result_authselect_profile.stdout is match("custom/")

      - name: Set Lockout Time for Failed Password Attempts - Define the new authselect
          custom profile as a local fact
        ansible.builtin.set_fact:
          authselect_current_profile: '{{ result_authselect_profile.stdout }}'
          authselect_custom_profile: custom/hardening
        when:
        - result_authselect_profile is not skipped
        - result_authselect_profile.stdout is not match("custom/")

      - name: Set Lockout Time for Failed Password Attempts - Get authselect current
          features to also enable them in the custom profile
        ansible.builtin.shell:
          cmd: authselect current | tail -n+3 | awk '{ print $2 }'
        register: result_authselect_features
        changed_when: false
        when:
        - result_authselect_profile is not skipped
        - authselect_current_profile is not match("custom/")

      - name: Set Lockout Time for Failed Password Attempts - Check if any custom
          profile with the same name was already created
        ansible.builtin.stat:
          path: /etc/authselect/{{ authselect_custom_profile }}
        register: result_authselect_custom_profile_present
        changed_when: false
        when:
        - authselect_current_profile is not match("custom/")

      - name: Set Lockout Time for Failed Password Attempts - Create an authselect
          custom profile based on the current profile
        ansible.builtin.command:
          cmd: authselect create-profile hardening -b {{ authselect_current_profile
            }}
        when:
        - result_authselect_check_cmd is success
        - authselect_current_profile is not match("custom/")
        - not result_authselect_custom_profile_present.stat.exists

      - name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes
          are applied
        ansible.builtin.command:
          cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
        when:
        - result_authselect_check_cmd is success
        - result_authselect_profile is not skipped
        - authselect_current_profile is not match("custom/")
        - authselect_custom_profile is not match(authselect_current_profile)

      - name: Set Lockout Time for Failed Password Attempts - Ensure the authselect
          custom profile is selected
        ansible.builtin.command:
          cmd: authselect select {{ authselect_custom_profile }}
        register: result_pam_authselect_select_profile
        when:
        - result_authselect_check_cmd is success
        - result_authselect_profile is not skipped
        - authselect_current_profile is not match("custom/")
        - authselect_custom_profile is not match(authselect_current_profile)

      - name: Set Lockout Time for Failed Password Attempts - Restore the authselect
          features in the custom profile
        ansible.builtin.command:
          cmd: authselect enable-feature {{ item }}
        loop: '{{ result_authselect_features.stdout_lines }}'
        register: result_pam_authselect_restore_features
        when:
        - result_authselect_profile is not skipped
        - result_authselect_features is not skipped
        - result_pam_authselect_select_profile is not skipped

      - name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes
          are applied
        ansible.builtin.command:
          cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
        when:
        - result_authselect_check_cmd is success
        - result_authselect_profile is not skipped
        - result_pam_authselect_restore_features is not skipped

      - name: Set Lockout Time for Failed Password Attempts - Change the PAM file
          to be edited according to the custom authselect profile
        ansible.builtin.set_fact:
          pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
            | basename }}
      when:
      - result_authselect_present.stat.exists

    - name: Set Lockout Time for Failed Password Attempts - Ensure the "unlock_time"
        option from "pam_faillock.so" is not present in {{ pam_file_path }}
      ansible.builtin.replace:
        dest: '{{ pam_file_path }}'
        regexp: (.*auth.*pam_faillock.so.*)\bunlock_time\b=?[0-9a-zA-Z]*(.*)
        replace: \1\2
      register: result_pam_option_removal

    - name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes
        are applied
      ansible.builtin.command:
        cmd: authselect apply-changes -b
      when:
      - result_authselect_present.stat.exists
      - result_pam_option_removal is changed
    when:
    - result_pam_file_present.stat.exists

  - name: Set Lockout Time for Failed Password Attempts - Check if /etc/pam.d/password-auth
      file is present
    ansible.builtin.stat:
      path: /etc/pam.d/password-auth
    register: result_pam_file_present

  - name: Set Lockout Time for Failed Password Attempts - Check the proper remediation
      for the system
    block:

    - name: Set Lockout Time for Failed Password Attempts - Define the PAM file to
        be edited as a local fact
      ansible.builtin.set_fact:
        pam_file_path: /etc/pam.d/password-auth

    - name: Set Lockout Time for Failed Password Attempts - Check if system relies
        on authselect tool
      ansible.builtin.stat:
        path: /usr/bin/authselect
      register: result_authselect_present

    - name: Set Lockout Time for Failed Password Attempts - Ensure authselect custom
        profile is used if authselect is present
      block:

      - name: Set Lockout Time for Failed Password Attempts - Check integrity of authselect
          current profile
        ansible.builtin.command:
          cmd: authselect check
        register: result_authselect_check_cmd
        changed_when: false
        ignore_errors: true

      - name: Set Lockout Time for Failed Password Attempts - Informative message
          based on the authselect integrity check result
        ansible.builtin.assert:
          that:
          - result_authselect_check_cmd is success
          fail_msg:
          - authselect integrity check failed. Remediation aborted!
          - This remediation could not be applied because an authselect profile was
            not selected or the selected profile is not intact.
          - It is not recommended to manually edit the PAM files when authselect tool
            is available.
          - In cases where the default authselect profile does not cover a specific
            demand, a custom authselect profile is recommended.
          success_msg:
          - authselect integrity check passed

      - name: Set Lockout Time for Failed Password Attempts - Get authselect current
          profile
        ansible.builtin.shell:
          cmd: authselect current -r | awk '{ print $1 }'
        register: result_authselect_profile
        changed_when: false
        when:
        - result_authselect_check_cmd is success

      - name: Set Lockout Time for Failed Password Attempts - Define the current authselect
          profile as a local fact
        ansible.builtin.set_fact:
          authselect_current_profile: '{{ result_authselect_profile.stdout }}'
          authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
        when:
        - result_authselect_profile is not skipped
        - result_authselect_profile.stdout is match("custom/")

      - name: Set Lockout Time for Failed Password Attempts - Define the new authselect
          custom profile as a local fact
        ansible.builtin.set_fact:
          authselect_current_profile: '{{ result_authselect_profile.stdout }}'
          authselect_custom_profile: custom/hardening
        when:
        - result_authselect_profile is not skipped
        - result_authselect_profile.stdout is not match("custom/")

      - name: Set Lockout Time for Failed Password Attempts - Get authselect current
          features to also enable them in the custom profile
        ansible.builtin.shell:
          cmd: authselect current | tail -n+3 | awk '{ print $2 }'
        register: result_authselect_features
        changed_when: false
        when:
        - result_authselect_profile is not skipped
        - authselect_current_profile is not match("custom/")

      - name: Set Lockout Time for Failed Password Attempts - Check if any custom
          profile with the same name was already created
        ansible.builtin.stat:
          path: /etc/authselect/{{ authselect_custom_profile }}
        register: result_authselect_custom_profile_present
        changed_when: false
        when:
        - authselect_current_profile is not match("custom/")

      - name: Set Lockout Time for Failed Password Attempts - Create an authselect
          custom profile based on the current profile
        ansible.builtin.command:
          cmd: authselect create-profile hardening -b {{ authselect_current_profile
            }}
        when:
        - result_authselect_check_cmd is success
        - authselect_current_profile is not match("custom/")
        - not result_authselect_custom_profile_present.stat.exists

      - name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes
          are applied
        ansible.builtin.command:
          cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
        when:
        - result_authselect_check_cmd is success
        - result_authselect_profile is not skipped
        - authselect_current_profile is not match("custom/")
        - authselect_custom_profile is not match(authselect_current_profile)

      - name: Set Lockout Time for Failed Password Attempts - Ensure the authselect
          custom profile is selected
        ansible.builtin.command:
          cmd: authselect select {{ authselect_custom_profile }}
        register: result_pam_authselect_select_profile
        when:
        - result_authselect_check_cmd is success
        - result_authselect_profile is not skipped
        - authselect_current_profile is not match("custom/")
        - authselect_custom_profile is not match(authselect_current_profile)

      - name: Set Lockout Time for Failed Password Attempts - Restore the authselect
          features in the custom profile
        ansible.builtin.command:
          cmd: authselect enable-feature {{ item }}
        loop: '{{ result_authselect_features.stdout_lines }}'
        register: result_pam_authselect_restore_features
        when:
        - result_authselect_profile is not skipped
        - result_authselect_features is not skipped
        - result_pam_authselect_select_profile is not skipped

      - name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes
          are applied
        ansible.builtin.command:
          cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
        when:
        - result_authselect_check_cmd is success
        - result_authselect_profile is not skipped
        - result_pam_authselect_restore_features is not skipped

      - name: Set Lockout Time for Failed Password Attempts - Change the PAM file
          to be edited according to the custom authselect profile
        ansible.builtin.set_fact:
          pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
            | basename }}
      when:
      - result_authselect_present.stat.exists

    - name: Set Lockout Time for Failed Password Attempts - Ensure the "unlock_time"
        option from "pam_faillock.so" is not present in {{ pam_file_path }}
      ansible.builtin.replace:
        dest: '{{ pam_file_path }}'
        regexp: (.*auth.*pam_faillock.so.*)\bunlock_time\b=?[0-9a-zA-Z]*(.*)
        replace: \1\2
      register: result_pam_option_removal

    - name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes
        are applied
      ansible.builtin.command:
        cmd: authselect apply-changes -b
      when:
      - result_authselect_present.stat.exists
      - result_pam_option_removal is changed
    when:
    - result_pam_file_present.stat.exists
  when:
  - '"pam" in ansible_facts.packages'
  - result_faillock_conf_check.stat.exists
  tags:
  - CCE-80670-3
  - CJIS-5.5.3
  - DISA-STIG-RHEL-08-020016
  - NIST-800-171-3.1.8
  - NIST-800-53-AC-7(b)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.7
  - accounts_passwords_pam_faillock_unlock_time
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set Lockout Time for Failed Password Attempts - Ensure the pam_faillock.so
    unlock_time parameter in PAM files
  block:

  - name: Set Lockout Time for Failed Password Attempts - Check if pam_faillock.so
      unlock_time parameter is already enabled in pam files
    ansible.builtin.lineinfile:
      path: /etc/pam.d/system-auth
      regexp: .*auth.*pam_faillock\.so (preauth|authfail).*unlock_time
      state: absent
    check_mode: true
    changed_when: false
    register: result_pam_faillock_unlock_time_parameter_is_present

  - name: Set Lockout Time for Failed Password Attempts - Ensure the inclusion of
      pam_faillock.so preauth unlock_time parameter in auth section
    ansible.builtin.lineinfile:
      path: '{{ item }}'
      backrefs: true
      regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)
      line: \1required\3 unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time
        }}
      state: present
    loop:
    - /etc/pam.d/system-auth
    - /etc/pam.d/password-auth
    when:
    - result_pam_faillock_unlock_time_parameter_is_present.found == 0

  - name: Set Lockout Time for Failed Password Attempts - Ensure the inclusion of
      pam_faillock.so authfail unlock_time parameter in auth section
    ansible.builtin.lineinfile:
      path: '{{ item }}'
      backrefs: true
      regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)
      line: \1required\3 unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time
        }}
      state: present
    loop:
    - /etc/pam.d/system-auth
    - /etc/pam.d/password-auth
    when:
    - result_pam_faillock_unlock_time_parameter_is_present.found == 0

  - name: Set Lockout Time for Failed Password Attempts - Ensure the desired value
      for pam_faillock.so preauth unlock_time parameter in auth section
    ansible.builtin.lineinfile:
      path: '{{ item }}'
      backrefs: true
      regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)(unlock_time)=[0-9]+(.*)
      line: \1required\3\4={{ var_accounts_passwords_pam_faillock_unlock_time }}\5
      state: present
    loop:
    - /etc/pam.d/system-auth
    - /etc/pam.d/password-auth
    when:
    - result_pam_faillock_unlock_time_parameter_is_present.found > 0

  - name: Set Lockout Time for Failed Password Attempts - Ensure the desired value
      for pam_faillock.so authfail unlock_time parameter in auth section
    ansible.builtin.lineinfile:
      path: '{{ item }}'
      backrefs: true
      regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)(unlock_time)=[0-9]+(.*)
      line: \1required\3\4={{ var_accounts_passwords_pam_faillock_unlock_time }}\5
      state: present
    loop:
    - /etc/pam.d/system-auth
    - /etc/pam.d/password-auth
    when:
    - result_pam_faillock_unlock_time_parameter_is_present.found > 0
  when:
  - '"pam" in ansible_facts.packages'
  - not result_faillock_conf_check.stat.exists
  tags:
  - CCE-80670-3
  - CJIS-5.5.3
  - DISA-STIG-RHEL-08-020016
  - NIST-800-171-3.1.8
  - NIST-800-53-AC-7(b)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.7
  - accounts_passwords_pam_faillock_unlock_time
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

OVAL test results details

No more than one pam_unix.so is expected in auth section of system-auth oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system_pam_unix_auth:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_system_pam_unix_auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^[\s]*auth\N+pam_unix\.so	^/etc/pam.d/system-auth$	1

No more than one pam_unix.so is expected in auth section of password-auth oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password_pam_unix_auth:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_password_pam_unix_auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^[\s]*auth\N+pam_unix\.so	^/etc/pam.d/password-auth$	1

One and only one occurrence is expected in auth section of system-auth oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_auth:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^[\s]auth[\s]+(required\|\[(?=.?\bsuccess=ok\b)(?=.?\bnew_authtok_reqd=ok\b)(?=.?\bignore=ignore\b)(?=.?\bdefault=bad\b).\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]^[\s]auth[\s]+(sufficient\|\[(?=.\bsuccess=done\b)(?=.?\bnew_authtok_reqd=done\b)(?=.?\bdefault=ignore\b).\])[\s]+pam_unix\.so[\s\S]^[\s]auth[\s]+(required\|\[(?=.?\bsuccess=ok\b)(?=.?\bnew_authtok_reqd=ok\b)(?=.?\bignore=ignore\b)(?=.?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail	^/etc/pam.d/system-auth$	1

One and only one occurrence is expected in auth section of system-auth oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_account:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_account:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^[\s]account[\s]+(required\|\[(?=.?\bsuccess=ok\b)(?=.?\bnew_authtok_reqd=ok\b)(?=.?\bignore=ignore\b)(?=.?\bdefault=bad\b).\])[\s]+pam_faillock\.so[\s\S]^[\s]account[\s]+(required\|\[(?=.?\bsuccess=ok\b)(?=.?\bnew_authtok_reqd=ok\b)(?=.?\bignore=ignore\b)(?=.?\bdefault=bad\b).*\])[\s]+pam_unix\.so	^/etc/pam.d/system-auth$	1

One and only one occurrence is expected in auth section of password-auth oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_auth:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^[\s]auth[\s]+(required\|\[(?=.?\bsuccess=ok\b)(?=.?\bnew_authtok_reqd=ok\b)(?=.?\bignore=ignore\b)(?=.?\bdefault=bad\b).\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]^[\s]auth[\s]+(sufficient\|\[(?=.\bsuccess=done\b)(?=.?\bnew_authtok_reqd=done\b)(?=.?\bdefault=ignore\b).\])[\s]+pam_unix\.so[\s\S]^[\s]auth[\s]+(required\|\[(?=.?\bsuccess=ok\b)(?=.?\bnew_authtok_reqd=ok\b)(?=.?\bignore=ignore\b)(?=.?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail	^/etc/pam.d/password-auth$	1

One and only one occurrence is expected in auth section of password-auth oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_account:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_account:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^[\s]account[\s]+(required\|\[(?=.?\bsuccess=ok\b)(?=.?\bnew_authtok_reqd=ok\b)(?=.?\bignore=ignore\b)(?=.?\bdefault=bad\b).\])[\s]+pam_faillock\.so[\s\S]^[\s]account[\s]+(required\|\[(?=.?\bsuccess=ok\b)(?=.?\bnew_authtok_reqd=ok\b)(?=.?\bignore=ignore\b)(?=.?\bdefault=bad\b).*\])[\s]+pam_unix\.so	^/etc/pam.d/password-auth$	1

Check the expected unlock_time value in system-auth oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system:obj:1 of type textfilecontent54_object

Filepath

Pattern

Instance

900

^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+)

^/etc/pam.d/system-auth$

Check the expected unlock_time value in password-auth oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password:obj:1 of type textfilecontent54_object

Filepath

Pattern

Instance

900

^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+)

^/etc/pam.d/password-auth$

Check the absence of unlock_time parameter in /etc/security/faillock.conf oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_no_faillock_conf:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^[\s]unlock_time[\s]=[\s]*([0-9]+)	^/etc/security/faillock.conf$	1

Check the absence of unlock_time parameter in system-auth oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_no_pamd_system:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^[\s]auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]unlock_time=([0-9]+)	^/etc/pam.d/system-auth$	1

Check the absence of unlock_time parameter in password-auth oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_no_pamd_password:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^[\s]auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]unlock_time=([0-9]+)	^/etc/pam.d/password-auth$	1

Check the expected unlock_time value in in /etc/security/faillock.conf oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf:obj:1 of type textfilecontent54_object

Filepath

Pattern

Instance

900

^[\s]*unlock_time[\s]*=[\s]*([0-9]+)

^/etc/security/faillock.conf$

Ensure PAM Enforces Password Requirements - Minimum Different Categories

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-accounts_password_pam_minclass:def:1

Time 2026-03-23T19:57:55+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82046-4

References: 5.5.1, 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000195, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040, RHEL-08-020160, SV-230362r858781_rule

Description

The pam_pwquality module's minclass parameter controls requirements for usage of different character classes, or types, of character that must exist in a password before it is considered valid. For example, setting this value to three (3) requires that any password must have characters from at least three different categories in order to be approved. The default value is zero (0), meaning there are no required classes. There are four categories available:

* Upper-case characters
* Lower-case characters
* Digits
* Special characters (for example, punctuation)

Modify the minclass setting in /etc/security/pwquality.conf entry to require 4 differing categories of characters when changing passwords.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Requiring a minimum number of character categories makes password guessing attacks more difficult by ensuring a larger search space.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then

var_password_pam_minclass='4'






# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/security/pwquality.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^minclass")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_minclass"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^minclass\\>" "/etc/security/pwquality.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^minclass\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
else
    # \n is precaution for case where file ends without trailing newline
    cce="CCE-82046-4"
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
    printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-82046-4
  - DISA-STIG-RHEL-08-020160
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(4)
  - NIST-800-53-IA-5(c)
  - accounts_password_pam_minclass
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
- name: XCCDF Value var_password_pam_minclass # promote to variable
  set_fact:
    var_password_pam_minclass: !!str 4
  tags:
    - always

- name: Ensure PAM Enforces Password Requirements - Minimum Different Categories -
    Ensure PAM variable minclass is set accordingly
  ansible.builtin.lineinfile:
    create: true
    dest: /etc/security/pwquality.conf
    regexp: ^#?\s*minclass
    line: minclass = {{ var_password_pam_minclass }}
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-82046-4
  - DISA-STIG-RHEL-08-020160
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(4)
  - NIST-800-53-IA-5(c)
  - accounts_password_pam_minclass
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

OVAL test results details

check the configuration of /etc/pam.d/system-auth oval:ssg-test_password_pam_pwquality:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/system-auth	password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=

check the configuration of /etc/security/pwquality.conf oval:ssg-test_password_pam_pwquality_minclass:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_password_pam_pwquality_minclass:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^/etc/security/pwquality\.conf$	^\sminclass[\s]=[\s]*(-?\d+)(?:[\s]\|$)	1

Ensure PAM Enforces Password Requirements - Minimum Length

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-accounts_password_pam_minlen:def:1

Time 2026-03-23T19:57:55+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80656-2

References: BP28(R18), 5.5.1, 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000205, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, Req-8.2.3, SRG-OS-000078-GPOS-00046, RHEL-08-020230, SV-230369r858785_rule, SRG-OS-000072-VMM-000390, SRG-OS-000078-VMM-000450

Description

The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen=14 after pam_pwquality to set minimum password length requirements.

Rationale

The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then

var_password_pam_minlen='14'






# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/security/pwquality.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^minlen")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_minlen"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^minlen\\>" "/etc/security/pwquality.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^minlen\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
else
    # \n is precaution for case where file ends without trailing newline
    cce="CCE-80656-2"
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
    printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-80656-2
  - CJIS-5.6.2.1.1
  - DISA-STIG-RHEL-08-020230
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(4)
  - NIST-800-53-IA-5(c)
  - PCI-DSS-Req-8.2.3
  - accounts_password_pam_minlen
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
- name: XCCDF Value var_password_pam_minlen # promote to variable
  set_fact:
    var_password_pam_minlen: !!str 14
  tags:
    - always

- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure PAM variable
    minlen is set accordingly
  ansible.builtin.lineinfile:
    create: true
    dest: /etc/security/pwquality.conf
    regexp: ^#?\s*minlen
    line: minlen = {{ var_password_pam_minlen }}
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-80656-2
  - CJIS-5.6.2.1.1
  - DISA-STIG-RHEL-08-020230
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(4)
  - NIST-800-53-IA-5(c)
  - PCI-DSS-Req-8.2.3
  - accounts_password_pam_minlen
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

OVAL test results details

check the configuration of /etc/pam.d/system-auth oval:ssg-test_password_pam_pwquality:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/system-auth	password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=

check the configuration of /etc/security/pwquality.conf oval:ssg-test_password_pam_pwquality_minlen:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_password_pam_pwquality_minlen:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^/etc/security/pwquality\.conf$	^\sminlen[\s]=[\s]*(-?\d+)(?:[\s]\|$)	1

Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session

Rule ID	xccdf_org.ssgproject.content_rule_accounts_password_pam_retry
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_password_pam_retry:def:1
Time	2026-03-23T19:57:55+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80664-6 References: 5.4.1, 1, 11, 12, 15, 16, 3, 5, 9, 5.5.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000192, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, PR.IP-1, FMT_MOF_EXT.1, SRG-OS-000069-GPOS-00037, SRG-OS-000480-GPOS-00227, RHEL-08-020104, SV-251716r858737_rule
Description	To configure the number of retry prompts that are permitted per-session: Edit the `/etc/security/pwquality.conf` to include `retry=3`, or a lower value if site policy is more restrictive. The DoD requirement is a maximum of 3 prompts per session.
Rationale	Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module.

OVAL test results details

check the configuration of /etc/pam.d/password-auth oval:ssg-test_password_pam_pwquality_retry_password_auth:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/password-auth	password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=

check the configuration of /etc/pam.d/system-auth oval:ssg-test_password_pam_pwquality_retry_system_auth:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/system-auth	password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=

check the configuration of /etc/pam.d/password-auth oval:ssg-test_password_pam_pwquality_retry_password_auth_not_set:tst:1 false

Following items have been found on the system:

Path	Content
/etc/pam.d/password-auth	password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=

check the configuration of /etc/pam.d/system-auth oval:ssg-test_password_pam_pwquality_retry_system_auth_not_set:tst:1 false

Following items have been found on the system:

Path	Content
/etc/pam.d/system-auth	password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=

check the configuration of /etc/security/pwquality.conf oval:ssg-test_password_pam_pwquality_retry_pwquality_conf:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_password_pam_pwquality_retry_pwquality_conf:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/security/pwquality.conf	^[\s]retry[\s]=[\s]*(\d+)(?:[\s]\|$)	1

Set PAM''s Password Hashing Algorithm - password-auth

Rule ID	xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-set_password_hashing_algorithm_passwordauth:def:1
Time	2026-03-23T19:57:55+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-85945-4 References: BP28(R32), 5.5.4, 1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, CCI-000196, CCI-000803, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(c), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061, RHEL-08-010160, SV-230237r809276_rule, SRG-OS-000480-VMM-002000
Description	The PAM system service can be configured to only store encrypted representations of passwords. In `/etc/pam.d/password-auth`, the `password` section of the file controls which PAM modules execute during a password change. Set the `pam_unix.so` module in the `password` section to include the argument `sha512`, as shown below: password sufficient pam_unix.so sha512 other arguments... This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.
Rationale	Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kepy in plain text. This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the `crypt_style` configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.

OVAL test results details

check /etc/pam.d/password-auth for correct settings oval:ssg-test_pam_unix_passwordauth_sha512:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/password-auth	password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow

Set PAM''s Password Hashing Algorithm

Rule ID	xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-set_password_hashing_algorithm_systemauth:def:1
Time	2026-03-23T19:57:55+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80893-1 References: BP28(R32), 5.4.4, 1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, CCI-000196, CCI-000803, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(c), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061, RHEL-08-010159, SV-244524r809331_rule, SRG-OS-000480-VMM-002000
Description	The PAM system service can be configured to only store encrypted representations of passwords. In "/etc/pam.d/system-auth", the `password` section of the file controls which PAM modules execute during a password change. Set the `pam_unix.so` module in the `password` section to include the argument `sha512`, as shown below: password sufficient pam_unix.so sha512 other arguments... This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.
Rationale	Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kepy in plain text. This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the `crypt_style` configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.

OVAL test results details

check /etc/pam.d/system-auth for correct settings oval:ssg-test_pam_unix_sha512:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/system-auth	password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow

Require Authentication for Emergency Systemd Target

Rule ID	xccdf_org.ssgproject.content_rule_require_emergency_target_auth
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-require_emergency_target_auth:def:1
Time	2026-03-23T19:57:55+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82186-8 References: 1.4.3, 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.1.1, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-2, AC-3, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, RHEL-08-010152, SV-244523r743818_rule
Description	Emergency mode is intended as a system recovery method, providing a single user root access to the system during a failed boot sequence. By default, Emergency mode is protected by requiring a password and is set in `/usr/lib/systemd/system/emergency.service`.
Rationale	This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.

OVAL test results details

Tests that /usr/lib/systemd/systemd-sulogin-shell was not removed from the default systemd emergency.service to ensure that a password must be entered to access single user mode oval:ssg-test_require_emergency_service:tst:1 true

Following items have been found on the system:

Path	Content
/usr/lib/systemd/system/emergency.service	ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency

Tests that the systemd emergency.service is in the emergency.target oval:ssg-test_require_emergency_service_emergency_target:tst:1 true

Following items have been found on the system:

Path	Content
/usr/lib/systemd/system/emergency.target	Requires=emergency.service

look for emergency.target in /etc/systemd/system oval:ssg-test_no_custom_emergency_target:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_no_custom_emergency_target:obj:1 of type file_object

Behaviors	Path	Filename
no value	/etc/systemd/system	^emergency.target$

look for emergency.service in /etc/systemd/system oval:ssg-test_no_custom_emergency_service:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_no_custom_emergency_service:obj:1 of type file_object

Behaviors	Path	Filename
no value	/etc/systemd/system	^emergency.service$

Require Authentication for Single User Mode

Rule ID	xccdf_org.ssgproject.content_rule_require_singleuser_auth
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-require_singleuser_auth:def:1
Time	2026-03-23T19:57:55+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80855-0 References: 1.4.3, 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.1.1, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-2, AC-3, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, RHEL-08-010151, SV-230236r743928_rule
Description	Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, single-user mode is protected by requiring a password and is set in `/usr/lib/systemd/system/rescue.service`.
Rationale	This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.

OVAL test results details

Tests that /usr/lib/systemd/systemd-sulogin-shell was not removed from the default systemd rescue.service to ensure that a password must be entered to access single user mode oval:ssg-test_require_rescue_service:tst:1 true

Following items have been found on the system:

Path	Content
/usr/lib/systemd/system/rescue.service	ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue

Set Account Expiration Following Inactivity

Rule ID xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-account_disable_post_pw_expiration:def:1

Time 2026-03-23T19:57:55+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80954-1

References: 5.6.1.4, 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.6.2.1.1, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.6, CCI-000017, CCI-000795, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, IA-4(e), AC-2(3), CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, Req-8.1.4, SRG-OS-000118-GPOS-00060, RHEL-08-020260, SV-230373r627750_rule, SRG-OS-000003-VMM-000030, SRG-OS-000118-VMM-000590

Description

To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following line in /etc/default/useradd:

INACTIVE=30

If a password is currently on the verge of expiration, then 30 day(s) remain(s) until the account is automatically disabled. However, if the password will not expire for another 60 days, then 60 days plus 30 day(s) could elapse until the account would be automatically disabled. See the useradd man page for more information.

Rationale

Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if rpm --quiet -q shadow-utils; then

var_account_disable_post_pw_expiration='30'


# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/default/useradd"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^INACTIVE")

# shellcheck disable=SC2059
printf -v formatted_output "%s=%s" "$stripped_key" "$var_account_disable_post_pw_expiration"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^INACTIVE\\>" "/etc/default/useradd"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^INACTIVE\\>.*/$escaped_formatted_output/gi" "/etc/default/useradd"
else
    # \n is precaution for case where file ends without trailing newline
    cce="CCE-80954-1"
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/default/useradd" >> "/etc/default/useradd"
    printf '%s\n' "$formatted_output" >> "/etc/default/useradd"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-80954-1
  - CJIS-5.6.2.1.1
  - DISA-STIG-RHEL-08-020260
  - NIST-800-171-3.5.6
  - NIST-800-53-AC-2(3)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-4(e)
  - PCI-DSS-Req-8.1.4
  - account_disable_post_pw_expiration
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
- name: XCCDF Value var_account_disable_post_pw_expiration # promote to variable
  set_fact:
    var_account_disable_post_pw_expiration: !!str 30
  tags:
    - always

- name: Set Account Expiration Following Inactivity
  lineinfile:
    create: true
    dest: /etc/default/useradd
    regexp: ^INACTIVE
    line: INACTIVE={{ var_account_disable_post_pw_expiration }}
  when: '"shadow-utils" in ansible_facts.packages'
  tags:
  - CCE-80954-1
  - CJIS-5.6.2.1.1
  - DISA-STIG-RHEL-08-020260
  - NIST-800-171-3.5.6
  - NIST-800-53-AC-2(3)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-4(e)
  - PCI-DSS-Req-8.1.4
  - account_disable_post_pw_expiration
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

OVAL test results details

the value INACTIVE parameter should be set appropriately in /etc/default/useradd oval:ssg-test_etc_default_useradd_inactive:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_etc_default_useradd_inactive:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/default/useradd	^\sINACTIVE\s=\s(\d+)\s$	1

Ensure All Accounts on the System Have Unique Names

Rule ID	xccdf_org.ssgproject.content_rule_account_unique_name
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-account_unique_name:def:1
Time	2026-03-23T19:57:55+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80674-5 References: 6.2.5, 5.5.2, CCI-000770, CCI-000804, Req-8.1.1
Description	Ensure accounts on the system have unique names. To ensure all accounts have unique names, run the following command: $ sudo getent passwd \| awk -F: '{ print $1}' \| uniq -d If a username is returned, change or delete the username.
Rationale	Unique usernames allow for accountability on the system.

OVAL test results details

There should not exist duplicate user name entries in /etc/passwd oval:ssg-test_etc_passwd_no_duplicate_user_names:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-variable_count_of_all_usernames_from_etc_passwd:var:1	27

Set Password Maximum Age

Rule ID xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-accounts_maximum_age_login_defs:def:1

Time 2026-03-23T19:57:55+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80647-1

References: BP28(R18), 5.6.1.1, 1, 12, 15, 16, 5, 5.6.2.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.6, CCI-000199, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(d), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.4, SRG-OS-000076-GPOS-00044, RHEL-08-020200, SV-230366r646878_rule

Description

To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line:

PASS_MAX_DAYS 365

A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is 365.

Rationale

Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.

Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if rpm --quiet -q shadow-utils; then

var_accounts_maximum_age_login_defs='365'


grep -q ^PASS_MAX_DAYS /etc/login.defs && \
  sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS     $var_accounts_maximum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
    echo "PASS_MAX_DAYS      $var_accounts_maximum_age_login_defs" >> /etc/login.defs
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-80647-1
  - CJIS-5.6.2.1
  - DISA-STIG-RHEL-08-020200
  - NIST-800-171-3.5.6
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(d)
  - NIST-800-53-IA-5(f)
  - PCI-DSS-Req-8.2.4
  - accounts_maximum_age_login_defs
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
- name: XCCDF Value var_accounts_maximum_age_login_defs # promote to variable
  set_fact:
    var_accounts_maximum_age_login_defs: !!str 365
  tags:
    - always

- name: Set Password Maximum Age
  lineinfile:
    create: true
    dest: /etc/login.defs
    regexp: ^#?PASS_MAX_DAYS
    line: PASS_MAX_DAYS {{ var_accounts_maximum_age_login_defs }}
  when: '"shadow-utils" in ansible_facts.packages'
  tags:
  - CCE-80647-1
  - CJIS-5.6.2.1
  - DISA-STIG-RHEL-08-020200
  - NIST-800-171-3.5.6
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(d)
  - NIST-800-53-IA-5(f)
  - PCI-DSS-Req-8.2.4
  - accounts_maximum_age_login_defs
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

OVAL test results details

The value of PASS_MAX_DAYS should be set appropriately in /etc/login.defs oval:ssg-test_pass_max_days:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-variable_last_pass_max_days_instance_value:var:1	99999

Set Password Minimum Age

Rule ID xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-accounts_minimum_age_login_defs:def:1

Time 2026-03-23T19:57:55+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80648-9

References: 5.6.1.2, 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, CCI-000198, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(d), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.3.9, SRG-OS-000075-GPOS-00043, RHEL-08-020190, SV-230365r858727_rule

Description

To specify password minimum age for new accounts, edit the file /etc/login.defs and add or correct the following line:

PASS_MIN_DAYS 7

A value of 1 day is considered sufficient for many environments. The DoD requirement is 1. The profile requirement is 7.

Rationale

Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.

Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if rpm --quiet -q shadow-utils; then

var_accounts_minimum_age_login_defs='7'


grep -q ^PASS_MIN_DAYS /etc/login.defs && \
  sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS     $var_accounts_minimum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
    echo "PASS_MIN_DAYS      $var_accounts_minimum_age_login_defs" >> /etc/login.defs
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-80648-9
  - CJIS-5.6.2.1.1
  - DISA-STIG-RHEL-08-020190
  - NIST-800-171-3.5.8
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(d)
  - NIST-800-53-IA-5(f)
  - PCI-DSS-Req-8.3.9
  - accounts_minimum_age_login_defs
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
- name: XCCDF Value var_accounts_minimum_age_login_defs # promote to variable
  set_fact:
    var_accounts_minimum_age_login_defs: !!str 7
  tags:
    - always

- name: Set Password Minimum Age
  lineinfile:
    create: true
    dest: /etc/login.defs
    regexp: ^#?PASS_MIN_DAYS
    line: PASS_MIN_DAYS {{ var_accounts_minimum_age_login_defs }}
  when: '"shadow-utils" in ansible_facts.packages'
  tags:
  - CCE-80648-9
  - CJIS-5.6.2.1.1
  - DISA-STIG-RHEL-08-020190
  - NIST-800-171-3.5.8
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(d)
  - NIST-800-53-IA-5(f)
  - PCI-DSS-Req-8.3.9
  - accounts_minimum_age_login_defs
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

OVAL test results details

The value of PASS_MIN_DAYS should be set appropriately in /etc/login.defs oval:ssg-test_pass_min_days:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-variable_last_pass_min_days_instance_value:var:1	0

Set Existing Passwords Maximum Age

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-accounts_password_set_max_life_existing:def:1

Time 2026-03-23T19:57:55+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82473-0

References: 5.6.1.1, CCI-000199, IA-5(f), IA-5(1)(d), CM-6(a), SRG-OS-000076-GPOS-00044, RHEL-08-020210, SV-230367r627750_rule, SRG-OS-000076-VMM-000430

Description

Configure non-compliant accounts to enforce a 365-day maximum password lifetime restriction by running the following command:

$ sudo chage -M 365 USER

Rationale

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict


var_accounts_maximum_age_login_defs='365'


while IFS= read -r i; do
    chage -M $var_accounts_maximum_age_login_defs $i
done <   <(awk -v var="$var_accounts_maximum_age_login_defs" -F: '(/^[^:]+:[^!*]/ && ($5 > var || $5 == "")) {print $1}' /etc/shadow)

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: XCCDF Value var_accounts_maximum_age_login_defs # promote to variable
  set_fact:
    var_accounts_maximum_age_login_defs: !!str 365
  tags:
    - always

- name: Collect users with not correct maximum time period between password changes
  ansible.builtin.command:
    cmd: awk -F':' '(/^[^:]+:[^!*]/ && ($5 > {{ var_accounts_maximum_age_login_defs
      }} || $5 == "")) {print $1}' /etc/shadow
  register: user_names
  tags:
  - CCE-82473-0
  - DISA-STIG-RHEL-08-020210
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(d)
  - NIST-800-53-IA-5(f)
  - accounts_password_set_max_life_existing
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Change the maximum time period between password changes
  ansible.builtin.user:
    user: '{{ item }}'
    password_expire_max: '{{ var_accounts_maximum_age_login_defs }}'
  with_items: '{{ user_names.stdout_lines }}'
  when: user_names.stdout_lines | length > 0
  tags:
  - CCE-82473-0
  - DISA-STIG-RHEL-08-020210
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(d)
  - NIST-800-53-IA-5(f)
  - accounts_password_set_max_life_existing
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

OVAL test results details

Password maximum lifetime for existing accounts is at least the minimum. oval:ssg-test_password_max_life_existing:tst:1 false

Following items have been found on the system:

Username	Password	Chg lst	Chg allow	Chg req	Exp warn	Exp inact	Exp date	Flag	Encrypt method
root		-1	0	99999	7	-1	-1	18446744073709551615	SHA-512
sysadmin		-1	0	99999	7	-1	-1	18446744073709551615	SHA-512

Password maximum life entry is at least a defined minimum oval:ssg-test_password_max_life_existing_minimum:tst:1 true

Following items have been found on the system:

Username	Password	Chg lst	Chg allow	Chg req	Exp warn	Exp inact	Exp date	Flag	Encrypt method
root		-1	0	99999	7	-1	-1	18446744073709551615	SHA-512
sysadmin		-1	0	99999	7	-1	-1	18446744073709551615	SHA-512

Set Existing Passwords Minimum Age

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-accounts_password_set_min_life_existing:def:1

Time 2026-03-23T19:57:55+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82472-2

References: 5.6.1.2, CCI-000198, IA-5(f), IA-5(1)(d), CM-6(a), SRG-OS-000075-GPOS-00043, RHEL-08-020180, SV-230364r627750_rule, SRG-OS-000075-VMM000420

Description

Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime by running the following command:

$ sudo chage -m 1 USER

Rationale

Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict


var_accounts_minimum_age_login_defs='7'


while IFS= read -r i; do
    chage -m $var_accounts_minimum_age_login_defs $i
done <   <(awk -v var="$var_accounts_minimum_age_login_defs" -F: '(/^[^:]+:[^!*]/ && ($4 < var || $4 == "")) {print $1}' /etc/shadow)

OVAL test results details

Password minimum lifetime for existing accounts is at least what is defined by policy. oval:ssg-test_password_min_life_existing:tst:1 false

Following items have been found on the system:

Username	Password	Chg lst	Chg allow	Chg req	Exp warn	Exp inact	Exp date	Flag	Encrypt method
root		-1	0	99999	7	-1	-1	18446744073709551615	SHA-512
sysadmin		-1	0	99999	7	-1	-1	18446744073709551615	SHA-512

Password minimum life entry is at mosta defined maximum oval:ssg-test_password_min_life_existing_maximum:tst:1 true

Following items have been found on the system:

Username	Password	Chg lst	Chg allow	Chg req	Exp warn	Exp inact	Exp date	Flag	Encrypt method
root		-1	0	99999	7	-1	-1	18446744073709551615	SHA-512
sysadmin		-1	0	99999	7	-1	-1	18446744073709551615	SHA-512

Set Password Warning Age

Rule ID	xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_password_warn_age_login_defs:def:1
Time	2026-03-23T19:57:55+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80671-1 References: 5.6.1.3, 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, 0418, 1055, 1402, A.12.4.1, A.12.4.3, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-5(f), IA-5(1)(d), CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, Req-8.3.9
Description	To specify how many days prior to password expiration that a warning will be issued to users, edit the file `/etc/login.defs` and add or correct the following line: PASS_WARN_AGE 7 The DoD requirement is 7. The profile requirement is `7`.
Rationale	Setting the password warning age enables users to make the change at a practical time.

OVAL test results details

The value of PASS_WARN_AGE should be set appropriately in /etc/login.defs oval:ssg-test_pass_warn_age:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-variable_last_pass_warn_age_instance_value:var:1	7

All GIDs referenced in /etc/passwd must be defined in /etc/group

Rule ID	xccdf_org.ssgproject.content_rule_gid_passwd_group_same
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-gid_passwd_group_same:def:1
Time	2026-03-23T19:57:55+01:00
Severity	low
Identifiers and References	Identifiers: CCE-80822-0 References: 6.2.2, 1, 12, 15, 16, 5, 5.5.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000764, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-2, CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.5.a, SRG-OS-000104-GPOS-00051
Description	Add a group to the system for each GID referenced without a corresponding group.
Rationale	If a user is assigned the Group Identifier (GID) of a group not existing on the system, and a group with the Group Identifier (GID) is subsequently created, the user may have unintended rights to any files associated with the group.

OVAL test results details

Verify all GIDs referenced in /etc/passwd are defined in /etc/group oval:ssg-test_gid_passwd_group_same:tst:1 true

Following items have been found on the system:

Path	Content
/etc/passwd	root:x:0:0:
/etc/passwd	bin:x:1:1:
/etc/passwd	daemon:x:2:2:
/etc/passwd	adm:x:3:4:
/etc/passwd	lp:x:4:7:
/etc/passwd	sync:x:5:0:
/etc/passwd	shutdown:x:6:0:
/etc/passwd	halt:x:7:0:
/etc/passwd	mail:x:8:12:
/etc/passwd	operator:x:11:0:
/etc/passwd	games:x:12:100:
/etc/passwd	ftp:x:14:50:
/etc/passwd	nobody:x:65534:65534:
/etc/passwd	dbus:x:81:81:
/etc/passwd	systemd-coredump:x:999:997:
/etc/passwd	systemd-resolve:x:193:193:
/etc/passwd	tss:x:59:59:
/etc/passwd	polkitd:x:998:996:
/etc/passwd	unbound:x:997:994:
/etc/passwd	sssd:x:996:993:
/etc/passwd	chrony:x:995:992:
/etc/passwd	sshd:x:74:74:
/etc/passwd	sysadmin:x:1000:1000:
/etc/passwd	tomcat:x:1001:1001:
/etc/passwd	postgres:x:26:26:
/etc/passwd	nginx:x:994:991:
/etc/passwd	haproxy:x:993:990:

Ensure There Are No Accounts With Blank or Null Passwords

Rule ID	xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-no_empty_passwords_etc_shadow:def:1
Time	2026-03-23T19:57:55+01:00
Severity	high
Identifiers and References	Identifiers: CCE-85953-8 References: 6.2.1, CCI-000366, CM-6(b), CM-6.1(iv), SRG-OS-000480-GPOS-00227
Description	Check the "/etc/shadow" file for blank passwords with the following command: $ sudo awk -F: '!$2 {print $1}' /etc/shadow If the command returns any results, this is a finding. Configure all accounts on the system to have a password or lock the account with the following commands: Perform a password reset: $ sudo passwd [username] Lock an account: $ sudo passwd -l [username]
Rationale	If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
Warnings	warning Note that this rule is not applicable for systems running within a container. Having user with empty password within a container is not considered a risk, because it should not be possible to directly login into a container anyway.

OVAL test results details

make sure there aren't blank or null passwords in /etc/shadow oval:ssg-test_no_empty_passwords_etc_shadow:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_no_empty_passwords_etc_shadow:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/shadow	^[^:]+::.*$	1

Verify No netrc Files Exist

Rule ID	xccdf_org.ssgproject.content_rule_no_netrc_files
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-no_netrc_files:def:1
Time	2026-03-23T19:57:55+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83444-0 References: 6.2.13, 6.2.15, 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, CCI-000196, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-003-8 R1.3, CIP-003-8 R3, CIP-003-8 R3.1, CIP-003-8 R3.2, CIP-003-8 R3.3, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-5(h), IA-5(1)(c), CM-6(a), IA-5(7), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3
Description	The `.netrc` files contain login information used to auto-login into FTP servers and reside in the user's home directory. These files may contain unencrypted passwords to remote FTP servers making them susceptible to access by unauthorized users and should not be used. Any `.netrc` files should be removed.
Rationale	Unencrypted passwords for remote FTP servers may be stored in `.netrc` files.

OVAL test results details

look for .netrc in /home oval:ssg-test_no_netrc_files_home:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_no_netrc_files_home:obj:1 of type file_object

Behaviors	Path	Filename
no value	/home	^\.netrc$

Verify Only Root Has UID 0

Rule ID	xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_no_uid_except_zero:def:1
Time	2026-03-23T19:57:55+01:00
Severity	high
Identifiers and References	Identifiers: CCE-80649-7 References: 6.2.8, 1, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10, 3.1.1, 3.1.5, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-2, AC-6(5), IA-4(b), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, Req-8.2.1, SRG-OS-000480-GPOS-00227, RHEL-08-040200, SV-230534r627750_rule
Description	If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed. If the account is associated with system commands or applications the UID should be changed to one greater than "0" but less than "1000." Otherwise assign a UID greater than "1000" that has not already been assigned.
Rationale	An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.

OVAL test results details

test that there are no accounts with UID 0 except root in the /etc/passwd file oval:ssg-test_accounts_no_uid_except_root:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_no_uid_except_root:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/passwd	^(?!root:)[^:]:[^:]:0	1

Verify Root Has A Primary GID 0

Rule ID	xccdf_org.ssgproject.content_rule_accounts_root_gid_zero
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_root_gid_zero:def:1
Time	2026-03-23T19:57:55+01:00
Severity	high
Identifiers and References	Identifiers: CCE-86297-9 References: 5.6.4, Req-8.2.1
Description	The `root` user should have a primary group of 0.
Rationale	To help ensure that root-owned files are not inadvertently exposed to other users.

OVAL test results details

test that there are no accounts with UID 0 except root in the /etc/passwd file oval:ssg-test_accounts_root_gid_zero:tst:1 true

Following items have been found on the system:

Path	Content
/etc/passwd	root:x:0:0:root:/root:/bin/bash

Ensure that System Accounts Do Not Run a Shell Upon Login

Rule ID	xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-no_shelllogin_for_systemaccounts:def:1
Time	2026-03-23T19:57:55+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80843-6 References: 5.6.2, 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS06.03, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, 1491, A.12.4.1, A.12.4.3, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-6, CM-6(a), CM-6(b), CM-6.1(iv), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, Req-8.6.1, SRG-OS-000480-GPOS-00227
Description	Some accounts are not associated with a human user of the system, and exist to perform some administrative function. Should an attacker be able to log into these accounts, they should not be granted access to a shell. The login shell for each local account is stored in the last field of each line in `/etc/passwd`. System accounts are those user accounts with a user ID less than UID_MIN, where value of UID_MIN directive is set in /etc/login.defs configuration file. In the default configuration UID_MIN is set to 1000, thus system accounts are those user accounts with a user ID less than 1000. The user ID is stored in the third field. If any system account SYSACCT (other than root) has a login shell, disable it with the command: $ sudo usermod -s /sbin/nologin SYSACCT
Rationale	Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts.
Warnings	warning Do not perform the steps in this section on the root account. Doing so might cause the system to become inaccessible.

OVAL test results details

SYS_UID_MIN not defined in /etc/login.defs oval:ssg-test_sys_uid_min_not_defined:tst:1 false

Following items have been found on the system:

Path	Content
/etc/login.defs	# # Please note that the parameters in this configuration file control the # behavior of the tools from the shadow-utils component. None of these # tools uses the PAM mechanism, and the utilities that use PAM (such as the # passwd command) should therefore be configured elsewhere. Refer to # /etc/pam.d/system-auth for more information. # # REQUIRED # Directory where mailboxes reside, _or_ name of file, relative to the # home directory. If you _do_ define both, MAIL_DIR takes precedence. # QMAIL_DIR is for Qmail # #QMAIL_DIR Maildir MAIL_DIR /var/spool/mail #MAIL_FILE .mail # Default initial "umask" value used by login(1) on non-PAM enabled systems. # Default "umask" value for pam_umask(8) on PAM enabled systems. # UMASK is also used by useradd(8) and newusers(8) to set the mode for new # home directories if HOME_MODE is not set. # 022 is the default value, but 027, or even 077, could be considered # for increased privacy. There is no One True Answer here: each sysadmin # must make up their mind. UMASK 022 # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new # home directories. # If HOME_MODE is not set, the value of UMASK is used to create the mode. HOME_MODE 0700 # Password aging controls: # # PASS_MAX_DAYS Maximum number of days a password may be used. # PASS_MIN_DAYS Minimum number of days allowed between password changes. # PASS_MIN_LEN Minimum acceptable password length. # PASS_WARN_AGE Number of days warning given before a password expires. # PASS_MAX_DAYS 99999 PASS_MIN_DAYS 0 PASS_MIN_LEN 5 PASS_WARN_AGE 7 # # Min/max values for automatic uid selection in useradd # UID_MIN 1000 UID_MAX 60000 # System accounts SYS_UID_MIN 201

SYS_UID_MAX not defined in /etc/login.defs oval:ssg-test_sys_uid_max_not_defined:tst:1 false

Following items have been found on the system:

Path	Content
/etc/login.defs	# # Please note that the parameters in this configuration file control the # behavior of the tools from the shadow-utils component. None of these # tools uses the PAM mechanism, and the utilities that use PAM (such as the # passwd command) should therefore be configured elsewhere. Refer to # /etc/pam.d/system-auth for more information. # # REQUIRED # Directory where mailboxes reside, _or_ name of file, relative to the # home directory. If you _do_ define both, MAIL_DIR takes precedence. # QMAIL_DIR is for Qmail # #QMAIL_DIR Maildir MAIL_DIR /var/spool/mail #MAIL_FILE .mail # Default initial "umask" value used by login(1) on non-PAM enabled systems. # Default "umask" value for pam_umask(8) on PAM enabled systems. # UMASK is also used by useradd(8) and newusers(8) to set the mode for new # home directories if HOME_MODE is not set. # 022 is the default value, but 027, or even 077, could be considered # for increased privacy. There is no One True Answer here: each sysadmin # must make up their mind. UMASK 022 # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new # home directories. # If HOME_MODE is not set, the value of UMASK is used to create the mode. HOME_MODE 0700 # Password aging controls: # # PASS_MAX_DAYS Maximum number of days a password may be used. # PASS_MIN_DAYS Minimum number of days allowed between password changes. # PASS_MIN_LEN Minimum acceptable password length. # PASS_WARN_AGE Number of days warning given before a password expires. # PASS_MAX_DAYS 99999 PASS_MIN_DAYS 0 PASS_MIN_LEN 5 PASS_WARN_AGE 7 # # Min/max values for automatic uid selection in useradd # UID_MIN 1000 UID_MAX 60000 # System accounts SYS_UID_MIN 201 SYS_UID_MAX 999

<0, UID_MIN - 1> system UIDs having shell set oval:ssg-test_shell_defined_default_uid_range:tst:1 false

Following items have been found on the system:

Path	Content
/etc/passwd	postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
/etc/passwd	sysadmin:x:1000:1000:sysadmin:/home/sysadmin:/bin/bash

SYS_UID_MIN not defined in /etc/login.defs oval:ssg-test_sys_uid_min_not_defined:tst:1 false

Following items have been found on the system:

Path	Content
/etc/login.defs	# # Please note that the parameters in this configuration file control the # behavior of the tools from the shadow-utils component. None of these # tools uses the PAM mechanism, and the utilities that use PAM (such as the # passwd command) should therefore be configured elsewhere. Refer to # /etc/pam.d/system-auth for more information. # # REQUIRED # Directory where mailboxes reside, _or_ name of file, relative to the # home directory. If you _do_ define both, MAIL_DIR takes precedence. # QMAIL_DIR is for Qmail # #QMAIL_DIR Maildir MAIL_DIR /var/spool/mail #MAIL_FILE .mail # Default initial "umask" value used by login(1) on non-PAM enabled systems. # Default "umask" value for pam_umask(8) on PAM enabled systems. # UMASK is also used by useradd(8) and newusers(8) to set the mode for new # home directories if HOME_MODE is not set. # 022 is the default value, but 027, or even 077, could be considered # for increased privacy. There is no One True Answer here: each sysadmin # must make up their mind. UMASK 022 # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new # home directories. # If HOME_MODE is not set, the value of UMASK is used to create the mode. HOME_MODE 0700 # Password aging controls: # # PASS_MAX_DAYS Maximum number of days a password may be used. # PASS_MIN_DAYS Minimum number of days allowed between password changes. # PASS_MIN_LEN Minimum acceptable password length. # PASS_WARN_AGE Number of days warning given before a password expires. # PASS_MAX_DAYS 99999 PASS_MIN_DAYS 0 PASS_MIN_LEN 5 PASS_WARN_AGE 7 # # Min/max values for automatic uid selection in useradd # UID_MIN 1000 UID_MAX 60000 # System accounts SYS_UID_MIN 201

SYS_UID_MAX not defined in /etc/login.defs oval:ssg-test_sys_uid_max_not_defined:tst:1 false

Following items have been found on the system:

Path	Content
/etc/login.defs	# # Please note that the parameters in this configuration file control the # behavior of the tools from the shadow-utils component. None of these # tools uses the PAM mechanism, and the utilities that use PAM (such as the # passwd command) should therefore be configured elsewhere. Refer to # /etc/pam.d/system-auth for more information. # # REQUIRED # Directory where mailboxes reside, _or_ name of file, relative to the # home directory. If you _do_ define both, MAIL_DIR takes precedence. # QMAIL_DIR is for Qmail # #QMAIL_DIR Maildir MAIL_DIR /var/spool/mail #MAIL_FILE .mail # Default initial "umask" value used by login(1) on non-PAM enabled systems. # Default "umask" value for pam_umask(8) on PAM enabled systems. # UMASK is also used by useradd(8) and newusers(8) to set the mode for new # home directories if HOME_MODE is not set. # 022 is the default value, but 027, or even 077, could be considered # for increased privacy. There is no One True Answer here: each sysadmin # must make up their mind. UMASK 022 # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new # home directories. # If HOME_MODE is not set, the value of UMASK is used to create the mode. HOME_MODE 0700 # Password aging controls: # # PASS_MAX_DAYS Maximum number of days a password may be used. # PASS_MIN_DAYS Minimum number of days allowed between password changes. # PASS_MIN_LEN Minimum acceptable password length. # PASS_WARN_AGE Number of days warning given before a password expires. # PASS_MAX_DAYS 99999 PASS_MIN_DAYS 0 PASS_MIN_LEN 5 PASS_WARN_AGE 7 # # Min/max values for automatic uid selection in useradd # UID_MIN 1000 UID_MAX 60000 # System accounts SYS_UID_MIN 201 SYS_UID_MAX 999

<0, SYS_UID_MIN> system UIDs having shell set oval:ssg-test_shell_defined_reserved_uid_range:tst:1 false

Following items have been found on the system:

Path	Content
/etc/passwd	postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
/etc/passwd	sysadmin:x:1000:1000:sysadmin:/home/sysadmin:/bin/bash

<SYS_UID_MIN, SYS_UID_MAX> system UIDS having shell set oval:ssg-test_shell_defined_dynalloc_uid_range:tst:1 true

Following items have been found on the system:

Path	Content
/etc/passwd	postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
/etc/passwd	sysadmin:x:1000:1000:sysadmin:/home/sysadmin:/bin/bash

Enforce usage of pam_wheel for su authentication

Rule ID xccdf_org.ssgproject.content_rule_use_pam_wheel_for_su

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-use_pam_wheel_for_su:def:1

Time 2026-03-23T19:57:55+01:00

Severity medium

Identifiers and References

Identifiers: CCE-83318-6

References: 5.3.7, FMT_SMF_EXT.1.1, Req-8.6.1, SRG-OS-000373-GPOS-00156, SRG-OS-000312-GPOS-00123

Description

To ensure that only users who are members of the wheel group can run commands with altered privileges through the su command, make sure that the following line exists in the file /etc/pam.d/su:

auth required pam_wheel.so use_uid

Rationale

The su program allows to run commands with a substitute user and group ID. It is commonly used to run commands as the root user. Limiting access to such command is considered a good security practice.

Warnings

warning Members of "wheel" or GID 0 groups are checked by default if the group option is not set for pam_wheel.so module. Therefore, members of these groups should be manually checked or a different group should be informed according to the site policy.

Remediation Shell script ⇲


# uncomment the option if commented
  sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: restrict usage of su command only to members of wheel group
  replace:
    path: /etc/pam.d/su
    regexp: ^[\s]*#[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid$
    replace: auth             required        pam_wheel.so use_uid
  tags:
  - CCE-83318-6
  - PCI-DSS-Req-8.6.1
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - use_pam_wheel_for_su

OVAL test results details

check /etc/pam.d/su for correct setting oval:ssg-test_use_pam_wheel_for_su:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_use_pam_wheel_for_su:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/pam.d/su	^[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid$	1

Ensure All Accounts on the System Have Unique User IDs

Rule ID	xccdf_org.ssgproject.content_rule_account_unique_id
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-account_unique_id:def:1
Time	2026-03-23T19:57:55+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-89903-9 References: 6.2.3, CCI-000135, CCI-000764, CCI-000804, SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062, SRG-OS-000042-GPOS-00020, RHEL-08-020240, SV-230371r627750_rule
Description	Change user IDs (UIDs), or delete accounts, so each has a unique name.
Rationale	To assure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system.
Warnings	warning Automatic remediation of this control is not available due to unique requirements of each system.

OVAL test results details

There should not exist duplicate user ids in /etc/passwd oval:ssg-test_etc_passwd_no_duplicate_user_ids:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-variable_count_of_all_uids:var:1	27

Ensure All Groups on the System Have Unique Group ID

Rule ID	xccdf_org.ssgproject.content_rule_group_unique_id
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-group_unique_id:def:1
Time	2026-03-23T19:57:55+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-86201-1 References: 6.2.4, CCI-000764, SRG-OS-000104-GPOS-00051
Description	Change the group name or delete groups, so each has a unique id.
Rationale	To assure accountability and prevent unauthenticated access, groups must be identified uniquely to prevent potential misuse and compromise of the system.
Warnings	warning Automatic remediation of this control is not available due to the unique requirements of each system.

OVAL test results details

There should not exist duplicate group ids in /etc/passwd oval:ssg-test_etc_group_no_duplicate_group_ids:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-variable_count_of_all_group_ids:var:1	45

Ensure All Groups on the System Have Unique Group Names

Rule ID	xccdf_org.ssgproject.content_rule_group_unique_name
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-group_unique_name:def:1
Time	2026-03-23T19:57:55+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-86328-2 References: 6.2.6
Description	Change the group name or delete groups, so each has a unique name.
Rationale	To assure accountability and prevent unauthenticated access, groups must be identified uniquely to prevent potential misuse and compromise of the system.
Warnings	warning Automatic remediation of this control is not available due to the unique requirements of each system.

OVAL test results details

There should not exist duplicate group names in /etc/passwd oval:ssg-test_etc_group_no_duplicate_group_names:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-variable_count_of_all_group_names:var:1	45

Ensure that Root's Path Does Not Include World or Group-Writable Directories

Rule ID	xccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_root_path_dirs_no_write:def:1
Time	2026-03-23T19:59:49+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80672-9 References: 6.2.7, 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(a), CM-6(a), PR.IP-1
Description	For each element in root's path, run: # ls -ld DIR and ensure that write permissions are disabled for group and other.
Rationale	Such entries increase the risk that root could execute code provided by unprivileged users, and potentially malicious code.

OVAL test results details

Check if there aren't directories in root's path having write permission set for group or other oval:ssg-test_accounts_root_path_dirs_no_group_other_write:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_root_path_dirs_no_group_other_write:obj:1 of type file_object

Path

Filename

Filter

/sbin

/bin

/usr/sbin

/usr/bin

no value

oval:ssg-state_accounts_root_path_dirs_wrong_perms:ste:1

oval:ssg-state_accounts_root_path_dirs_symlink:ste:1

Ensure that Root's Path Does Not Include Relative Paths or Null Directories

Rule ID	xccdf_org.ssgproject.content_rule_root_path_no_dot
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-root_path_no_dot:def:1
Time	2026-03-23T19:59:49+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-85914-0 References: 6.2.7, 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(a), CM-6(a), PR.IP-1
Description	Ensure that none of the directories in root's path is equal to a single `.` character, or that it contains any instances that lead to relative path traversal, such as `..` or beginning a path without the slash (`/`) character. Also ensure that there are no "empty" elements in the path, such as in these examples: PATH=:/bin PATH=/bin: PATH=/bin::/sbin These empty elements have the same effect as a single `.` character.
Rationale	Including these entries increases the risk that root could execute code from an untrusted location.

OVAL test results details

environment variable PATH starts with : or . oval:ssg-test_env_var_begins:tst:1 true

Following items have been found on the system:

Pid	Name	Value
11493	PATH	/sbin:/bin:/usr/sbin:/usr/bin

environment variable PATH doesn't contain : twice in a row oval:ssg-test_env_var_contains_doublecolon:tst:1 true

Following items have been found on the system:

Pid	Name	Value
11493	PATH	/sbin:/bin:/usr/sbin:/usr/bin

environment variable PATH doesn't contain . twice in a row oval:ssg-test_env_var_contains_doubleperiod:tst:1 true

Following items have been found on the system:

Pid	Name	Value
11493	PATH	/sbin:/bin:/usr/sbin:/usr/bin

environment variable PATH ends with : or . oval:ssg-test_env_var_ends:tst:1 true

Following items have been found on the system:

Pid	Name	Value
11493	PATH	/sbin:/bin:/usr/sbin:/usr/bin

environment variable PATH starts with an absolute path / oval:ssg-test_env_var_begins_slash:tst:1 true

Following items have been found on the system:

Pid	Name	Value
11493	PATH	/sbin:/bin:/usr/sbin:/usr/bin

environment variable PATH contains relative paths oval:ssg-test_env_var_contains_relative_path:tst:1 true

Following items have been found on the system:

Pid	Name	Value
11493	PATH	/sbin:/bin:/usr/sbin:/usr/bin

Ensure the Default Bash Umask is Set Correctly

Rule ID xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-accounts_umask_etc_bashrc:def:1

Time 2026-03-23T19:59:49+01:00

Severity medium

Identifiers and References

Identifiers: CCE-81036-6

References: BP28(R35), 5.6.5, 18, APO13.01, BAI03.01, BAI03.02, BAI03.03, CCI-000366, 4.3.4.3.3, A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6(1), CM-6(a), PR.IP-2, Req-8.6.1, SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227, RHEL-08-020353, SV-230385r792902_rule

Description

To ensure the default umask for users of the Bash shell is set properly, add or correct the umask setting in /etc/bashrc to read as follows:

umask 027

Rationale

The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.

Remediation Shell script ⇲


var_accounts_user_umask='027'






grep -q "^\s*umask" /etc/bashrc && \
  sed -i -E -e "s/^(\s*umask).*/\1 $var_accounts_user_umask/g" /etc/bashrc
if ! [ $? -eq 0 ]; then
    echo "umask $var_accounts_user_umask" >> /etc/bashrc
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: XCCDF Value var_accounts_user_umask # promote to variable
  set_fact:
    var_accounts_user_umask: !!str 027
  tags:
    - always

- name: Check if umask in /etc/bashrc is already set
  ansible.builtin.lineinfile:
    path: /etc/bashrc
    regexp: ^(\s*)umask\s+.*
    state: absent
  check_mode: true
  changed_when: false
  register: umask_replace
  tags:
  - CCE-81036-6
  - DISA-STIG-RHEL-08-020353
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.6.1
  - accounts_umask_etc_bashrc
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Replace user umask in /etc/bashrc
  ansible.builtin.replace:
    path: /etc/bashrc
    regexp: ^(\s*)umask(\s+).*
    replace: \g<1>umask\g<2>{{ var_accounts_user_umask }}
  when: umask_replace.found > 0
  tags:
  - CCE-81036-6
  - DISA-STIG-RHEL-08-020353
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.6.1
  - accounts_umask_etc_bashrc
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Ensure the Default umask is Appended Correctly
  ansible.builtin.lineinfile:
    create: true
    path: /etc/bashrc
    line: umask {{ var_accounts_user_umask }}
  when: umask_replace.found == 0
  tags:
  - CCE-81036-6
  - DISA-STIG-RHEL-08-020353
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.6.1
  - accounts_umask_etc_bashrc
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

OVAL test results details

Verify the existence of var_accounts_user_umask_as_number variable oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-var_accounts_user_umask_umask_as_number:var:1	23

Test the retrieved /etc/bashrc umask value(s) match the var_accounts_user_umask requirement oval:ssg-tst_accounts_umask_etc_bashrc:tst:1 false

Following items have been found on the system:

Var ref	Value	Value	Value	Value	Value	Value	Value	Value
oval:ssg-var_etc_bashrc_umask_as_number:var:1	2	2	18	18	2	2	18	18

Ensure the Default Umask is Set Correctly in login.defs

Rule ID xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-accounts_umask_etc_login_defs:def:1

Time 2026-03-23T19:59:49+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82888-9

References: BP28(R35), 5.6.5, 11, 18, 3, 9, APO13.01, BAI03.01, BAI03.02, BAI03.03, BAI10.01, BAI10.02, BAI10.03, BAI10.05, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.1.1, A.14.2.1, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.5, A.6.1.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6(1), CM-6(a), PR.IP-1, PR.IP-2, Req-8.6.1, SRG-OS-000480-GPOS-00228, RHEL-08-020351, SV-230383r627750_rule

Description

To ensure the default umask controlled by /etc/login.defs is set properly, add or correct the UMASK setting in /etc/login.defs to read as follows:

UMASK 027

Rationale

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if rpm --quiet -q shadow-utils; then

var_accounts_user_umask='027'


# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/login.defs"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^UMASK")

# shellcheck disable=SC2059
printf -v formatted_output "%s %s" "$stripped_key" "$var_accounts_user_umask"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^UMASK\\>" "/etc/login.defs"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^UMASK\\>.*/$escaped_formatted_output/gi" "/etc/login.defs"
else
    # \n is precaution for case where file ends without trailing newline
    cce="CCE-82888-9"
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/login.defs" >> "/etc/login.defs"
    printf '%s\n' "$formatted_output" >> "/etc/login.defs"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-82888-9
  - DISA-STIG-RHEL-08-020351
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.6.1
  - accounts_umask_etc_login_defs
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
- name: XCCDF Value var_accounts_user_umask # promote to variable
  set_fact:
    var_accounts_user_umask: !!str 027
  tags:
    - always

- name: Check if UMASK is already set
  ansible.builtin.lineinfile:
    path: /etc/login.defs
    regexp: ^(\s*)UMASK\s+.*
    state: absent
  check_mode: true
  changed_when: false
  register: result_umask_is_set
  when: '"shadow-utils" in ansible_facts.packages'
  tags:
  - CCE-82888-9
  - DISA-STIG-RHEL-08-020351
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.6.1
  - accounts_umask_etc_login_defs
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Replace user UMASK in /etc/login.defs
  ansible.builtin.replace:
    path: /etc/login.defs
    regexp: ^(\s*)UMASK(\s+).*
    replace: \g<1>UMASK\g<2>{{ var_accounts_user_umask }}
  when:
  - '"shadow-utils" in ansible_facts.packages'
  - result_umask_is_set.found > 0
  tags:
  - CCE-82888-9
  - DISA-STIG-RHEL-08-020351
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.6.1
  - accounts_umask_etc_login_defs
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Ensure the Default UMASK is Appended Correctly
  ansible.builtin.lineinfile:
    create: true
    path: /etc/login.defs
    line: UMASK {{ var_accounts_user_umask }}
  when:
  - '"shadow-utils" in ansible_facts.packages'
  - result_umask_is_set.found == 0
  tags:
  - CCE-82888-9
  - DISA-STIG-RHEL-08-020351
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.6.1
  - accounts_umask_etc_login_defs
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

OVAL test results details

Verify the existence of var_accounts_user_umask_as_number variable oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-var_accounts_user_umask_umask_as_number:var:1	23

Test the retrieved /etc/login.defs umask value(s) match the var_accounts_user_umask requirement oval:ssg-tst_accounts_umask_etc_login_defs:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-var_etc_login_defs_umask_as_number:var:1	18

Ensure the Default Umask is Set Correctly in /etc/profile

Rule ID xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-accounts_umask_etc_profile:def:1

Time 2026-03-23T19:59:49+01:00

Severity medium

Identifiers and References

Identifiers: CCE-81035-8

Description

To ensure the default umask controlled by /etc/profile is set properly, add or correct the umask setting in /etc/profile to read as follows:

umask 027

Rationale

Remediation Shell script ⇲


var_accounts_user_umask='027'


grep -qE '^[^#]*umask' /etc/profile && \
  sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/profile
if ! [ $? -eq 0 ]; then
    echo "umask $var_accounts_user_umask" >> /etc/profile
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: XCCDF Value var_accounts_user_umask # promote to variable
  set_fact:
    var_accounts_user_umask: !!str 027
  tags:
    - always

- name: Check if umask is already set
  ansible.builtin.lineinfile:
    path: /etc/profile
    regexp: (^[\s]*umask)\s+(\d+)
    state: absent
  check_mode: true
  changed_when: false
  register: result_umask_is_set
  tags:
  - CCE-81035-8
  - DISA-STIG-RHEL-08-020353
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.6.1
  - accounts_umask_etc_profile
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Replace user umask in /etc/profile
  ansible.builtin.replace:
    path: /etc/profile
    regexp: ^(\s*)umask\s+\d+
    replace: \1umask {{ var_accounts_user_umask }}
  tags:
  - CCE-81035-8
  - DISA-STIG-RHEL-08-020353
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.6.1
  - accounts_umask_etc_profile
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Append user umask in /etc/profile
  ansible.builtin.lineinfile:
    create: true
    path: /etc/profile
    line: umask {{ var_accounts_user_umask }}
  when: result_umask_is_set.found == 0
  tags:
  - CCE-81035-8
  - DISA-STIG-RHEL-08-020353
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.6.1
  - accounts_umask_etc_profile
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

OVAL test results details

Verify the existence of var_accounts_user_umask_as_number variable oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-var_accounts_user_umask_umask_as_number:var:1	23

Test the retrieved /etc/profile umask value(s) match the var_accounts_user_umask requirement oval:ssg-tst_accounts_umask_etc_profile:tst:1 false

Following items have been found on the system:

Var ref	Value	Value	Value	Value	Value	Value	Value	Value
oval:ssg-var_etc_profile_umask_as_number:var:1	2	2	18	18	2	2	18	18

Set Interactive Session Timeout

Rule ID xccdf_org.ssgproject.content_rule_accounts_tmout

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-accounts_tmout:def:1

Time 2026-03-23T19:57:55+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80673-7

References: BP28(R29), 5.6.3, 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.11, CCI-000057, CCI-001133, CCI-002361, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-12, SC-10, AC-2(5), CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.6.1, SRG-OS-000163-GPOS-00072, SRG-OS-000029-GPOS-00010, SRG-OS-000163-VMM-000700, SRG-OS-000279-VMM-001010

Description

Setting the TMOUT option in /etc/profile ensures that all user sessions will terminate based on inactivity. The value of TMOUT should be exported and read only. The TMOUT setting in a file loaded by /etc/profile, e.g. /etc/profile.d/tmout.sh should read as follows:

declare -xr TMOUT=900

Rationale

Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

var_accounts_tmout='900'


# if 0, no occurence of tmout found, if 1, occurence found
tmout_found=0


for f in /etc/profile /etc/profile.d/*.sh; do

    if grep --silent '^[^#].*TMOUT' $f; then
        sed -i -E "s/^(.*)TMOUT\s*=\s*(\w|\$)*(.*)$/declare -xr TMOUT=$var_accounts_tmout\3/g" $f
        tmout_found=1
    fi
done

if [ $tmout_found -eq 0 ]; then
        echo -e "\n# Set TMOUT to $var_accounts_tmout per security requirements" >> /etc/profile.d/tmout.sh
        echo "declare -xr TMOUT=$var_accounts_tmout" >> /etc/profile.d/tmout.sh
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: XCCDF Value var_accounts_tmout # promote to variable
  set_fact:
    var_accounts_tmout: !!str 900
  tags:
    - always

- name: Correct any occurrence of TMOUT in /etc/profile
  replace:
    path: /etc/profile
    regexp: ^[^#].*TMOUT=.*
    replace: declare -xr TMOUT={{ var_accounts_tmout }}
  register: profile_replaced
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80673-7
  - NIST-800-171-3.1.11
  - NIST-800-53-AC-12
  - NIST-800-53-AC-2(5)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-10
  - PCI-DSS-Req-8.6.1
  - accounts_tmout
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set Interactive Session Timeout
  lineinfile:
    path: /etc/profile.d/tmout.sh
    create: true
    regexp: TMOUT=
    line: declare -xr TMOUT={{ var_accounts_tmout }}
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80673-7
  - NIST-800-171-3.1.11
  - NIST-800-53-AC-12
  - NIST-800-53-AC-2(5)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-10
  - PCI-DSS-Req-8.6.1
  - accounts_tmout
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

OVAL test results details

TMOUT in /etc/profile oval:ssg-test_etc_profile_tmout:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_etc_profile_tmout:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/profile	^[\s]declare[\s]+-xr[\s]+TMOUT=([\w$]+).$	1

TMOUT in /etc/profile.d/*.sh oval:ssg-test_etc_profiled_tmout:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_etc_profiled_tmout:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/profile.d	^.*\.sh$	^[\s]declare[\s]+-xr[\s]+TMOUT=([\w$]+).$	1

Check that at least one TMOUT is defined oval:ssg-test_accounts_tmout_defined:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_tmout_defined:obj:1 of type variable_object

Var ref
oval:ssg-variable_count_of_tmout_instances:var:1

User Initialization Files Must Not Run World-Writable Programs

Rule ID xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-accounts_user_dot_no_world_writable_programs:def:1

Time 2026-03-23T19:59:49+01:00

Severity medium

Identifiers and References

Identifiers: CCE-84039-7

References: 6.2.12, CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010660, SV-230309r627750_rule

Description

Set the mode on files being executed by the user initialization files with the following command:

$ sudo chmod o-w FILE

Rationale

If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict


readarray -t world_writable_files < <(find / -xdev -type f -perm -0002 2> /dev/null)
readarray -t interactive_home_dirs < <(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6 }' /etc/passwd)

for world_writable in "${world_writable_files[@]}"; do
    for homedir in "${interactive_home_dirs[@]}"; do
        if grep -q -d skip "$world_writable" "$homedir"/.*; then
            chmod o-w $world_writable
            break
        fi
    done
done

OVAL test results details

Init files do not execute world-writable programs oval:ssg-test_accounts_user_dot_no_world_writable_programs:tst:1 false

Following items have been found on the system:

Path	Content
/home/sysadmin/.bash_profile	export CLASSPATH=$CLASSPATH:/opt/tomee/apache-tomee-plus-10.1.2/lib/postgresql-42.6.0.jar

All Interactive Users Home Directories Must Exist

Rule ID	xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_user_interactive_home_directory_exists:def:1
Time	2026-03-23T19:59:49+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83424-2 References: 6.2.9, CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010750, SV-230323r627750_rule
Description	Create home directories to all interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in `/etc/passwd`: $ sudo mkdir /home/USER
Rationale	If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.

OVAL test results details

Check the existence of interactive users. oval:ssg-test_accounts_user_interactive_home_directory_exists:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-var_accounts_user_interactive_home_directory_exists_dirs_count_fs:var:1	2

Check the existence of interactive users. oval:ssg-test_accounts_user_interactive_home_directory_exists_users:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-var_accounts_user_interactive_home_directory_exists_dirs_count:var:1	2

All Interactive User Home Directories Must Be Group-Owned By The Primary User

Rule ID	xccdf_org.ssgproject.content_rule_file_groupownership_home_directories
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_groupownership_home_directories:def:1
Time	2026-03-23T19:59:49+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83434-1 References: 6.2.10, CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010740, SV-230322r880717_rule
Description	Change the group owner of interactive users home directory to the group found in `/etc/passwd`. To change the group owner of interactive users home directory, use the following command: $ sudo chgrp USER_GROUP /home/USER This rule ensures every home directory related to an interactive user is group-owned by an interactive user. It also ensures that interactive users are group-owners of one and only one home directory.
Rationale	If the Group Identifier (GID) of a local interactive users home directory is not the same as the primary GID of the user, this would allow unauthorized access to the users files, and users that share the same group may not be able to access files that they legitimately should.
Warnings	warning Due to OVAL limitation, this rule can report a false negative in a specific situation where two interactive users swap the group-ownership of their respective home directories.

OVAL test results details

All home directories are group-owned by a local interactive group oval:ssg-test_file_groupownership_home_directories:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/home/tomcat/	directory	1001	1001	62	`rwx------`
/home/sysadmin/	directory	1000	1000	4096	`rwx------`

All Interactive User Home Directories Must Be Owned By The Primary User

Rule ID	xccdf_org.ssgproject.content_rule_file_ownership_home_directories
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_ownership_home_directories:def:1
Time	2026-03-23T19:59:49+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-86131-0 References: 6.2.10, CCI-000366, SRG-OS-000480-GPOS-00227
Description	Change the owner of interactive users home directories to that correct owner. To change the owner of a interactive users home directory, use the following command: $ sudo chown USER /home/USER This rule ensures every home directory related to an interactive user is owned by an interactive user. It also ensures that interactive users are owners of one and only one home directory.
Rationale	If a local interactive user does not own their home directory, unauthorized users could access or modify the user's files, and the users may not be able to access their own files.
Warnings	warning Due to OVAL limitation, this rule can report a false negative in a specific situation where two interactive users swap the ownership of their respective home directories.

OVAL test results details

All home directories are owned by a local interactive user oval:ssg-test_file_ownership_home_directories:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/home/tomcat/	directory	1001	1001	62	`rwx------`
/home/sysadmin/	directory	1000	1000	4096	`rwx------`

It should not exist duplicated owners of home dirs oval:ssg-test_file_ownership_home_directories_duplicated:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-var_file_ownership_home_directories_uids_count:var:1	2

All Interactive User Home Directories Must Have mode 0750 Or Less Permissive

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_home_directories
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_home_directories:def:1
Time	2026-03-23T19:59:49+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-84038-9 References: 6.2.11, CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010730, SV-230321r627750_rule
Description	Change the mode of interactive users home directories to `0750`. To change the mode of interactive users home directory, use the following command: $ sudo chmod 0750 /home/USER
Rationale	Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.

OVAL test results details

All home directories have proper permissions oval:ssg-test_file_permissions_home_directories:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/home/tomcat/	directory	1001	1001	62	`rwx------`
/home/sysadmin/	directory	1000	1000	4096	`rwx------`

Enable authselect

Rule ID xccdf_org.ssgproject.content_rule_enable_authselect

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-enable_authselect:def:1

Time 2026-03-23T19:57:55+01:00

Severity medium

Identifiers and References

Identifiers: CCE-88248-0

References: BP28(R5), 1.2.3, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), AC-3, FIA_UAU.1, FIA_AFL.1, SRG-OS-000480-GPOS-00227

Description

Configure user authentication setup to use the authselect tool. If authselect profile is selected, the rule will enable the sssd profile.

Rationale

Authselect is a successor to authconfig. It is a tool to select system authentication and identity sources from a list of supported profiles instead of letting the administrator manually build the PAM stack. That way, it avoids potential breakage of configuration, as it ships several tested profiles that are well tested and supported to solve different use-cases.

Warnings

warning If the sudo authselect select command returns an error informing that the chosen profile cannot be selected, it is probably because PAM files have already been modified by the administrator. If this is the case, in order to not overwrite the desired changes made by the administrator, the current PAM settings should be investigated before forcing the selection of the chosen authselect profile.

Remediation Shell script ⇲


var_authselect_profile='sssd'


authselect select "$var_authselect_profile"

if test "$?" -ne 0; then
    if rpm --quiet --verify pam; then
        authselect select --force "$var_authselect_profile"
    else
	echo "Files in the 'pam' package have been altered, so the authselect configuration won't be forced" >&2
    fi
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	false
Strategy:	configure

- name: XCCDF Value var_authselect_profile # promote to variable
  set_fact:
    var_authselect_profile: !!str sssd
  tags:
    - always

- name: Select authselect profile
  ansible.builtin.command:
    cmd: authselect select "{{ var_authselect_profile }}"
  ignore_errors: true
  register: result_authselect_select
  tags:
  - CCE-88248-0
  - NIST-800-53-AC-3
  - configure_strategy
  - enable_authselect
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed

- name: Verify if PAM has been altered
  ansible.builtin.command:
    cmd: rpm -qV pam
  register: result_altered_authselect
  ignore_errors: true
  when: result_authselect_select is failed
  tags:
  - CCE-88248-0
  - NIST-800-53-AC-3
  - configure_strategy
  - enable_authselect
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed

- name: Informative message based on the authselect integrity check
  ansible.builtin.assert:
    that:
    - result_altered_authselect is success
    fail_msg:
    - Files in the 'pam' package have been altered, so the authselect configuration
      won't be forced.
  tags:
  - CCE-88248-0
  - NIST-800-53-AC-3
  - configure_strategy
  - enable_authselect
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed

- name: Force authselect profile select
  ansible.builtin.command:
    cmd: authselect select --force "{{ var_authselect_profile }}"
  when:
  - result_altered_authselect is success
  - result_authselect_select is failed
  tags:
  - CCE-88248-0
  - NIST-800-53-AC-3
  - configure_strategy
  - enable_authselect
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed

OVAL test results details

The 'fingerprint-auth' PAM config is a symlink to its authselect counterpart oval:ssg-test_pam_fingerprint_symlinked_to_authselect:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_pam_fingerprint_symlinked_to_authselect:obj:1 of type symlink_object

Filepath
/etc/pam.d/fingerprint-auth

The 'password-auth' PAM config is a symlink to its authselect counterpart oval:ssg-test_pam_password_symlinked_to_authselect:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_pam_password_symlinked_to_authselect:obj:1 of type symlink_object

Filepath
/etc/pam.d/password-auth

The 'postlogin' PAM config is a symlink to its authselect counterpart oval:ssg-test_pam_postlogin_symlinked_to_authselect:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_pam_postlogin_symlinked_to_authselect:obj:1 of type symlink_object

Filepath
/etc/pam.d/postlogin

The 'smartcard-auth' PAM config is a symlink to its authselect counterpart oval:ssg-test_pam_smartcard_symlinked_to_authselect:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_pam_smartcard_symlinked_to_authselect:obj:1 of type symlink_object

Filepath
/etc/pam.d/smartcard-auth

The 'system-auth' PAM config is a symlink to its authselect counterpart oval:ssg-test_pam_system_symlinked_to_authselect:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_pam_system_symlinked_to_authselect:obj:1 of type symlink_object

Filepath
/etc/pam.d/system-auth

Verify /boot/grub2/grub.cfg Group Ownership

Rule ID	xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_groupowner_grub2_cfg:def:1
Time	2026-03-23T19:59:49+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80800-6 References: 1.4.2, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000225, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-7.1, SRG-OS-000480-GPOS-00227
Description	The file `/boot/grub2/grub.cfg` should be group-owned by the `root` group to prevent destruction or modification of the file. To properly set the group owner of `/boot/grub2/grub.cfg`, run the command: $ sudo chgrp root /boot/grub2/grub.cfg
Rationale	The `root` group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.

OVAL test results details

Testing group ownership of /boot/grub2/grub.cfg oval:ssg-test_file_groupowner_grub2_cfg_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_groupowner_grub2_cfg_0:obj:1 of type file_object

Filepath	Filter	Filter
/boot/grub2/grub.cfg	oval:ssg-symlink_file_groupowner_grub2_cfg_uid_0:ste:1	oval:ssg-state_file_groupowner_grub2_cfg_gid_0_0:ste:1

Verify /boot/grub2/user.cfg Group Ownership

Rule ID	xccdf_org.ssgproject.content_rule_file_groupowner_user_cfg
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_groupowner_user_cfg:def:1
Time	2026-03-23T19:59:49+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-86009-8 References: 1.4.2, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000225, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-7.1, SRG-OS-000480-GPOS-00227
Description	The file `/boot/grub2/user.cfg` should be group-owned by the `root` group to prevent reading or modification of the file. To properly set the group owner of `/boot/grub2/user.cfg`, run the command: $ sudo chgrp root /boot/grub2/user.cfg
Rationale	The `root` group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them.

OVAL test results details

Testing group ownership of /boot/grub2/user.cfg oval:ssg-test_file_groupowner_user_cfg_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_groupowner_user_cfg_0:obj:1 of type file_object

Filepath	Filter	Filter
/boot/grub2/user.cfg	oval:ssg-symlink_file_groupowner_user_cfg_uid_0:ste:1	oval:ssg-state_file_groupowner_user_cfg_gid_0_0:ste:1

Verify /boot/grub2/grub.cfg User Ownership

Rule ID	xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_owner_grub2_cfg:def:1
Time	2026-03-23T19:59:49+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80805-5 References: 1.4.2, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000225, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-7.1
Description	The file `/boot/grub2/grub.cfg` should be owned by the `root` user to prevent destruction or modification of the file. To properly set the owner of `/boot/grub2/grub.cfg`, run the command: $ sudo chown root /boot/grub2/grub.cfg
Rationale	Only root should be able to modify important boot parameters.

OVAL test results details

Testing user ownership of /boot/grub2/grub.cfg oval:ssg-test_file_owner_grub2_cfg_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_owner_grub2_cfg_0:obj:1 of type file_object

Filepath	Filter	Filter
/boot/grub2/grub.cfg	oval:ssg-symlink_file_owner_grub2_cfg_uid_0:ste:1	oval:ssg-state_file_owner_grub2_cfg_uid_0_0:ste:1

Verify /boot/grub2/user.cfg User Ownership

Rule ID	xccdf_org.ssgproject.content_rule_file_owner_user_cfg
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_owner_user_cfg:def:1
Time	2026-03-23T19:59:49+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-86015-5 References: 1.4.2, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000225, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-7.1
Description	The file `/boot/grub2/user.cfg` should be owned by the `root` user to prevent reading or modification of the file. To properly set the owner of `/boot/grub2/user.cfg`, run the command: $ sudo chown root /boot/grub2/user.cfg
Rationale	Only root should be able to modify important boot parameters. Also, non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them.

OVAL test results details

Testing user ownership of /boot/grub2/user.cfg oval:ssg-test_file_owner_user_cfg_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_owner_user_cfg_0:obj:1 of type file_object

Filepath	Filter	Filter
/boot/grub2/user.cfg	oval:ssg-symlink_file_owner_user_cfg_uid_0:ste:1	oval:ssg-state_file_owner_user_cfg_uid_0_0:ste:1

Verify /boot/grub2/grub.cfg Permissions

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_grub2_cfg:def:1
Time	2026-03-23T19:59:49+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80814-7 References: 1.4.2, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000225, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5
Description	File permissions for `/boot/grub2/grub.cfg` should be set to 600. To properly set the permissions of `/boot/grub2/grub.cfg`, run the command: $ sudo chmod 600 /boot/grub2/grub.cfg
Rationale	Proper permissions ensure that only the root user can modify important boot parameters.

OVAL test results details

Testing mode of /boot/grub2/grub.cfg oval:ssg-test_file_permissions_grub2_cfg_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_permissions_grub2_cfg_0:obj:1 of type file_object

Filepath	Filter	Filter
/boot/grub2/grub.cfg	oval:ssg-exclude_symlinks__grub2_cfg:ste:1	oval:ssg-state_file_permissions_grub2_cfg_0_mode_0600or_stricter_:ste:1

Verify /boot/grub2/user.cfg Permissions

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_user_cfg
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_user_cfg:def:1
Time	2026-03-23T19:59:49+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-86024-7 References: 1.4.2, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000225, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5
Description	File permissions for `/boot/grub2/user.cfg` should be set to 600. To properly set the permissions of `/boot/grub2/user.cfg`, run the command: $ sudo chmod 600 /boot/grub2/user.cfg
Rationale	Proper permissions ensure that only the root user can read or modify important boot parameters.

OVAL test results details

Testing mode of /boot/grub2/user.cfg oval:ssg-test_file_permissions_user_cfg_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_permissions_user_cfg_0:obj:1 of type file_object

Filepath	Filter	Filter
/boot/grub2/user.cfg	oval:ssg-exclude_symlinks__user_cfg:ste:1	oval:ssg-state_file_permissions_user_cfg_0_mode_0600or_stricter_:ste:1

Set Boot Loader Password in grub2

Rule ID	xccdf_org.ssgproject.content_rule_grub2_password
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-grub2_password:def:1
Time	2026-03-23T19:59:49+01:00
Severity	high
Identifiers and References	Identifiers: CCE-80828-7 References: BP28(R17), 1.4.1, 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, RHEL-08-010150, SV-230235r743925_rule
Description	The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. Since plaintext passwords are a security risk, generate a hash for the password by running the following command: # grub2-setpassword When prompted, enter the password that was selected.
Rationale	Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.
Warnings	warning To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above. Also, do NOT manually add the superuser account and password to the `grub.cfg` file as the grub2-mkconfig command overwrites this file.

OVAL test results details

make sure a password is defined in /boot/grub2/user.cfg oval:ssg-test_grub2_password_usercfg:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_grub2_password_usercfg:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/boot/grub2/user.cfg	^[\s]GRUB2_PASSWORD=grub\.pbkdf2\.sha512.$	1

Verify the UEFI Boot Loader grub.cfg Group Ownership

Rule ID	xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg
Result	notapplicable
Multi-check rule	no
Time	2026-03-23T19:59:49+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-85915-7 References: 1.4.2, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000225, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-7.1
Description	The file `/boot/efi/EFI/redhat/grub.cfg` should be group-owned by the `root` group to prevent destruction or modification of the file. To properly set the group owner of `/boot/efi/EFI/redhat/grub.cfg`, run the command: $ sudo chgrp root /boot/efi/EFI/redhat/grub.cfg
Rationale	The `root` group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.

Verify /boot/efi/EFI/redhat/user.cfg Group Ownership

Rule ID	xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg
Result	notapplicable
Multi-check rule	no
Time	2026-03-23T19:59:49+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-86012-2 References: 1.4.2, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000225, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-7.1
Description	The file `/boot/efi/EFI/redhat/user.cfg` should be group-owned by the `root` group to prevent reading or modification of the file. To properly set the group owner of `/boot/efi/EFI/redhat/user.cfg`, run the command: $ sudo chgrp root /boot/efi/EFI/redhat/user.cfg
Rationale	The `root` group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them.

Verify the UEFI Boot Loader grub.cfg User Ownership

Rule ID	xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
Result	notapplicable
Multi-check rule	no
Time	2026-03-23T19:59:49+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-85913-2 References: 1.4.2, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000225, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-7.1
Description	The file `/boot/efi/EFI/redhat/grub.cfg` should be owned by the `root` user to prevent destruction or modification of the file. To properly set the owner of `/boot/efi/EFI/redhat/grub.cfg`, run the command: $ sudo chown root /boot/efi/EFI/redhat/grub.cfg
Rationale	Only root should be able to modify important boot parameters.

Verify /boot/efi/EFI/redhat/user.cfg User Ownership

Rule ID	xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
Result	notapplicable
Multi-check rule	no
Time	2026-03-23T19:59:49+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-86021-3 References: 1.4.2, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000225, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-7.1
Description	The file `/boot/efi/EFI/redhat/user.cfg` should be owned by the `root` user to prevent reading or modification of the file. To properly set the owner of `/boot/efi/EFI/redhat/user.cfg`, run the command: $ sudo chown root /boot/efi/EFI/redhat/user.cfg
Rationale	Only root should be able to modify important boot parameters. Also, non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them.

Verify the UEFI Boot Loader grub.cfg Permissions

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg
Result	notapplicable
Multi-check rule	no
Time	2026-03-23T19:59:49+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-85912-4 References: 1.4.2, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000225, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5
Description	File permissions for `/boot/efi/EFI/redhat/grub.cfg` should be set to 700. To properly set the permissions of `/boot/efi/EFI/redhat/grub.cfg`, run the command: $ sudo chmod 700 /boot/efi/EFI/redhat/grub.cfg
Rationale	Proper permissions ensure that only the root user can modify important boot parameters.

Verify /boot/efi/EFI/redhat/user.cfg Permissions

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
Result	notapplicable
Multi-check rule	no
Time	2026-03-23T19:59:49+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-86028-8 References: 1.4.2, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000225, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5
Description	File permissions for `/boot/efi/EFI/redhat/user.cfg` should be set to 600. To properly set the permissions of `/boot/efi/EFI/redhat/user.cfg`, run the command: $ sudo chmod 600 /boot/efi/EFI/redhat/user.cfg
Rationale	Proper permissions ensure that only the root user can read or modify important boot parameters.

Set the UEFI Boot Loader Password

Rule ID	xccdf_org.ssgproject.content_rule_grub2_uefi_password
Result	notapplicable
Multi-check rule	no
Time	2026-03-23T19:59:49+01:00
Severity	high
Identifiers and References	Identifiers: CCE-80829-5 References: BP28(R17), 1.4.1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), PR.AC-4, PR.AC-6, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, RHEL-08-010140, SV-230234r743922_rule
Description	The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. Since plaintext passwords are a security risk, generate a hash for the password by running the following command: # grub2-setpassword When prompted, enter the password that was selected.
Rationale	Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.
Warnings	warning To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above. Also, do NOT manually add the superuser account and password to the `grub.cfg` file as the grub2-mkconfig command overwrites this file.

Ensure System Log Files Have Correct Permissions

Rule ID	xccdf_org.ssgproject.content_rule_rsyslog_files_permissions
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-rsyslog_files_permissions:def:1
Time	2026-03-23T19:59:49+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80862-6 References: BP28(R36), 4.2.3, CCI-001314, 0988, 1405, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), Req-10.5.1, Req-10.5.2
Description	The file permissions for all log files written by `rsyslog` should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in `/etc/rsyslog.conf` and typically all appear in `/var/log`. For each log file LOGFILE referenced in `/etc/rsyslog.conf`, run the following command to inspect the file's permissions: $ ls -l LOGFILE If the permissions are not 600 or more restrictive, run the following command to correct this: $ sudo chmod 600 LOGFILE "
Rationale	Log files can contain valuable information regarding system configuration. If the system log files are not protected unauthorized users could change the logged data, eliminating their forensic value.

OVAL test results details

System log files have appropriate permissions set oval:ssg-test_rsyslog_files_permissions:tst:1 true

Following items have been found on the system:

Path	Type	Size (B)	Permissions
/var/log/messages	regular	1404678	`rw-------`
/var/log/secure	regular	49518	`rw-------`
/var/log/spooler	regular	0	`rw-------`
/var/log/cron	regular	3297	`rw-------`
/var/log/maillog	regular	0	`rw-------`
/var/log/boot.log	regular	6849	`rw-------`

Enable systemd-journald Service

Rule ID	xccdf_org.ssgproject.content_rule_service_systemd-journald_enabled
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-service_systemd-journald_enabled:def:1
Time	2026-03-23T19:59:49+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-85921-5 References: 4.2.2.2, CCI-001665, SC-24, SRG-OS-000269-GPOS-00103
Description	The `systemd-journald` service is an essential component of systemd. The `systemd-journald` service can be enabled with the following command: $ sudo systemctl enable systemd-journald.service
Rationale	In the event of a system failure, Red Hat Enterprise Linux 8 must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to system processes.

OVAL test results details

package systemd is installed oval:ssg-test_service_systemd-journald_package_systemd_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
systemd	x86_64	(none)	68.el8_7.4	239	0:239-68.el8_7.4	199e2f91fd431d51	systemd-0:239-68.el8_7.4.x86_64

Test that the systemd-journald service is running oval:ssg-test_service_running_systemd-journald:tst:1 true

Following items have been found on the system:

Unit	Property	Value
systemd-journald.socket	ActiveState	active
systemd-journald.service	ActiveState	active

systemd test oval:ssg-test_multi_user_wants_systemd-journald:tst:1 true

Following items have been found on the system:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	-.mount	sysinit.target	systemd-journal-catalog-update.service	systemd-ask-password-console.path	swap.target	dev-mapper-rhel\x2dswap.swap	plymouth-read-write.service	systemd-journald.service	systemd-tmpfiles-setup-dev.service	dev-hugepages.mount	dracut-shutdown.service	systemd-hwdb-update.service	systemd-binfmt.service	dev-mqueue.mount	nis-domainname.service	import-state.service	loadmodules.service	proc-sys-fs-binfmt_misc.automount	cryptsetup.target	kmod-static-nodes.service	sys-fs-fuse-connections.mount	systemd-udev-trigger.service	systemd-sysctl.service	systemd-sysusers.service	sys-kernel-debug.mount	systemd-journal-flush.service	plymouth-start.service	systemd-update-utmp.service	systemd-update-done.service	systemd-firstboot.service	lvm2-lvmpolld.socket	local-fs.target	boot.mount	home.mount	systemd-remount-fs.service	systemd-udevd.service	systemd-modules-load.service	systemd-machine-id-commit.service	systemd-tmpfiles-setup.service	sys-kernel-config.mount	systemd-random-seed.service	selinux-autorelabel-mark.service	ldconfig.service	lvm2-monitor.service	microcode.service	sockets.target	dbus.socket	systemd-coredump.socket	systemd-initctl.socket	sssd-kcm.socket	systemd-udevd-control.socket	dm-event.socket	systemd-udevd-kernel.socket	systemd-journald-dev-log.socket	systemd-journald.socket	timers.target	dnf-makecache.timer	unbound-anchor.timer	systemd-tmpfiles-clean.timer	slices.target	-.slice	system.slice	paths.target	cars-slapddefaultInst.service	NetworkManager.service	crond.service	sshd.service	haproxy.service	systemd-logind.service	auditd.service	dbus.service	rhsmcertd.service	tomcat.service	irqbalance.service	nginx.service	sssd.service	systemd-ask-password-wall.path	plymouth-quit-wait.service	chronyd.service	systemd-user-sessions.service	getty.target	getty@tty1.service	plymouth-quit.service	remote-fs.target	rsyslog.service	insights-client-boot.service	tuned.service	systemd-update-utmp-runlevel.service	kdump.service	postgresql-17.service

systemd test oval:ssg-test_multi_user_wants_systemd-journald_socket:tst:1 true

Following items have been found on the system:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	-.mount	sysinit.target	systemd-journal-catalog-update.service	systemd-ask-password-console.path	swap.target	dev-mapper-rhel\x2dswap.swap	plymouth-read-write.service	systemd-journald.service	systemd-tmpfiles-setup-dev.service	dev-hugepages.mount	dracut-shutdown.service	systemd-hwdb-update.service	systemd-binfmt.service	dev-mqueue.mount	nis-domainname.service	import-state.service	loadmodules.service	proc-sys-fs-binfmt_misc.automount	cryptsetup.target	kmod-static-nodes.service	sys-fs-fuse-connections.mount	systemd-udev-trigger.service	systemd-sysctl.service	systemd-sysusers.service	sys-kernel-debug.mount	systemd-journal-flush.service	plymouth-start.service	systemd-update-utmp.service	systemd-update-done.service	systemd-firstboot.service	lvm2-lvmpolld.socket	local-fs.target	boot.mount	home.mount	systemd-remount-fs.service	systemd-udevd.service	systemd-modules-load.service	systemd-machine-id-commit.service	systemd-tmpfiles-setup.service	sys-kernel-config.mount	systemd-random-seed.service	selinux-autorelabel-mark.service	ldconfig.service	lvm2-monitor.service	microcode.service	sockets.target	dbus.socket	systemd-coredump.socket	systemd-initctl.socket	sssd-kcm.socket	systemd-udevd-control.socket	dm-event.socket	systemd-udevd-kernel.socket	systemd-journald-dev-log.socket	systemd-journald.socket	timers.target	dnf-makecache.timer	unbound-anchor.timer	systemd-tmpfiles-clean.timer	slices.target	-.slice	system.slice	paths.target	cars-slapddefaultInst.service	NetworkManager.service	crond.service	sshd.service	haproxy.service	systemd-logind.service	auditd.service	dbus.service	rhsmcertd.service	tomcat.service	irqbalance.service	nginx.service	sssd.service	systemd-ask-password-wall.path	plymouth-quit-wait.service	chronyd.service	systemd-user-sessions.service	getty.target	getty@tty1.service	plymouth-quit.service	remote-fs.target	rsyslog.service	insights-client-boot.service	tuned.service	systemd-update-utmp-runlevel.service	kdump.service	postgresql-17.service

Ensure journald is configured to compress large log files

Rule ID xccdf_org.ssgproject.content_rule_journald_compress

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-journald_compress:def:1

Time 2026-03-23T19:59:49+01:00

Severity medium

Identifiers and References

Identifiers: CCE-85930-6

References: 4.2.2.3

Description

The journald system can compress large log files to avoid fill the system disk.

Rationale

Log files that are not properly compressed run the risk of growing so large that they fill up the log partition. Valuable logging information could be lost if the log partition becomes full.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if [ -e "/etc/systemd/journald.conf" ] ; then
    
    LC_ALL=C sed -i "/^\s*Compress\s*=\s*/d" "/etc/systemd/journald.conf"
else
    touch "/etc/systemd/journald.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/systemd/journald.conf"

cp "/etc/systemd/journald.conf" "/etc/systemd/journald.conf.bak"
# Insert before the line matching the regex '^#\s*Compress'.
line_number="$(LC_ALL=C grep -n "^#\s*Compress" "/etc/systemd/journald.conf.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^#\s*Compress', insert at
    # the end of the file.
    printf '%s\n' "Compress='yes'" >> "/etc/systemd/journald.conf"
else
    head -n "$(( line_number - 1 ))" "/etc/systemd/journald.conf.bak" > "/etc/systemd/journald.conf"
    printf '%s\n' "Compress='yes'" >> "/etc/systemd/journald.conf"
    tail -n "+$(( line_number ))" "/etc/systemd/journald.conf.bak" >> "/etc/systemd/journald.conf"
fi
# Clean up after ourselves.
rm "/etc/systemd/journald.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Setting shell-quoted shell-style assignment of 'Compress' to 'yes' in '/etc/systemd/journald.conf'
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/systemd/journald.conf
      create: false
      regexp: ^\s*Compress=
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/systemd/journald.conf
    lineinfile:
      path: /etc/systemd/journald.conf
      create: false
      regexp: ^\s*Compress=
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/systemd/journald.conf
    lineinfile:
      path: /etc/systemd/journald.conf
      create: true
      regexp: ^\s*Compress=
      line: Compress="yes"
      state: present
      insertbefore: ^# Compress
      validate: /usr/bin/bash -n %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-85930-6
  - journald_compress
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

OVAL test results details

tests the value of Compress setting in the /etc/systemd/journald.conf file oval:ssg-test_journald_compress:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_journald_compress:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/systemd/journald.conf	^[ \t]Compress=(.+?)[ \t](?:$\|#)	1

Ensure journald is configured to send logs to rsyslog

Rule ID xccdf_org.ssgproject.content_rule_journald_forward_to_syslog

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-journald_forward_to_syslog:def:1

Time 2026-03-23T19:59:49+01:00

Severity medium

Identifiers and References

Identifiers: CCE-85995-9

References: 4.2.1.3

Description

Data from journald may be stored in volatile memory or persisted locally. Utilities exist to accept remote export of journald logs.

Rationale

Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if [ -e "/etc/systemd/journald.conf" ] ; then
    
    LC_ALL=C sed -i "/^\s*ForwardToSyslog\s*=\s*/d" "/etc/systemd/journald.conf"
else
    touch "/etc/systemd/journald.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/systemd/journald.conf"

cp "/etc/systemd/journald.conf" "/etc/systemd/journald.conf.bak"
# Insert before the line matching the regex '^#\s*ForwardToSyslog'.
line_number="$(LC_ALL=C grep -n "^#\s*ForwardToSyslog" "/etc/systemd/journald.conf.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^#\s*ForwardToSyslog', insert at
    # the end of the file.
    printf '%s\n' "ForwardToSyslog='yes'" >> "/etc/systemd/journald.conf"
else
    head -n "$(( line_number - 1 ))" "/etc/systemd/journald.conf.bak" > "/etc/systemd/journald.conf"
    printf '%s\n' "ForwardToSyslog='yes'" >> "/etc/systemd/journald.conf"
    tail -n "+$(( line_number ))" "/etc/systemd/journald.conf.bak" >> "/etc/systemd/journald.conf"
fi
# Clean up after ourselves.
rm "/etc/systemd/journald.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Setting shell-quoted shell-style assignment of 'ForwardToSyslog' to 'yes'
    in '/etc/systemd/journald.conf'
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/systemd/journald.conf
      create: false
      regexp: ^\s*ForwardToSyslog=
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/systemd/journald.conf
    lineinfile:
      path: /etc/systemd/journald.conf
      create: false
      regexp: ^\s*ForwardToSyslog=
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/systemd/journald.conf
    lineinfile:
      path: /etc/systemd/journald.conf
      create: true
      regexp: ^\s*ForwardToSyslog=
      line: ForwardToSyslog="yes"
      state: present
      insertbefore: ^# ForwardToSyslog
      validate: /usr/bin/bash -n %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-85995-9
  - journald_forward_to_syslog
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

OVAL test results details

tests the value of ForwardToSyslog setting in the /etc/systemd/journald.conf file oval:ssg-test_journald_forward_to_syslog:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_journald_forward_to_syslog:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/systemd/journald.conf	^[ \t]ForwardToSyslog=(.+?)[ \t](?:$\|#)	1

Ensure journald is configured to write log files to persistent disk

Rule ID xccdf_org.ssgproject.content_rule_journald_storage

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-journald_storage:def:1

Time 2026-03-23T19:59:49+01:00

Severity medium

Identifiers and References

Identifiers: CCE-86045-2

References: 4.2.2.4

Description

The journald system may store log files in volatile memory or locally on disk. If the logs are only stored in volatile memory they will we lost upon reboot.

Rationale

Log files contain valuable data and need to be persistent to aid in possible investigations.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if [ -e "/etc/systemd/journald.conf" ] ; then
    
    LC_ALL=C sed -i "/^\s*Storage\s*=\s*/d" "/etc/systemd/journald.conf"
else
    touch "/etc/systemd/journald.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/systemd/journald.conf"

cp "/etc/systemd/journald.conf" "/etc/systemd/journald.conf.bak"
# Insert before the line matching the regex '^#\s*Storage'.
line_number="$(LC_ALL=C grep -n "^#\s*Storage" "/etc/systemd/journald.conf.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^#\s*Storage', insert at
    # the end of the file.
    printf '%s\n' "Storage='persistent'" >> "/etc/systemd/journald.conf"
else
    head -n "$(( line_number - 1 ))" "/etc/systemd/journald.conf.bak" > "/etc/systemd/journald.conf"
    printf '%s\n' "Storage='persistent'" >> "/etc/systemd/journald.conf"
    tail -n "+$(( line_number ))" "/etc/systemd/journald.conf.bak" >> "/etc/systemd/journald.conf"
fi
# Clean up after ourselves.
rm "/etc/systemd/journald.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Setting shell-quoted shell-style assignment of 'Storage' to 'persistent' in
    '/etc/systemd/journald.conf'
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/systemd/journald.conf
      create: false
      regexp: ^\s*Storage=
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/systemd/journald.conf
    lineinfile:
      path: /etc/systemd/journald.conf
      create: false
      regexp: ^\s*Storage=
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/systemd/journald.conf
    lineinfile:
      path: /etc/systemd/journald.conf
      create: true
      regexp: ^\s*Storage=
      line: Storage="persistent"
      state: present
      insertbefore: ^# Storage
      validate: /usr/bin/bash -n %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-86045-2
  - journald_storage
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

OVAL test results details

tests the value of Storage setting in the /etc/systemd/journald.conf file oval:ssg-test_journald_storage:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_journald_storage:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/systemd/journald.conf	^[ \t]Storage=(.+?)[ \t](?:$\|#)	1

Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server

Rule ID	xccdf_org.ssgproject.content_rule_rsyslog_nolisten
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-rsyslog_nolisten:def:1
Time	2026-03-23T19:59:49+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-84275-7 References: 4.2.1.7, 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, MEA02.01, CCI-000318, CCI-000366, CCI-000368, CCI-001812, CCI-001813, CCI-001814, 4.2.3.4, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.8, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 0988, 1405, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.IP-1, PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227
Description	The `rsyslog` daemon should not accept remote messages unless the system acts as a log server. To ensure that it is not listening on the network, ensure the following lines are not found in `/etc/rsyslog.conf`: $ModLoad imtcp $InputTCPServerRun port $ModLoad imudp $UDPServerRun port $ModLoad imrelp $InputRELPServerRun port
Rationale	Any process which receives messages from the network incurs some risk of receiving malicious messages. This risk can be eliminated for rsyslog by configuring it not to listen on the network.

OVAL test results details

Ensure that the /etc/rsyslog.conf does not contain $InputTCPServerRun | $UDPServerRun | $InputRELPServerRun | $ModLoad imtcp | $ModLoad imudp | $ModLoad imrelp oval:ssg-test_rsyslog_nolisten:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_rsyslog_nolisten:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/rsyslog.conf	^[\s]*\$((?:Input(?:TCP\|RELP)\|UDP)ServerRun\|ModLoad[\s]+(imtcp\|imudp\|imrelp))	1

Ensure rsyslog is Installed

Rule ID	xccdf_org.ssgproject.content_rule_package_rsyslog_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_rsyslog_installed:def:1
Time	2026-03-23T19:59:49+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80847-7 References: BP28(R5), NT28(R46), 4.2.1.1, 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227, RHEL-08-030670, SV-230477r627750_rule
Description	Rsyslog is installed by default. The `rsyslog` package can be installed with the following command: $ sudo yum install rsyslog
Rationale	The rsyslog package provides the rsyslog daemon, which provides system logging services.

OVAL test results details

package rsyslog is installed oval:ssg-test_package_rsyslog_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
rsyslog	x86_64	(none)	10.el8	8.2102.0	0:8.2102.0-10.el8	199e2f91fd431d51	rsyslog-0:8.2102.0-10.el8.x86_64

Enable rsyslog Service

Rule ID	xccdf_org.ssgproject.content_rule_service_rsyslog_enabled
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-service_rsyslog_enabled:def:1
Time	2026-03-23T19:59:49+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80886-5 References: BP28(R5), NT28(R46), 4.2.1.2, 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, CCI-000366, 164.312(a)(2)(ii), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1, SRG-OS-000480-GPOS-00227, RHEL-08-010561, SV-230298r627750_rule
Description	The `rsyslog` service provides syslog-style logging by default on Red Hat Enterprise Linux 8. The `rsyslog` service can be enabled with the following command: $ sudo systemctl enable rsyslog.service
Rationale	The `rsyslog` service must be running in order to provide logging services, which are essential to system administration.

OVAL test results details

package rsyslog is installed oval:ssg-test_service_rsyslog_package_rsyslog_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
rsyslog	x86_64	(none)	10.el8	8.2102.0	0:8.2102.0-10.el8	199e2f91fd431d51	rsyslog-0:8.2102.0-10.el8.x86_64

Test that the rsyslog service is running oval:ssg-test_service_running_rsyslog:tst:1 true

Following items have been found on the system:

Unit	Property	Value
rsyslog.service	ActiveState	active

systemd test oval:ssg-test_multi_user_wants_rsyslog:tst:1 true

Following items have been found on the system:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	-.mount	sysinit.target	systemd-journal-catalog-update.service	systemd-ask-password-console.path	swap.target	dev-mapper-rhel\x2dswap.swap	plymouth-read-write.service	systemd-journald.service	systemd-tmpfiles-setup-dev.service	dev-hugepages.mount	dracut-shutdown.service	systemd-hwdb-update.service	systemd-binfmt.service	dev-mqueue.mount	nis-domainname.service	import-state.service	loadmodules.service	proc-sys-fs-binfmt_misc.automount	cryptsetup.target	kmod-static-nodes.service	sys-fs-fuse-connections.mount	systemd-udev-trigger.service	systemd-sysctl.service	systemd-sysusers.service	sys-kernel-debug.mount	systemd-journal-flush.service	plymouth-start.service	systemd-update-utmp.service	systemd-update-done.service	systemd-firstboot.service	lvm2-lvmpolld.socket	local-fs.target	boot.mount	home.mount	systemd-remount-fs.service	systemd-udevd.service	systemd-modules-load.service	systemd-machine-id-commit.service	systemd-tmpfiles-setup.service	sys-kernel-config.mount	systemd-random-seed.service	selinux-autorelabel-mark.service	ldconfig.service	lvm2-monitor.service	microcode.service	sockets.target	dbus.socket	systemd-coredump.socket	systemd-initctl.socket	sssd-kcm.socket	systemd-udevd-control.socket	dm-event.socket	systemd-udevd-kernel.socket	systemd-journald-dev-log.socket	systemd-journald.socket	timers.target	dnf-makecache.timer	unbound-anchor.timer	systemd-tmpfiles-clean.timer	slices.target	-.slice	system.slice	paths.target	cars-slapddefaultInst.service	NetworkManager.service	crond.service	sshd.service	haproxy.service	systemd-logind.service	auditd.service	dbus.service	rhsmcertd.service	tomcat.service	irqbalance.service	nginx.service	sssd.service	systemd-ask-password-wall.path	plymouth-quit-wait.service	chronyd.service	systemd-user-sessions.service	getty.target	getty@tty1.service	plymouth-quit.service	remote-fs.target	rsyslog.service	insights-client-boot.service	tuned.service	systemd-update-utmp-runlevel.service	kdump.service	postgresql-17.service

systemd test oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1 false

Following items have been found on the system:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	-.mount	sysinit.target	systemd-journal-catalog-update.service	systemd-ask-password-console.path	swap.target	dev-mapper-rhel\x2dswap.swap	plymouth-read-write.service	systemd-journald.service	systemd-tmpfiles-setup-dev.service	dev-hugepages.mount	dracut-shutdown.service	systemd-hwdb-update.service	systemd-binfmt.service	dev-mqueue.mount	nis-domainname.service	import-state.service	loadmodules.service	proc-sys-fs-binfmt_misc.automount	cryptsetup.target	kmod-static-nodes.service	sys-fs-fuse-connections.mount	systemd-udev-trigger.service	systemd-sysctl.service	systemd-sysusers.service	sys-kernel-debug.mount	systemd-journal-flush.service	plymouth-start.service	systemd-update-utmp.service	systemd-update-done.service	systemd-firstboot.service	lvm2-lvmpolld.socket	local-fs.target	boot.mount	home.mount	systemd-remount-fs.service	systemd-udevd.service	systemd-modules-load.service	systemd-machine-id-commit.service	systemd-tmpfiles-setup.service	sys-kernel-config.mount	systemd-random-seed.service	selinux-autorelabel-mark.service	ldconfig.service	lvm2-monitor.service	microcode.service	sockets.target	dbus.socket	systemd-coredump.socket	systemd-initctl.socket	sssd-kcm.socket	systemd-udevd-control.socket	dm-event.socket	systemd-udevd-kernel.socket	systemd-journald-dev-log.socket	systemd-journald.socket	timers.target	dnf-makecache.timer	unbound-anchor.timer	systemd-tmpfiles-clean.timer	slices.target	-.slice	system.slice	paths.target	cars-slapddefaultInst.service	NetworkManager.service	crond.service	sshd.service	haproxy.service	systemd-logind.service	auditd.service	dbus.service	rhsmcertd.service	tomcat.service	irqbalance.service	nginx.service	sssd.service	systemd-ask-password-wall.path	plymouth-quit-wait.service	chronyd.service	systemd-user-sessions.service	getty.target	getty@tty1.service	plymouth-quit.service	remote-fs.target	rsyslog.service	insights-client-boot.service	tuned.service	systemd-update-utmp-runlevel.service	kdump.service	postgresql-17.service

Install firewalld Package

Rule ID	xccdf_org.ssgproject.content_rule_package_firewalld_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_firewalld_installed:def:1
Time	2026-03-23T19:59:49+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82998-6 References: 3.4.1.1, CCI-002314, CM-6(a), FMT_SMF_EXT.1, SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000298-GPOS-00116, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00232, RHEL-08-040100, SV-230505r854048_rule
Description	The `firewalld` package can be installed with the following command: $ sudo yum install firewalld
Rationale	"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Red Hat Enterprise Linux 8 functionality (e.g., SSH) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets)."

OVAL test results details

package firewalld is installed oval:ssg-test_package_firewalld_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
firewalld	noarch	(none)	13.el8	0.9.3	0:0.9.3-13.el8	199e2f91fd431d51	firewalld-0:0.9.3-13.el8.noarch

Verify firewalld Enabled

Rule ID xccdf_org.ssgproject.content_rule_service_firewalld_enabled

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-service_firewalld_enabled:def:1

Time 2026-03-23T19:59:49+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80877-4

References: 3.4.1.4, 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.3, 3.4.7, CCI-000366, CCI-000382, CCI-002314, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CIP-003-8 R4, CIP-003-8 R5, CIP-004-6 R3, AC-4, CM-7(b), CA-3(5), SC-7(21), CM-6(a), PR.IP-1, FMT_SMF_EXT.1, SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00231, SRG-OS-000480-GPOS-00232, RHEL-08-040101, SV-244544r854073_rule

Description

The firewalld service can be enabled with the following command:

$ sudo systemctl enable firewalld.service

Rationale

Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	enable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" unmask 'firewalld.service'
"$SYSTEMCTL_EXEC" start 'firewalld.service'
"$SYSTEMCTL_EXEC" enable 'firewalld.service'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	enable

- name: Enable service firewalld
  block:

  - name: Gather the package facts
    package_facts:
      manager: auto

  - name: Enable service firewalld
    service:
      name: firewalld
      enabled: 'yes'
      state: started
      masked: 'no'
    when:
    - '"firewalld" in ansible_facts.packages'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80877-4
  - DISA-STIG-RHEL-08-040101
  - NIST-800-171-3.1.3
  - NIST-800-171-3.4.7
  - NIST-800-53-AC-4
  - NIST-800-53-CA-3(5)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(21)
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_firewalld_enabled

Remediation Puppet snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	enable

include enable_firewalld

class enable_firewalld {
  service {'firewalld':
    enable => true,
    ensure => 'running',
  }
}

Remediation OSBuild Blueprint snippet ⇲


[customizations.services]
enabled = ["firewalld"]

OVAL test results details

package firewalld is installed oval:ssg-test_service_firewalld_package_firewalld_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
firewalld	noarch	(none)	13.el8	0.9.3	0:0.9.3-13.el8	199e2f91fd431d51	firewalld-0:0.9.3-13.el8.noarch

Test that the firewalld service is running oval:ssg-test_service_running_firewalld:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_service_running_firewalld:obj:1 of type systemdunitproperty_object

Unit	Property
^firewalld\.(socket\|service)$	ActiveState

systemd test oval:ssg-test_multi_user_wants_firewalld:tst:1 false

Following items have been found on the system:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	-.mount	sysinit.target	systemd-journal-catalog-update.service	systemd-ask-password-console.path	swap.target	dev-mapper-rhel\x2dswap.swap	plymouth-read-write.service	systemd-journald.service	systemd-tmpfiles-setup-dev.service	dev-hugepages.mount	dracut-shutdown.service	systemd-hwdb-update.service	systemd-binfmt.service	dev-mqueue.mount	nis-domainname.service	import-state.service	loadmodules.service	proc-sys-fs-binfmt_misc.automount	cryptsetup.target	kmod-static-nodes.service	sys-fs-fuse-connections.mount	systemd-udev-trigger.service	systemd-sysctl.service	systemd-sysusers.service	sys-kernel-debug.mount	systemd-journal-flush.service	plymouth-start.service	systemd-update-utmp.service	systemd-update-done.service	systemd-firstboot.service	lvm2-lvmpolld.socket	local-fs.target	boot.mount	home.mount	systemd-remount-fs.service	systemd-udevd.service	systemd-modules-load.service	systemd-machine-id-commit.service	systemd-tmpfiles-setup.service	sys-kernel-config.mount	systemd-random-seed.service	selinux-autorelabel-mark.service	ldconfig.service	lvm2-monitor.service	microcode.service	sockets.target	dbus.socket	systemd-coredump.socket	systemd-initctl.socket	sssd-kcm.socket	systemd-udevd-control.socket	dm-event.socket	systemd-udevd-kernel.socket	systemd-journald-dev-log.socket	systemd-journald.socket	timers.target	dnf-makecache.timer	unbound-anchor.timer	systemd-tmpfiles-clean.timer	slices.target	-.slice	system.slice	paths.target	cars-slapddefaultInst.service	NetworkManager.service	crond.service	sshd.service	haproxy.service	systemd-logind.service	auditd.service	dbus.service	rhsmcertd.service	tomcat.service	irqbalance.service	nginx.service	sssd.service	systemd-ask-password-wall.path	plymouth-quit-wait.service	chronyd.service	systemd-user-sessions.service	getty.target	getty@tty1.service	plymouth-quit.service	remote-fs.target	rsyslog.service	insights-client-boot.service	tuned.service	systemd-update-utmp-runlevel.service	kdump.service	postgresql-17.service

systemd test oval:ssg-test_multi_user_wants_firewalld_socket:tst:1 false

Following items have been found on the system:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	-.mount	sysinit.target	systemd-journal-catalog-update.service	systemd-ask-password-console.path	swap.target	dev-mapper-rhel\x2dswap.swap	plymouth-read-write.service	systemd-journald.service	systemd-tmpfiles-setup-dev.service	dev-hugepages.mount	dracut-shutdown.service	systemd-hwdb-update.service	systemd-binfmt.service	dev-mqueue.mount	nis-domainname.service	import-state.service	loadmodules.service	proc-sys-fs-binfmt_misc.automount	cryptsetup.target	kmod-static-nodes.service	sys-fs-fuse-connections.mount	systemd-udev-trigger.service	systemd-sysctl.service	systemd-sysusers.service	sys-kernel-debug.mount	systemd-journal-flush.service	plymouth-start.service	systemd-update-utmp.service	systemd-update-done.service	systemd-firstboot.service	lvm2-lvmpolld.socket	local-fs.target	boot.mount	home.mount	systemd-remount-fs.service	systemd-udevd.service	systemd-modules-load.service	systemd-machine-id-commit.service	systemd-tmpfiles-setup.service	sys-kernel-config.mount	systemd-random-seed.service	selinux-autorelabel-mark.service	ldconfig.service	lvm2-monitor.service	microcode.service	sockets.target	dbus.socket	systemd-coredump.socket	systemd-initctl.socket	sssd-kcm.socket	systemd-udevd-control.socket	dm-event.socket	systemd-udevd-kernel.socket	systemd-journald-dev-log.socket	systemd-journald.socket	timers.target	dnf-makecache.timer	unbound-anchor.timer	systemd-tmpfiles-clean.timer	slices.target	-.slice	system.slice	paths.target	cars-slapddefaultInst.service	NetworkManager.service	crond.service	sshd.service	haproxy.service	systemd-logind.service	auditd.service	dbus.service	rhsmcertd.service	tomcat.service	irqbalance.service	nginx.service	sssd.service	systemd-ask-password-wall.path	plymouth-quit-wait.service	chronyd.service	systemd-user-sessions.service	getty.target	getty@tty1.service	plymouth-quit.service	remote-fs.target	rsyslog.service	insights-client-boot.service	tuned.service	systemd-update-utmp-runlevel.service	kdump.service	postgresql-17.service

Set Default firewalld Zone for Incoming Packets

Rule ID	xccdf_org.ssgproject.content_rule_set_firewalld_default_zone
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-set_firewalld_default_zone:def:1
Time	2026-03-23T19:59:49+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80890-7 References: 3.4.1.5, 11, 14, 3, 9, 5.10.1, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.3, 3.4.7, 3.13.6, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, 1416, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CA-3(5), CM-7(b), SC-7(23), CM-6(a), PR.IP-1, PR.PT-3, FMT_MOF_EXT.1, Req-1.4, SRG-OS-000480-GPOS-00227, SRG-OS-000480-VMM-002000
Description	To set the default zone to `drop` for the built-in default zone which processes incoming IPv4 and IPv6 packets, modify the following line in `/etc/firewalld/firewalld.conf` to be: DefaultZone=drop
Rationale	In `firewalld` the default zone is applied only after all the applicable rules in the table are examined for a match. Setting the default zone to `drop` implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.
Warnings	warning To prevent denying any access to the system, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above.

OVAL test results details

Check /etc/firewalld/firewalld.conf DefaultZone for drop oval:ssg-test_firewalld_input_drop:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_firewalld_input_drop:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/firewalld/firewalld.conf	^DefaultZone=drop$	1

Set Default ip6tables Policy for Incoming Packets

Rule ID	xccdf_org.ssgproject.content_rule_set_ip6tables_default_rule
Result	notchecked
Multi-check rule	no
Time	2026-03-23T19:59:49+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-85965-2 References: 3.4.3.3.4, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CIP-003-8 R4, CIP-003-8 R5, CIP-004-6 R3, AC-4, CM-7(b), CA-3(5), SC-7(21), CM-6(a), PR.IP-1, PR.PT-3, Req-1.4.1
Description	To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in `/etc/sysconfig/ip6tables`: :INPUT DROP [0:0] If changes were required, reload the ip6tables rules: $ sudo service ip6tables reload
Rationale	In `ip6tables`, the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to `DROP` implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.
Evaluation messages info No candidate or applicable check found.

Configure Accepting Router Advertisements on All IPv6 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv6_conf_all_accept_ra:def:1
Time	2026-03-23T19:59:49+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-81006-9 References: 3.3.9, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040261, SV-230541r858812_rule
Description	To set the runtime status of the `net.ipv6.conf.all.accept_ra` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_ra=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.all.accept_ra = 0
Rationale	An illicit router advertisement message could result in a man-in-the-middle attack.

OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	net.ipv6.conf.all.disable_ipv6 = 1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_etc_sysctld:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	net.ipv6.conf.all.disable_ipv6 = 1

net.ipv6.conf.all.disable_ipv6 static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_run_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /usr/local/lib/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_usr_local_lib_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/local/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_not_defined:tst:1 false

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	net.ipv6.conf.all.disable_ipv6 = 1
/etc/sysctl.conf	net.ipv6.conf.all.disable_ipv6 = 1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1 oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.disable_ipv6	1

net.ipv6.conf.all.accept_ra static configuration oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_static:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_accept_ra:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv6.conf.all.accept_ra[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.all.accept_ra static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_static_etc_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_accept_ra:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.accept_ra[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.all.accept_ra static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_static_run_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_accept_ra:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.accept_ra[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.all.accept_ra static configuration in /usr/local/lib/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_static_usr_local_lib_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv6_conf_all_accept_ra:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/local/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.accept_ra[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.all.accept_ra static configuration oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_not_defined:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_sysctl_net_ipv6_conf_all_accept_ra_static_set_sysctls_unfiltered:obj:1 of type textfilecontent54_object

Set
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_accept_ra:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_accept_ra:obj:1

kernel runtime parameter net.ipv6.conf.all.accept_ra set to the appropriate value oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_runtime:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.accept_ra	1

Disable Accepting ICMP Redirects for All IPv6 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv6_conf_all_accept_redirects:def:1
Time	2026-03-23T19:59:49+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-81009-3 References: BP28(R22), 3.3.2, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040280, SV-230544r858820_rule
Description	To set the runtime status of the `net.ipv6.conf.all.accept_redirects` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.all.accept_redirects = 0
Rationale	An illicit ICMP redirect message could result in a man-in-the-middle attack.

OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	net.ipv6.conf.all.disable_ipv6 = 1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_etc_sysctld:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	net.ipv6.conf.all.disable_ipv6 = 1

net.ipv6.conf.all.disable_ipv6 static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_run_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /usr/local/lib/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_usr_local_lib_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/local/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_not_defined:tst:1 false

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	net.ipv6.conf.all.disable_ipv6 = 1
/etc/sysctl.conf	net.ipv6.conf.all.disable_ipv6 = 1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1 oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.disable_ipv6	1

net.ipv6.conf.all.accept_redirects static configuration oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_static:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_accept_redirects:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv6.conf.all.accept_redirects[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_static_etc_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_accept_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.accept_redirects[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.all.accept_redirects static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_static_run_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_accept_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.accept_redirects[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.all.accept_redirects static configuration in /usr/local/lib/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_static_usr_local_lib_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv6_conf_all_accept_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/local/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.accept_redirects[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.all.accept_redirects static configuration oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_not_defined:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_sysctl_net_ipv6_conf_all_accept_redirects_static_set_sysctls_unfiltered:obj:1 of type textfilecontent54_object

Set
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_accept_redirects:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_accept_redirects:obj:1

kernel runtime parameter net.ipv6.conf.all.accept_redirects set to the appropriate value oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_runtime:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.accept_redirects	1

Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv6_conf_all_accept_source_route:def:1
Time	2026-03-23T19:59:49+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-81013-5 References: BP28(R22), 3.3.1, 1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9, APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040240, SV-230538r858801_rule
Description	To set the runtime status of the `net.ipv6.conf.all.accept_source_route` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.all.accept_source_route = 0
Rationale	Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	net.ipv6.conf.all.disable_ipv6 = 1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_etc_sysctld:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	net.ipv6.conf.all.disable_ipv6 = 1

net.ipv6.conf.all.disable_ipv6 static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_run_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /usr/local/lib/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_usr_local_lib_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/local/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_not_defined:tst:1 false

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	net.ipv6.conf.all.disable_ipv6 = 1
/etc/sysctl.conf	net.ipv6.conf.all.disable_ipv6 = 1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1 oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.disable_ipv6	1

net.ipv6.conf.all.accept_source_route static configuration oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_static:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv6.conf.all.accept_source_route[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_static_etc_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.accept_source_route[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.all.accept_source_route static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_static_run_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.accept_source_route[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.all.accept_source_route static configuration in /usr/local/lib/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_static_usr_local_lib_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/local/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.accept_source_route[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.all.accept_source_route static configuration oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_not_defined:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_sysctl_net_ipv6_conf_all_accept_source_route_static_set_sysctls_unfiltered:obj:1 of type textfilecontent54_object

Set
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_accept_source_route:obj:1

kernel runtime parameter net.ipv6.conf.all.accept_source_route set to the appropriate value oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_runtime:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.accept_source_route	0

Disable Kernel Parameter for IPv6 Forwarding

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv6_conf_all_forwarding:def:1
Time	2026-03-23T19:59:49+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82863-2 References: 3.2.1, 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040260, SV-230540r858810_rule
Description	To set the runtime status of the `net.ipv6.conf.all.forwarding` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.forwarding=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.all.forwarding = 0
Rationale	IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.

OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	net.ipv6.conf.all.disable_ipv6 = 1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_etc_sysctld:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	net.ipv6.conf.all.disable_ipv6 = 1

net.ipv6.conf.all.disable_ipv6 static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_run_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /usr/local/lib/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_usr_local_lib_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/local/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_not_defined:tst:1 false

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	net.ipv6.conf.all.disable_ipv6 = 1
/etc/sysctl.conf	net.ipv6.conf.all.disable_ipv6 = 1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1 oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.disable_ipv6	1

net.ipv6.conf.all.forwarding static configuration oval:ssg-test_sysctl_net_ipv6_conf_all_forwarding_static:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_forwarding:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv6.conf.all.forwarding[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.all.forwarding static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_forwarding_static_etc_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_forwarding:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.forwarding[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.all.forwarding static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_forwarding_static_run_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_forwarding:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.forwarding[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.all.forwarding static configuration in /usr/local/lib/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_forwarding_static_usr_local_lib_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv6_conf_all_forwarding:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/local/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.forwarding[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.all.forwarding static configuration oval:ssg-test_sysctl_net_ipv6_conf_all_forwarding_not_defined:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_sysctl_net_ipv6_conf_all_forwarding_static_set_sysctls_unfiltered:obj:1 of type textfilecontent54_object

Set
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_forwarding:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_forwarding:obj:1

kernel runtime parameter net.ipv6.conf.all.forwarding set to the appropriate value oval:ssg-test_sysctl_net_ipv6_conf_all_forwarding_runtime:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.forwarding	0

Disable Accepting Router Advertisements on all IPv6 Interfaces by Default

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv6_conf_default_accept_ra:def:1
Time	2026-03-23T19:59:49+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-81007-7 References: 3.3.9, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040262, SV-230542r858814_rule
Description	To set the runtime status of the `net.ipv6.conf.default.accept_ra` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_ra=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.default.accept_ra = 0
Rationale	An illicit router advertisement message could result in a man-in-the-middle attack.

OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	net.ipv6.conf.all.disable_ipv6 = 1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_etc_sysctld:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	net.ipv6.conf.all.disable_ipv6 = 1

net.ipv6.conf.all.disable_ipv6 static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_run_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /usr/local/lib/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_usr_local_lib_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/local/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_not_defined:tst:1 false

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	net.ipv6.conf.all.disable_ipv6 = 1
/etc/sysctl.conf	net.ipv6.conf.all.disable_ipv6 = 1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1 oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.disable_ipv6	1

net.ipv6.conf.default.accept_ra static configuration oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_static:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_default_accept_ra:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv6.conf.default.accept_ra[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.default.accept_ra static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_static_etc_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_default_accept_ra:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.default.accept_ra[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.default.accept_ra static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_static_run_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_default_accept_ra:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.default.accept_ra[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.default.accept_ra static configuration in /usr/local/lib/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_static_usr_local_lib_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv6_conf_default_accept_ra:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/local/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.default.accept_ra[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.default.accept_ra static configuration oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_not_defined:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_sysctl_net_ipv6_conf_default_accept_ra_static_set_sysctls_unfiltered:obj:1 of type textfilecontent54_object

Set
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_default_accept_ra:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_default_accept_ra:obj:1

kernel runtime parameter net.ipv6.conf.default.accept_ra set to the appropriate value oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_runtime:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv6.conf.default.accept_ra	1

Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv6_conf_default_accept_redirects:def:1
Time	2026-03-23T19:59:49+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-81010-1 References: BP28(R22), 3.3.2, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040210, SV-230535r858793_rule
Description	To set the runtime status of the `net.ipv6.conf.default.accept_redirects` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.default.accept_redirects = 0
Rationale	An illicit ICMP redirect message could result in a man-in-the-middle attack.

OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	net.ipv6.conf.all.disable_ipv6 = 1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_etc_sysctld:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	net.ipv6.conf.all.disable_ipv6 = 1

net.ipv6.conf.all.disable_ipv6 static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_run_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /usr/local/lib/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_usr_local_lib_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/local/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_not_defined:tst:1 false

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	net.ipv6.conf.all.disable_ipv6 = 1
/etc/sysctl.conf	net.ipv6.conf.all.disable_ipv6 = 1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1 oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.disable_ipv6	1

net.ipv6.conf.default.accept_redirects static configuration oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_static:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv6.conf.default.accept_redirects[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_static_etc_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.default.accept_redirects[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.default.accept_redirects static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_static_run_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.default.accept_redirects[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.default.accept_redirects static configuration in /usr/local/lib/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_static_usr_local_lib_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/local/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.default.accept_redirects[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.default.accept_redirects static configuration oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_not_defined:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_sysctl_net_ipv6_conf_default_accept_redirects_static_set_sysctls_unfiltered:obj:1 of type textfilecontent54_object

Set
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_default_accept_redirects:obj:1

kernel runtime parameter net.ipv6.conf.default.accept_redirects set to the appropriate value oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_runtime:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv6.conf.default.accept_redirects	1

Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv6_conf_default_accept_source_route:def:1
Time	2026-03-23T19:59:49+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-81015-0 References: BP28(R22), 3.3.1, 1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9, APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv), DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4, Req-1.4.3, SRG-OS-000480-GPOS-00227, RHEL-08-040250, SV-230539r861085_rule
Description	To set the runtime status of the `net.ipv6.conf.default.accept_source_route` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.default.accept_source_route = 0
Rationale	Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.conf	net.ipv6.conf.all.disable_ipv6 = 1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_etc_sysctld:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	net.ipv6.conf.all.disable_ipv6 = 1

net.ipv6.conf.all.disable_ipv6 static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_run_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /usr/local/lib/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_usr_local_lib_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/local/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_not_defined:tst:1 false

Following items have been found on the system:

Path	Content
/etc/sysctl.d/99-sysctl.conf	net.ipv6.conf.all.disable_ipv6 = 1
/etc/sysctl.conf	net.ipv6.conf.all.disable_ipv6 = 1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1 oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.disable_ipv6	1

net.ipv6.conf.default.accept_source_route static configuration oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_static:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv6.conf.default.accept_source_route[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_static_etc_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.default.accept_source_route[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.default.accept_source_route static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_static_run_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.default.accept_source_route[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.default.accept_source_route static configuration in /usr/local/lib/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_static_usr_local_lib_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/local/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.default.accept_source_route[\s]=[\s](.)[\s]*$	1

net.ipv6.conf.default.accept_source_route static configuration oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_not_defined:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_sysctl_net_ipv6_conf_default_accept_source_route_static_set_sysctls_unfiltered:obj:1 of type textfilecontent54_object

Set
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_default_accept_source_route:obj:1

kernel runtime parameter net.ipv6.conf.default.accept_source_route set to the appropriate value oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_runtime:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv6.conf.default.accept_source_route	0

Disable Accepting ICMP Redirects for All IPv4 Interfaces

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_net_ipv4_conf_all_accept_redirects:def:1

Time 2026-03-23T19:59:49+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80917-8

References: BP28(R22), 3.3.2, 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, 5.10.1.1, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000366, CCI-001503, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040279, SV-244553r858818_rule

Description

To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.all.accept_redirects = 0

Rationale

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required."

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv4.conf.all.accept_redirects from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.accept_redirects.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv4.conf.all.accept_redirects" matches to preserve user data
      sed -i "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done
sysctl_net_ipv4_conf_all_accept_redirects_value='0'


#
# Set runtime for net.ipv4.conf.all.accept_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_redirects="$sysctl_net_ipv4_conf_all_accept_redirects_value"

#
# If net.ipv4.conf.all.accept_redirects present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.conf.all.accept_redirects = value" to /etc/sysctl.conf
#
# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/sysctl.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.accept_redirects")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_accept_redirects_value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.accept_redirects\\>" "/etc/sysctl.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^net.ipv4.conf.all.accept_redirects\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
else
    # \n is precaution for case where file ends without trailing newline
    cce="CCE-80917-8"
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/sysctl.conf" >> "/etc/sysctl.conf"
    printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    contains: ^[\s]*net.ipv4.conf.all.accept_redirects.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80917-8
  - CJIS-5.10.1.1
  - DISA-STIG-RHEL-08-040279
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_accept_redirects

- name: Comment out any occurrences of net.ipv4.conf.all.accept_redirects from config
    files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv4.conf.all.accept_redirects
    replace: '#net.ipv4.conf.all.accept_redirects'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80917-8
  - CJIS-5.10.1.1
  - DISA-STIG-RHEL-08-040279
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_accept_redirects
- name: XCCDF Value sysctl_net_ipv4_conf_all_accept_redirects_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_all_accept_redirects_value: !!str 0
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.all.accept_redirects is set
  sysctl:
    name: net.ipv4.conf.all.accept_redirects
    value: '{{ sysctl_net_ipv4_conf_all_accept_redirects_value }}'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80917-8
  - CJIS-5.10.1.1
  - DISA-STIG-RHEL-08-040279
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_accept_redirects

Remediation Kubernetes snippet ⇲

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.conf.all.accept_redirects%3D0%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_accept_redirects.conf
        overwrite: true

OVAL test results details

net.ipv4.conf.all.accept_redirects static configuration oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_static:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_accept_redirects:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv4.conf.all.accept_redirects[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_static_etc_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_accept_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.all.accept_redirects[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.all.accept_redirects static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_static_run_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_accept_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.all.accept_redirects[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.all.accept_redirects static configuration in /usr/local/lib/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_static_usr_local_lib_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_conf_all_accept_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/local/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.all.accept_redirects[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.all.accept_redirects static configuration oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_not_defined:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_sysctl_net_ipv4_conf_all_accept_redirects_static_set_sysctls_unfiltered:obj:1 of type textfilecontent54_object

Set
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_accept_redirects:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_accept_redirects:obj:1

kernel runtime parameter net.ipv4.conf.all.accept_redirects set to the appropriate value oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_runtime:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv4.conf.all.accept_redirects	1

Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_net_ipv4_conf_all_accept_source_route:def:1

Time 2026-03-23T19:59:49+01:00

Severity medium

Identifiers and References

Identifiers: CCE-81011-9

References: BP28(R22), 3.3.1, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040239, SV-244551r858799_rule

Description

To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.all.accept_source_route = 0

Rationale

Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.

Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv4.conf.all.accept_source_route from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.accept_source_route.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv4.conf.all.accept_source_route" matches to preserve user data
      sed -i "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done
sysctl_net_ipv4_conf_all_accept_source_route_value='0'


#
# Set runtime for net.ipv4.conf.all.accept_source_route
#
/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_source_route="$sysctl_net_ipv4_conf_all_accept_source_route_value"

#
# If net.ipv4.conf.all.accept_source_route present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.conf.all.accept_source_route = value" to /etc/sysctl.conf
#
# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/sysctl.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.accept_source_route")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_accept_source_route_value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.accept_source_route\\>" "/etc/sysctl.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^net.ipv4.conf.all.accept_source_route\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
else
    # \n is precaution for case where file ends without trailing newline
    cce="CCE-81011-9"
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/sysctl.conf" >> "/etc/sysctl.conf"
    printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    contains: ^[\s]*net.ipv4.conf.all.accept_source_route.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-81011-9
  - DISA-STIG-RHEL-08-040239
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_accept_source_route

- name: Comment out any occurrences of net.ipv4.conf.all.accept_source_route from
    config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv4.conf.all.accept_source_route
    replace: '#net.ipv4.conf.all.accept_source_route'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-81011-9
  - DISA-STIG-RHEL-08-040239
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_accept_source_route
- name: XCCDF Value sysctl_net_ipv4_conf_all_accept_source_route_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_all_accept_source_route_value: !!str 0
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.all.accept_source_route is set
  sysctl:
    name: net.ipv4.conf.all.accept_source_route
    value: '{{ sysctl_net_ipv4_conf_all_accept_source_route_value }}'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-81011-9
  - DISA-STIG-RHEL-08-040239
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_accept_source_route

Remediation Kubernetes snippet ⇲

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.conf.all.accept_source_route%3D0%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_accept_source_route.conf
        overwrite: true

OVAL test results details

net.ipv4.conf.all.accept_source_route static configuration oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_static:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv4.conf.all.accept_source_route[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_static_etc_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.all.accept_source_route[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.all.accept_source_route static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_static_run_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.all.accept_source_route[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.all.accept_source_route static configuration in /usr/local/lib/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_static_usr_local_lib_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/local/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.all.accept_source_route[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.all.accept_source_route static configuration oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_not_defined:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_sysctl_net_ipv4_conf_all_accept_source_route_static_set_sysctls_unfiltered:obj:1 of type textfilecontent54_object

Set
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_accept_source_route:obj:1

kernel runtime parameter net.ipv4.conf.all.accept_source_route set to the appropriate value oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_runtime:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv4.conf.all.accept_source_route	0

Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_net_ipv4_conf_all_log_martians:def:1

Time 2026-03-23T19:59:49+01:00

Severity unknown

Identifiers and References

Identifiers: CCE-81018-4

References: BP28(R22), 3.3.4, 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.04, DSS03.05, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000126, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.11.2.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), SC-5(3)(a), DE.CM-1, PR.AC-3, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227

Description

To set the runtime status of the net.ipv4.conf.all.log_martians kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.log_martians=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.all.log_martians = 1

Rationale

The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv4.conf.all.log_martians from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.log_martians.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv4.conf.all.log_martians" matches to preserve user data
      sed -i "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done
sysctl_net_ipv4_conf_all_log_martians_value='1'


#
# Set runtime for net.ipv4.conf.all.log_martians
#
/sbin/sysctl -q -n -w net.ipv4.conf.all.log_martians="$sysctl_net_ipv4_conf_all_log_martians_value"

#
# If net.ipv4.conf.all.log_martians present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.conf.all.log_martians = value" to /etc/sysctl.conf
#
# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/sysctl.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.log_martians")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_log_martians_value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.log_martians\\>" "/etc/sysctl.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^net.ipv4.conf.all.log_martians\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
else
    # \n is precaution for case where file ends without trailing newline
    cce="CCE-81018-4"
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/sysctl.conf" >> "/etc/sysctl.conf"
    printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    contains: ^[\s]*net.ipv4.conf.all.log_martians.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-81018-4
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5(3)(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - sysctl_net_ipv4_conf_all_log_martians
  - unknown_severity

- name: Comment out any occurrences of net.ipv4.conf.all.log_martians from config
    files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv4.conf.all.log_martians
    replace: '#net.ipv4.conf.all.log_martians'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-81018-4
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5(3)(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - sysctl_net_ipv4_conf_all_log_martians
  - unknown_severity
- name: XCCDF Value sysctl_net_ipv4_conf_all_log_martians_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_all_log_martians_value: !!str 1
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.all.log_martians is set
  sysctl:
    name: net.ipv4.conf.all.log_martians
    value: '{{ sysctl_net_ipv4_conf_all_log_martians_value }}'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-81018-4
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5(3)(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - sysctl_net_ipv4_conf_all_log_martians
  - unknown_severity

Remediation Kubernetes snippet ⇲

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.conf.all.log_martians%3D1%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_log_martians.conf
        overwrite: true

OVAL test results details

net.ipv4.conf.all.log_martians static configuration oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_static:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_log_martians:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv4.conf.all.log_martians[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.all.log_martians static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_static_etc_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_log_martians:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.all.log_martians[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.all.log_martians static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_static_run_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_log_martians:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.all.log_martians[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.all.log_martians static configuration in /usr/local/lib/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_static_usr_local_lib_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_conf_all_log_martians:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/local/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.all.log_martians[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.all.log_martians static configuration oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_not_defined:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_sysctl_net_ipv4_conf_all_log_martians_static_set_sysctls_unfiltered:obj:1 of type textfilecontent54_object

Set
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_log_martians:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_log_martians:obj:1

kernel runtime parameter net.ipv4.conf.all.log_martians set to the appropriate value oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_runtime:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv4.conf.all.log_martians	0

Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_net_ipv4_conf_all_rp_filter:def:1

Time 2026-03-23T19:59:49+01:00

Severity medium

Identifiers and References

Identifiers: CCE-81021-8

References: BP28(R22), 3.3.7, 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4, Req-1.4.3, SRG-OS-000480-GPOS-00227, RHEL-08-040285, SV-230549r858830_rule

Description

To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.all.rp_filter = 1

Rationale

Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv4.conf.all.rp_filter from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.rp_filter.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv4.conf.all.rp_filter" matches to preserve user data
      sed -i "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done
sysctl_net_ipv4_conf_all_rp_filter_value='1'


#
# Set runtime for net.ipv4.conf.all.rp_filter
#
/sbin/sysctl -q -n -w net.ipv4.conf.all.rp_filter="$sysctl_net_ipv4_conf_all_rp_filter_value"

#
# If net.ipv4.conf.all.rp_filter present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.conf.all.rp_filter = value" to /etc/sysctl.conf
#
# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/sysctl.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.rp_filter")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_rp_filter_value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.rp_filter\\>" "/etc/sysctl.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^net.ipv4.conf.all.rp_filter\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
else
    # \n is precaution for case where file ends without trailing newline
    cce="CCE-81021-8"
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/sysctl.conf" >> "/etc/sysctl.conf"
    printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    contains: ^[\s]*net.ipv4.conf.all.rp_filter.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-81021-8
  - DISA-STIG-RHEL-08-040285
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_rp_filter

- name: Comment out any occurrences of net.ipv4.conf.all.rp_filter from config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv4.conf.all.rp_filter
    replace: '#net.ipv4.conf.all.rp_filter'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-81021-8
  - DISA-STIG-RHEL-08-040285
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_rp_filter
- name: XCCDF Value sysctl_net_ipv4_conf_all_rp_filter_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_all_rp_filter_value: !!str 1
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.all.rp_filter is set
  sysctl:
    name: net.ipv4.conf.all.rp_filter
    value: '{{ sysctl_net_ipv4_conf_all_rp_filter_value }}'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-81021-8
  - DISA-STIG-RHEL-08-040285
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_rp_filter

Remediation Kubernetes snippet ⇲

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.conf.all.rp_filter%3D1%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_rp_filter.conf
        overwrite: true

OVAL test results details

net.ipv4.conf.all.rp_filter static configuration oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_static:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_rp_filter:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv4.conf.all.rp_filter[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.all.rp_filter static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_static_etc_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_rp_filter:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.all.rp_filter[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.all.rp_filter static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_static_run_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_rp_filter:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.all.rp_filter[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.all.rp_filter static configuration in /usr/local/lib/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_static_usr_local_lib_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_conf_all_rp_filter:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/local/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.all.rp_filter[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.all.rp_filter static configuration oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_not_defined:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_sysctl_net_ipv4_conf_all_rp_filter_static_set_sysctls_unfiltered:obj:1 of type textfilecontent54_object

Set
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_rp_filter:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_rp_filter:obj:1

kernel runtime parameter net.ipv4.conf.all.rp_filter set to 1 or 2 oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_runtime:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv4.conf.all.rp_filter	1

Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_net_ipv4_conf_all_secure_redirects:def:1

Time 2026-03-23T19:59:49+01:00

Severity medium

Identifiers and References

Identifiers: CCE-81016-8

References: BP28(R22), 3.3.3, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-001503, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, Req-1.4.3, SRG-OS-000480-GPOS-00227

Description

To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.all.secure_redirects = 0

Rationale

Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv4.conf.all.secure_redirects from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.secure_redirects.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv4.conf.all.secure_redirects" matches to preserve user data
      sed -i "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done
sysctl_net_ipv4_conf_all_secure_redirects_value='0'


#
# Set runtime for net.ipv4.conf.all.secure_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.all.secure_redirects="$sysctl_net_ipv4_conf_all_secure_redirects_value"

#
# If net.ipv4.conf.all.secure_redirects present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.conf.all.secure_redirects = value" to /etc/sysctl.conf
#
# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/sysctl.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.secure_redirects")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_secure_redirects_value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.secure_redirects\\>" "/etc/sysctl.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^net.ipv4.conf.all.secure_redirects\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
else
    # \n is precaution for case where file ends without trailing newline
    cce="CCE-81016-8"
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/sysctl.conf" >> "/etc/sysctl.conf"
    printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    contains: ^[\s]*net.ipv4.conf.all.secure_redirects.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-81016-8
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_secure_redirects

- name: Comment out any occurrences of net.ipv4.conf.all.secure_redirects from config
    files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv4.conf.all.secure_redirects
    replace: '#net.ipv4.conf.all.secure_redirects'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-81016-8
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_secure_redirects
- name: XCCDF Value sysctl_net_ipv4_conf_all_secure_redirects_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_all_secure_redirects_value: !!str 0
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.all.secure_redirects is set
  sysctl:
    name: net.ipv4.conf.all.secure_redirects
    value: '{{ sysctl_net_ipv4_conf_all_secure_redirects_value }}'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-81016-8
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_secure_redirects

Remediation Kubernetes snippet ⇲

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.conf.all.secure_redirects%3D0%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_secure_redirects.conf
        overwrite: true

OVAL test results details

net.ipv4.conf.all.secure_redirects static configuration oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_static:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_secure_redirects:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv4.conf.all.secure_redirects[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.all.secure_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_static_etc_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_secure_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.all.secure_redirects[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.all.secure_redirects static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_static_run_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_secure_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.all.secure_redirects[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.all.secure_redirects static configuration in /usr/local/lib/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_static_usr_local_lib_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_conf_all_secure_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/local/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.all.secure_redirects[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.all.secure_redirects static configuration oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_not_defined:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_sysctl_net_ipv4_conf_all_secure_redirects_static_set_sysctls_unfiltered:obj:1 of type textfilecontent54_object

Set
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_secure_redirects:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_secure_redirects:obj:1

kernel runtime parameter net.ipv4.conf.all.secure_redirects set to the appropriate value oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_runtime:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv4.conf.all.secure_redirects	1

Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_net_ipv4_conf_default_accept_redirects:def:1

Time 2026-03-23T19:59:49+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80919-4

References: BP28(R22), 3.3.2, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, Req-1.4.3, SRG-OS-000480-GPOS-00227, RHEL-08-040209, SV-244550r858791_rule

Description

To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.default.accept_redirects = 0

Rationale

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv4.conf.default.accept_redirects from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.accept_redirects.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv4.conf.default.accept_redirects" matches to preserve user data
      sed -i "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done
sysctl_net_ipv4_conf_default_accept_redirects_value='0'


#
# Set runtime for net.ipv4.conf.default.accept_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_redirects="$sysctl_net_ipv4_conf_default_accept_redirects_value"

#
# If net.ipv4.conf.default.accept_redirects present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.conf.default.accept_redirects = value" to /etc/sysctl.conf
#
# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/sysctl.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.accept_redirects")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_accept_redirects_value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.accept_redirects\\>" "/etc/sysctl.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^net.ipv4.conf.default.accept_redirects\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
else
    # \n is precaution for case where file ends without trailing newline
    cce="CCE-80919-4"
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/sysctl.conf" >> "/etc/sysctl.conf"
    printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    contains: ^[\s]*net.ipv4.conf.default.accept_redirects.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80919-4
  - CJIS-5.10.1.1
  - DISA-STIG-RHEL-08-040209
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_accept_redirects

- name: Comment out any occurrences of net.ipv4.conf.default.accept_redirects from
    config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv4.conf.default.accept_redirects
    replace: '#net.ipv4.conf.default.accept_redirects'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80919-4
  - CJIS-5.10.1.1
  - DISA-STIG-RHEL-08-040209
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_accept_redirects
- name: XCCDF Value sysctl_net_ipv4_conf_default_accept_redirects_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_default_accept_redirects_value: !!str 0
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.default.accept_redirects is set
  sysctl:
    name: net.ipv4.conf.default.accept_redirects
    value: '{{ sysctl_net_ipv4_conf_default_accept_redirects_value }}'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80919-4
  - CJIS-5.10.1.1
  - DISA-STIG-RHEL-08-040209
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_accept_redirects

Remediation Kubernetes snippet ⇲

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.conf.default.accept_redirects%3D0%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_accept_redirects.conf
        overwrite: true

OVAL test results details

net.ipv4.conf.default.accept_redirects static configuration oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_static:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv4.conf.default.accept_redirects[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_static_etc_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.default.accept_redirects[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.default.accept_redirects static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_static_run_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.default.accept_redirects[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.default.accept_redirects static configuration in /usr/local/lib/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_static_usr_local_lib_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/local/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.default.accept_redirects[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.default.accept_redirects static configuration oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_not_defined:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_sysctl_net_ipv4_conf_default_accept_redirects_static_set_sysctls_unfiltered:obj:1 of type textfilecontent54_object

Set
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_accept_redirects:obj:1

kernel runtime parameter net.ipv4.conf.default.accept_redirects set to the appropriate value oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_runtime:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv4.conf.default.accept_redirects	1

Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_net_ipv4_conf_default_accept_source_route:def:1

Time 2026-03-23T19:59:49+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80920-2

References: BP28(R22), 3.3.1, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040249, SV-244552r858803_rule

Description

To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.default.accept_source_route = 0

Rationale

Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv4.conf.default.accept_source_route from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.accept_source_route.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv4.conf.default.accept_source_route" matches to preserve user data
      sed -i "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done
sysctl_net_ipv4_conf_default_accept_source_route_value='0'


#
# Set runtime for net.ipv4.conf.default.accept_source_route
#
/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_source_route="$sysctl_net_ipv4_conf_default_accept_source_route_value"

#
# If net.ipv4.conf.default.accept_source_route present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.conf.default.accept_source_route = value" to /etc/sysctl.conf
#
# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/sysctl.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.accept_source_route")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_accept_source_route_value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.accept_source_route\\>" "/etc/sysctl.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^net.ipv4.conf.default.accept_source_route\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
else
    # \n is precaution for case where file ends without trailing newline
    cce="CCE-80920-2"
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/sysctl.conf" >> "/etc/sysctl.conf"
    printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    contains: ^[\s]*net.ipv4.conf.default.accept_source_route.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80920-2
  - CJIS-5.10.1.1
  - DISA-STIG-RHEL-08-040249
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_accept_source_route

- name: Comment out any occurrences of net.ipv4.conf.default.accept_source_route from
    config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv4.conf.default.accept_source_route
    replace: '#net.ipv4.conf.default.accept_source_route'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80920-2
  - CJIS-5.10.1.1
  - DISA-STIG-RHEL-08-040249
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_accept_source_route
- name: XCCDF Value sysctl_net_ipv4_conf_default_accept_source_route_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_default_accept_source_route_value: !!str 0
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.default.accept_source_route is set
  sysctl:
    name: net.ipv4.conf.default.accept_source_route
    value: '{{ sysctl_net_ipv4_conf_default_accept_source_route_value }}'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80920-2
  - CJIS-5.10.1.1
  - DISA-STIG-RHEL-08-040249
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_accept_source_route

Remediation Kubernetes snippet ⇲

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.conf.default.accept_source_route%3D0%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_accept_source_route.conf
        overwrite: true

OVAL test results details

net.ipv4.conf.default.accept_source_route static configuration oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_static:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_default_accept_source_route:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv4.conf.default.accept_source_route[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_static_etc_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_default_accept_source_route:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.default.accept_source_route[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.default.accept_source_route static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_static_run_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_accept_source_route:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.default.accept_source_route[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.default.accept_source_route static configuration in /usr/local/lib/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_static_usr_local_lib_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_conf_default_accept_source_route:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/local/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.default.accept_source_route[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.default.accept_source_route static configuration oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_not_defined:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_sysctl_net_ipv4_conf_default_accept_source_route_static_set_sysctls_unfiltered:obj:1 of type textfilecontent54_object

Set
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_accept_source_route:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_accept_source_route:obj:1

kernel runtime parameter net.ipv4.conf.default.accept_source_route set to the appropriate value oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_runtime:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv4.conf.default.accept_source_route	1

Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_net_ipv4_conf_default_log_martians:def:1

Time 2026-03-23T19:59:49+01:00

Severity unknown

Identifiers and References

Identifiers: CCE-81020-0

References: 3.3.4, 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.04, DSS03.05, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000126, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.11.2.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), SC-5(3)(a), DE.CM-1, PR.AC-3, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227

Description

To set the runtime status of the net.ipv4.conf.default.log_martians kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.log_martians=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.default.log_martians = 1

Rationale

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv4.conf.default.log_martians from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.log_martians.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv4.conf.default.log_martians" matches to preserve user data
      sed -i "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done
sysctl_net_ipv4_conf_default_log_martians_value='1'


#
# Set runtime for net.ipv4.conf.default.log_martians
#
/sbin/sysctl -q -n -w net.ipv4.conf.default.log_martians="$sysctl_net_ipv4_conf_default_log_martians_value"

#
# If net.ipv4.conf.default.log_martians present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.conf.default.log_martians = value" to /etc/sysctl.conf
#
# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/sysctl.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.log_martians")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_log_martians_value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.log_martians\\>" "/etc/sysctl.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^net.ipv4.conf.default.log_martians\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
else
    # \n is precaution for case where file ends without trailing newline
    cce="CCE-81020-0"
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/sysctl.conf" >> "/etc/sysctl.conf"
    printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    contains: ^[\s]*net.ipv4.conf.default.log_martians.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-81020-0
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5(3)(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - sysctl_net_ipv4_conf_default_log_martians
  - unknown_severity

- name: Comment out any occurrences of net.ipv4.conf.default.log_martians from config
    files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv4.conf.default.log_martians
    replace: '#net.ipv4.conf.default.log_martians'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-81020-0
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5(3)(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - sysctl_net_ipv4_conf_default_log_martians
  - unknown_severity
- name: XCCDF Value sysctl_net_ipv4_conf_default_log_martians_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_default_log_martians_value: !!str 1
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.default.log_martians is set
  sysctl:
    name: net.ipv4.conf.default.log_martians
    value: '{{ sysctl_net_ipv4_conf_default_log_martians_value }}'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-81020-0
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5(3)(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - sysctl_net_ipv4_conf_default_log_martians
  - unknown_severity

Remediation Kubernetes snippet ⇲

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.conf.default.log_martians%3D1%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_log_martians.conf
        overwrite: true

OVAL test results details

net.ipv4.conf.default.log_martians static configuration oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_static:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_default_log_martians:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv4.conf.default.log_martians[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.default.log_martians static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_static_etc_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_default_log_martians:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.default.log_martians[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.default.log_martians static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_static_run_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_log_martians:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.default.log_martians[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.default.log_martians static configuration in /usr/local/lib/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_static_usr_local_lib_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_conf_default_log_martians:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/local/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.default.log_martians[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.default.log_martians static configuration oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_not_defined:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_sysctl_net_ipv4_conf_default_log_martians_static_set_sysctls_unfiltered:obj:1 of type textfilecontent54_object

Set
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_log_martians:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_log_martians:obj:1

kernel runtime parameter net.ipv4.conf.default.log_martians set to the appropriate value oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_runtime:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv4.conf.default.log_martians	0

Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_net_ipv4_conf_default_rp_filter:def:1

Time 2026-03-23T19:59:49+01:00

Severity medium

Identifiers and References

Identifiers: CCE-81022-6

References: BP28(R22), 3.3.7, 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227

Description

To set the runtime status of the net.ipv4.conf.default.rp_filter kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.rp_filter=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.default.rp_filter = 1

Rationale

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv4.conf.default.rp_filter from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.rp_filter.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv4.conf.default.rp_filter" matches to preserve user data
      sed -i "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done
sysctl_net_ipv4_conf_default_rp_filter_value='1'


#
# Set runtime for net.ipv4.conf.default.rp_filter
#
/sbin/sysctl -q -n -w net.ipv4.conf.default.rp_filter="$sysctl_net_ipv4_conf_default_rp_filter_value"

#
# If net.ipv4.conf.default.rp_filter present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.conf.default.rp_filter = value" to /etc/sysctl.conf
#
# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/sysctl.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.rp_filter")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_rp_filter_value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.rp_filter\\>" "/etc/sysctl.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^net.ipv4.conf.default.rp_filter\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
else
    # \n is precaution for case where file ends without trailing newline
    cce="CCE-81022-6"
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/sysctl.conf" >> "/etc/sysctl.conf"
    printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    contains: ^[\s]*net.ipv4.conf.default.rp_filter.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-81022-6
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_rp_filter

- name: Comment out any occurrences of net.ipv4.conf.default.rp_filter from config
    files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv4.conf.default.rp_filter
    replace: '#net.ipv4.conf.default.rp_filter'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-81022-6
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_rp_filter
- name: XCCDF Value sysctl_net_ipv4_conf_default_rp_filter_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_default_rp_filter_value: !!str 1
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.default.rp_filter is set
  sysctl:
    name: net.ipv4.conf.default.rp_filter
    value: '{{ sysctl_net_ipv4_conf_default_rp_filter_value }}'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-81022-6
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_rp_filter

Remediation Kubernetes snippet ⇲

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.conf.default.rp_filter%3D1%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_rp_filter.conf
        overwrite: true

OVAL test results details

net.ipv4.conf.default.rp_filter static configuration oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_static:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_default_rp_filter:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv4.conf.default.rp_filter[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.default.rp_filter static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_static_etc_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_default_rp_filter:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.default.rp_filter[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.default.rp_filter static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_static_run_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_rp_filter:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.default.rp_filter[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.default.rp_filter static configuration in /usr/local/lib/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_static_usr_local_lib_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_conf_default_rp_filter:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/local/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.default.rp_filter[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.default.rp_filter static configuration oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_not_defined:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_sysctl_net_ipv4_conf_default_rp_filter_static_set_sysctls_unfiltered:obj:1 of type textfilecontent54_object

Set
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_rp_filter:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_rp_filter:obj:1

kernel runtime parameter net.ipv4.conf.default.rp_filter set to the appropriate value oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_runtime:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv4.conf.default.rp_filter	0

Configure Kernel Parameter for Accepting Secure Redirects By Default

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_net_ipv4_conf_default_secure_redirects:def:1

Time 2026-03-23T19:59:49+01:00

Severity medium

Identifiers and References

Identifiers: CCE-81017-6

References: BP28(R22), 3.3.3, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227

Description

To set the runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.default.secure_redirects = 0

Rationale

Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv4.conf.default.secure_redirects from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.secure_redirects.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv4.conf.default.secure_redirects" matches to preserve user data
      sed -i "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done
sysctl_net_ipv4_conf_default_secure_redirects_value='0'


#
# Set runtime for net.ipv4.conf.default.secure_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.default.secure_redirects="$sysctl_net_ipv4_conf_default_secure_redirects_value"

#
# If net.ipv4.conf.default.secure_redirects present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.conf.default.secure_redirects = value" to /etc/sysctl.conf
#
# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/sysctl.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.secure_redirects")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_secure_redirects_value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.secure_redirects\\>" "/etc/sysctl.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^net.ipv4.conf.default.secure_redirects\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
else
    # \n is precaution for case where file ends without trailing newline
    cce="CCE-81017-6"
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/sysctl.conf" >> "/etc/sysctl.conf"
    printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    contains: ^[\s]*net.ipv4.conf.default.secure_redirects.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-81017-6
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_secure_redirects

- name: Comment out any occurrences of net.ipv4.conf.default.secure_redirects from
    config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv4.conf.default.secure_redirects
    replace: '#net.ipv4.conf.default.secure_redirects'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-81017-6
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_secure_redirects
- name: XCCDF Value sysctl_net_ipv4_conf_default_secure_redirects_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_default_secure_redirects_value: !!str 0
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.default.secure_redirects is set
  sysctl:
    name: net.ipv4.conf.default.secure_redirects
    value: '{{ sysctl_net_ipv4_conf_default_secure_redirects_value }}'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-81017-6
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_secure_redirects

Remediation Kubernetes snippet ⇲

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.conf.default.secure_redirects%3D0%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_secure_redirects.conf
        overwrite: true

OVAL test results details

net.ipv4.conf.default.secure_redirects static configuration oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_static:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_default_secure_redirects:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv4.conf.default.secure_redirects[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.default.secure_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_static_etc_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_default_secure_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.default.secure_redirects[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.default.secure_redirects static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_static_run_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_secure_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.default.secure_redirects[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.default.secure_redirects static configuration in /usr/local/lib/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_static_usr_local_lib_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_conf_default_secure_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/local/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.default.secure_redirects[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.default.secure_redirects static configuration oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_not_defined:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_sysctl_net_ipv4_conf_default_secure_redirects_static_set_sysctls_unfiltered:obj:1 of type textfilecontent54_object

Set
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_secure_redirects:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_secure_redirects:obj:1

kernel runtime parameter net.ipv4.conf.default.secure_redirects set to the appropriate value oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_runtime:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv4.conf.default.secure_redirects	1

Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts:def:1

Time 2026-03-23T19:59:49+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80922-8

References: 3.3.5, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, Req-1.4.3, SRG-OS-000480-GPOS-00227, RHEL-08-040230, SV-230537r858797_rule

Description

To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.icmp_echo_ignore_broadcasts = 1

Rationale

Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.
Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv4.icmp_echo_ignore_broadcasts from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.icmp_echo_ignore_broadcasts.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv4.icmp_echo_ignore_broadcasts" matches to preserve user data
      sed -i "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done
sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value='1'


#
# Set runtime for net.ipv4.icmp_echo_ignore_broadcasts
#
/sbin/sysctl -q -n -w net.ipv4.icmp_echo_ignore_broadcasts="$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value"

#
# If net.ipv4.icmp_echo_ignore_broadcasts present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.icmp_echo_ignore_broadcasts = value" to /etc/sysctl.conf
#
# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/sysctl.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.icmp_echo_ignore_broadcasts")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.icmp_echo_ignore_broadcasts\\>" "/etc/sysctl.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^net.ipv4.icmp_echo_ignore_broadcasts\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
else
    # \n is precaution for case where file ends without trailing newline
    cce="CCE-80922-8"
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/sysctl.conf" >> "/etc/sysctl.conf"
    printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    contains: ^[\s]*net.ipv4.icmp_echo_ignore_broadcasts.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80922-8
  - CJIS-5.10.1.1
  - DISA-STIG-RHEL-08-040230
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - PCI-DSS-Req-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_icmp_echo_ignore_broadcasts

- name: Comment out any occurrences of net.ipv4.icmp_echo_ignore_broadcasts from config
    files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv4.icmp_echo_ignore_broadcasts
    replace: '#net.ipv4.icmp_echo_ignore_broadcasts'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80922-8
  - CJIS-5.10.1.1
  - DISA-STIG-RHEL-08-040230
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - PCI-DSS-Req-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
- name: XCCDF Value sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value # promote to variable
  set_fact:
    sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value: !!str 1
  tags:
    - always

- name: Ensure sysctl net.ipv4.icmp_echo_ignore_broadcasts is set
  sysctl:
    name: net.ipv4.icmp_echo_ignore_broadcasts
    value: '{{ sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value }}'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80922-8
  - CJIS-5.10.1.1
  - DISA-STIG-RHEL-08-040230
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - PCI-DSS-Req-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_icmp_echo_ignore_broadcasts

Remediation Kubernetes snippet ⇲

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.icmp_echo_ignore_broadcasts%3D1%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_icmp_echo_ignore_broadcasts.conf
        overwrite: true

OVAL test results details

net.ipv4.icmp_echo_ignore_broadcasts static configuration oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv4.icmp_echo_ignore_broadcasts[\s]=[\s](.)[\s]*$	1

net.ipv4.icmp_echo_ignore_broadcasts static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static_etc_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv4.icmp_echo_ignore_broadcasts[\s]=[\s](.)[\s]*$	1

net.ipv4.icmp_echo_ignore_broadcasts static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static_run_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv4.icmp_echo_ignore_broadcasts[\s]=[\s](.)[\s]*$	1

net.ipv4.icmp_echo_ignore_broadcasts static configuration in /usr/local/lib/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static_usr_local_lib_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/local/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv4.icmp_echo_ignore_broadcasts[\s]=[\s](.)[\s]*$	1

net.ipv4.icmp_echo_ignore_broadcasts static configuration oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_not_defined:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static_set_sysctls_unfiltered:obj:1 of type textfilecontent54_object

Set
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1

kernel runtime parameter net.ipv4.icmp_echo_ignore_broadcasts set to the appropriate value oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_runtime:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv4.icmp_echo_ignore_broadcasts	1

Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses:def:1

Time 2026-03-23T19:59:49+01:00

Severity unknown

Identifiers and References

Identifiers: CCE-81023-4

References: BP28(R22), 3.3.6, 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, Req-1.4.3, SRG-OS-000480-GPOS-00227

Description

To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.icmp_ignore_bogus_error_responses = 1

Rationale

Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv4.icmp_ignore_bogus_error_responses from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.icmp_ignore_bogus_error_responses.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv4.icmp_ignore_bogus_error_responses" matches to preserve user data
      sed -i "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done
sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value='1'


#
# Set runtime for net.ipv4.icmp_ignore_bogus_error_responses
#
/sbin/sysctl -q -n -w net.ipv4.icmp_ignore_bogus_error_responses="$sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value"

#
# If net.ipv4.icmp_ignore_bogus_error_responses present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.icmp_ignore_bogus_error_responses = value" to /etc/sysctl.conf
#
# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/sysctl.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.icmp_ignore_bogus_error_responses")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.icmp_ignore_bogus_error_responses\\>" "/etc/sysctl.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^net.ipv4.icmp_ignore_bogus_error_responses\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
else
    # \n is precaution for case where file ends without trailing newline
    cce="CCE-81023-4"
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/sysctl.conf" >> "/etc/sysctl.conf"
    printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    contains: ^[\s]*net.ipv4.icmp_ignore_bogus_error_responses.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-81023-4
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - PCI-DSS-Req-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
  - unknown_severity

- name: Comment out any occurrences of net.ipv4.icmp_ignore_bogus_error_responses
    from config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv4.icmp_ignore_bogus_error_responses
    replace: '#net.ipv4.icmp_ignore_bogus_error_responses'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-81023-4
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - PCI-DSS-Req-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
  - unknown_severity
- name: XCCDF Value sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value # promote to variable
  set_fact:
    sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value: !!str 1
  tags:
    - always

- name: Ensure sysctl net.ipv4.icmp_ignore_bogus_error_responses is set
  sysctl:
    name: net.ipv4.icmp_ignore_bogus_error_responses
    value: '{{ sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value }}'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-81023-4
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - PCI-DSS-Req-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
  - unknown_severity

Remediation Kubernetes snippet ⇲

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.icmp_ignore_bogus_error_responses%3D1%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_icmp_ignore_bogus_error_responses.conf
        overwrite: true

OVAL test results details

net.ipv4.icmp_ignore_bogus_error_responses static configuration oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv4.icmp_ignore_bogus_error_responses[\s]=[\s](.)[\s]*$	1

net.ipv4.icmp_ignore_bogus_error_responses static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static_etc_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv4.icmp_ignore_bogus_error_responses[\s]=[\s](.)[\s]*$	1

net.ipv4.icmp_ignore_bogus_error_responses static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static_run_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv4.icmp_ignore_bogus_error_responses[\s]=[\s](.)[\s]*$	1

net.ipv4.icmp_ignore_bogus_error_responses static configuration in /usr/local/lib/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static_usr_local_lib_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/local/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv4.icmp_ignore_bogus_error_responses[\s]=[\s](.)[\s]*$	1

net.ipv4.icmp_ignore_bogus_error_responses static configuration oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_not_defined:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static_set_sysctls_unfiltered:obj:1 of type textfilecontent54_object

Set
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1

kernel runtime parameter net.ipv4.icmp_ignore_bogus_error_responses set to the appropriate value oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_runtime:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv4.icmp_ignore_bogus_error_responses	1

Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_net_ipv4_tcp_syncookies:def:1

Time 2026-03-23T19:59:49+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80923-6

References: BP28(R22), 3.3.8, 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, CCI-001095, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), SC-5(1), SC-5(2), SC-5(3)(a), CM-6(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4, Req-1.4.1, SRG-OS-000480-GPOS-00227, SRG-OS-000420-GPOS-00186, SRG-OS-000142-GPOS-00071

Description

To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.tcp_syncookies=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.tcp_syncookies = 1

Rationale

A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv4.tcp_syncookies from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.tcp_syncookies.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv4.tcp_syncookies" matches to preserve user data
      sed -i "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done
sysctl_net_ipv4_tcp_syncookies_value='1'


#
# Set runtime for net.ipv4.tcp_syncookies
#
/sbin/sysctl -q -n -w net.ipv4.tcp_syncookies="$sysctl_net_ipv4_tcp_syncookies_value"

#
# If net.ipv4.tcp_syncookies present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.tcp_syncookies = value" to /etc/sysctl.conf
#
# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/sysctl.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.tcp_syncookies")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_tcp_syncookies_value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.tcp_syncookies\\>" "/etc/sysctl.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^net.ipv4.tcp_syncookies\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
else
    # \n is precaution for case where file ends without trailing newline
    cce="CCE-80923-6"
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/sysctl.conf" >> "/etc/sysctl.conf"
    printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    contains: ^[\s]*net.ipv4.tcp_syncookies.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80923-6
  - CJIS-5.10.1.1
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5(1)
  - NIST-800-53-SC-5(2)
  - NIST-800-53-SC-5(3)(a)
  - PCI-DSS-Req-1.4.1
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_tcp_syncookies

- name: Comment out any occurrences of net.ipv4.tcp_syncookies from config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv4.tcp_syncookies
    replace: '#net.ipv4.tcp_syncookies'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80923-6
  - CJIS-5.10.1.1
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5(1)
  - NIST-800-53-SC-5(2)
  - NIST-800-53-SC-5(3)(a)
  - PCI-DSS-Req-1.4.1
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_tcp_syncookies
- name: XCCDF Value sysctl_net_ipv4_tcp_syncookies_value # promote to variable
  set_fact:
    sysctl_net_ipv4_tcp_syncookies_value: !!str 1
  tags:
    - always

- name: Ensure sysctl net.ipv4.tcp_syncookies is set
  sysctl:
    name: net.ipv4.tcp_syncookies
    value: '{{ sysctl_net_ipv4_tcp_syncookies_value }}'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80923-6
  - CJIS-5.10.1.1
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5(1)
  - NIST-800-53-SC-5(2)
  - NIST-800-53-SC-5(3)(a)
  - PCI-DSS-Req-1.4.1
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_tcp_syncookies

Remediation Kubernetes snippet ⇲

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.tcp_syncookies%3D1%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_tcp_syncookies.conf
        overwrite: true

OVAL test results details

net.ipv4.tcp_syncookies static configuration oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_static:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_sysctl_net_ipv4_tcp_syncookies:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv4.tcp_syncookies[\s]=[\s](.)[\s]*$	1

net.ipv4.tcp_syncookies static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_static_etc_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_tcp_syncookies:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv4.tcp_syncookies[\s]=[\s](.)[\s]*$	1

net.ipv4.tcp_syncookies static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_static_run_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_tcp_syncookies:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv4.tcp_syncookies[\s]=[\s](.)[\s]*$	1

net.ipv4.tcp_syncookies static configuration in /usr/local/lib/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_static_usr_local_lib_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_tcp_syncookies:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/local/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv4.tcp_syncookies[\s]=[\s](.)[\s]*$	1

net.ipv4.tcp_syncookies static configuration oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_not_defined:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_sysctl_net_ipv4_tcp_syncookies_static_set_sysctls_unfiltered:obj:1 of type textfilecontent54_object

Set
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_tcp_syncookies:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_tcp_syncookies:obj:1

kernel runtime parameter net.ipv4.tcp_syncookies set to the appropriate value oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_runtime:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv4.tcp_syncookies	1

Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_net_ipv4_conf_all_send_redirects:def:1

Time 2026-03-23T19:59:49+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80918-6

References: BP28(R22), 3.2.2, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040220, SV-230536r858795_rule

Description

To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.all.send_redirects = 0

Rationale

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv4.conf.all.send_redirects from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.send_redirects.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv4.conf.all.send_redirects" matches to preserve user data
      sed -i "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set runtime for net.ipv4.conf.all.send_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.all.send_redirects="0"

#
# If net.ipv4.conf.all.send_redirects present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.conf.all.send_redirects = 0" to /etc/sysctl.conf
#
# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/sysctl.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.send_redirects")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "0"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.send_redirects\\>" "/etc/sysctl.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^net.ipv4.conf.all.send_redirects\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
else
    # \n is precaution for case where file ends without trailing newline
    cce="CCE-80918-6"
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/sysctl.conf" >> "/etc/sysctl.conf"
    printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    contains: ^[\s]*net.ipv4.conf.all.send_redirects.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80918-6
  - CJIS-5.10.1.1
  - DISA-STIG-RHEL-08-040220
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_send_redirects

- name: Comment out any occurrences of net.ipv4.conf.all.send_redirects from config
    files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv4.conf.all.send_redirects
    replace: '#net.ipv4.conf.all.send_redirects'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80918-6
  - CJIS-5.10.1.1
  - DISA-STIG-RHEL-08-040220
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_send_redirects

- name: Ensure sysctl net.ipv4.conf.all.send_redirects is set to 0
  sysctl:
    name: net.ipv4.conf.all.send_redirects
    value: '0'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80918-6
  - CJIS-5.10.1.1
  - DISA-STIG-RHEL-08-040220
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_send_redirects

Remediation Kubernetes snippet ⇲

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.conf.all.send_redirects%3D0%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_send_redirects.conf
        overwrite: true

OVAL test results details

net.ipv4.conf.all.send_redirects static configuration oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_static:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_send_redirects:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv4.conf.all.send_redirects[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.all.send_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_static_etc_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_send_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.all.send_redirects[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.all.send_redirects static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_static_run_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_send_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.all.send_redirects[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.all.send_redirects static configuration in /usr/local/lib/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_static_usr_local_lib_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_conf_all_send_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/local/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.all.send_redirects[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.all.send_redirects static configuration oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_not_defined:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_sysctl_net_ipv4_conf_all_send_redirects_static_set_sysctls_unfiltered:obj:1 of type textfilecontent54_object

Set
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_send_redirects:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_send_redirects:obj:1

kernel runtime parameter net.ipv4.conf.all.send_redirects set to 0 oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_runtime:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv4.conf.all.send_redirects	1

Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_net_ipv4_conf_default_send_redirects:def:1

Time 2026-03-23T19:59:49+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80921-0

Description

To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.default.send_redirects = 0

Rationale

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv4.conf.default.send_redirects from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.send_redirects.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv4.conf.default.send_redirects" matches to preserve user data
      sed -i "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set runtime for net.ipv4.conf.default.send_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.default.send_redirects="0"

#
# If net.ipv4.conf.default.send_redirects present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.conf.default.send_redirects = 0" to /etc/sysctl.conf
#
# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/sysctl.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.send_redirects")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "0"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.send_redirects\\>" "/etc/sysctl.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^net.ipv4.conf.default.send_redirects\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
else
    # \n is precaution for case where file ends without trailing newline
    cce="CCE-80921-0"
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/sysctl.conf" >> "/etc/sysctl.conf"
    printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    contains: ^[\s]*net.ipv4.conf.default.send_redirects.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80921-0
  - CJIS-5.10.1.1
  - DISA-STIG-RHEL-08-040270
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_send_redirects

- name: Comment out any occurrences of net.ipv4.conf.default.send_redirects from config
    files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv4.conf.default.send_redirects
    replace: '#net.ipv4.conf.default.send_redirects'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80921-0
  - CJIS-5.10.1.1
  - DISA-STIG-RHEL-08-040270
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_send_redirects

- name: Ensure sysctl net.ipv4.conf.default.send_redirects is set to 0
  sysctl:
    name: net.ipv4.conf.default.send_redirects
    value: '0'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80921-0
  - CJIS-5.10.1.1
  - DISA-STIG-RHEL-08-040270
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_send_redirects

Remediation Kubernetes snippet ⇲

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.conf.default.send_redirects%3D0%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_send_redirects.conf
        overwrite: true

OVAL test results details

net.ipv4.conf.default.send_redirects static configuration oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_static:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_default_send_redirects:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv4.conf.default.send_redirects[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.default.send_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_static_etc_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_default_send_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.default.send_redirects[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.default.send_redirects static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_static_run_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_send_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.default.send_redirects[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.default.send_redirects static configuration in /usr/local/lib/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_static_usr_local_lib_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_conf_default_send_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/local/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.default.send_redirects[\s]=[\s](.)[\s]*$	1

net.ipv4.conf.default.send_redirects static configuration oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_not_defined:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_sysctl_net_ipv4_conf_default_send_redirects_static_set_sysctls_unfiltered:obj:1 of type textfilecontent54_object

Set
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_send_redirects:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_send_redirects:obj:1

kernel runtime parameter net.ipv4.conf.default.send_redirects set to 0 oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_runtime:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv4.conf.default.send_redirects	1

Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_net_ipv4_ip_forward:def:1

Time 2026-03-23T19:59:49+01:00

Severity medium

Identifiers and References

Identifiers: CCE-81024-2

References: BP28(R22), 3.2.1, 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4, Req-1.3.1, Req-1.3.2, SRG-OS-000480-GPOS-00227

Description

To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.ip_forward=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.ip_forward = 0

Rationale

Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network.

Warnings

warning Certain technologies such as virtual machines, containers, etc. rely on IPv4 forwarding to enable and use networking. Disabling IPv4 forwarding would cause those technologies to stop working. Therefore, this rule should not be used in profiles or benchmarks that target usage of IPv4 forwarding.

warning This rule is disabled on Red Hat Virtualization Hosts and Managers, it will report not applicable. RHV host requires IPv4 forwarding for the Hosted Engine bootstrap VM to reach network outside of the initial host.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv4.ip_forward from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do

  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.ip_forward.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.ipv4.ip_forward" matches to preserve user data
      sed -i "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set runtime for net.ipv4.ip_forward
#
/sbin/sysctl -q -n -w net.ipv4.ip_forward="0"

#
# If net.ipv4.ip_forward present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.ip_forward = 0" to /etc/sysctl.conf
#
# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/sysctl.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.ip_forward")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "0"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.ip_forward\\>" "/etc/sysctl.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^net.ipv4.ip_forward\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
else
    # \n is precaution for case where file ends without trailing newline
    cce="CCE-81024-2"
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/sysctl.conf" >> "/etc/sysctl.conf"
    printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    contains: ^[\s]*net.ipv4.ip_forward.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-81024-2
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.3.1
  - PCI-DSS-Req-1.3.2
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_ip_forward

- name: Comment out any occurrences of net.ipv4.ip_forward from config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv4.ip_forward
    replace: '#net.ipv4.ip_forward'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-81024-2
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.3.1
  - PCI-DSS-Req-1.3.2
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_ip_forward

- name: Ensure sysctl net.ipv4.ip_forward is set to 0
  sysctl:
    name: net.ipv4.ip_forward
    value: '0'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-81024-2
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.3.1
  - PCI-DSS-Req-1.3.2
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_ip_forward

OVAL test results details

net.ipv4.ip_forward static configuration oval:ssg-test_sysctl_net_ipv4_ip_forward_static:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_sysctl_net_ipv4_ip_forward:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv4.ip_forward[\s]=[\s](.)[\s]*$	1

net.ipv4.ip_forward static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_ip_forward_static_etc_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_ip_forward:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv4.ip_forward[\s]=[\s](.)[\s]*$	1

net.ipv4.ip_forward static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_ip_forward_static_run_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_ip_forward:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv4.ip_forward[\s]=[\s](.)[\s]*$	1

net.ipv4.ip_forward static configuration in /usr/local/lib/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_ip_forward_static_usr_local_lib_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_ip_forward:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/local/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv4.ip_forward[\s]=[\s](.)[\s]*$	1

net.ipv4.ip_forward static configuration oval:ssg-test_sysctl_net_ipv4_ip_forward_not_defined:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_sysctl_net_ipv4_ip_forward_static_set_sysctls_unfiltered:obj:1 of type textfilecontent54_object

Set
oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_ip_forward:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_ip_forward:obj:1

kernel runtime parameter net.ipv4.ip_forward set to 0 oval:ssg-test_sysctl_net_ipv4_ip_forward_runtime:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv4.ip_forward	0

Install nftables Package

Rule ID	xccdf_org.ssgproject.content_rule_package_nftables_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_nftables_installed:def:1
Time	2026-03-23T19:59:49+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-86376-1 References: 3.4.2.1
Description	nftables provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command line tool. nftables reuses the existing Netfilter subsystems such as the existing hook infrastructure, the connection tracking system, NAT, userspace queuing and logging subsystem. The `nftables` package can be installed with the following command: $ sudo yum install nftables
Rationale	`nftables` is a subsystem of the Linux kernel that can protect against threats originating from within a corporate network to include malicious mobile code and poorly configured software on a host.

OVAL test results details

package nftables is installed oval:ssg-test_package_nftables_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
nftables	x86_64	1	26.el8	0.9.3	1:0.9.3-26.el8	199e2f91fd431d51	nftables-1:0.9.3-26.el8.x86_64

Deactivate Wireless Network Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_wireless_disable_interfaces
Result	notapplicable
Multi-check rule	no
Time	2026-03-23T19:59:49+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83501-7 References: 3.1.4, 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 3.1.16, CCI-000085, CCI-002418, CCI-002421, CCI-001443, CCI-001444, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 1315, 1319, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, Req-1.3.3, SRG-OS-000299-GPOS-00117, SRG-OS-000300-GPOS-00118, SRG-OS-000424-GPOS-00188, SRG-OS-000481-GPOS-000481, RHEL-08-040110, SV-230506r627750_rule
Description	Deactivating wireless network interfaces should prevent normal usage of the wireless capability. Configure the system to disable all wireless network interfaces with the following command: $ sudo nmcli radio all off
Rationale	The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.

Verify Group Who Owns Backup group File

Rule ID	xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_group
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_groupowner_backup_etc_group:def:1
Time	2026-03-23T20:00:00+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83475-4 References: 6.1.9, CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227
Description	To properly set the group owner of `/etc/group-`, run the command: $ sudo chgrp root /etc/group-
Rationale	The `/etc/group-` file is a backup file of `/etc/group`, and as such, it contains information regarding groups that are configured on the system. Protection of this file is important for system security.

OVAL test results details

Testing group ownership of /etc/group- oval:ssg-test_file_groupowner_backup_etc_group_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_groupowner_backup_etc_group_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/group-	oval:ssg-symlink_file_groupowner_backup_etc_group_uid_0:ste:1	oval:ssg-state_file_groupowner_backup_etc_group_gid_0_0:ste:1

Verify Group Who Owns Backup gshadow File

Rule ID	xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_gshadow
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_groupowner_backup_etc_gshadow:def:1
Time	2026-03-23T20:00:00+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83535-5 References: 6.1.10, CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227
Description	To properly set the group owner of `/etc/gshadow-`, run the command: $ sudo chgrp root /etc/gshadow-
Rationale	The `/etc/gshadow-` file is a backup of `/etc/gshadow`, and as such, it contains group password hashes. Protection of this file is critical for system security.

OVAL test results details

Testing group ownership of /etc/gshadow- oval:ssg-test_file_groupowner_backup_etc_gshadow_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_groupowner_backup_etc_gshadow_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/gshadow-	oval:ssg-symlink_file_groupowner_backup_etc_gshadow_uid_0:ste:1	oval:ssg-state_file_groupowner_backup_etc_gshadow_gid_0_0:ste:1

Verify Group Who Owns Backup passwd File

Rule ID	xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_passwd
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_groupowner_backup_etc_passwd:def:1
Time	2026-03-23T20:00:00+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83324-4 References: 6.1.7, CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227
Description	To properly set the group owner of `/etc/passwd-`, run the command: $ sudo chgrp root /etc/passwd-
Rationale	The `/etc/passwd-` file is a backup file of `/etc/passwd`, and as such, it contains information about the users that are configured on the system. Protection of this file is critical for system security.

OVAL test results details

Testing group ownership of /etc/passwd- oval:ssg-test_file_groupowner_backup_etc_passwd_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_groupowner_backup_etc_passwd_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/passwd-	oval:ssg-symlink_file_groupowner_backup_etc_passwd_uid_0:ste:1	oval:ssg-state_file_groupowner_backup_etc_passwd_gid_0_0:ste:1

Verify User Who Owns Backup shadow File

Rule ID	xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_shadow
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_groupowner_backup_etc_shadow:def:1
Time	2026-03-23T20:00:00+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83415-0 References: 6.1.8, SRG-OS-000480-GPOS-00227
Description	To properly set the group owner of `/etc/shadow-`, run the command: $ sudo chgrp root /etc/shadow-
Rationale	The `/etc/shadow-` file is a backup file of `/etc/shadow`, and as such, it contains the list of local system accounts and password hashes. Protection of this file is critical for system security.

OVAL test results details

Testing group ownership of /etc/shadow- oval:ssg-test_file_groupowner_backup_etc_shadow_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_groupowner_backup_etc_shadow_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/shadow-	oval:ssg-symlink_file_groupowner_backup_etc_shadow_uid_0:ste:1	oval:ssg-state_file_groupowner_backup_etc_shadow_gid_0_0:ste:1

Verify Group Who Owns group File

Rule ID	xccdf_org.ssgproject.content_rule_file_groupowner_etc_group
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_groupowner_etc_group:def:1
Time	2026-03-23T20:00:00+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80796-6 References: 6.1.5, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227
Description	To properly set the group owner of `/etc/group`, run the command: $ sudo chgrp root /etc/group
Rationale	The `/etc/group` file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

OVAL test results details

Testing group ownership of /etc/group oval:ssg-test_file_groupowner_etc_group_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_groupowner_etc_group_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/group	oval:ssg-symlink_file_groupowner_etc_group_uid_0:ste:1	oval:ssg-state_file_groupowner_etc_group_gid_0_0:ste:1

Verify Group Who Owns gshadow File

Rule ID	xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_groupowner_etc_gshadow:def:1
Time	2026-03-23T20:00:00+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80797-4 References: 6.1.6, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Description	To properly set the group owner of `/etc/gshadow`, run the command: $ sudo chgrp root /etc/gshadow
Rationale	The `/etc/gshadow` file contains group password hashes. Protection of this file is critical for system security.

OVAL test results details

Testing group ownership of /etc/gshadow oval:ssg-test_file_groupowner_etc_gshadow_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_groupowner_etc_gshadow_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/gshadow	oval:ssg-symlink_file_groupowner_etc_gshadow_uid_0:ste:1	oval:ssg-state_file_groupowner_etc_gshadow_gid_0_0:ste:1

Verify Group Who Owns passwd File

Rule ID	xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_groupowner_etc_passwd:def:1
Time	2026-03-23T20:00:00+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80798-2 References: 6.1.3, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227
Description	To properly set the group owner of `/etc/passwd`, run the command: $ sudo chgrp root /etc/passwd
Rationale	The `/etc/passwd` file contains information about the users that are configured on the system. Protection of this file is critical for system security.

OVAL test results details

Testing group ownership of /etc/passwd oval:ssg-test_file_groupowner_etc_passwd_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_groupowner_etc_passwd_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/passwd	oval:ssg-symlink_file_groupowner_etc_passwd_uid_0:ste:1	oval:ssg-state_file_groupowner_etc_passwd_gid_0_0:ste:1

Verify Group Who Owns shadow File

Rule ID	xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_groupowner_etc_shadow:def:1
Time	2026-03-23T20:00:00+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80799-0 References: 6.1.4, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227
Description	To properly set the group owner of `/etc/shadow`, run the command: $ sudo chgrp root /etc/shadow
Rationale	The `/etc/shadow` file stores password hashes. Protection of this file is critical for system security.

OVAL test results details

Testing group ownership of /etc/shadow oval:ssg-test_file_groupowner_etc_shadow_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_groupowner_etc_shadow_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/shadow	oval:ssg-symlink_file_groupowner_etc_shadow_uid_0:ste:1	oval:ssg-state_file_groupowner_etc_shadow_gid_0_0:ste:1

Verify User Who Owns Backup group File

Rule ID	xccdf_org.ssgproject.content_rule_file_owner_backup_etc_group
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_owner_backup_etc_group:def:1
Time	2026-03-23T20:00:00+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83473-9 References: 6.1.9, CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227
Description	To properly set the owner of `/etc/group-`, run the command: $ sudo chown root /etc/group-
Rationale	The `/etc/group-` file is a backup file of `/etc/group`, and as such, it contains information regarding groups that are configured on the system. Protection of this file is important for system security.

OVAL test results details

Testing user ownership of /etc/group- oval:ssg-test_file_owner_backup_etc_group_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_owner_backup_etc_group_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/group-	oval:ssg-symlink_file_owner_backup_etc_group_uid_0:ste:1	oval:ssg-state_file_owner_backup_etc_group_uid_0_0:ste:1

Verify User Who Owns Backup gshadow File

Rule ID	xccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_owner_backup_etc_gshadow:def:1
Time	2026-03-23T20:00:00+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83533-0 References: 6.1.10, CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227
Description	To properly set the owner of `/etc/gshadow-`, run the command: $ sudo chown root /etc/gshadow-
Rationale	The `/etc/gshadow-` file is a backup of `/etc/gshadow`, and as such, it contains group password hashes. Protection of this file is critical for system security.

OVAL test results details

Testing user ownership of /etc/gshadow- oval:ssg-test_file_owner_backup_etc_gshadow_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_owner_backup_etc_gshadow_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/gshadow-	oval:ssg-symlink_file_owner_backup_etc_gshadow_uid_0:ste:1	oval:ssg-state_file_owner_backup_etc_gshadow_uid_0_0:ste:1

Verify User Who Owns Backup passwd File

Rule ID	xccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_owner_backup_etc_passwd:def:1
Time	2026-03-23T20:00:00+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83326-9 References: 6.1.7, CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227
Description	To properly set the owner of `/etc/passwd-`, run the command: $ sudo chown root /etc/passwd-
Rationale	The `/etc/passwd-` file is a backup file of `/etc/passwd`, and as such, it contains information about the users that are configured on the system. Protection of this file is critical for system security.

OVAL test results details

Testing user ownership of /etc/passwd- oval:ssg-test_file_owner_backup_etc_passwd_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_owner_backup_etc_passwd_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/passwd-	oval:ssg-symlink_file_owner_backup_etc_passwd_uid_0:ste:1	oval:ssg-state_file_owner_backup_etc_passwd_uid_0_0:ste:1

Verify Group Who Owns Backup shadow File

Rule ID	xccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_owner_backup_etc_shadow:def:1
Time	2026-03-23T20:00:00+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83413-5 References: 6.1.8, CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227
Description	To properly set the owner of `/etc/shadow-`, run the command: $ sudo chown root /etc/shadow-
Rationale	The `/etc/shadow-` file is a backup file of `/etc/shadow`, and as such, it contains the list of local system accounts and password hashes. Protection of this file is critical for system security.

OVAL test results details

Testing user ownership of /etc/shadow- oval:ssg-test_file_owner_backup_etc_shadow_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_owner_backup_etc_shadow_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/shadow-	oval:ssg-symlink_file_owner_backup_etc_shadow_uid_0:ste:1	oval:ssg-state_file_owner_backup_etc_shadow_uid_0_0:ste:1

Verify User Who Owns group File

Rule ID	xccdf_org.ssgproject.content_rule_file_owner_etc_group
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_owner_etc_group:def:1
Time	2026-03-23T20:00:00+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80801-4 References: 6.1.5, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227
Description	To properly set the owner of `/etc/group`, run the command: $ sudo chown root /etc/group
Rationale	The `/etc/group` file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

OVAL test results details

Testing user ownership of /etc/group oval:ssg-test_file_owner_etc_group_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_owner_etc_group_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/group	oval:ssg-symlink_file_owner_etc_group_uid_0:ste:1	oval:ssg-state_file_owner_etc_group_uid_0_0:ste:1

Verify User Who Owns gshadow File

Rule ID	xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_owner_etc_gshadow:def:1
Time	2026-03-23T20:00:00+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80802-2 References: BP28(R36), 6.1.6, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Description	To properly set the owner of `/etc/gshadow`, run the command: $ sudo chown root /etc/gshadow
Rationale	The `/etc/gshadow` file contains group password hashes. Protection of this file is critical for system security.

OVAL test results details

Testing user ownership of /etc/gshadow oval:ssg-test_file_owner_etc_gshadow_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_owner_etc_gshadow_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/gshadow	oval:ssg-symlink_file_owner_etc_gshadow_uid_0:ste:1	oval:ssg-state_file_owner_etc_gshadow_uid_0_0:ste:1

Verify User Who Owns passwd File

Rule ID	xccdf_org.ssgproject.content_rule_file_owner_etc_passwd
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_owner_etc_passwd:def:1
Time	2026-03-23T20:00:00+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80803-0 References: 6.1.3, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227
Description	To properly set the owner of `/etc/passwd`, run the command: $ sudo chown root /etc/passwd
Rationale	The `/etc/passwd` file contains information about the users that are configured on the system. Protection of this file is critical for system security.

OVAL test results details

Testing user ownership of /etc/passwd oval:ssg-test_file_owner_etc_passwd_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_owner_etc_passwd_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/passwd	oval:ssg-symlink_file_owner_etc_passwd_uid_0:ste:1	oval:ssg-state_file_owner_etc_passwd_uid_0_0:ste:1

Verify User Who Owns shadow File

Rule ID	xccdf_org.ssgproject.content_rule_file_owner_etc_shadow
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_owner_etc_shadow:def:1
Time	2026-03-23T20:00:00+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80804-8 References: BP28(R36), 6.1.4, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227
Description	To properly set the owner of `/etc/shadow`, run the command: $ sudo chown root /etc/shadow
Rationale	The `/etc/shadow` file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.

OVAL test results details

Testing user ownership of /etc/shadow oval:ssg-test_file_owner_etc_shadow_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_owner_etc_shadow_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/shadow	oval:ssg-symlink_file_owner_etc_shadow_uid_0:ste:1	oval:ssg-state_file_owner_etc_shadow_uid_0_0:ste:1

Verify Permissions on Backup group File

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_group
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_backup_etc_group:def:1
Time	2026-03-23T20:00:00+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83483-8 References: 6.1.9, CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227
Description	To properly set the permissions of `/etc/group-`, run the command: $ sudo chmod 0644 /etc/group-
Rationale	The `/etc/group-` file is a backup file of `/etc/group`, and as such, it contains information regarding groups that are configured on the system. Protection of this file is important for system security.

OVAL test results details

Testing mode of /etc/group- oval:ssg-test_file_permissions_backup_etc_group_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_permissions_backup_etc_group_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/group-	oval:ssg-exclude_symlinks__backup_etc_group:ste:1	oval:ssg-state_file_permissions_backup_etc_group_0_mode_0644or_stricter_:ste:1

Verify Permissions on Backup gshadow File

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_gshadow
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_backup_etc_gshadow:def:1
Time	2026-03-23T20:00:00+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83573-6 References: 6.1.10, CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227
Description	To properly set the permissions of `/etc/gshadow-`, run the command: $ sudo chmod 0000 /etc/gshadow-
Rationale	The `/etc/gshadow-` file is a backup of `/etc/gshadow`, and as such, it contains group password hashes. Protection of this file is critical for system security.

OVAL test results details

Testing mode of /etc/gshadow- oval:ssg-test_file_permissions_backup_etc_gshadow_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_permissions_backup_etc_gshadow_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/gshadow-	oval:ssg-exclude_symlinks__backup_etc_gshadow:ste:1	oval:ssg-state_file_permissions_backup_etc_gshadow_0_mode_0000or_stricter_:ste:1

Verify Permissions on Backup passwd File

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_passwd
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_backup_etc_passwd:def:1
Time	2026-03-23T20:00:00+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83332-7 References: 6.1.7, CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227
Description	To properly set the permissions of `/etc/passwd-`, run the command: $ sudo chmod 0644 /etc/passwd-
Rationale	The `/etc/passwd-` file is a backup file of `/etc/passwd`, and as such, it contains information about the users that are configured on the system. Protection of this file is critical for system security.

OVAL test results details

Testing mode of /etc/passwd- oval:ssg-test_file_permissions_backup_etc_passwd_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_permissions_backup_etc_passwd_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/passwd-	oval:ssg-exclude_symlinks__backup_etc_passwd:ste:1	oval:ssg-state_file_permissions_backup_etc_passwd_0_mode_0644or_stricter_:ste:1

Verify Permissions on Backup shadow File

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_shadow
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_backup_etc_shadow:def:1
Time	2026-03-23T20:00:00+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83417-6 References: 6.1.8, CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227
Description	To properly set the permissions of `/etc/shadow-`, run the command: $ sudo chmod 0000 /etc/shadow-
Rationale	The `/etc/shadow-` file is a backup file of `/etc/shadow`, and as such, it contains the list of local system accounts and password hashes. Protection of this file is critical for system security.

OVAL test results details

Testing mode of /etc/shadow- oval:ssg-test_file_permissions_backup_etc_shadow_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_permissions_backup_etc_shadow_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/shadow-	oval:ssg-exclude_symlinks__backup_etc_shadow:ste:1	oval:ssg-state_file_permissions_backup_etc_shadow_0_mode_0000or_stricter_:ste:1

Verify Permissions on group File

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_etc_group
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_etc_group:def:1
Time	2026-03-23T20:00:00+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80810-5 References: BP28(R36), 6.1.5, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227
Description	To properly set the permissions of `/etc/passwd`, run the command: $ sudo chmod 0644 /etc/passwd
Rationale	The `/etc/group` file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

OVAL test results details

Testing mode of /etc/group oval:ssg-test_file_permissions_etc_group_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_permissions_etc_group_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/group	oval:ssg-exclude_symlinks__etc_group:ste:1	oval:ssg-state_file_permissions_etc_group_0_mode_0644or_stricter_:ste:1

Verify Permissions on gshadow File

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_etc_gshadow:def:1
Time	2026-03-23T20:00:00+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80811-3 References: BP28(R36), 6.1.6, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Description	To properly set the permissions of `/etc/gshadow`, run the command: $ sudo chmod 0000 /etc/gshadow
Rationale	The `/etc/gshadow` file contains group password hashes. Protection of this file is critical for system security.

OVAL test results details

Testing mode of /etc/gshadow oval:ssg-test_file_permissions_etc_gshadow_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_permissions_etc_gshadow_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/gshadow	oval:ssg-exclude_symlinks__etc_gshadow:ste:1	oval:ssg-state_file_permissions_etc_gshadow_0_mode_0000or_stricter_:ste:1

Verify Permissions on passwd File

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_etc_passwd:def:1
Time	2026-03-23T20:00:00+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80812-1 References: BP28(R36), 6.1.3, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227
Description	To properly set the permissions of `/etc/passwd`, run the command: $ sudo chmod 0644 /etc/passwd
Rationale	If the `/etc/passwd` file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.

OVAL test results details

Testing mode of /etc/passwd oval:ssg-test_file_permissions_etc_passwd_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_permissions_etc_passwd_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/passwd	oval:ssg-exclude_symlinks__etc_passwd:ste:1	oval:ssg-state_file_permissions_etc_passwd_0_mode_0644or_stricter_:ste:1

Verify Permissions on shadow File

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_etc_shadow:def:1
Time	2026-03-23T20:00:00+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80813-9 References: BP28(R36), 6.1.4, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227
Description	To properly set the permissions of `/etc/shadow`, run the command: $ sudo chmod 0000 /etc/shadow
Rationale	The `/etc/shadow` file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.

OVAL test results details

Testing mode of /etc/shadow oval:ssg-test_file_permissions_etc_shadow_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_permissions_etc_shadow_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/shadow	oval:ssg-exclude_symlinks__etc_shadow:ste:1	oval:ssg-state_file_permissions_etc_shadow_0_mode_0000or_stricter_:ste:1

Verify that All World-Writable Directories Have Sticky Bits Set

Rule ID xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-dir_perms_world_writable_sticky_bits:def:1

Time 2026-03-23T19:59:50+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80783-4

References: BP28(R40), 6.1.2, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001090, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000138-GPOS-00069, RHEL-08-010190, SV-230243r792857_rule

Description

When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes.
To set the sticky bit on a world-writable directory DIR, run the following command:

$ sudo chmod +t DIR

Rationale

Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure.

The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, by users for temporary file storage (such as /tmp), and for directories requiring global read/write access.

Remediation Shell script ⇲

df --local -P | awk '{if (NR!=1) print $6}' \
| xargs -I '$6' find '$6' -xdev -type d \
\( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \
-exec chmod a+t {} +

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Get all world-writable directories with no sticky bits set
  shell: |
    set -o pipefail
    df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null
  register: dir_output
  tags:
  - CCE-80783-4
  - DISA-STIG-RHEL-08-010190
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - dir_perms_world_writable_sticky_bits
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: ensure sticky bit is set
  file:
    path: '{{ item }}'
    mode: a+t
  with_items:
  - '{{ dir_output.stdout_lines }}'
  tags:
  - CCE-80783-4
  - DISA-STIG-RHEL-08-010190
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - dir_perms_world_writable_sticky_bits
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

OVAL test results details

all local world-writable directories have sticky bit set oval:ssg-test_dir_perms_world_writable_sticky_bits:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/opt/jdk-21.0.1/include/linux/	directory	0	0	39	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/	directory	0	0	4096	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/	directory	0	0	4096	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/java.base/	directory	0	0	4096	`rwxrwxrwx`
/home/sysadmin/otds-2530/lib/	directory	1000	1000	4096	`rwxrwxrwx`
/home/sysadmin/otds-2530/	directory	1000	1000	72	`rwxrwxrwx`
/etc/opentext/landscape/	directory	0	0	45	`rwxrwxrwx`
/etc/opentext/products/	directory	0	0	70	`rwxrwxrwx`
/opt/jdk-21.0.1/	directory	0	0	107	`rwxrwxrwx`
/home/sysadmin/otds-2530/OTDS/native/	directory	1000	1000	52	`rwxrwxrwx`
/home/sysadmin/otds-2530/OTDS/	directory	1000	1000	4096	`rwxrwxrwx`
/etc/opentext/	directory	0	0	56	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/management/	directory	0	0	94	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/	directory	0	0	4096	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/sdp/	directory	0	0	31	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/security/	directory	0	0	60	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/security/policy/	directory	0	0	56	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/security/policy/limited/	directory	0	0	93	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/security/policy/unlimited/	directory	0	0	66	`rwxrwxrwx`
/opt/jdk-21.0.1/include/	directory	0	0	132	`rwxrwxrwx`
/home/sysadmin/otds-2530/tools/	directory	1000	1000	4096	`rwxrwxrwx`
/opt/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/	directory	0	0	146	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/java.compiler/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/java.datatransfer/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/java.desktop/	directory	0	0	4096	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/java.instrument/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/java.logging/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/java.management.rmi/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/java.management/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/java.naming/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/java.net.http/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/java.prefs/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/java.rmi/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/java.scripting/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/java.se/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/java.security.jgss/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/java.security.sasl/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/java.smartcardio/	directory	0	0	97	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/java.sql.rowset/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/java.sql/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/java.transaction.xa/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/java.xml.crypto/	directory	0	0	98	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/java.xml/	directory	0	0	155	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.accessibility/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.attach/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.charsets/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.compiler/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.crypto.cryptoki/	directory	0	0	130	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.crypto.ec/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.dynalink/	directory	0	0	97	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.editpad/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.hotspot.agent/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.httpserver/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.incubator.vector/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.internal.ed/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.internal.jvmstat/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.internal.le/	directory	0	0	94	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.internal.opt/	directory	0	0	100	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.internal.vm.ci/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.internal.vm.compiler.management/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.internal.vm.compiler/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.jartool/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.javadoc/	directory	0	0	114	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.jcmd/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.jconsole/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.jdeps/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.jdi/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.jdwp.agent/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.jfr/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.jlink/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.jpackage/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.jshell/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.jsobject/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.jstatd/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.localedata/	directory	0	0	112	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.management.agent/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.management.jfr/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.management/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.naming.dns/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.naming.rmi/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.net/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.nio.mapmode/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.random/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.sctp/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.security.auth/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.security.jgss/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.unsupported.desktop/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.unsupported/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.xml.dom/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/jdk.zipfs/	directory	0	0	78	`rwxrwxrwx`
/opt/jdk-21.0.1/lib/	directory	0	0	4096	`rwxrwxrwx`
/opt/jdk-21.0.1/lib/jfr/	directory	0	0	44	`rwxrwxrwx`
/opt/jdk-21.0.1/lib/security/	directory	0	0	94	`rwxrwxrwx`
/opt/tomee/	directory	1001	1001	52	`rwxrwxrwx`
/opt/jdk-21.0.1/lib/server/	directory	0	0	87	`rwxrwxrwx`
/opt/tomee/apache-tomee-plus-10.1.2/	directory	1001	1001	4096	`rwxrwxrwx`
/opt/tomee/apache-tomee-plus-10.1.2/bin/	directory	1001	1001	4096	`rwxrwxrwx`
/opt/tomee/apache-tomee-plus-10.1.2/conf/	directory	1001	1001	4096	`rwxrwxrwx`
/opt/tomee/apache-tomee-plus-10.1.2/conf/conf.d/	directory	0	0	76	`rwxrwxrwx`

... and 4810 more items.

Ensure No World-Writable Files Exist

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_unauthorized_world_writable:def:1
Time	2026-03-23T19:59:55+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80818-8 References: BP28(R40), 6.1.11, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5
Description	It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account. Finally, this applies to real files and not virtual files that are a part of pseudo file systems such as `sysfs` or `procfs`.
Rationale	Data in world-writable files can be modified by any user on the system. In almost all circumstances, files can be configured using a combination of user and group permissions to support whatever legitimate access is needed without the risk caused by world-writable files.
Remediation Shell script ⇲ `find / -xdev -type f -perm -002 -exec chmod o-w {} \;`

OVAL test results details

world writable files oval:ssg-test_file_permissions_unauthorized_world_write:tst:1 false

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText Identity/ver25.4build7.cap	regular	1001	1001	662986	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText Identity/ver26.1build9.cap	regular	1001	1001	663668	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText HTTP Connector Runtime/ver25.4build7.cap	regular	1001	1001	76045	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText HTTP Connector Runtime/ver26.1build9.cap	regular	1001	1001	74742	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText iHub Connector/ver25.4build7.cap	regular	1001	1001	96445	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText iHub Connector/ver26.1build9.cap	regular	1001	1001	95045	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText iHub Connector Runtime/ver25.4build7.cap	regular	1001	1001	109112527	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText iHub Connector Runtime/ver26.1build9.cap	regular	1001	1001	109111232	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText Inbox Task Management/ver25.4build7.cap	regular	1001	1001	53976	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText Inbox Task Management/ver26.1build9.cap	regular	1001	1001	53034	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText Instance Role Modeler/ver25.4build7.cap	regular	1001	1001	54106	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText Instance Role Modeler/ver26.1build9.cap	regular	1001	1001	52817	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText JavaArchive Export Plugin/ver25.4build7.cap	regular	1001	1001	26333	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText JavaArchive Export Plugin/ver26.1build9.cap	regular	1001	1001	25037	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText JavaArchive Import Plugin/ver25.4build7.cap	regular	1001	1001	39194	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText JavaArchive Import Plugin/ver26.1build9.cap	regular	1001	1001	37899	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText JMS Connector/ver25.4build7.cap	regular	1001	1001	8370594	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText JMS Connector/ver26.1build9.cap	regular	1001	1001	8369174	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText JMS Connector Extensions/ver25.4build7.cap	regular	1001	1001	15984	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText JMS Connector Extensions/ver26.1build9.cap	regular	1001	1001	14681	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText License/ver25.4build7.cap	regular	1001	1001	167279	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText License/ver26.1build9.cap	regular	1001	1001	165988	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText Mobile App Deployer/ver25.4build7.cap	regular	1001	1001	64158	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText Mobile App Deployer/ver26.1build9.cap	regular	1001	1001	62861	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText OTDS Authentication/ver25.4build7.cap	regular	1001	1001	30425	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText OTDS Authentication/ver26.1build9.cap	regular	1001	1001	29198	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText OTDS Platform Configurator/ver25.4build7.cap	regular	1001	1001	14778	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText OTDS Platform Configurator/ver26.1build9.cap	regular	1001	1001	13486	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText OTDS Platform Push Connector/ver25.4build7.cap	regular	1001	1001	296109	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText OTDS Platform Push Connector/ver26.1build9.cap	regular	1001	1001	296433	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText RPA Client/ver25.4build7.cap	regular	1001	1001	49745	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText RPA Client/ver26.1build9.cap	regular	1001	1001	48445	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText RPA Runtime/ver25.4build7.cap	regular	1001	1001	34104	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText RPA Runtime/ver26.1build9.cap	regular	1001	1001	32792	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText Rule Engine Runtime/ver25.4build7.cap	regular	1001	1001	65853	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText Rule Engine Runtime/ver26.1build9.cap	regular	1001	1001	64556	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText Taxonomy Report Plugin/ver25.4build7.cap	regular	1001	1001	13525068	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText Taxonomy Report Plugin/ver26.1build9.cap	regular	1001	1001	13523792	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText Theme Editor/ver25.4build7.cap	regular	1001	1001	129179	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText Theme Editor/ver26.1build9.cap	regular	1001	1001	128386	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText Web Library Export Plugin/ver25.4build7.cap	regular	1001	1001	21089	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText Web Library Export Plugin/ver26.1build9.cap	regular	1001	1001	19794	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText Web Library Import Plugin/ver25.4build7.cap	regular	1001	1001	36989	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText Web Library Import Plugin/ver26.1build9.cap	regular	1001	1001	35702	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText Workflow Template/ver25.4build7.cap	regular	1001	1001	47201	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/OpenText Workflow Template/ver26.1build9.cap	regular	1001	1001	45897	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/REST Gateway/ver25.4build7.cap	regular	1001	1001	312931	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/REST Gateway/ver26.1build9.cap	regular	1001	1001	311718	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/Cordys ACL Modeler Client/ver25.4build7.cap	regular	1001	1001	49380	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/capcontent/packages/shared/Cordys ACL Modeler Client/ver26.1build9.cap	regular	1001	1001	48083	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/bin/asenv.sh	regular	1001	1001	299	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/bin/runas.sh	regular	1001	1001	337	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/bin/configureapplicationserver.sh	regular	1001	1001	7828	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/bin/wcpenv.sh	regular	1001	1001	446	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/bin/wcpd	regular	1001	1001	8125	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/bin/cmc.sh	regular	1001	1001	258	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/bin/simpleclient.sh	regular	1001	1001	175	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/bin/productpackager.cmd	regular	1001	1001	533	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/bin/productpackager.sh	regular	1001	1001	240	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/bin/cws.sh	regular	1001	1001	2575	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/bin/cws.cmd	regular	1001	1001	3484	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/bin/caremigrationtool.cmd	regular	1001	1001	469	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/bin/caremigrationtool.sh	regular	1001	1001	397	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/bin/otdsconfigurator.cmd	regular	1001	1001	448	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/bin/otdsconfigurator.sh	regular	1001	1001	153	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/bin/otdsmigrator.cmd	regular	1001	1001	444	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/bin/otdsmigrator.sh	regular	1001	1001	148	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/lib/libxqy.so	regular	1001	1001	112360	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/lib/WCPMonitor	regular	1001	1001	33024	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/lib/libwrappers.so	regular	1001	1001	214128	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/lib/libExpressionEval.so	regular	1001	1001	91960	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/lib/libwcplic.so	regular	1001	1001	56537	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/lib/libeibxml.so	regular	1001	1001	1017336	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/lib/libz.so.1	regular	1001	1001	121917	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/lib/libeib4java.so	regular	1001	1001	24096	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/lib/libxml2.so.16	regular	1001	1001	5682600	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/lib/libz.so.1.2.13	regular	1001	1001	121917	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/lib/libjniForCpp.so	regular	1001	1001	102992	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/lib/libaclForJava.so	regular	1001	1001	13936	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/lib/libz.so	regular	1001	1001	121917	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/lib/libevalForJava.so	regular	1001	1001	68624	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/lib/libxqyJDBC.so	regular	1001	1001	135696	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/lib/libxqyForJava.so	regular	1001	1001	26016	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/lib/libjs.so	regular	1001	1001	825128	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/lib/libphj.so	regular	1001	1001	7776	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/lib/libxml2.so.16.0.5	regular	1001	1001	5682600	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/lib/libccutilForJava.so	regular	1001	1001	13328	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/lib/libxml2.so	regular	1001	1001	5682600	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/lib/libacllib.so	regular	1001	1001	37800	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/lib/libxmlForJava.so	regular	1001	1001	268264	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/lib/libbcputil.so	regular	1001	1001	29512	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/lib/libccutil.so	regular	1001	1001	155512	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/lib/hs_err_pid2031.log	regular	1001	1001	104452	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/config/Log4j2Configuration.xml	regular	1001	1001	1870	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/config/wcp.properties	regular	1001	1001	3234	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/config/ccmu.properties	regular	1001	1001	30	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/config/bcp.classpath	regular	1001	1001	3370	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/config/DMZ.xml	regular	1001	1001	8132	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/config/wcp.properties.original	regular	0	0	3171	`rwxrwxrwx`
/opt/opentext/ProcessAutomationCE/defaultInst/silent_properties/cordys.uninstaller.properties	regular	1001	1001	10440	`rwxrwxrwx`

... and 30251 more items.

Ensure All Files Are Owned by a Group

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_ungroupowned:def:1
Time	2026-03-23T19:59:58+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83497-8 References: 6.1.13, 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.06, DSS06.10, CCI-000366, CCI-002165, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-010790, SV-230327r627750_rule
Description	If any files are not owned by a group, then the cause of their lack of group-ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate group. The following command will discover and print any files on local partitions which do not belong to a valid group: $ df --local -P \| awk '{if (NR!=1) print $6}' \| sudo xargs -I '{}' find '{}' -xdev -nogroup To search all filesystems on a system including network mounted filesystems the following command can be run manually for each partition: $ sudo find PARTITION -xdev -nogroup
Rationale	Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed.
Warnings	warning This rule only considers local groups. If you have your groups defined outside `/etc/group`, the rule won't consider those.

OVAL test results details

files with no group owner oval:ssg-test_file_permissions_ungroupowned:tst:1 false

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/opt/jdk-21.0.1/bin/jar	regular	10668	10668	12384	`rwxrwxrwx`
/opt/jdk-21.0.1/include/classfile_constants.h	regular	10668	10668	22155	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jmod	regular	10668	10668	12384	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jps	regular	10668	10668	12384	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/javac	regular	10668	10668	12416	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/javadoc	regular	10668	10668	12424	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/javap	regular	10668	10668	12384	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jcmd	regular	10668	10668	12384	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jmap	regular	10668	10668	12416	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/java.desktop/xwd.md	regular	10668	10668	1348	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jconsole	regular	10668	10668	12456	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jdb	regular	10668	10668	12384	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jdeprscan	regular	10668	10668	12392	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jdeps	regular	10668	10668	12384	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jhsdb	regular	10668	10668	12384	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jimage	regular	10668	10668	12392	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/jaxp.properties	regular	10668	10668	7302	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jarsigner	regular	10668	10668	12392	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jfr	regular	10668	10668	12384	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/java	regular	10668	10668	12328	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jinfo	regular	10668	10668	12416	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jlink	regular	10668	10668	12416	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jpackage	regular	10668	10668	12392	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jrunscript	regular	10668	10668	12424	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jshell	regular	10668	10668	12392	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jstack	regular	10668	10668	12424	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jstat	regular	10668	10668	12384	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jstatd	regular	10668	10668	12392	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jwebserver	regular	10668	10668	12392	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/keytool	regular	10668	10668	12392	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/rmiregistry	regular	10668	10668	12416	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/serialver	regular	10668	10668	12392	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/logging.properties	regular	10668	10668	2732	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/management/jmxremote.access	regular	10668	10668	3997	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/management/management.properties	regular	10668	10668	14988	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/management/jmxremote.password.template	regular	10668	10668	5690	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/net.properties	regular	10668	10668	6608	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/sdp/sdp.conf.template	regular	10668	10668	1455	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/security/java.policy	regular	10668	10668	2294	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/security/java.security	regular	10668	10668	64249	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/security/policy/README.txt	regular	10668	10668	2390	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/security/policy/limited/default_US_export.policy	regular	10668	10668	146	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/security/policy/limited/default_local.policy	regular	10668	10668	647	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/security/policy/limited/exempt_local.policy	regular	10668	10668	566	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/security/policy/unlimited/default_US_export.policy	regular	10668	10668	146	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/security/policy/unlimited/default_local.policy	regular	10668	10668	193	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/sound.properties	regular	10668	10668	1210	`rwxrwxrwx`
/opt/jdk-21.0.1/include/jawt.h	regular	10668	10668	12458	`rwxrwxrwx`
/opt/jdk-21.0.1/include/jdwpTransport.h	regular	10668	10668	8166	`rwxrwxrwx`
/opt/jdk-21.0.1/include/jni.h	regular	10668	10668	76018	`rwxrwxrwx`
/opt/jdk-21.0.1/include/jvmti.h	regular	10668	10668	83067	`rwxrwxrwx`
/opt/jdk-21.0.1/include/jvmticmlr.h	regular	10668	10668	4771	`rwxrwxrwx`
/opt/jdk-21.0.1/include/linux/jawt_md.h	regular	10668	10668	1965	`rwxrwxrwx`
/opt/jdk-21.0.1/include/linux/jni_md.h	regular	10668	10668	2208	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.base.jmod	regular	10668	10668	23522050	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.compiler.jmod	regular	10668	10668	132034	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.datatransfer.jmod	regular	10668	10668	59306	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.desktop.jmod	regular	10668	10668	13818782	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.instrument.jmod	regular	10668	10668	50881	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.logging.jmod	regular	10668	10668	124120	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.management.jmod	regular	10668	10668	900314	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.transaction.xa.jmod	regular	10668	10668	11680	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.crypto.cryptoki.jmod	regular	10668	10668	419452	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.incubator.vector.jmod	regular	10668	10668	1167035	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.internal.jvmstat.jmod	regular	10668	10668	96033	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.internal.vm.compiler.jmod	regular	10668	10668	9654	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.management.agent.jmod	regular	10668	10668	81902	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.unsupported.desktop.jmod	regular	10668	10668	21750	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/java.desktop/colorimaging.md	regular	10668	10668	167	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.management.rmi.jmod	regular	10668	10668	98809	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.naming.jmod	regular	10668	10668	482749	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.net.http.jmod	regular	10668	10668	774029	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.prefs.jmod	regular	10668	10668	70279	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.rmi.jmod	regular	10668	10668	268098	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.scripting.jmod	regular	10668	10668	45843	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.se.jmod	regular	10668	10668	9867	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.security.jgss.jmod	regular	10668	10668	598379	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.security.sasl.jmod	regular	10668	10668	89343	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.smartcardio.jmod	regular	10668	10668	62962	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.sql.jmod	regular	10668	10668	83898	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.sql.rowset.jmod	regular	10668	10668	201106	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.xml.crypto.jmod	regular	10668	10668	686984	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.xml.jmod	regular	10668	10668	4669115	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.accessibility.jmod	regular	10668	10668	57678	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.attach.jmod	regular	10668	10668	38763	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.charsets.jmod	regular	10668	10668	1248663	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.compiler.jmod	regular	10668	10668	10865681	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.crypto.ec.jmod	regular	10668	10668	146479	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.dynalink.jmod	regular	10668	10668	163989	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.editpad.jmod	regular	10668	10668	15304	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.hotspot.agent.jmod	regular	10668	10668	2311702	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.httpserver.jmod	regular	10668	10668	161214	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.internal.ed.jmod	regular	10668	10668	15165	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.internal.le.jmod	regular	10668	10668	513021	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.internal.opt.jmod	regular	10668	10668	95611	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.internal.vm.ci.jmod	regular	10668	10668	501972	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.internal.vm.compiler.management.jmod	regular	10668	10668	9659	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.jartool.jmod	regular	10668	10668	210791	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.javadoc.jmod	regular	10668	10668	1570440	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.jcmd.jmod	regular	10668	10668	117322	`rwxrwxrwx`

... and 320 more items.

Ensure All Files Are Owned by a User

Rule ID	xccdf_org.ssgproject.content_rule_no_files_unowned_by_user
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-no_files_unowned_by_user:def:1
Time	2026-03-23T20:00:00+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83499-4 References: 6.1.12, 11, 12, 13, 14, 15, 16, 18, 3, 5, 9, APO01.06, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, CCI-000366, CCI-002165, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-010780, SV-230326r627750_rule
Description	If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user. The following command will discover and print any files on local partitions which do not belong to a valid user: $ df --local -P \| awk {'if (NR!=1) print $6'} \| sudo xargs -I '{}' find '{}' -xdev -nouser To search all filesystems on a system including network mounted filesystems the following command can be run manually for each partition: $ sudo find PARTITION -xdev -nouser
Rationale	Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed.
Warnings	warning For this rule to evaluate centralized user accounts, `getent` must be working properly so that running the command getent passwd returns a list of all users in your organization. If using the System Security Services Daemon (SSSD), enumerate = true must be configured in your organization's domain to return a complete list of users warning Enabling this rule will result in slower scan times depending on the size of your organization and number of centralized users.

OVAL test results details

Check user ids on all files on the system oval:ssg-no_files_unowned_by_user_test:tst:1 false

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/opt/jdk-21.0.1/bin/jar	regular	10668	10668	12384	`rwxrwxrwx`
/opt/jdk-21.0.1/include/classfile_constants.h	regular	10668	10668	22155	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jmod	regular	10668	10668	12384	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jps	regular	10668	10668	12384	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/javac	regular	10668	10668	12416	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/javadoc	regular	10668	10668	12424	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/javap	regular	10668	10668	12384	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jcmd	regular	10668	10668	12384	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jmap	regular	10668	10668	12416	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/java.desktop/xwd.md	regular	10668	10668	1348	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jconsole	regular	10668	10668	12456	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jdb	regular	10668	10668	12384	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jdeprscan	regular	10668	10668	12392	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jdeps	regular	10668	10668	12384	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jhsdb	regular	10668	10668	12384	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jimage	regular	10668	10668	12392	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/jaxp.properties	regular	10668	10668	7302	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jarsigner	regular	10668	10668	12392	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jfr	regular	10668	10668	12384	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/java	regular	10668	10668	12328	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jinfo	regular	10668	10668	12416	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jlink	regular	10668	10668	12416	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jpackage	regular	10668	10668	12392	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jrunscript	regular	10668	10668	12424	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jshell	regular	10668	10668	12392	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jstack	regular	10668	10668	12424	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jstat	regular	10668	10668	12384	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jstatd	regular	10668	10668	12392	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/jwebserver	regular	10668	10668	12392	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/keytool	regular	10668	10668	12392	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/rmiregistry	regular	10668	10668	12416	`rwxrwxrwx`
/opt/jdk-21.0.1/bin/serialver	regular	10668	10668	12392	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/logging.properties	regular	10668	10668	2732	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/management/jmxremote.access	regular	10668	10668	3997	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/management/management.properties	regular	10668	10668	14988	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/management/jmxremote.password.template	regular	10668	10668	5690	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/net.properties	regular	10668	10668	6608	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/sdp/sdp.conf.template	regular	10668	10668	1455	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/security/java.policy	regular	10668	10668	2294	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/security/java.security	regular	10668	10668	64249	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/security/policy/README.txt	regular	10668	10668	2390	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/security/policy/limited/default_US_export.policy	regular	10668	10668	146	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/security/policy/limited/default_local.policy	regular	10668	10668	647	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/security/policy/limited/exempt_local.policy	regular	10668	10668	566	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/security/policy/unlimited/default_US_export.policy	regular	10668	10668	146	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/security/policy/unlimited/default_local.policy	regular	10668	10668	193	`rwxrwxrwx`
/opt/jdk-21.0.1/conf/sound.properties	regular	10668	10668	1210	`rwxrwxrwx`
/opt/jdk-21.0.1/include/jawt.h	regular	10668	10668	12458	`rwxrwxrwx`
/opt/jdk-21.0.1/include/jdwpTransport.h	regular	10668	10668	8166	`rwxrwxrwx`
/opt/jdk-21.0.1/include/jni.h	regular	10668	10668	76018	`rwxrwxrwx`
/opt/jdk-21.0.1/include/jvmti.h	regular	10668	10668	83067	`rwxrwxrwx`
/opt/jdk-21.0.1/include/jvmticmlr.h	regular	10668	10668	4771	`rwxrwxrwx`
/opt/jdk-21.0.1/include/linux/jawt_md.h	regular	10668	10668	1965	`rwxrwxrwx`
/opt/jdk-21.0.1/include/linux/jni_md.h	regular	10668	10668	2208	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.base.jmod	regular	10668	10668	23522050	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.compiler.jmod	regular	10668	10668	132034	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.datatransfer.jmod	regular	10668	10668	59306	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.desktop.jmod	regular	10668	10668	13818782	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.instrument.jmod	regular	10668	10668	50881	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.logging.jmod	regular	10668	10668	124120	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.management.jmod	regular	10668	10668	900314	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.transaction.xa.jmod	regular	10668	10668	11680	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.crypto.cryptoki.jmod	regular	10668	10668	419452	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.incubator.vector.jmod	regular	10668	10668	1167035	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.internal.jvmstat.jmod	regular	10668	10668	96033	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.internal.vm.compiler.jmod	regular	10668	10668	9654	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.management.agent.jmod	regular	10668	10668	81902	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.unsupported.desktop.jmod	regular	10668	10668	21750	`rwxrwxrwx`
/opt/jdk-21.0.1/legal/java.desktop/colorimaging.md	regular	10668	10668	167	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.management.rmi.jmod	regular	10668	10668	98809	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.naming.jmod	regular	10668	10668	482749	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.net.http.jmod	regular	10668	10668	774029	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.prefs.jmod	regular	10668	10668	70279	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.rmi.jmod	regular	10668	10668	268098	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.scripting.jmod	regular	10668	10668	45843	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.se.jmod	regular	10668	10668	9867	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.security.jgss.jmod	regular	10668	10668	598379	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.security.sasl.jmod	regular	10668	10668	89343	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.smartcardio.jmod	regular	10668	10668	62962	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.sql.jmod	regular	10668	10668	83898	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.sql.rowset.jmod	regular	10668	10668	201106	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.xml.crypto.jmod	regular	10668	10668	686984	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/java.xml.jmod	regular	10668	10668	4669115	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.accessibility.jmod	regular	10668	10668	57678	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.attach.jmod	regular	10668	10668	38763	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.charsets.jmod	regular	10668	10668	1248663	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.compiler.jmod	regular	10668	10668	10865681	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.crypto.ec.jmod	regular	10668	10668	146479	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.dynalink.jmod	regular	10668	10668	163989	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.editpad.jmod	regular	10668	10668	15304	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.hotspot.agent.jmod	regular	10668	10668	2311702	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.httpserver.jmod	regular	10668	10668	161214	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.internal.ed.jmod	regular	10668	10668	15165	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.internal.le.jmod	regular	10668	10668	513021	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.internal.opt.jmod	regular	10668	10668	95611	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.internal.vm.ci.jmod	regular	10668	10668	501972	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.internal.vm.compiler.management.jmod	regular	10668	10668	9659	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.jartool.jmod	regular	10668	10668	210791	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.javadoc.jmod	regular	10668	10668	1570440	`rwxrwxrwx`
/opt/jdk-21.0.1/jmods/jdk.jcmd.jmod	regular	10668	10668	117322	`rwxrwxrwx`

... and 320 more items.

Disable the Automounter

Rule ID	xccdf_org.ssgproject.content_rule_service_autofs_disabled
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-service_autofs_disabled:def:1
Time	2026-03-23T20:00:00+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80873-3 References: 1.1.9, 1, 12, 15, 16, 5, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.4.6, CCI-000366, CCI-000778, CCI-001958, 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, RHEL-08-040070, SV-230502r627750_rule
Description	The `autofs` daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as `/misc/cd`. However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it may be possible to configure filesystem mounts statically by editing `/etc/fstab` rather than relying on the automounter. The `autofs` service can be disabled with the following command: $ sudo systemctl mask --now autofs.service
Rationale	Disabling the automounter permits the administrator to statically control filesystem mounting through `/etc/fstab`. Additionally, automatically mounting filesystems permits easy introduction of unknown devices, thereby facilitating malicious activity.

OVAL test results details

package autofs is removed oval:ssg-test_service_autofs_package_autofs_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_service_autofs_package_autofs_removed:obj:1 of type rpminfo_object

Name
autofs

Test that the autofs service is not running oval:ssg-test_service_not_running_autofs:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_service_not_running_autofs:obj:1 of type systemdunitproperty_object

Unit	Property
^autofs\.(service\|socket)$	ActiveState

Test that the property LoadState from the service autofs is masked oval:ssg-test_service_loadstate_is_masked_autofs:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_service_loadstate_is_masked_autofs:obj:1 of type systemdunitproperty_object

Unit	Property
^autofs\.(service\|socket)$	LoadState

Disable Mounting of cramfs

Rule ID xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-kernel_module_cramfs_disabled:def:1

Time 2026-03-23T20:00:00+01:00

Severity low

Identifiers and References

Identifiers: CCE-81031-7

References: 1.1.1.1, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000095-GPOS-00049, RHEL-08-040025, SV-230498r792922_rule

Description

To configure the system to prevent the cramfs kernel module from being loaded, add the following line to the file /etc/modprobe.d/cramfs.conf:

install cramfs /bin/true

To configure the system to prevent the cramfs from being used, add the following line to file /etc/modprobe.d/cramfs.conf:

blacklist cramfs

This effectively prevents usage of this uncommon filesystem. The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image.

Rationale

Removing support for unneeded filesystem types reduces the local attack surface of the server.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if LC_ALL=C grep -q -m 1 "^install cramfs" /etc/modprobe.d/cramfs.conf ; then
	
	sed -i 's#^install cramfs.*#install cramfs /bin/true#g' /etc/modprobe.d/cramfs.conf
else
	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/cramfs.conf
	echo "install cramfs /bin/true" >> /etc/modprobe.d/cramfs.conf
fi

if ! LC_ALL=C grep -q -m 1 "^blacklist cramfs$" /etc/modprobe.d/cramfs.conf ; then
	echo "blacklist cramfs" >> /etc/modprobe.d/cramfs.conf
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: Ensure kernel module 'cramfs' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/cramfs.conf
    regexp: cramfs
    line: install cramfs /bin/true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-81031-7
  - DISA-STIG-RHEL-08-040025
  - NIST-800-171-3.4.6
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - kernel_module_cramfs_disabled
  - low_complexity
  - low_severity
  - medium_disruption
  - reboot_required

- name: Ensure kernel module 'cramfs' is blacklisted
  lineinfile:
    create: true
    dest: /etc/modprobe.d/cramfs.conf
    regexp: ^blacklist cramfs$
    line: blacklist cramfs
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-81031-7
  - DISA-STIG-RHEL-08-040025
  - NIST-800-171-3.4.6
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - kernel_module_cramfs_disabled
  - low_complexity
  - low_severity
  - medium_disruption
  - reboot_required

Remediation Kubernetes snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,install%20cramfs%20/bin/true%0Ablacklist%20cramfs%0A
        mode: 0644
        path: /etc/modprobe.d/cramfs.conf
        overwrite: true

OVAL test results details

kernel module cramfs blacklisted oval:ssg-test_kernmod_cramfs_blacklisted:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_cramfs_blacklisted:obj:1 of type textfilecontent54_object

Path

Filename

Pattern

Instance

/etc/modprobe.d

/etc/modules-load.d

/run/modprobe.d

/run/modules-load.d

/usr/lib/modprobe.d

/usr/lib/modules-load.d

^.*\.conf$

^blacklist\s+cramfs$

kernel module cramfs disabled oval:ssg-test_kernmod_cramfs_disabled:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_cramfs_disabled:obj:1 of type textfilecontent54_object

Path

Filename

Pattern

Instance

/etc/modprobe.d

/etc/modules-load.d

/run/modprobe.d

/run/modules-load.d

/usr/lib/modprobe.d

/usr/lib/modules-load.d

^.*\.conf$

^\s*install\s+cramfs\s+(/bin/false|/bin/true)$

Disable Modprobe Loading of USB Storage Driver

Rule ID xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-kernel_module_usb-storage_disabled:def:1

Time 2026-03-23T20:00:00+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80835-2

References: 1.1.10, 1, 12, 15, 16, 5, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.21, CCI-000366, CCI-000778, CCI-001958, 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, RHEL-08-040080, SV-230503r809319_rule

Description

To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the usb-storage kernel module from being loaded, add the following line to the file /etc/modprobe.d/usb-storage.conf:

install usb-storage /bin/true

To configure the system to prevent the usb-storage from being used, add the following line to file /etc/modprobe.d/usb-storage.conf:

blacklist usb-storage

This will prevent the modprobe program from loading the usb-storage module, but will not prevent an administrator (or another program) from using the insmod program to load the module manually.

Rationale

USB storage devices such as thumb drives can be used to introduce malicious software.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if LC_ALL=C grep -q -m 1 "^install usb-storage" /etc/modprobe.d/usb-storage.conf ; then
	
	sed -i 's#^install usb-storage.*#install usb-storage /bin/true#g' /etc/modprobe.d/usb-storage.conf
else
	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/usb-storage.conf
	echo "install usb-storage /bin/true" >> /etc/modprobe.d/usb-storage.conf
fi

if ! LC_ALL=C grep -q -m 1 "^blacklist usb-storage$" /etc/modprobe.d/usb-storage.conf ; then
	echo "blacklist usb-storage" >> /etc/modprobe.d/usb-storage.conf
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: Ensure kernel module 'usb-storage' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/usb-storage.conf
    regexp: usb-storage
    line: install usb-storage /bin/true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80835-2
  - DISA-STIG-RHEL-08-040080
  - NIST-800-171-3.1.21
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - disable_strategy
  - kernel_module_usb-storage_disabled
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required

- name: Ensure kernel module 'usb-storage' is blacklisted
  lineinfile:
    create: true
    dest: /etc/modprobe.d/usb-storage.conf
    regexp: ^blacklist usb-storage$
    line: blacklist usb-storage
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80835-2
  - DISA-STIG-RHEL-08-040080
  - NIST-800-171-3.1.21
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - disable_strategy
  - kernel_module_usb-storage_disabled
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required

Remediation Kubernetes snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,install%20usb-storage%20/bin/true%0Ablacklist%20usb-storage%0A
        mode: 0644
        path: /etc/modprobe.d/usb-storage.conf
        overwrite: true

OVAL test results details

kernel module usb-storage blacklisted oval:ssg-test_kernmod_usb-storage_blacklisted:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_usb-storage_blacklisted:obj:1 of type textfilecontent54_object

Path

Filename

Pattern

Instance

/etc/modprobe.d

/etc/modules-load.d

/run/modprobe.d

/run/modules-load.d

/usr/lib/modprobe.d

/usr/lib/modules-load.d

^.*\.conf$

^blacklist\s+usb-storage$

kernel module usb-storage disabled oval:ssg-test_kernmod_usb-storage_disabled:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_usb-storage_disabled:obj:1 of type textfilecontent54_object

Path

Filename

Pattern

Instance

/etc/modprobe.d

/etc/modules-load.d

/run/modprobe.d

/run/modules-load.d

/usr/lib/modprobe.d

/usr/lib/modules-load.d

^.*\.conf$

^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$

Add nodev Option to /dev/shm

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-mount_option_dev_shm_nodev:def:1
Time	2026-03-23T20:00:00+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80837-8 References: 1.1.8.1, 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040120, SV-230508r854049_rule
Description	The `nodev` mount option can be used to prevent creation of device files in `/dev/shm`. Legitimate character and block devices should not exist within temporary directories like `/dev/shm`. Add the `nodev` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/dev/shm`.
Rationale	The only legitimate location for device files is the `/dev` directory located on the root partition. The only exception to this is chroot jails.

OVAL test results details

nodev on /dev/shm optional no oval:ssg-test_dev_shm_partition_nodev_optional_no:tst:1 true

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Total space	Space used	Space left
/dev/shm	tmpfs		tmpfs	rw	nosuid	nodev	2050523	263	2050260

/dev/shm exists oval:ssg-test_dev_shm_no_partition_nodev_optional_no:tst:1 true

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Total space	Space used	Space left
/dev/shm	tmpfs		tmpfs	rw	nosuid	nodev	2050523	263	2050260

Add noexec Option to /dev/shm

Rule ID xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-mount_option_dev_shm_noexec:def:1

Time 2026-03-23T20:00:00+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80838-6

References: 1.1.8.2, 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040122, SV-230510r854051_rule

Description

The noexec mount option can be used to prevent binaries from being executed out of /dev/shm. It can be dangerous to allow the execution of binaries from world-writable temporary storage directories such as /dev/shm. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.

Rationale

Allowing users to execute binaries from world-writable directories such as /dev/shm can expose the system to potential compromise.

Remediation Shell script ⇲

Reboot:	false

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

function perform_remediation {
    


    mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /dev/shm)"

    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
    if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
        # runtime opts without some automatic kernel/userspace-added defaults
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
                    | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
        [ "$previous_mount_opts" ] && previous_mount_opts+=","
        echo "tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
    elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "noexec")" -eq 0 ]; then
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
    fi


    if mkdir -p "/dev/shm"; then
        if mountpoint -q "/dev/shm"; then
            mount -o remount --target "/dev/shm"
        else
            mount --target "/dev/shm"
        fi
    fi
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	high
Reboot:	false
Strategy:	configure

- name: 'Add noexec Option to /dev/shm: Check information associated to mountpoint'
  command: findmnt  '/dev/shm'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80838-6
  - DISA-STIG-RHEL-08-040122
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_dev_shm_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /dev/shm: Create mount_info dictionary variable'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - '{{ device_name.stdout_lines[0].split() | list | lower }}'
  - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - device_name.stdout is defined and device_name.stdout_lines is defined
  - (device_name.stdout | length > 0)
  tags:
  - CCE-80838-6
  - DISA-STIG-RHEL-08-040122
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_dev_shm_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /dev/shm: If /dev/shm not mounted, craft mount_info
    manually'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - - target
    - source
    - fstype
    - options
  - - /dev/shm
    - tmpfs
    - tmpfs
    - defaults
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ("" | length == 0)
  - (device_name.stdout | length == 0)
  tags:
  - CCE-80838-6
  - DISA-STIG-RHEL-08-040122
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_dev_shm_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /dev/shm: Make sure noexec option is part of the to
    /dev/shm options'
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec''
      }) }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - mount_info is defined and "noexec" not in mount_info.options
  tags:
  - CCE-80838-6
  - DISA-STIG-RHEL-08-040122
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_dev_shm_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /dev/shm: Ensure /dev/shm is mounted with noexec option'
  mount:
    path: /dev/shm
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" |
    length == 0)
  tags:
  - CCE-80838-6
  - DISA-STIG-RHEL-08-040122
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_dev_shm_noexec
  - no_reboot_needed

OVAL test results details

noexec on /dev/shm optional no oval:ssg-test_dev_shm_partition_noexec_optional_no:tst:1 false

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Total space	Space used	Space left
/dev/shm	tmpfs		tmpfs	rw	nosuid	nodev	2050523	263	2050260

/dev/shm exists oval:ssg-test_dev_shm_no_partition_noexec_optional_no:tst:1 true

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Total space	Space used	Space left
/dev/shm	tmpfs		tmpfs	rw	nosuid	nodev	2050523	263	2050260

Add nosuid Option to /dev/shm

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-mount_option_dev_shm_nosuid:def:1
Time	2026-03-23T20:00:00+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80839-4 References: 1.1.8.3, 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040121, SV-230509r854050_rule
Description	The `nosuid` mount option can be used to prevent execution of setuid programs in `/dev/shm`. The SUID and SGID permissions should not be required in these world-writable directories. Add the `nosuid` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/dev/shm`.
Rationale	The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.

OVAL test results details

nosuid on /dev/shm optional no oval:ssg-test_dev_shm_partition_nosuid_optional_no:tst:1 true

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Total space	Space used	Space left
/dev/shm	tmpfs		tmpfs	rw	nosuid	nodev	2050523	263	2050260

/dev/shm exists oval:ssg-test_dev_shm_no_partition_nosuid_optional_no:tst:1 true

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Total space	Space used	Space left
/dev/shm	tmpfs		tmpfs	rw	nosuid	nodev	2050523	263	2050260

Add grpquota Option to /home

Rule ID xccdf_org.ssgproject.content_rule_mount_option_home_grpquota

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-mount_option_home_grpquota:def:1

Time 2026-03-23T20:00:00+01:00

Severity medium

Identifiers and References

Identifiers: CCE-86039-5

References: 1.1.7.5, CM-6(b)

Description

The grpquota mount option allows for the filesystem to have disk quotas configured. Add the grpquota option to the fourth column of /etc/fstab for the line which controls mounting of /home.

Rationale

To ensure the availability of disk space on /home, it is important to limit the impact a single user or group can cause for other users (or the wider system) by intentionally or accidentally filling up the partition. Quotas can also be applied to inodes for filesystems where inode exhaustion is a concern.

Warnings

warning The quota options for XFS file systems can only be activated when mounting the partition. It is not possible to enable them by remounting an already mounted partition. Therefore, if the desired options were not defined before mounting the partition, dismount and mount it again to apply the quota options.

Remediation Shell script ⇲

Reboot:	false

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

function perform_remediation {
    
        mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" "/home")"

    grep "$mount_point_match_regexp" -q /etc/fstab \
        || { echo "The mount point '/home' is not even in /etc/fstab, so we can't set up mount options" >&2;
                echo "Not remediating, because there is no record of /home in /etc/fstab" >&2; return 1; }
    


    mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /home)"

    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
    if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
        # runtime opts without some automatic kernel/userspace-added defaults
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
                    | sed -E "s/(rw|defaults|seclabel|grpquota)(,|$)//g;s/,$//")
        [ "$previous_mount_opts" ] && previous_mount_opts+=","
        echo " /home  defaults,${previous_mount_opts}grpquota 0 0" >> /etc/fstab
    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
    elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "grpquota")" -eq 0 ]; then
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,grpquota|" /etc/fstab
    fi


    if mkdir -p "/home"; then
        if mountpoint -q "/home"; then
            mount -o remount --target "/home"
        else
            mount --target "/home"
        fi
    fi
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	high
Reboot:	false
Strategy:	configure

- name: 'Add grpquota Option to /home: Check information associated to mountpoint'
  command: findmnt --fstab '/home'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-86039-5
  - NIST-800-53-CM-6(b)
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_home_grpquota
  - no_reboot_needed

- name: 'Add grpquota Option to /home: Create mount_info dictionary variable'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - '{{ device_name.stdout_lines[0].split() | list | lower }}'
  - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - device_name.stdout is defined and device_name.stdout_lines is defined
  - (device_name.stdout | length > 0)
  tags:
  - CCE-86039-5
  - NIST-800-53-CM-6(b)
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_home_grpquota
  - no_reboot_needed

- name: 'Add grpquota Option to /home: If /home not mounted, craft mount_info manually'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - - target
    - source
    - fstype
    - options
  - - /home
    - ''
    - ''
    - defaults
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ("--fstab" | length == 0)
  - (device_name.stdout | length == 0)
  tags:
  - CCE-86039-5
  - NIST-800-53-CM-6(b)
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_home_grpquota
  - no_reboot_needed

- name: 'Add grpquota Option to /home: Make sure grpquota option is part of the to
    /home options'
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',grpquota''
      }) }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - mount_info is defined and "grpquota" not in mount_info.options
  tags:
  - CCE-86039-5
  - NIST-800-53-CM-6(b)
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_home_grpquota
  - no_reboot_needed

- name: 'Add grpquota Option to /home: Ensure /home is mounted with grpquota option'
  mount:
    path: /home
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
    | length == 0)
  tags:
  - CCE-86039-5
  - NIST-800-53-CM-6(b)
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_home_grpquota
  - no_reboot_needed

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	high
Reboot:	false
Strategy:	enable


part /home --mountoptions="grpquota"

OVAL test results details

grpquota on /home optional yes oval:ssg-test_home_partition_grpquota_optional_yes:tst:1 false

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/home	/dev/mapper/rhel-home	72a67c88-9c86-4e96-a4da-df9252a5d619	xfs	rw	relatime	attr2	inode64	logbufs=8	logbsize=32k	noquota	bind	44833394	759591	44073803

Add nodev Option to /home

Rule ID xccdf_org.ssgproject.content_rule_mount_option_home_nodev

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-mount_option_home_nodev:def:1

Time 2026-03-23T20:00:00+01:00

Severity unknown

Identifiers and References

Identifiers: CCE-81048-1

References: BP28(R12), 1.1.7.2, SRG-OS-000368-GPOS-00154

Description

The nodev mount option can be used to prevent device files from being created in /home. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /home.

Rationale

The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.

Remediation Shell script ⇲

Reboot:	false

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

function perform_remediation {
    
        mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" "/home")"

    grep "$mount_point_match_regexp" -q /etc/fstab \
        || { echo "The mount point '/home' is not even in /etc/fstab, so we can't set up mount options" >&2;
                echo "Not remediating, because there is no record of /home in /etc/fstab" >&2; return 1; }
    


    mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /home)"

    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
    if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
        # runtime opts without some automatic kernel/userspace-added defaults
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
                    | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//")
        [ "$previous_mount_opts" ] && previous_mount_opts+=","
        echo " /home  defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab
    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
    elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "nodev")" -eq 0 ]; then
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab
    fi


    if mkdir -p "/home"; then
        if mountpoint -q "/home"; then
            mount -o remount --target "/home"
        else
            mount --target "/home"
        fi
    fi
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	high
Reboot:	false
Strategy:	configure

- name: 'Add nodev Option to /home: Check information associated to mountpoint'
  command: findmnt --fstab '/home'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-81048-1
  - configure_strategy
  - high_disruption
  - low_complexity
  - mount_option_home_nodev
  - no_reboot_needed
  - unknown_severity

- name: 'Add nodev Option to /home: Create mount_info dictionary variable'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - '{{ device_name.stdout_lines[0].split() | list | lower }}'
  - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - device_name.stdout is defined and device_name.stdout_lines is defined
  - (device_name.stdout | length > 0)
  tags:
  - CCE-81048-1
  - configure_strategy
  - high_disruption
  - low_complexity
  - mount_option_home_nodev
  - no_reboot_needed
  - unknown_severity

- name: 'Add nodev Option to /home: If /home not mounted, craft mount_info manually'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - - target
    - source
    - fstype
    - options
  - - /home
    - ''
    - ''
    - defaults
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ("--fstab" | length == 0)
  - (device_name.stdout | length == 0)
  tags:
  - CCE-81048-1
  - configure_strategy
  - high_disruption
  - low_complexity
  - mount_option_home_nodev
  - no_reboot_needed
  - unknown_severity

- name: 'Add nodev Option to /home: Make sure nodev option is part of the to /home
    options'
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''
      }) }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - mount_info is defined and "nodev" not in mount_info.options
  tags:
  - CCE-81048-1
  - configure_strategy
  - high_disruption
  - low_complexity
  - mount_option_home_nodev
  - no_reboot_needed
  - unknown_severity

- name: 'Add nodev Option to /home: Ensure /home is mounted with nodev option'
  mount:
    path: /home
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
    | length == 0)
  tags:
  - CCE-81048-1
  - configure_strategy
  - high_disruption
  - low_complexity
  - mount_option_home_nodev
  - no_reboot_needed
  - unknown_severity

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	high
Reboot:	false
Strategy:	enable


part /home --mountoptions="nodev"

OVAL test results details

nodev on /home optional yes oval:ssg-test_home_partition_nodev_optional_yes:tst:1 false

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/home	/dev/mapper/rhel-home	72a67c88-9c86-4e96-a4da-df9252a5d619	xfs	rw	relatime	attr2	inode64	logbufs=8	logbsize=32k	noquota	bind	44833394	759591	44073803

Add nosuid Option to /home

Rule ID xccdf_org.ssgproject.content_rule_mount_option_home_nosuid

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-mount_option_home_nosuid:def:1

Time 2026-03-23T20:00:00+01:00

Severity medium

Identifiers and References

Identifiers: CCE-81050-7

References: BP28(R12), 1.1.7.3, 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227, RHEL-08-010570, SV-230299r627750_rule

Description

The nosuid mount option can be used to prevent execution of setuid programs in /home. The SUID and SGID permissions should not be required in these user data directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /home.

Rationale

The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from user home directory partitions.

Remediation Shell script ⇲

Reboot:	false

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

function perform_remediation {
    
        mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" "/home")"

    grep "$mount_point_match_regexp" -q /etc/fstab \
        || { echo "The mount point '/home' is not even in /etc/fstab, so we can't set up mount options" >&2;
                echo "Not remediating, because there is no record of /home in /etc/fstab" >&2; return 1; }
    


    mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /home)"

    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
    if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
        # runtime opts without some automatic kernel/userspace-added defaults
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
                    | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
        [ "$previous_mount_opts" ] && previous_mount_opts+=","
        echo " /home  defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
    elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "nosuid")" -eq 0 ]; then
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
    fi


    if mkdir -p "/home"; then
        if mountpoint -q "/home"; then
            mount -o remount --target "/home"
        else
            mount --target "/home"
        fi
    fi
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	high
Reboot:	false
Strategy:	configure

- name: 'Add nosuid Option to /home: Check information associated to mountpoint'
  command: findmnt --fstab '/home'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-81050-7
  - DISA-STIG-RHEL-08-010570
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_home_nosuid
  - no_reboot_needed

- name: 'Add nosuid Option to /home: Create mount_info dictionary variable'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - '{{ device_name.stdout_lines[0].split() | list | lower }}'
  - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - device_name.stdout is defined and device_name.stdout_lines is defined
  - (device_name.stdout | length > 0)
  tags:
  - CCE-81050-7
  - DISA-STIG-RHEL-08-010570
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_home_nosuid
  - no_reboot_needed

- name: 'Add nosuid Option to /home: If /home not mounted, craft mount_info manually'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - - target
    - source
    - fstype
    - options
  - - /home
    - ''
    - ''
    - defaults
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ("--fstab" | length == 0)
  - (device_name.stdout | length == 0)
  tags:
  - CCE-81050-7
  - DISA-STIG-RHEL-08-010570
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_home_nosuid
  - no_reboot_needed

- name: 'Add nosuid Option to /home: Make sure nosuid option is part of the to /home
    options'
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid''
      }) }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - mount_info is defined and "nosuid" not in mount_info.options
  tags:
  - CCE-81050-7
  - DISA-STIG-RHEL-08-010570
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_home_nosuid
  - no_reboot_needed

- name: 'Add nosuid Option to /home: Ensure /home is mounted with nosuid option'
  mount:
    path: /home
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
    | length == 0)
  tags:
  - CCE-81050-7
  - DISA-STIG-RHEL-08-010570
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_home_nosuid
  - no_reboot_needed

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	high
Reboot:	false
Strategy:	enable


part /home --mountoptions="nosuid"

OVAL test results details

nosuid on /home optional yes oval:ssg-test_home_partition_nosuid_optional_yes:tst:1 false

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/home	/dev/mapper/rhel-home	72a67c88-9c86-4e96-a4da-df9252a5d619	xfs	rw	relatime	attr2	inode64	logbufs=8	logbsize=32k	noquota	bind	44833394	759591	44073803

Add usrquota Option to /home

Rule ID xccdf_org.ssgproject.content_rule_mount_option_home_usrquota

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-mount_option_home_usrquota:def:1

Time 2026-03-23T20:00:00+01:00

Severity medium

Identifiers and References

Identifiers: CCE-86035-3

References: 1.1.7.4, CM-6(b)

Description

The usrquota mount option allows for the filesystem to have disk quotas configured. Add the usrquota option to the fourth column of /etc/fstab for the line which controls mounting of /home.

Rationale

Warnings

Remediation Shell script ⇲

Reboot:	false

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

function perform_remediation {
    
        mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" "/home")"

    grep "$mount_point_match_regexp" -q /etc/fstab \
        || { echo "The mount point '/home' is not even in /etc/fstab, so we can't set up mount options" >&2;
                echo "Not remediating, because there is no record of /home in /etc/fstab" >&2; return 1; }
    


    mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /home)"

    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
    if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
        # runtime opts without some automatic kernel/userspace-added defaults
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
                    | sed -E "s/(rw|defaults|seclabel|usrquota)(,|$)//g;s/,$//")
        [ "$previous_mount_opts" ] && previous_mount_opts+=","
        echo " /home  defaults,${previous_mount_opts}usrquota 0 0" >> /etc/fstab
    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
    elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "usrquota")" -eq 0 ]; then
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,usrquota|" /etc/fstab
    fi


    if mkdir -p "/home"; then
        if mountpoint -q "/home"; then
            mount -o remount --target "/home"
        else
            mount --target "/home"
        fi
    fi
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	high
Reboot:	false
Strategy:	configure

- name: 'Add usrquota Option to /home: Check information associated to mountpoint'
  command: findmnt --fstab '/home'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-86035-3
  - NIST-800-53-CM-6(b)
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_home_usrquota
  - no_reboot_needed

- name: 'Add usrquota Option to /home: Create mount_info dictionary variable'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - '{{ device_name.stdout_lines[0].split() | list | lower }}'
  - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - device_name.stdout is defined and device_name.stdout_lines is defined
  - (device_name.stdout | length > 0)
  tags:
  - CCE-86035-3
  - NIST-800-53-CM-6(b)
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_home_usrquota
  - no_reboot_needed

- name: 'Add usrquota Option to /home: If /home not mounted, craft mount_info manually'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - - target
    - source
    - fstype
    - options
  - - /home
    - ''
    - ''
    - defaults
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ("--fstab" | length == 0)
  - (device_name.stdout | length == 0)
  tags:
  - CCE-86035-3
  - NIST-800-53-CM-6(b)
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_home_usrquota
  - no_reboot_needed

- name: 'Add usrquota Option to /home: Make sure usrquota option is part of the to
    /home options'
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',usrquota''
      }) }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - mount_info is defined and "usrquota" not in mount_info.options
  tags:
  - CCE-86035-3
  - NIST-800-53-CM-6(b)
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_home_usrquota
  - no_reboot_needed

- name: 'Add usrquota Option to /home: Ensure /home is mounted with usrquota option'
  mount:
    path: /home
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
    | length == 0)
  tags:
  - CCE-86035-3
  - NIST-800-53-CM-6(b)
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_home_usrquota
  - no_reboot_needed

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	high
Reboot:	false
Strategy:	enable


part /home --mountoptions="usrquota"

OVAL test results details

usrquota on /home optional yes oval:ssg-test_home_partition_usrquota_optional_yes:tst:1 false

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/home	/dev/mapper/rhel-home	72a67c88-9c86-4e96-a4da-df9252a5d619	xfs	rw	relatime	attr2	inode64	logbufs=8	logbsize=32k	noquota	bind	44833394	759591	44073803

Add nodev Option to /tmp

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev
Result	notapplicable
Multi-check rule	no
Time	2026-03-23T20:00:00+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82623-0 References: BP28(R12), 1.1.2.2, 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040123, SV-230511r854052_rule
Description	The `nodev` mount option can be used to prevent device files from being created in `/tmp`. Legitimate character and block devices should not exist within temporary directories like `/tmp`. Add the `nodev` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/tmp`.
Rationale	The only legitimate location for device files is the `/dev` directory located on the root partition. The only exception to this is chroot jails.

Add noexec Option to /tmp

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec
Result	notapplicable
Multi-check rule	no
Time	2026-03-23T20:00:00+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82139-7 References: BP28(R12), 1.1.2.3, 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040125, SV-230513r854054_rule
Description	The `noexec` mount option can be used to prevent binaries from being executed out of `/tmp`. Add the `noexec` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/tmp`.
Rationale	Allowing users to execute binaries from world-writable directories such as `/tmp` should never be necessary in normal operation and can expose the system to potential compromise.

Add nosuid Option to /tmp

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid
Result	notapplicable
Multi-check rule	no
Time	2026-03-23T20:00:00+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82140-5 References: BP28(R12), 1.1.2.4, 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040124, SV-230512r854053_rule
Description	The `nosuid` mount option can be used to prevent execution of setuid programs in `/tmp`. The SUID and SGID permissions should not be required in these world-writable directories. Add the `nosuid` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/tmp`.
Rationale	The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.

Add nodev Option to /var/log/audit

Rule ID xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-mount_option_var_log_audit_nodev:def:1

Time 2026-03-23T20:00:00+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82080-3

References: 1.1.6.3, CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040129, SV-230517r854058_rule

Description

The nodev mount option can be used to prevent device files from being created in /var/log/audit. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var/log/audit.

Rationale

The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.

Remediation Shell script ⇲

Reboot:	false

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

function perform_remediation {
    
        mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" "/var/log/audit")"

    grep "$mount_point_match_regexp" -q /etc/fstab \
        || { echo "The mount point '/var/log/audit' is not even in /etc/fstab, so we can't set up mount options" >&2;
                echo "Not remediating, because there is no record of /var/log/audit in /etc/fstab" >&2; return 1; }
    


    mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /var/log/audit)"

    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
    if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
        # runtime opts without some automatic kernel/userspace-added defaults
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
                    | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//")
        [ "$previous_mount_opts" ] && previous_mount_opts+=","
        echo " /var/log/audit  defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab
    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
    elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "nodev")" -eq 0 ]; then
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab
    fi


    if mkdir -p "/var/log/audit"; then
        if mountpoint -q "/var/log/audit"; then
            mount -o remount --target "/var/log/audit"
        else
            mount --target "/var/log/audit"
        fi
    fi
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	high
Reboot:	false
Strategy:	configure

- name: 'Add nodev Option to /var/log/audit: Check information associated to mountpoint'
  command: findmnt --fstab '/var/log/audit'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-82080-3
  - DISA-STIG-RHEL-08-040129
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_audit_nodev
  - no_reboot_needed

- name: 'Add nodev Option to /var/log/audit: Create mount_info dictionary variable'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - '{{ device_name.stdout_lines[0].split() | list | lower }}'
  - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - device_name.stdout is defined and device_name.stdout_lines is defined
  - (device_name.stdout | length > 0)
  tags:
  - CCE-82080-3
  - DISA-STIG-RHEL-08-040129
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_audit_nodev
  - no_reboot_needed

- name: 'Add nodev Option to /var/log/audit: If /var/log/audit not mounted, craft
    mount_info manually'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - - target
    - source
    - fstype
    - options
  - - /var/log/audit
    - ''
    - ''
    - defaults
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ("--fstab" | length == 0)
  - (device_name.stdout | length == 0)
  tags:
  - CCE-82080-3
  - DISA-STIG-RHEL-08-040129
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_audit_nodev
  - no_reboot_needed

- name: 'Add nodev Option to /var/log/audit: Make sure nodev option is part of the
    to /var/log/audit options'
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''
      }) }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - mount_info is defined and "nodev" not in mount_info.options
  tags:
  - CCE-82080-3
  - DISA-STIG-RHEL-08-040129
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_audit_nodev
  - no_reboot_needed

- name: 'Add nodev Option to /var/log/audit: Ensure /var/log/audit is mounted with
    nodev option'
  mount:
    path: /var/log/audit
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
    | length == 0)
  tags:
  - CCE-82080-3
  - DISA-STIG-RHEL-08-040129
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_audit_nodev
  - no_reboot_needed

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	high
Reboot:	false
Strategy:	enable


part /var/log/audit --mountoptions="nodev"

OVAL test results details

nodev on /var/log/audit optional yes oval:ssg-test_var_log_audit_partition_nodev_optional_yes:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_var_log_audit_partition_nodev_optional_yes:obj:1 of type partition_object

Mount point
/var/log/audit

Add noexec Option to /var/log/audit

Rule ID xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-mount_option_var_log_audit_noexec:def:1

Time 2026-03-23T20:00:00+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82975-4

References: 1.1.6.2, CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040131, SV-230519r854060_rule

Description

The noexec mount option can be used to prevent binaries from being executed out of /var/log/audit. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var/log/audit.

Rationale

Allowing users to execute binaries from directories containing audit log files such as /var/log/audit should never be necessary in normal operation and can expose the system to potential compromise.

Remediation Shell script ⇲

Reboot:	false

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

function perform_remediation {
    
        mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" "/var/log/audit")"

    grep "$mount_point_match_regexp" -q /etc/fstab \
        || { echo "The mount point '/var/log/audit' is not even in /etc/fstab, so we can't set up mount options" >&2;
                echo "Not remediating, because there is no record of /var/log/audit in /etc/fstab" >&2; return 1; }
    


    mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /var/log/audit)"

    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
    if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
        # runtime opts without some automatic kernel/userspace-added defaults
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
                    | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
        [ "$previous_mount_opts" ] && previous_mount_opts+=","
        echo " /var/log/audit  defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
    elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "noexec")" -eq 0 ]; then
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
    fi


    if mkdir -p "/var/log/audit"; then
        if mountpoint -q "/var/log/audit"; then
            mount -o remount --target "/var/log/audit"
        else
            mount --target "/var/log/audit"
        fi
    fi
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	high
Reboot:	false
Strategy:	configure

- name: 'Add noexec Option to /var/log/audit: Check information associated to mountpoint'
  command: findmnt --fstab '/var/log/audit'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-82975-4
  - DISA-STIG-RHEL-08-040131
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_audit_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /var/log/audit: Create mount_info dictionary variable'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - '{{ device_name.stdout_lines[0].split() | list | lower }}'
  - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - device_name.stdout is defined and device_name.stdout_lines is defined
  - (device_name.stdout | length > 0)
  tags:
  - CCE-82975-4
  - DISA-STIG-RHEL-08-040131
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_audit_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /var/log/audit: If /var/log/audit not mounted, craft
    mount_info manually'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - - target
    - source
    - fstype
    - options
  - - /var/log/audit
    - ''
    - ''
    - defaults
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ("--fstab" | length == 0)
  - (device_name.stdout | length == 0)
  tags:
  - CCE-82975-4
  - DISA-STIG-RHEL-08-040131
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_audit_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /var/log/audit: Make sure noexec option is part of the
    to /var/log/audit options'
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec''
      }) }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - mount_info is defined and "noexec" not in mount_info.options
  tags:
  - CCE-82975-4
  - DISA-STIG-RHEL-08-040131
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_audit_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /var/log/audit: Ensure /var/log/audit is mounted with
    noexec option'
  mount:
    path: /var/log/audit
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
    | length == 0)
  tags:
  - CCE-82975-4
  - DISA-STIG-RHEL-08-040131
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_audit_noexec
  - no_reboot_needed

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	high
Reboot:	false
Strategy:	enable


part /var/log/audit --mountoptions="noexec"

OVAL test results details

noexec on /var/log/audit optional yes oval:ssg-test_var_log_audit_partition_noexec_optional_yes:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_var_log_audit_partition_noexec_optional_yes:obj:1 of type partition_object

Mount point
/var/log/audit

Add nosuid Option to /var/log/audit

Rule ID xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-mount_option_var_log_audit_nosuid:def:1

Time 2026-03-23T20:00:00+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82921-8

References: 1.1.6.4, CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040130, SV-230518r854059_rule

Description

The nosuid mount option can be used to prevent execution of setuid programs in /var/log/audit. The SUID and SGID permissions should not be required in directories containing audit log files. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var/log/audit.

Rationale

The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from partitions designated for audit log files.

Remediation Shell script ⇲

Reboot:	false

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

function perform_remediation {
    
        mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" "/var/log/audit")"

    grep "$mount_point_match_regexp" -q /etc/fstab \
        || { echo "The mount point '/var/log/audit' is not even in /etc/fstab, so we can't set up mount options" >&2;
                echo "Not remediating, because there is no record of /var/log/audit in /etc/fstab" >&2; return 1; }
    


    mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /var/log/audit)"

    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
    if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
        # runtime opts without some automatic kernel/userspace-added defaults
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
                    | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
        [ "$previous_mount_opts" ] && previous_mount_opts+=","
        echo " /var/log/audit  defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
    elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "nosuid")" -eq 0 ]; then
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
    fi


    if mkdir -p "/var/log/audit"; then
        if mountpoint -q "/var/log/audit"; then
            mount -o remount --target "/var/log/audit"
        else
            mount --target "/var/log/audit"
        fi
    fi
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	high
Reboot:	false
Strategy:	configure

- name: 'Add nosuid Option to /var/log/audit: Check information associated to mountpoint'
  command: findmnt --fstab '/var/log/audit'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-82921-8
  - DISA-STIG-RHEL-08-040130
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_audit_nosuid
  - no_reboot_needed

- name: 'Add nosuid Option to /var/log/audit: Create mount_info dictionary variable'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - '{{ device_name.stdout_lines[0].split() | list | lower }}'
  - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - device_name.stdout is defined and device_name.stdout_lines is defined
  - (device_name.stdout | length > 0)
  tags:
  - CCE-82921-8
  - DISA-STIG-RHEL-08-040130
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_audit_nosuid
  - no_reboot_needed

- name: 'Add nosuid Option to /var/log/audit: If /var/log/audit not mounted, craft
    mount_info manually'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - - target
    - source
    - fstype
    - options
  - - /var/log/audit
    - ''
    - ''
    - defaults
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ("--fstab" | length == 0)
  - (device_name.stdout | length == 0)
  tags:
  - CCE-82921-8
  - DISA-STIG-RHEL-08-040130
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_audit_nosuid
  - no_reboot_needed

- name: 'Add nosuid Option to /var/log/audit: Make sure nosuid option is part of the
    to /var/log/audit options'
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid''
      }) }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - mount_info is defined and "nosuid" not in mount_info.options
  tags:
  - CCE-82921-8
  - DISA-STIG-RHEL-08-040130
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_audit_nosuid
  - no_reboot_needed

- name: 'Add nosuid Option to /var/log/audit: Ensure /var/log/audit is mounted with
    nosuid option'
  mount:
    path: /var/log/audit
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
    | length == 0)
  tags:
  - CCE-82921-8
  - DISA-STIG-RHEL-08-040130
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_audit_nosuid
  - no_reboot_needed

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	high
Reboot:	false
Strategy:	enable


part /var/log/audit --mountoptions="nosuid"

OVAL test results details

nosuid on /var/log/audit optional yes oval:ssg-test_var_log_audit_partition_nosuid_optional_yes:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_var_log_audit_partition_nosuid_optional_yes:obj:1 of type partition_object

Mount point
/var/log/audit

Add nodev Option to /var/log

Rule ID xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-mount_option_var_log_nodev:def:1

Time 2026-03-23T20:00:00+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82077-9

References: 1.1.5.2, CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040126, SV-230514r854055_rule

Description

The nodev mount option can be used to prevent device files from being created in /var/log. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var/log.

Rationale

The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.

Remediation Shell script ⇲

Reboot:	false

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

function perform_remediation {
    
        mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" "/var/log")"

    grep "$mount_point_match_regexp" -q /etc/fstab \
        || { echo "The mount point '/var/log' is not even in /etc/fstab, so we can't set up mount options" >&2;
                echo "Not remediating, because there is no record of /var/log in /etc/fstab" >&2; return 1; }
    


    mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /var/log)"

    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
    if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
        # runtime opts without some automatic kernel/userspace-added defaults
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
                    | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//")
        [ "$previous_mount_opts" ] && previous_mount_opts+=","
        echo " /var/log  defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab
    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
    elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "nodev")" -eq 0 ]; then
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab
    fi


    if mkdir -p "/var/log"; then
        if mountpoint -q "/var/log"; then
            mount -o remount --target "/var/log"
        else
            mount --target "/var/log"
        fi
    fi
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	high
Reboot:	false
Strategy:	configure

- name: 'Add nodev Option to /var/log: Check information associated to mountpoint'
  command: findmnt --fstab '/var/log'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-82077-9
  - DISA-STIG-RHEL-08-040126
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_nodev
  - no_reboot_needed

- name: 'Add nodev Option to /var/log: Create mount_info dictionary variable'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - '{{ device_name.stdout_lines[0].split() | list | lower }}'
  - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - device_name.stdout is defined and device_name.stdout_lines is defined
  - (device_name.stdout | length > 0)
  tags:
  - CCE-82077-9
  - DISA-STIG-RHEL-08-040126
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_nodev
  - no_reboot_needed

- name: 'Add nodev Option to /var/log: If /var/log not mounted, craft mount_info manually'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - - target
    - source
    - fstype
    - options
  - - /var/log
    - ''
    - ''
    - defaults
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ("--fstab" | length == 0)
  - (device_name.stdout | length == 0)
  tags:
  - CCE-82077-9
  - DISA-STIG-RHEL-08-040126
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_nodev
  - no_reboot_needed

- name: 'Add nodev Option to /var/log: Make sure nodev option is part of the to /var/log
    options'
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''
      }) }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - mount_info is defined and "nodev" not in mount_info.options
  tags:
  - CCE-82077-9
  - DISA-STIG-RHEL-08-040126
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_nodev
  - no_reboot_needed

- name: 'Add nodev Option to /var/log: Ensure /var/log is mounted with nodev option'
  mount:
    path: /var/log
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
    | length == 0)
  tags:
  - CCE-82077-9
  - DISA-STIG-RHEL-08-040126
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_nodev
  - no_reboot_needed

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	high
Reboot:	false
Strategy:	enable


part /var/log --mountoptions="nodev"

OVAL test results details

nodev on /var/log optional yes oval:ssg-test_var_log_partition_nodev_optional_yes:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_var_log_partition_nodev_optional_yes:obj:1 of type partition_object

Mount point
/var/log

Add noexec Option to /var/log

Rule ID xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-mount_option_var_log_noexec:def:1

Time 2026-03-23T20:00:00+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82008-4

References: BP28(R12), 1.1.5.3, CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040128, SV-230516r854057_rule

Description

The noexec mount option can be used to prevent binaries from being executed out of /var/log. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var/log.

Rationale

Allowing users to execute binaries from directories containing log files such as /var/log should never be necessary in normal operation and can expose the system to potential compromise.

Remediation Shell script ⇲

Reboot:	false

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

function perform_remediation {
    
        mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" "/var/log")"

    grep "$mount_point_match_regexp" -q /etc/fstab \
        || { echo "The mount point '/var/log' is not even in /etc/fstab, so we can't set up mount options" >&2;
                echo "Not remediating, because there is no record of /var/log in /etc/fstab" >&2; return 1; }
    


    mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /var/log)"

    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
    if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
        # runtime opts without some automatic kernel/userspace-added defaults
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
                    | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
        [ "$previous_mount_opts" ] && previous_mount_opts+=","
        echo " /var/log  defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
    elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "noexec")" -eq 0 ]; then
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
    fi


    if mkdir -p "/var/log"; then
        if mountpoint -q "/var/log"; then
            mount -o remount --target "/var/log"
        else
            mount --target "/var/log"
        fi
    fi
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	high
Reboot:	false
Strategy:	configure

- name: 'Add noexec Option to /var/log: Check information associated to mountpoint'
  command: findmnt --fstab '/var/log'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-82008-4
  - DISA-STIG-RHEL-08-040128
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /var/log: Create mount_info dictionary variable'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - '{{ device_name.stdout_lines[0].split() | list | lower }}'
  - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - device_name.stdout is defined and device_name.stdout_lines is defined
  - (device_name.stdout | length > 0)
  tags:
  - CCE-82008-4
  - DISA-STIG-RHEL-08-040128
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /var/log: If /var/log not mounted, craft mount_info
    manually'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - - target
    - source
    - fstype
    - options
  - - /var/log
    - ''
    - ''
    - defaults
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ("--fstab" | length == 0)
  - (device_name.stdout | length == 0)
  tags:
  - CCE-82008-4
  - DISA-STIG-RHEL-08-040128
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /var/log: Make sure noexec option is part of the to
    /var/log options'
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec''
      }) }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - mount_info is defined and "noexec" not in mount_info.options
  tags:
  - CCE-82008-4
  - DISA-STIG-RHEL-08-040128
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /var/log: Ensure /var/log is mounted with noexec option'
  mount:
    path: /var/log
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
    | length == 0)
  tags:
  - CCE-82008-4
  - DISA-STIG-RHEL-08-040128
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_noexec
  - no_reboot_needed

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	high
Reboot:	false
Strategy:	enable


part /var/log --mountoptions="noexec"

OVAL test results details

noexec on /var/log optional yes oval:ssg-test_var_log_partition_noexec_optional_yes:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_var_log_partition_noexec_optional_yes:obj:1 of type partition_object

Mount point
/var/log

Add nosuid Option to /var/log

Rule ID xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-mount_option_var_log_nosuid:def:1

Time 2026-03-23T20:00:00+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82065-4

References: BP28(R12), 1.1.5.4, CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040127, SV-230515r854056_rule

Description

The nosuid mount option can be used to prevent execution of setuid programs in /var/log. The SUID and SGID permissions should not be required in directories containing log files. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var/log.

Rationale

The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from partitions designated for log files.

Remediation Shell script ⇲

Reboot:	false

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

function perform_remediation {
    
        mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" "/var/log")"

    grep "$mount_point_match_regexp" -q /etc/fstab \
        || { echo "The mount point '/var/log' is not even in /etc/fstab, so we can't set up mount options" >&2;
                echo "Not remediating, because there is no record of /var/log in /etc/fstab" >&2; return 1; }
    


    mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /var/log)"

    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
    if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
        # runtime opts without some automatic kernel/userspace-added defaults
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
                    | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
        [ "$previous_mount_opts" ] && previous_mount_opts+=","
        echo " /var/log  defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
    elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "nosuid")" -eq 0 ]; then
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
    fi


    if mkdir -p "/var/log"; then
        if mountpoint -q "/var/log"; then
            mount -o remount --target "/var/log"
        else
            mount --target "/var/log"
        fi
    fi
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	high
Reboot:	false
Strategy:	configure

- name: 'Add nosuid Option to /var/log: Check information associated to mountpoint'
  command: findmnt --fstab '/var/log'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-82065-4
  - DISA-STIG-RHEL-08-040127
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_nosuid
  - no_reboot_needed

- name: 'Add nosuid Option to /var/log: Create mount_info dictionary variable'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - '{{ device_name.stdout_lines[0].split() | list | lower }}'
  - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - device_name.stdout is defined and device_name.stdout_lines is defined
  - (device_name.stdout | length > 0)
  tags:
  - CCE-82065-4
  - DISA-STIG-RHEL-08-040127
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_nosuid
  - no_reboot_needed

- name: 'Add nosuid Option to /var/log: If /var/log not mounted, craft mount_info
    manually'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - - target
    - source
    - fstype
    - options
  - - /var/log
    - ''
    - ''
    - defaults
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ("--fstab" | length == 0)
  - (device_name.stdout | length == 0)
  tags:
  - CCE-82065-4
  - DISA-STIG-RHEL-08-040127
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_nosuid
  - no_reboot_needed

- name: 'Add nosuid Option to /var/log: Make sure nosuid option is part of the to
    /var/log options'
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid''
      }) }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - mount_info is defined and "nosuid" not in mount_info.options
  tags:
  - CCE-82065-4
  - DISA-STIG-RHEL-08-040127
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_nosuid
  - no_reboot_needed

- name: 'Add nosuid Option to /var/log: Ensure /var/log is mounted with nosuid option'
  mount:
    path: /var/log
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
    | length == 0)
  tags:
  - CCE-82065-4
  - DISA-STIG-RHEL-08-040127
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_nosuid
  - no_reboot_needed

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	high
Reboot:	false
Strategy:	enable


part /var/log --mountoptions="nosuid"

OVAL test results details

nosuid on /var/log optional yes oval:ssg-test_var_log_partition_nosuid_optional_yes:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_var_log_partition_nosuid_optional_yes:obj:1 of type partition_object

Mount point
/var/log

Add nodev Option to /var

Rule ID xccdf_org.ssgproject.content_rule_mount_option_var_nodev

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-mount_option_var_nodev:def:1

Time 2026-03-23T20:00:00+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82062-1

References: 1.1.3.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154

Description

The nodev mount option can be used to prevent device files from being created in /var. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var.

Rationale

The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.

Remediation Shell script ⇲

Reboot:	false

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

function perform_remediation {
    
        mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" "/var")"

    grep "$mount_point_match_regexp" -q /etc/fstab \
        || { echo "The mount point '/var' is not even in /etc/fstab, so we can't set up mount options" >&2;
                echo "Not remediating, because there is no record of /var in /etc/fstab" >&2; return 1; }
    


    mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /var)"

    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
    if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
        # runtime opts without some automatic kernel/userspace-added defaults
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
                    | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//")
        [ "$previous_mount_opts" ] && previous_mount_opts+=","
        echo " /var  defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab
    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
    elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "nodev")" -eq 0 ]; then
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab
    fi


    if mkdir -p "/var"; then
        if mountpoint -q "/var"; then
            mount -o remount --target "/var"
        else
            mount --target "/var"
        fi
    fi
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	high
Reboot:	false
Strategy:	configure

- name: 'Add nodev Option to /var: Check information associated to mountpoint'
  command: findmnt --fstab '/var'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-82062-1
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_nodev
  - no_reboot_needed

- name: 'Add nodev Option to /var: Create mount_info dictionary variable'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - '{{ device_name.stdout_lines[0].split() | list | lower }}'
  - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - device_name.stdout is defined and device_name.stdout_lines is defined
  - (device_name.stdout | length > 0)
  tags:
  - CCE-82062-1
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_nodev
  - no_reboot_needed

- name: 'Add nodev Option to /var: If /var not mounted, craft mount_info manually'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - - target
    - source
    - fstype
    - options
  - - /var
    - ''
    - ''
    - defaults
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ("--fstab" | length == 0)
  - (device_name.stdout | length == 0)
  tags:
  - CCE-82062-1
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_nodev
  - no_reboot_needed

- name: 'Add nodev Option to /var: Make sure nodev option is part of the to /var options'
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''
      }) }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - mount_info is defined and "nodev" not in mount_info.options
  tags:
  - CCE-82062-1
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_nodev
  - no_reboot_needed

- name: 'Add nodev Option to /var: Ensure /var is mounted with nodev option'
  mount:
    path: /var
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
    | length == 0)
  tags:
  - CCE-82062-1
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_nodev
  - no_reboot_needed

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	high
Reboot:	false
Strategy:	enable


part /var --mountoptions="nodev"

OVAL test results details

nodev on /var optional yes oval:ssg-test_var_partition_nodev_optional_yes:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_var_partition_nodev_optional_yes:obj:1 of type partition_object

Mount point
/var

Add noexec Option to /var

Rule ID xccdf_org.ssgproject.content_rule_mount_option_var_noexec

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-mount_option_var_noexec:def:1

Time 2026-03-23T20:00:00+01:00

Severity medium

Identifiers and References

Identifiers: CCE-83330-1

References: BP28(R12), 1.1.3.3

Description

The noexec mount option can be used to prevent binaries from being executed out of /var. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var.

Rationale

The /var directory contains variable system data such as logs, mails and caches. No binaries should be executed from this directory.

Remediation Shell script ⇲

Reboot:	false

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

function perform_remediation {
    
        mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" "/var")"

    grep "$mount_point_match_regexp" -q /etc/fstab \
        || { echo "The mount point '/var' is not even in /etc/fstab, so we can't set up mount options" >&2;
                echo "Not remediating, because there is no record of /var in /etc/fstab" >&2; return 1; }
    


    mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /var)"

    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
    if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
        # runtime opts without some automatic kernel/userspace-added defaults
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
                    | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
        [ "$previous_mount_opts" ] && previous_mount_opts+=","
        echo " /var  defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
    elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "noexec")" -eq 0 ]; then
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
    fi


    if mkdir -p "/var"; then
        if mountpoint -q "/var"; then
            mount -o remount --target "/var"
        else
            mount --target "/var"
        fi
    fi
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	high
Reboot:	false
Strategy:	configure

- name: 'Add noexec Option to /var: Check information associated to mountpoint'
  command: findmnt --fstab '/var'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83330-1
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /var: Create mount_info dictionary variable'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - '{{ device_name.stdout_lines[0].split() | list | lower }}'
  - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - device_name.stdout is defined and device_name.stdout_lines is defined
  - (device_name.stdout | length > 0)
  tags:
  - CCE-83330-1
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /var: If /var not mounted, craft mount_info manually'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - - target
    - source
    - fstype
    - options
  - - /var
    - ''
    - ''
    - defaults
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ("--fstab" | length == 0)
  - (device_name.stdout | length == 0)
  tags:
  - CCE-83330-1
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /var: Make sure noexec option is part of the to /var
    options'
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec''
      }) }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - mount_info is defined and "noexec" not in mount_info.options
  tags:
  - CCE-83330-1
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /var: Ensure /var is mounted with noexec option'
  mount:
    path: /var
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
    | length == 0)
  tags:
  - CCE-83330-1
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_noexec
  - no_reboot_needed

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	high
Reboot:	false
Strategy:	enable


part /var --mountoptions="noexec"

OVAL test results details

noexec on /var optional yes oval:ssg-test_var_partition_noexec_optional_yes:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_var_partition_noexec_optional_yes:obj:1 of type partition_object

Mount point
/var

Add nosuid Option to /var

Rule ID xccdf_org.ssgproject.content_rule_mount_option_var_nosuid

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-mount_option_var_nosuid:def:1

Time 2026-03-23T20:00:00+01:00

Severity unknown

Identifiers and References

Identifiers: CCE-83383-0

References: BP28(R12), 1.1.3.4

Description

The nosuid mount option can be used to prevent execution of setuid programs in /var. The SUID and SGID permissions should not be required for this directory. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var.

Rationale

The presence of SUID and SGID executables should be tightly controlled.

Remediation Shell script ⇲

Reboot:	false

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

function perform_remediation {
    
        mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" "/var")"

    grep "$mount_point_match_regexp" -q /etc/fstab \
        || { echo "The mount point '/var' is not even in /etc/fstab, so we can't set up mount options" >&2;
                echo "Not remediating, because there is no record of /var in /etc/fstab" >&2; return 1; }
    


    mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /var)"

    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
    if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
        # runtime opts without some automatic kernel/userspace-added defaults
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
                    | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
        [ "$previous_mount_opts" ] && previous_mount_opts+=","
        echo " /var  defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
    elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "nosuid")" -eq 0 ]; then
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
    fi


    if mkdir -p "/var"; then
        if mountpoint -q "/var"; then
            mount -o remount --target "/var"
        else
            mount --target "/var"
        fi
    fi
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	high
Reboot:	false
Strategy:	configure

- name: 'Add nosuid Option to /var: Check information associated to mountpoint'
  command: findmnt --fstab '/var'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83383-0
  - configure_strategy
  - high_disruption
  - low_complexity
  - mount_option_var_nosuid
  - no_reboot_needed
  - unknown_severity

- name: 'Add nosuid Option to /var: Create mount_info dictionary variable'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - '{{ device_name.stdout_lines[0].split() | list | lower }}'
  - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - device_name.stdout is defined and device_name.stdout_lines is defined
  - (device_name.stdout | length > 0)
  tags:
  - CCE-83383-0
  - configure_strategy
  - high_disruption
  - low_complexity
  - mount_option_var_nosuid
  - no_reboot_needed
  - unknown_severity

- name: 'Add nosuid Option to /var: If /var not mounted, craft mount_info manually'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - - target
    - source
    - fstype
    - options
  - - /var
    - ''
    - ''
    - defaults
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ("--fstab" | length == 0)
  - (device_name.stdout | length == 0)
  tags:
  - CCE-83383-0
  - configure_strategy
  - high_disruption
  - low_complexity
  - mount_option_var_nosuid
  - no_reboot_needed
  - unknown_severity

- name: 'Add nosuid Option to /var: Make sure nosuid option is part of the to /var
    options'
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid''
      }) }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - mount_info is defined and "nosuid" not in mount_info.options
  tags:
  - CCE-83383-0
  - configure_strategy
  - high_disruption
  - low_complexity
  - mount_option_var_nosuid
  - no_reboot_needed
  - unknown_severity

- name: 'Add nosuid Option to /var: Ensure /var is mounted with nosuid option'
  mount:
    path: /var
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
    | length == 0)
  tags:
  - CCE-83383-0
  - configure_strategy
  - high_disruption
  - low_complexity
  - mount_option_var_nosuid
  - no_reboot_needed
  - unknown_severity

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	high
Reboot:	false
Strategy:	enable


part /var --mountoptions="nosuid"

OVAL test results details

nosuid on /var optional yes oval:ssg-test_var_partition_nosuid_optional_yes:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_var_partition_nosuid_optional_yes:obj:1 of type partition_object

Mount point
/var

Add nodev Option to /var/tmp

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev
Result	notapplicable
Multi-check rule	no
Time	2026-03-23T20:00:00+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82068-8 References: BP28(R12), 1.1.4.4, CCI-001764, SRG-OS-000368-GPOS-00154, RHEL-08-040132, SV-230520r854061_rule
Description	The `nodev` mount option can be used to prevent device files from being created in `/var/tmp`. Legitimate character and block devices should not exist within temporary directories like `/var/tmp`. Add the `nodev` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/var/tmp`.
Rationale	The only legitimate location for device files is the `/dev` directory located on the root partition. The only exception to this is chroot jails.

Add noexec Option to /var/tmp

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec
Result	notapplicable
Multi-check rule	no
Time	2026-03-23T20:00:00+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82151-2 References: BP28(R12), 1.1.4.2, CCI-001764, SRG-OS-000368-GPOS-00154, RHEL-08-040134, SV-230522r854063_rule
Description	The `noexec` mount option can be used to prevent binaries from being executed out of `/var/tmp`. Add the `noexec` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/var/tmp`.
Rationale	Allowing users to execute binaries from world-writable directories such as `/var/tmp` should never be necessary in normal operation and can expose the system to potential compromise.

Add nosuid Option to /var/tmp

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid
Result	notapplicable
Multi-check rule	no
Time	2026-03-23T20:00:00+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82154-6 References: BP28(R12), 1.1.4.3, CCI-001764, SRG-OS-000368-GPOS-00154, RHEL-08-040133, SV-230521r854062_rule
Description	The `nosuid` mount option can be used to prevent execution of setuid programs in `/var/tmp`. The SUID and SGID permissions should not be required in these world-writable directories. Add the `nosuid` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/var/tmp`.
Rationale	The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.

Disable core dump backtraces

Rule ID xccdf_org.ssgproject.content_rule_coredump_disable_backtraces

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-coredump_disable_backtraces:def:1

Time 2026-03-23T20:00:00+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82251-0

References: 1.5.2, CCI-000366, CM-6, FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227, RHEL-08-010675, SV-230315r627750_rule

Description

The ProcessSizeMax option in [Coredump] section of /etc/systemd/coredump.conf specifies the maximum size in bytes of a core which will be processed. Core dumps exceeding this size may be stored, but the backtrace will not be generated.

Rationale

A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended, however there may be overriding operational requirements to enable advanced debuging. Permitting temporary enablement of core dumps during such situations should be reviewed through local needs and policy.

Warnings

warning If the /etc/systemd/coredump.conf file does not already contain the [Coredump] section, the value will not be configured correctly.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

if [ -e "/etc/systemd/coredump.conf" ] ; then
    
    LC_ALL=C sed -i "/^\s*ProcessSizeMax\s*=\s*/Id" "/etc/systemd/coredump.conf"
else
    touch "/etc/systemd/coredump.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/systemd/coredump.conf"

cp "/etc/systemd/coredump.conf" "/etc/systemd/coredump.conf.bak"
# Insert at the end of the file
printf '%s\n' "ProcessSizeMax=0" >> "/etc/systemd/coredump.conf"
# Clean up after ourselves.
rm "/etc/systemd/coredump.conf.bak"

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Disable core dump backtraces
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/systemd/coredump.conf
      create: false
      regexp: ^\s*ProcessSizeMax\s*=\s*
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/systemd/coredump.conf
    lineinfile:
      path: /etc/systemd/coredump.conf
      create: false
      regexp: ^\s*ProcessSizeMax\s*=\s*
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/systemd/coredump.conf
    lineinfile:
      path: /etc/systemd/coredump.conf
      create: false
      regexp: ^\s*ProcessSizeMax\s*=\s*
      line: ProcessSizeMax=0
      state: present
  tags:
  - CCE-82251-0
  - DISA-STIG-RHEL-08-010675
  - NIST-800-53-CM-6
  - coredump_disable_backtraces
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Remediation Kubernetes snippet ⇲

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,%23%20%20This%20file%20is%20part%20of%20systemd.%0A%23%0A%23%20%20systemd%20is%20free%20software%3B%20you%20can%20redistribute%20it%20and/or%20modify%20it%0A%23%20%20under%20the%20terms%20of%20the%20GNU%20Lesser%20General%20Public%20License%20as%20published%20by%0A%23%20%20the%20Free%20Software%20Foundation%3B%20either%20version%202.1%20of%20the%20License%2C%20or%0A%23%20%20%28at%20your%20option%29%20any%20later%20version.%0A%23%0A%23%20Entries%20in%20this%20file%20show%20the%20compile%20time%20defaults.%0A%23%20You%20can%20change%20settings%20by%20editing%20this%20file.%0A%23%20Defaults%20can%20be%20restored%20by%20simply%20deleting%20this%20file.%0A%23%0A%23%20See%20coredump.conf%285%29%20for%20details.%0A%0A%5BCoredump%5D%0A%23Storage%3Dexternal%0A%23Compress%3Dyes%0A%23ProcessSizeMax%3D2G%0A%23ExternalSizeMax%3D2G%0A%23JournalSizeMax%3D767M%0A%23MaxUse%3D%0A%23KeepFree%3D%0AStorage%3Dnone%0AProcessSizeMax%3D0%0A
        mode: 0644
        path: /etc/systemd/coredump.conf
        overwrite: true

OVAL test results details

tests the value of ProcessSizeMax setting in the /etc/systemd/coredump.conf file oval:ssg-test_coredump_disable_backtraces:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_coredump_disable_backtraces:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/systemd/coredump.conf	^\s\[Coredump\].(?:\n\s[^[\s].)\n^[ \t](?i)ProcessSizeMax(?-i)[ \t]=[ \t](.+?)[ \t]*(?:$\|#)	1

Disable storing core dump

Rule ID xccdf_org.ssgproject.content_rule_coredump_disable_storage

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-coredump_disable_storage:def:1

Time 2026-03-23T20:00:00+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82252-8

References: 1.5.1, CCI-000366, CM-6, FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227, RHEL-08-010674, SV-230314r627750_rule

Description

The Storage option in [Coredump] section of /etc/systemd/coredump.conf can be set to none to disable storing core dumps permanently.

Rationale

Warnings

warning If the /etc/systemd/coredump.conf file does not already contain the [Coredump] section, the value will not be configured correctly.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

if [ -e "/etc/systemd/coredump.conf" ] ; then
    
    LC_ALL=C sed -i "/^\s*Storage\s*=\s*/Id" "/etc/systemd/coredump.conf"
else
    touch "/etc/systemd/coredump.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/systemd/coredump.conf"

cp "/etc/systemd/coredump.conf" "/etc/systemd/coredump.conf.bak"
# Insert at the end of the file
printf '%s\n' "Storage=none" >> "/etc/systemd/coredump.conf"
# Clean up after ourselves.
rm "/etc/systemd/coredump.conf.bak"

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Disable storing core dump
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/systemd/coredump.conf
      create: false
      regexp: ^\s*Storage\s*=\s*
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/systemd/coredump.conf
    lineinfile:
      path: /etc/systemd/coredump.conf
      create: false
      regexp: ^\s*Storage\s*=\s*
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/systemd/coredump.conf
    lineinfile:
      path: /etc/systemd/coredump.conf
      create: false
      regexp: ^\s*Storage\s*=\s*
      line: Storage=none
      state: present
  tags:
  - CCE-82252-8
  - DISA-STIG-RHEL-08-010674
  - NIST-800-53-CM-6
  - coredump_disable_storage
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Remediation Kubernetes snippet ⇲

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,%23%20%20This%20file%20is%20part%20of%20systemd.%0A%23%0A%23%20%20systemd%20is%20free%20software%3B%20you%20can%20redistribute%20it%20and/or%20modify%20it%0A%23%20%20under%20the%20terms%20of%20the%20GNU%20Lesser%20General%20Public%20License%20as%20published%20by%0A%23%20%20the%20Free%20Software%20Foundation%3B%20either%20version%202.1%20of%20the%20License%2C%20or%0A%23%20%20%28at%20your%20option%29%20any%20later%20version.%0A%23%0A%23%20Entries%20in%20this%20file%20show%20the%20compile%20time%20defaults.%0A%23%20You%20can%20change%20settings%20by%20editing%20this%20file.%0A%23%20Defaults%20can%20be%20restored%20by%20simply%20deleting%20this%20file.%0A%23%0A%23%20See%20coredump.conf%285%29%20for%20details.%0A%0A%5BCoredump%5D%0A%23Storage%3Dexternal%0A%23Compress%3Dyes%0A%23ProcessSizeMax%3D2G%0A%23ExternalSizeMax%3D2G%0A%23JournalSizeMax%3D767M%0A%23MaxUse%3D%0A%23KeepFree%3D%0AStorage%3Dnone%0AProcessSizeMax%3D0%0A
        mode: 0644
        path: /etc/systemd/coredump.conf
        overwrite: true

OVAL test results details

tests the value of Storage setting in the /etc/systemd/coredump.conf file oval:ssg-test_coredump_disable_storage:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_coredump_disable_storage:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/systemd/coredump.conf	^\s\[Coredump\].(?:\n\s[^[\s].)\n^[ \t](?i)Storage(?-i)[ \t]=[ \t](.+?)[ \t]*(?:$\|#)	1

Enable Randomized Layout of Virtual Address Space

Rule ID xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_kernel_randomize_va_space:def:1

Time 2026-03-23T20:00:00+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80916-0

References: BP28(R23), 1.5.3, 3.1.7, CCI-000366, CCI-002824, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), CIP-002-5 R1.1, CIP-002-5 R1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 4.1, CIP-004-6 4.2, CIP-004-6 R2.2.3, CIP-004-6 R2.2.4, CIP-004-6 R2.3, CIP-004-6 R4, CIP-005-6 R1, CIP-005-6 R1.1, CIP-005-6 R1.2, CIP-007-3 R3, CIP-007-3 R3.1, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R8.4, CIP-009-6 R.1.1, CIP-009-6 R4, SC-30, SC-30(2), CM-6(a), Req-2.2.1, SRG-OS-000433-GPOS-00193, SRG-OS-000480-GPOS-00227, RHEL-08-010430, SV-230280r858767_rule

Description

To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:

$ sudo sysctl -w kernel.randomize_va_space=2

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

kernel.randomize_va_space = 2

Rationale

Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of kernel.randomize_va_space from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do

  matching_list=$(grep -P '^(?!#).*[\s]*kernel.randomize_va_space.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "kernel.randomize_va_space" matches to preserve user data
      sed -i "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set runtime for kernel.randomize_va_space
#
/sbin/sysctl -q -n -w kernel.randomize_va_space="2"

#
# If kernel.randomize_va_space present in /etc/sysctl.conf, change value to "2"
#	else, add "kernel.randomize_va_space = 2" to /etc/sysctl.conf
#
# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/sysctl.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.randomize_va_space")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "2"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^kernel.randomize_va_space\\>" "/etc/sysctl.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^kernel.randomize_va_space\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
else
    # \n is precaution for case where file ends without trailing newline
    cce="CCE-80916-0"
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/sysctl.conf" >> "/etc/sysctl.conf"
    printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    contains: ^[\s]*kernel.randomize_va_space.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80916-0
  - DISA-STIG-RHEL-08-010430
  - NIST-800-171-3.1.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-30
  - NIST-800-53-SC-30(2)
  - PCI-DSS-Req-2.2.1
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_kernel_randomize_va_space

- name: Comment out any occurrences of kernel.randomize_va_space from config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*kernel.randomize_va_space
    replace: '#kernel.randomize_va_space'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80916-0
  - DISA-STIG-RHEL-08-010430
  - NIST-800-171-3.1.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-30
  - NIST-800-53-SC-30(2)
  - PCI-DSS-Req-2.2.1
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_kernel_randomize_va_space

- name: Ensure sysctl kernel.randomize_va_space is set to 2
  sysctl:
    name: kernel.randomize_va_space
    value: '2'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80916-0
  - DISA-STIG-RHEL-08-010430
  - NIST-800-171-3.1.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-30
  - NIST-800-53-SC-30(2)
  - PCI-DSS-Req-2.2.1
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_kernel_randomize_va_space

Remediation Kubernetes snippet ⇲

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,kernel.randomize_va_space%3D2%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_kernel_randomize_va_space.conf
        overwrite: true

OVAL test results details

kernel.randomize_va_space static configuration oval:ssg-test_sysctl_kernel_randomize_va_space_static:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_sysctl_kernel_randomize_va_space:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]kernel.randomize_va_space[\s]=[\s](.)[\s]*$	1

kernel.randomize_va_space static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_kernel_randomize_va_space_static_etc_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_sysctl_kernel_randomize_va_space:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]kernel.randomize_va_space[\s]=[\s](.)[\s]*$	1

kernel.randomize_va_space static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_kernel_randomize_va_space_static_run_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_sysctl_kernel_randomize_va_space:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]kernel.randomize_va_space[\s]=[\s](.)[\s]*$	1

kernel.randomize_va_space static configuration in /usr/local/lib/sysctl.d/*.conf oval:ssg-test_sysctl_kernel_randomize_va_space_static_usr_local_lib_sysctld:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_local_lib_sysctld_sysctl_kernel_randomize_va_space:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/local/lib/sysctl.d	^.*\.conf$	^[\s]kernel.randomize_va_space[\s]=[\s](.)[\s]*$	1

kernel.randomize_va_space static configuration oval:ssg-test_sysctl_kernel_randomize_va_space_not_defined:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_sysctl_kernel_randomize_va_space_static_set_sysctls_unfiltered:obj:1 of type textfilecontent54_object

Set
oval:ssg-object_static_etc_sysctls_sysctl_kernel_randomize_va_space:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_randomize_va_space:obj:1

kernel runtime parameter kernel.randomize_va_space set to 2 oval:ssg-test_sysctl_kernel_randomize_va_space_runtime:tst:1 true

Following items have been found on the system:

Name	Value
kernel.randomize_va_space	2

Install libselinux Package

Rule ID	xccdf_org.ssgproject.content_rule_package_libselinux_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_libselinux_installed:def:1
Time	2026-03-23T20:00:00+01:00
Severity	high
Identifiers and References	Identifiers: CCE-82877-2 References: 1.6.1.1
Description	The `libselinux` package can be installed with the following command: $ sudo yum install libselinux
Rationale	Security-enhanced Linux is a feature of the Linux kernel and a number of utilities with enhanced security functionality designed to add mandatory access controls to Linux. The `libselinux` package contains the core library of the Security-enhanced Linux system.

OVAL test results details

package libselinux is installed oval:ssg-test_package_libselinux_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
libselinux	x86_64	(none)	6.el8	2.9	0:2.9-6.el8	199e2f91fd431d51	libselinux-0:2.9-6.el8.x86_64

Uninstall mcstrans Package

Rule ID	xccdf_org.ssgproject.content_rule_package_mcstrans_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_mcstrans_removed:def:1
Time	2026-03-23T20:00:00+01:00
Severity	low
Identifiers and References	Identifiers: CCE-82756-8 References: 1.6.1.8
Description	The `mcstransd` daemon provides category label information to client processes requesting information. The label translations are defined in `/etc/selinux/targeted/setrans.conf`. The `mcstrans` package can be removed with the following command: $ sudo yum erase mcstrans
Rationale	Since this service is not used very often, disable it to reduce the amount of potentially vulnerable code running on the system.

OVAL test results details

package mcstrans is removed oval:ssg-test_package_mcstrans_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_mcstrans_removed:obj:1 of type rpminfo_object

Name
mcstrans

Uninstall setroubleshoot Package

Rule ID	xccdf_org.ssgproject.content_rule_package_setroubleshoot_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_setroubleshoot_removed:def:1
Time	2026-03-23T20:00:00+01:00
Severity	low
Identifiers and References	Identifiers: CCE-82755-0 References: BP28(R68), 1.6.1.7
Description	The SETroubleshoot service notifies desktop users of SELinux denials. The service provides information around configuration errors, unauthorized intrusions, and other potential errors. The `setroubleshoot` package can be removed with the following command: $ sudo yum erase setroubleshoot
Rationale	The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is removed or disabled.

OVAL test results details

package setroubleshoot is removed oval:ssg-test_package_setroubleshoot_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_setroubleshoot_removed:obj:1 of type rpminfo_object

Name
setroubleshoot

Ensure SELinux Not Disabled in /etc/default/grub

Rule ID	xccdf_org.ssgproject.content_rule_grub2_enable_selinux
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-grub2_enable_selinux:def:1
Time	2026-03-23T20:00:01+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80827-9 References: 1.6.1.2, 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01, 3.1.2, 3.7.2, CCI-000022, CCI-000032, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-3, AC-3(3)(a), DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4, SRG-OS-000445-VMM-001780
Description	SELinux can be disabled at boot time by an argument in `/etc/default/grub`. Remove any instances of `selinux=0` from the kernel arguments in that file to prevent SELinux from being disabled at boot.
Rationale	Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation.

OVAL test results details

check value selinux|enforcing=0 in /etc/default/grub, fail if found oval:ssg-test_selinux_default_grub:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_selinux_default_grub:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/default/grub	^[\s]GRUB_CMDLINE_LINUX.(selinux\|enforcing)=0.*$	1

check value selinux|enforcing=0 in /etc/grub2.cfg, fail if found oval:ssg-test_selinux_grub2_cfg:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_selinux_grub2_cfg:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/grub2.cfg	^.(selinux\|enforcing)=0.$	1

check value selinux|enforcing=0 in /etc/grub.d fail if found oval:ssg-test_selinux_grub_dir:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_selinux_grub_dir:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/grub.d	^.*$	^.(selinux\|enforcing)=0.$	1

Ensure No Daemons are Unconfined by SELinux

Rule ID	xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-selinux_confinement_of_daemons:def:1
Time	2026-03-23T20:00:01+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80867-5 References: 1.6.1.6, 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, MEA02.01, 3.1.2, 3.1.5, 3.7.2, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-3(3)(a), AC-6, PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, PR.PT-3
Description	Daemons for which the SELinux policy does not contain rules will inherit the context of the parent process. Because daemons are launched during startup and descend from the `init` process, they inherit the `unconfined_service_t` context. To check for unconfined daemons, run the following command: $ sudo ps -eZ \| grep "unconfined_service_t" It should produce no output in a well-configured system.
Rationale	Daemons which run with the `unconfined_service_t` context may cause AVC denials, or allow privileges that the daemon does not require.
Warnings	warning Automatic remediation of this control is not available. Remediation can be achieved by amending SELinux policy or stopping the unconfined daemons as outlined above.

OVAL test results details

none satisfy unconfined_service_t in /proc oval:ssg-test_selinux_confinement_of_daemons:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_selinux_confinement_of_daemons:obj:1 of type selinuxsecuritycontext_object

Behaviors	Path	Filename	Filter
no value	/proc	^.*$	oval:ssg-state_selinux_confinement_of_daemons:ste:1

Configure SELinux Policy

Rule ID	xccdf_org.ssgproject.content_rule_selinux_policytype
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-selinux_policytype:def:1
Time	2026-03-23T20:00:01+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80868-3 References: BP28(R66), 1.6.1.3, 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01, 3.1.2, 3.7.2, CCI-002165, CCI-002696, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5, AC-3, AC-3(3)(a), AU-9, SC-7(21), DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4, SRG-OS-000445-GPOS-00199, RHEL-08-010450, SV-230282r854035_rule, SRG-OS-000445-VMM-001780
Description	The SELinux `targeted` policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in `/etc/selinux/config`: SELINUXTYPE=targeted Other policies, such as `mls`, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.
Rationale	Setting the SELinux policy to `targeted` or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services. Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in `permissive` mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to `targeted`.

OVAL test results details

Tests the value of the ^[\s]SELINUXTYPE[\s]=[\s]([^#]) expression in the /etc/selinux/config file oval:ssg-test_selinux_policy:tst:1 true

Following items have been found on the system:

Path	Content
/etc/selinux/config	SELINUXTYPE=targeted

Ensure that /etc/at.deny does not exist

Rule ID	xccdf_org.ssgproject.content_rule_file_at_deny_not_exist
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_at_deny_not_exist:def:1
Time	2026-03-23T20:00:01+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-86945-3 References: 5.1.9
Description	The file `/etc/at.deny` should not exist. Use `/etc/at.allow` instead.
Rationale	Access to `at` should be restricted. It is easier to manage an allow list than a deny list.

OVAL test results details

Test that that /etc/at.deny does not exist oval:ssg-test_file_at_deny_not_exist:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_at_deny_not_exist:obj:1 of type file_object

Filepath
/etc/at.deny

Ensure that /etc/cron.deny does not exist

Rule ID xccdf_org.ssgproject.content_rule_file_cron_deny_not_exist

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-file_cron_deny_not_exist:def:1

Time 2026-03-23T20:00:01+01:00

Severity medium

Identifiers and References

Identifiers: CCE-86849-7

References: 5.1.8

Description

The file /etc/cron.deny should not exist. Use /etc/cron.allow instead.

Rationale

Access to cron should be restricted. It is easier to manage an allow list than a deny list.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

#!/bin/bash



    if [[ -f  /etc/cron.deny ]]; then
        rm /etc/cron.deny
    fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable

- name: Remove /etc/cron.deny
  file:
    path: /etc/cron.deny
    state: absent
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-86849-7
  - disable_strategy
  - file_cron_deny_not_exist
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

OVAL test results details

Test that that /etc/cron.deny does not exist oval:ssg-test_file_cron_deny_not_exist:tst:1 false

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/etc/cron.deny	regular	0	0	0	`rw-r--r--`

Verify Group Who Owns /etc/at.allow file

Rule ID	xccdf_org.ssgproject.content_rule_file_groupowner_at_allow
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_groupowner_at_allow:def:1
Time	2026-03-23T20:00:01+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-87102-0 References: 5.1.9
Description	If `/etc/at.allow` exists, it must be group-owned by `root`. To properly set the group owner of `/etc/at.allow`, run the command: $ sudo chgrp root /etc/at.allow
Rationale	If the owner of the at.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.

OVAL test results details

Testing group ownership of /etc/at.allow oval:ssg-test_file_groupowner_at_allow_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_groupowner_at_allow_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/at.allow	oval:ssg-symlink_file_groupowner_at_allow_uid_0:ste:1	oval:ssg-state_file_groupowner_at_allow_gid_0_0:ste:1

Verify Group Who Owns /etc/cron.allow file

Rule ID	xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_groupowner_cron_allow:def:1
Time	2026-03-23T20:00:01+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-86829-9 References: 5.1.8, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Description	If `/etc/cron.allow` exists, it must be group-owned by `root`. To properly set the group owner of `/etc/cron.allow`, run the command: $ sudo chgrp root /etc/cron.allow
Rationale	If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.

OVAL test results details

Testing group ownership of /etc/cron.allow oval:ssg-test_file_groupowner_cron_allow_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_groupowner_cron_allow_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/cron.allow	oval:ssg-symlink_file_groupowner_cron_allow_uid_0:ste:1	oval:ssg-state_file_groupowner_cron_allow_gid_0_0:ste:1

Verify User Who Owns /etc/cron.allow file

Rule ID	xccdf_org.ssgproject.content_rule_file_owner_cron_allow
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_owner_cron_allow:def:1
Time	2026-03-23T20:00:01+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-86843-0 References: 5.1.8, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Description	If `/etc/cron.allow` exists, it must be owned by `root`. To properly set the owner of `/etc/cron.allow`, run the command: $ sudo chown root /etc/cron.allow
Rationale	If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.

OVAL test results details

Testing user ownership of /etc/cron.allow oval:ssg-test_file_owner_cron_allow_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_owner_cron_allow_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/cron.allow	oval:ssg-symlink_file_owner_cron_allow_uid_0:ste:1	oval:ssg-state_file_owner_cron_allow_uid_0_0:ste:1

Verify Permissions on /etc/at.allow file

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_at_allow
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_at_allow:def:1
Time	2026-03-23T20:00:01+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-86903-2 References: 5.1.9
Description	If `/etc/at.allow` exists, it must have permissions `0600` or more restrictive. To properly set the permissions of `/etc/at.allow`, run the command: $ sudo chmod 0600 /etc/at.allow
Rationale	If the permissions of the at.allow file are not set to 0600 or more restrictive, the possibility exists for an unauthorized user to view or edit sensitive information.

OVAL test results details

Testing mode of /etc/at.allow oval:ssg-test_file_permissions_at_allow_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_permissions_at_allow_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/at.allow	oval:ssg-exclude_symlinks__at_allow:ste:1	oval:ssg-state_file_permissions_at_allow_0_mode_0600or_stricter_:ste:1

Verify Permissions on /etc/cron.allow file

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_cron_allow
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_cron_allow:def:1
Time	2026-03-23T20:00:01+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-86876-0 References: 5.1.8, SRG-OS-000480-GPOS-00227
Description	If `/etc/cron.allow` exists, it must have permissions `0600` or more restrictive. To properly set the permissions of `/etc/cron.allow`, run the command: $ sudo chmod 0600 /etc/cron.allow
Rationale	If the permissions of the cron.allow file are not set to 0600 or more restrictive, the possibility exists for an unauthorized user to view or edit sensitive information.

OVAL test results details

Testing mode of /etc/cron.allow oval:ssg-test_file_permissions_cron_allow_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_permissions_cron_allow_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/cron.allow	oval:ssg-exclude_symlinks__cron_allow:ste:1	oval:ssg-state_file_permissions_cron_allow_0_mode_0600or_stricter_:ste:1

Enable cron Service

Rule ID	xccdf_org.ssgproject.content_rule_service_crond_enabled
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-service_crond_enabled:def:1
Time	2026-03-23T20:00:01+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80875-8 References: 5.1.1, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-6(a), PR.IP-1, PR.PT-3
Description	The `crond` service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The `crond` service can be enabled with the following command: $ sudo systemctl enable crond.service
Rationale	Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.

OVAL test results details

package cronie is installed oval:ssg-test_service_crond_package_cronie_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
cronie	x86_64	(none)	8.el8	1.5.2	0:1.5.2-8.el8	199e2f91fd431d51	cronie-0:1.5.2-8.el8.x86_64

Test that the crond service is running oval:ssg-test_service_running_crond:tst:1 true

Following items have been found on the system:

Unit	Property	Value
crond.service	ActiveState	active

systemd test oval:ssg-test_multi_user_wants_crond:tst:1 true

Following items have been found on the system:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	-.mount	sysinit.target	systemd-journal-catalog-update.service	systemd-ask-password-console.path	swap.target	dev-mapper-rhel\x2dswap.swap	plymouth-read-write.service	systemd-journald.service	systemd-tmpfiles-setup-dev.service	dev-hugepages.mount	dracut-shutdown.service	systemd-hwdb-update.service	systemd-binfmt.service	dev-mqueue.mount	nis-domainname.service	import-state.service	loadmodules.service	proc-sys-fs-binfmt_misc.automount	cryptsetup.target	kmod-static-nodes.service	sys-fs-fuse-connections.mount	systemd-udev-trigger.service	systemd-sysctl.service	systemd-sysusers.service	sys-kernel-debug.mount	systemd-journal-flush.service	plymouth-start.service	systemd-update-utmp.service	systemd-update-done.service	systemd-firstboot.service	lvm2-lvmpolld.socket	local-fs.target	boot.mount	home.mount	systemd-remount-fs.service	systemd-udevd.service	systemd-modules-load.service	systemd-machine-id-commit.service	systemd-tmpfiles-setup.service	sys-kernel-config.mount	systemd-random-seed.service	selinux-autorelabel-mark.service	ldconfig.service	lvm2-monitor.service	microcode.service	sockets.target	dbus.socket	systemd-coredump.socket	systemd-initctl.socket	sssd-kcm.socket	systemd-udevd-control.socket	dm-event.socket	systemd-udevd-kernel.socket	systemd-journald-dev-log.socket	systemd-journald.socket	timers.target	dnf-makecache.timer	unbound-anchor.timer	systemd-tmpfiles-clean.timer	slices.target	-.slice	system.slice	paths.target	cars-slapddefaultInst.service	NetworkManager.service	crond.service	sshd.service	haproxy.service	systemd-logind.service	auditd.service	dbus.service	rhsmcertd.service	tomcat.service	irqbalance.service	nginx.service	sssd.service	systemd-ask-password-wall.path	plymouth-quit-wait.service	chronyd.service	systemd-user-sessions.service	getty.target	getty@tty1.service	plymouth-quit.service	remote-fs.target	rsyslog.service	insights-client-boot.service	tuned.service	systemd-update-utmp-runlevel.service	kdump.service	postgresql-17.service

systemd test oval:ssg-test_multi_user_wants_crond_socket:tst:1 false

Following items have been found on the system:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	-.mount	sysinit.target	systemd-journal-catalog-update.service	systemd-ask-password-console.path	swap.target	dev-mapper-rhel\x2dswap.swap	plymouth-read-write.service	systemd-journald.service	systemd-tmpfiles-setup-dev.service	dev-hugepages.mount	dracut-shutdown.service	systemd-hwdb-update.service	systemd-binfmt.service	dev-mqueue.mount	nis-domainname.service	import-state.service	loadmodules.service	proc-sys-fs-binfmt_misc.automount	cryptsetup.target	kmod-static-nodes.service	sys-fs-fuse-connections.mount	systemd-udev-trigger.service	systemd-sysctl.service	systemd-sysusers.service	sys-kernel-debug.mount	systemd-journal-flush.service	plymouth-start.service	systemd-update-utmp.service	systemd-update-done.service	systemd-firstboot.service	lvm2-lvmpolld.socket	local-fs.target	boot.mount	home.mount	systemd-remount-fs.service	systemd-udevd.service	systemd-modules-load.service	systemd-machine-id-commit.service	systemd-tmpfiles-setup.service	sys-kernel-config.mount	systemd-random-seed.service	selinux-autorelabel-mark.service	ldconfig.service	lvm2-monitor.service	microcode.service	sockets.target	dbus.socket	systemd-coredump.socket	systemd-initctl.socket	sssd-kcm.socket	systemd-udevd-control.socket	dm-event.socket	systemd-udevd-kernel.socket	systemd-journald-dev-log.socket	systemd-journald.socket	timers.target	dnf-makecache.timer	unbound-anchor.timer	systemd-tmpfiles-clean.timer	slices.target	-.slice	system.slice	paths.target	cars-slapddefaultInst.service	NetworkManager.service	crond.service	sshd.service	haproxy.service	systemd-logind.service	auditd.service	dbus.service	rhsmcertd.service	tomcat.service	irqbalance.service	nginx.service	sssd.service	systemd-ask-password-wall.path	plymouth-quit-wait.service	chronyd.service	systemd-user-sessions.service	getty.target	getty@tty1.service	plymouth-quit.service	remote-fs.target	rsyslog.service	insights-client-boot.service	tuned.service	systemd-update-utmp-runlevel.service	kdump.service	postgresql-17.service

Verify Group Who Owns cron.d

Rule ID	xccdf_org.ssgproject.content_rule_file_groupowner_cron_d
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_groupowner_cron_d:def:1
Time	2026-03-23T20:00:01+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82268-4 References: 5.1.7, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Description	To properly set the group owner of `/etc/cron.d`, run the command: $ sudo chgrp root /etc/cron.d
Rationale	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.

OVAL test results details

Testing group ownership of /etc/cron.d/ oval:ssg-test_file_groupowner_cron_d_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_groupowner_cron_d_0:obj:1 of type file_object

Path	Filename	Filter	Filter
/etc/cron.d	no value	oval:ssg-symlink_file_groupowner_cron_d_uid_0:ste:1	oval:ssg-state_file_groupowner_cron_d_gid_0_0:ste:1

Verify Group Who Owns cron.daily

Rule ID	xccdf_org.ssgproject.content_rule_file_groupowner_cron_daily
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_groupowner_cron_daily:def:1
Time	2026-03-23T20:00:01+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82234-6 References: 5.1.4, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Description	To properly set the group owner of `/etc/cron.daily`, run the command: $ sudo chgrp root /etc/cron.daily
Rationale	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.

OVAL test results details

Testing group ownership of /etc/cron.daily/ oval:ssg-test_file_groupowner_cron_daily_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_groupowner_cron_daily_0:obj:1 of type file_object

Path	Filename	Filter	Filter
/etc/cron.daily	no value	oval:ssg-symlink_file_groupowner_cron_daily_uid_0:ste:1	oval:ssg-state_file_groupowner_cron_daily_gid_0_0:ste:1

Verify Group Who Owns cron.hourly

Rule ID	xccdf_org.ssgproject.content_rule_file_groupowner_cron_hourly
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_groupowner_cron_hourly:def:1
Time	2026-03-23T20:00:01+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82227-0 References: 5.1.3, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Description	To properly set the group owner of `/etc/cron.hourly`, run the command: $ sudo chgrp root /etc/cron.hourly
Rationale	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.

OVAL test results details

Testing group ownership of /etc/cron.hourly/ oval:ssg-test_file_groupowner_cron_hourly_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_groupowner_cron_hourly_0:obj:1 of type file_object

Path	Filename	Filter	Filter
/etc/cron.hourly	no value	oval:ssg-symlink_file_groupowner_cron_hourly_uid_0:ste:1	oval:ssg-state_file_groupowner_cron_hourly_gid_0_0:ste:1

Verify Group Who Owns cron.monthly

Rule ID	xccdf_org.ssgproject.content_rule_file_groupowner_cron_monthly
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_groupowner_cron_monthly:def:1
Time	2026-03-23T20:00:01+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82256-9 References: 5.1.6, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Description	To properly set the group owner of `/etc/cron.monthly`, run the command: $ sudo chgrp root /etc/cron.monthly
Rationale	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.

OVAL test results details

Testing group ownership of /etc/cron.monthly/ oval:ssg-test_file_groupowner_cron_monthly_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_groupowner_cron_monthly_0:obj:1 of type file_object

Path	Filename	Filter	Filter
/etc/cron.monthly	no value	oval:ssg-symlink_file_groupowner_cron_monthly_uid_0:ste:1	oval:ssg-state_file_groupowner_cron_monthly_gid_0_0:ste:1

Verify Group Who Owns cron.weekly

Rule ID	xccdf_org.ssgproject.content_rule_file_groupowner_cron_weekly
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_groupowner_cron_weekly:def:1
Time	2026-03-23T20:00:01+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82244-5 References: 5.1.5, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Description	To properly set the group owner of `/etc/cron.weekly`, run the command: $ sudo chgrp root /etc/cron.weekly
Rationale	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.

OVAL test results details

Testing group ownership of /etc/cron.weekly/ oval:ssg-test_file_groupowner_cron_weekly_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_groupowner_cron_weekly_0:obj:1 of type file_object

Path	Filename	Filter	Filter
/etc/cron.weekly	no value	oval:ssg-symlink_file_groupowner_cron_weekly_uid_0:ste:1	oval:ssg-state_file_groupowner_cron_weekly_gid_0_0:ste:1

Verify Group Who Owns Crontab

Rule ID	xccdf_org.ssgproject.content_rule_file_groupowner_crontab
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_groupowner_crontab:def:1
Time	2026-03-23T20:00:01+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82223-9 References: 5.1.2, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Description	To properly set the group owner of `/etc/crontab`, run the command: $ sudo chgrp root /etc/crontab
Rationale	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.

OVAL test results details

Testing group ownership of /etc/crontab oval:ssg-test_file_groupowner_crontab_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_groupowner_crontab_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/crontab	oval:ssg-symlink_file_groupowner_crontab_uid_0:ste:1	oval:ssg-state_file_groupowner_crontab_gid_0_0:ste:1

Verify Owner on cron.d

Rule ID	xccdf_org.ssgproject.content_rule_file_owner_cron_d
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_owner_cron_d:def:1
Time	2026-03-23T20:00:01+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82272-6 References: 5.1.7, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Description	To properly set the owner of `/etc/cron.d`, run the command: $ sudo chown root /etc/cron.d
Rationale	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.

OVAL test results details

Testing user ownership of /etc/cron.d/ oval:ssg-test_file_owner_cron_d_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_owner_cron_d_0:obj:1 of type file_object

Path	Filename	Filter	Filter
/etc/cron.d	no value	oval:ssg-symlink_file_owner_cron_d_uid_0:ste:1	oval:ssg-state_file_owner_cron_d_uid_0_0:ste:1

Verify Owner on cron.daily

Rule ID	xccdf_org.ssgproject.content_rule_file_owner_cron_daily
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_owner_cron_daily:def:1
Time	2026-03-23T20:00:01+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82237-9 References: 5.1.4, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Description	To properly set the owner of `/etc/cron.daily`, run the command: $ sudo chown root /etc/cron.daily
Rationale	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.

OVAL test results details

Testing user ownership of /etc/cron.daily/ oval:ssg-test_file_owner_cron_daily_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_owner_cron_daily_0:obj:1 of type file_object

Path	Filename	Filter	Filter
/etc/cron.daily	no value	oval:ssg-symlink_file_owner_cron_daily_uid_0:ste:1	oval:ssg-state_file_owner_cron_daily_uid_0_0:ste:1

Verify Owner on cron.hourly

Rule ID	xccdf_org.ssgproject.content_rule_file_owner_cron_hourly
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_owner_cron_hourly:def:1
Time	2026-03-23T20:00:01+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82209-8 References: 5.1.3, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Description	To properly set the owner of `/etc/cron.hourly`, run the command: $ sudo chown root /etc/cron.hourly
Rationale	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.

OVAL test results details

Testing user ownership of /etc/cron.hourly/ oval:ssg-test_file_owner_cron_hourly_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_owner_cron_hourly_0:obj:1 of type file_object

Path	Filename	Filter	Filter
/etc/cron.hourly	no value	oval:ssg-symlink_file_owner_cron_hourly_uid_0:ste:1	oval:ssg-state_file_owner_cron_hourly_uid_0_0:ste:1

Verify Owner on cron.monthly

Rule ID	xccdf_org.ssgproject.content_rule_file_owner_cron_monthly
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_owner_cron_monthly:def:1
Time	2026-03-23T20:00:01+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82260-1 References: 5.1.6, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Description	To properly set the owner of `/etc/cron.monthly`, run the command: $ sudo chown root /etc/cron.monthly
Rationale	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.

OVAL test results details

Testing user ownership of /etc/cron.monthly/ oval:ssg-test_file_owner_cron_monthly_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_owner_cron_monthly_0:obj:1 of type file_object

Path	Filename	Filter	Filter
/etc/cron.monthly	no value	oval:ssg-symlink_file_owner_cron_monthly_uid_0:ste:1	oval:ssg-state_file_owner_cron_monthly_uid_0_0:ste:1

Verify Owner on cron.weekly

Rule ID	xccdf_org.ssgproject.content_rule_file_owner_cron_weekly
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_owner_cron_weekly:def:1
Time	2026-03-23T20:00:01+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82247-8 References: 5.1.5, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Description	To properly set the owner of `/etc/cron.weekly`, run the command: $ sudo chown root /etc/cron.weekly
Rationale	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.

OVAL test results details

Testing user ownership of /etc/cron.weekly/ oval:ssg-test_file_owner_cron_weekly_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_owner_cron_weekly_0:obj:1 of type file_object

Path	Filename	Filter	Filter
/etc/cron.weekly	no value	oval:ssg-symlink_file_owner_cron_weekly_uid_0:ste:1	oval:ssg-state_file_owner_cron_weekly_uid_0_0:ste:1

Verify Owner on crontab

Rule ID	xccdf_org.ssgproject.content_rule_file_owner_crontab
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_owner_crontab:def:1
Time	2026-03-23T20:00:01+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82224-7 References: 5.1.2, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Description	To properly set the owner of `/etc/crontab`, run the command: $ sudo chown root /etc/crontab
Rationale	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.

OVAL test results details

Testing user ownership of /etc/crontab oval:ssg-test_file_owner_crontab_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_owner_crontab_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/crontab	oval:ssg-symlink_file_owner_crontab_uid_0:ste:1	oval:ssg-state_file_owner_crontab_uid_0_0:ste:1

Verify Permissions on cron.d

Rule ID xccdf_org.ssgproject.content_rule_file_permissions_cron_d

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-file_permissions_cron_d:def:1

Time 2026-03-23T20:00:01+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82277-5

References: 5.1.7, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227

Description

To properly set the permissions of /etc/cron.d, run the command:

$ sudo chmod 0700 /etc/cron.d

Rationale

Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

find -H /etc/cron.d/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \;

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure

- name: Set permissions for /etc/cron.d/
  file:
    path: /etc/cron.d/
    state: directory
    mode: u-s,g-xwrs,o-xwrt
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-82277-5
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - file_permissions_cron_d
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

OVAL test results details

Testing mode of /etc/cron.d/ oval:ssg-test_file_permissions_cron_d_0:tst:1 false

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/etc/cron.d/	directory	0	0	21	`rwxr-xr-x`

Verify Permissions on cron.daily

Rule ID xccdf_org.ssgproject.content_rule_file_permissions_cron_daily

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-file_permissions_cron_daily:def:1

Time 2026-03-23T20:00:01+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82240-3

References: 5.1.4, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227

Description

To properly set the permissions of /etc/cron.daily, run the command:

$ sudo chmod 0700 /etc/cron.daily

Rationale

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

find -H /etc/cron.daily/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \;

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure

- name: Set permissions for /etc/cron.daily/
  file:
    path: /etc/cron.daily/
    state: directory
    mode: u-s,g-xwrs,o-xwrt
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-82240-3
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - file_permissions_cron_daily
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

OVAL test results details

Testing mode of /etc/cron.daily/ oval:ssg-test_file_permissions_cron_daily_0:tst:1 false

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/etc/cron.daily/	directory	0	0	23	`rwxr-xr-x`

Verify Permissions on cron.hourly

Rule ID xccdf_org.ssgproject.content_rule_file_permissions_cron_hourly

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-file_permissions_cron_hourly:def:1

Time 2026-03-23T20:00:01+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82230-4

References: 5.1.3, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227

Description

To properly set the permissions of /etc/cron.hourly, run the command:

$ sudo chmod 0700 /etc/cron.hourly

Rationale

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

find -H /etc/cron.hourly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \;

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure

- name: Set permissions for /etc/cron.hourly/
  file:
    path: /etc/cron.hourly/
    state: directory
    mode: u-s,g-xwrs,o-xwrt
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-82230-4
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - file_permissions_cron_hourly
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

OVAL test results details

Testing mode of /etc/cron.hourly/ oval:ssg-test_file_permissions_cron_hourly_0:tst:1 false

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/etc/cron.hourly/	directory	0	0	22	`rwxr-xr-x`

Verify Permissions on cron.monthly

Rule ID xccdf_org.ssgproject.content_rule_file_permissions_cron_monthly

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-file_permissions_cron_monthly:def:1

Time 2026-03-23T20:00:01+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82263-5

References: 5.1.6, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227

Description

To properly set the permissions of /etc/cron.monthly, run the command:

$ sudo chmod 0700 /etc/cron.monthly

Rationale

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

find -H /etc/cron.monthly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \;

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure

- name: Set permissions for /etc/cron.monthly/
  file:
    path: /etc/cron.monthly/
    state: directory
    mode: u-s,g-xwrs,o-xwrt
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-82263-5
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - file_permissions_cron_monthly
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

OVAL test results details

Testing mode of /etc/cron.monthly/ oval:ssg-test_file_permissions_cron_monthly_0:tst:1 false

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/etc/cron.monthly/	directory	0	0	6	`rwxr-xr-x`

Verify Permissions on cron.weekly

Rule ID xccdf_org.ssgproject.content_rule_file_permissions_cron_weekly

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-file_permissions_cron_weekly:def:1

Time 2026-03-23T20:00:01+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82253-6

References: 5.1.5, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227

Description

To properly set the permissions of /etc/cron.weekly, run the command:

$ sudo chmod 0700 /etc/cron.weekly

Rationale

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

find -H /etc/cron.weekly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \;

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure

- name: Set permissions for /etc/cron.weekly/
  file:
    path: /etc/cron.weekly/
    state: directory
    mode: u-s,g-xwrs,o-xwrt
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-82253-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - file_permissions_cron_weekly
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

OVAL test results details

Testing mode of /etc/cron.weekly/ oval:ssg-test_file_permissions_cron_weekly_0:tst:1 false

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/etc/cron.weekly/	directory	0	0	6	`rwxr-xr-x`

Verify Permissions on crontab

Rule ID xccdf_org.ssgproject.content_rule_file_permissions_crontab

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-file_permissions_crontab:def:1

Time 2026-03-23T20:00:01+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82206-4

References: 5.1.2, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227

Description

To properly set the permissions of /etc/crontab, run the command:

$ sudo chmod 0600 /etc/crontab

Rationale

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

chmod u-xs,g-xwrs,o-xwrt /etc/crontab

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure

- name: Test for existence /etc/crontab
  stat:
    path: /etc/crontab
  register: file_exists
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-82206-4
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - file_permissions_crontab
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure permission u-xs,g-xwrs,o-xwrt on /etc/crontab
  file:
    path: /etc/crontab
    mode: u-xs,g-xwrs,o-xwrt
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - file_exists.stat is defined and file_exists.stat.exists
  tags:
  - CCE-82206-4
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - file_permissions_crontab
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

OVAL test results details

Testing mode of /etc/crontab oval:ssg-test_file_permissions_crontab_0:tst:1 false

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/etc/crontab	regular	0	0	451	`rw-r--r--`

Uninstall DHCP Server Package

Rule ID	xccdf_org.ssgproject.content_rule_package_dhcp_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_dhcp_removed:def:1
Time	2026-03-23T20:00:01+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83385-5 References: BP28(R1), 2.2.5, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3
Description	If the system does not need to act as a DHCP server, the dhcp package can be uninstalled. The `dhcp-server` package can be removed with the following command: $ sudo yum erase dhcp-server
Rationale	Removing the DHCP server ensures that it cannot be easily or accidentally reactivated and disrupt network operation.

OVAL test results details

package dhcp-server is removed oval:ssg-test_package_dhcp-server_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_dhcp-server_removed:obj:1 of type rpminfo_object

Name
dhcp-server

Uninstall bind Package

Rule ID	xccdf_org.ssgproject.content_rule_package_bind_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_bind_removed:def:1
Time	2026-03-23T20:00:01+01:00
Severity	low
Identifiers and References	Identifiers: CCE-82408-6 References: 2.2.6, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3
Description	The `named` service is provided by the `bind` package. The `bind` package can be removed with the following command: $ sudo yum erase bind
Rationale	If there is no need to make DNS server software available, removing it provides a safeguard against its activation.

OVAL test results details

package bind is removed oval:ssg-test_package_bind_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_bind_removed:obj:1 of type rpminfo_object

Name
bind

Uninstall vsftpd Package

Rule ID	xccdf_org.ssgproject.content_rule_package_vsftpd_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_vsftpd_removed:def:1
Time	2026-03-23T20:00:01+01:00
Severity	high
Identifiers and References	Identifiers: CCE-82414-4 References: 2.2.8, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000197, CCI-000366, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c), IA-5(1).1(v), CM-7, CM-7.1(ii), PR.IP-1, PR.PT-3, Req-2.2.4, SRG-OS-000074-GPOS-00042, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040360, SV-230558r627750_rule
Description	The `vsftpd` package can be removed with the following command: $ sudo yum erase vsftpd
Rationale	Removing the `vsftpd` package decreases the risk of its accidental activation.

OVAL test results details

package vsftpd is removed oval:ssg-test_package_vsftpd_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_vsftpd_removed:obj:1 of type rpminfo_object

Name
vsftpd

Uninstall httpd Package

Rule ID	xccdf_org.ssgproject.content_rule_package_httpd_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_httpd_removed:def:1
Time	2026-03-23T20:00:01+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-85970-2 References: 2.2.10, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3
Description	The `httpd` package can be removed with the following command: $ sudo yum erase httpd
Rationale	If there is no need to make the web server software available, removing it provides a safeguard against its activation.

OVAL test results details

package httpd is removed oval:ssg-test_package_httpd_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_httpd_removed:obj:1 of type rpminfo_object

Name
httpd

Uninstall dovecot Package

Rule ID	xccdf_org.ssgproject.content_rule_package_dovecot_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_dovecot_removed:def:1
Time	2026-03-23T20:00:01+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-85976-9 References: 2.2.11
Description	The `dovecot` package can be removed with the following command: $ sudo yum erase dovecot
Rationale	If there is no need to make the Dovecot software available, removing it provides a safeguard against its activation.

OVAL test results details

package dovecot is removed oval:ssg-test_package_dovecot_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_dovecot_removed:obj:1 of type rpminfo_object

Name
dovecot

Ensure LDAP client is not installed

Rule ID	xccdf_org.ssgproject.content_rule_package_openldap-clients_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_openldap-clients_removed:def:1
Time	2026-03-23T20:00:01+01:00
Severity	low
Identifiers and References	Identifiers: CCE-82885-5 References: 2.3.5, Req-2.2.4
Description	The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database. The `openldap-clients` package can be removed with the following command: $ sudo yum erase openldap-clients
Rationale	If the system does not need to act as an LDAP client, it is recommended that the software is removed to reduce the potential attack surface.

OVAL test results details

package openldap-clients is removed oval:ssg-test_package_openldap-clients_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_openldap-clients_removed:obj:1 of type rpminfo_object

Name
openldap-clients

Disable Postfix Network Listening

Rule ID	xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled
Result	notapplicable
Multi-check rule	no
Time	2026-03-23T20:00:01+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82174-4 References: BP28(R48), 2.2.17, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000382, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, Req-2.2.4
Description	Edit the file `/etc/postfix/main.cf` to ensure that only the following `inet_interfaces` line appears: inet_interfaces = loopback-only
Rationale	This ensures `postfix` accepts mail messages (such as cron job reports) from the local system only, and not from the network, which protects it from network attack.

Disable rpcbind Service

Rule ID	xccdf_org.ssgproject.content_rule_service_rpcbind_disabled
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-service_rpcbind_disabled:def:1
Time	2026-03-23T20:00:01+01:00
Severity	low
Identifiers and References	Identifiers: CCE-82858-2 References: 2.2.19
Description	The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The rpcbind service redirects the client to the proper port number so it can communicate with the requested service. If the system does not require RPC (such as for NFS servers) then this service should be disabled. The `rpcbind` service can be disabled with the following command: $ sudo systemctl mask --now rpcbind.service
Rationale	If the system does not require rpc based services, it is recommended that rpcbind be disabled to reduce the attack surface.

OVAL test results details

package nfs-utils is removed oval:ssg-test_service_rpcbind_package_nfs-utils_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_service_rpcbind_package_nfs-utils_removed:obj:1 of type rpminfo_object

Name
nfs-utils

Test that the rpcbind service is not running oval:ssg-test_service_not_running_rpcbind:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_service_not_running_rpcbind:obj:1 of type systemdunitproperty_object

Unit	Property
^rpcbind\.(service\|socket)$	ActiveState

Test that the property LoadState from the service rpcbind is masked oval:ssg-test_service_loadstate_is_masked_rpcbind:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_service_loadstate_is_masked_rpcbind:obj:1 of type systemdunitproperty_object

Unit	Property
^rpcbind\.(service\|socket)$	LoadState

Disable Network File System (nfs)

Rule ID	xccdf_org.ssgproject.content_rule_service_nfs_disabled
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-service_nfs_disabled:def:1
Time	2026-03-23T20:00:01+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-82762-6 References: 2.2.18, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.PT-3
Description	The Network File System (NFS) service allows remote hosts to mount and interact with shared filesystems on the local system. If the local system is not designated as a NFS server then this service should be disabled. The `nfs-server` service can be disabled with the following command: $ sudo systemctl mask --now nfs-server.service
Rationale	Unnecessary services should be disabled to decrease the attack surface of the system.

OVAL test results details

package nfs-utils is removed oval:ssg-test_service_nfs-server_package_nfs-utils_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_service_nfs-server_package_nfs-utils_removed:obj:1 of type rpminfo_object

Name
nfs-utils

Test that the nfs-server service is not running oval:ssg-test_service_not_running_nfs-server:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_service_not_running_nfs-server:obj:1 of type systemdunitproperty_object

Unit	Property
^nfs-server\.(service\|socket)$	ActiveState

Test that the property LoadState from the service nfs-server is masked oval:ssg-test_service_loadstate_is_masked_nfs-server:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_service_loadstate_is_masked_nfs-server:obj:1 of type systemdunitproperty_object

Unit	Property
^nfs-server\.(service\|socket)$	LoadState

Ensure that chronyd is running under chrony user account

Rule ID	xccdf_org.ssgproject.content_rule_chronyd_run_as_chrony_user
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-chronyd_run_as_chrony_user:def:1
Time	2026-03-23T20:00:01+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82879-8 References: 2.1.2
Description	chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. Chrony can be configured to be a client and/or a server. To ensure that chronyd is running under chrony user account, remove any `-u ...` option from `OPTIONS` other than `-u chrony`, as chrony is run under its own user by default. This recommendation only applies if chrony is in use on the system.
Rationale	If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly.

OVAL test results details

The default chrony user hasn't been overriden oval:ssg-test_no_user_override:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_user_override:obj:1 of type textfilecontent54_object

Behaviors	Filepath	Pattern	Instance
no value	/etc/sysconfig/chronyd	^\sOPTIONS=.[\s'"]-u(?!\schrony\b).	0

A remote time server for Chrony is configured

Rule ID	xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-chronyd_specify_remote_server:def:1
Time	2026-03-23T20:00:01+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82873-1 References: BP28(R43), 2.1.2, CCI-000160, CCI-001891, 0988, 1405, CM-6(a), AU-8(1)(a), Req-10.4.3
Description	`Chrony` is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on `chrony` can be found at http://chrony.tuxfamily.org/. `Chrony` can be configured to be a client and/or a server. Add or edit server or pool lines to `/etc/chrony.conf` as appropriate: server <remote-server> Multiple servers may be configured.
Rationale	If `chrony` is in use on the system proper configuration is vital to ensuring time synchronization is working properly.

OVAL test results details

Ensure at least one NTP server is set oval:ssg-test_chronyd_remote_server:tst:1 true

Following items have been found on the system:

Path	Content
/etc/chrony.conf	pool 2.rhel.pool.ntp.org iburst

Uninstall xinetd Package

Rule ID	xccdf_org.ssgproject.content_rule_package_xinetd_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_xinetd_removed:def:1
Time	2026-03-23T20:00:01+01:00
Severity	low
Identifiers and References	Identifiers: CCE-80850-1 References: BP28(R1), 2.1.1, 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000305, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4
Description	The `xinetd` package can be removed with the following command: $ sudo yum erase xinetd
Rationale	Removing the `xinetd` package decreases the risk of the xinetd service's accidental (or intentional) activation.

OVAL test results details

package xinetd is removed oval:ssg-test_package_xinetd_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_xinetd_removed:obj:1 of type rpminfo_object

Name
xinetd

Remove NIS Client

Rule ID	xccdf_org.ssgproject.content_rule_package_ypbind_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_ypbind_removed:def:1
Time	2026-03-23T20:00:01+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-82181-9 References: BP28(R1), 2.3.1, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
Description	The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client (`ypbind`) was used to bind a system to an NIS server and receive the distributed configuration files.
Rationale	The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed.

OVAL test results details

package ypbind is removed oval:ssg-test_package_ypbind_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_ypbind_removed:obj:1 of type rpminfo_object

Name
ypbind

Uninstall ypserv Package

Rule ID	xccdf_org.ssgproject.content_rule_package_ypserv_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_ypserv_removed:def:1
Time	2026-03-23T20:00:01+01:00
Severity	high
Identifiers and References	Identifiers: CCE-82432-6 References: BP28(R1), 2.2.15, 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000381, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, Req-2.2.4, SRG-OS-000095-GPOS-00049
Description	The `ypserv` package can be removed with the following command: $ sudo yum erase ypserv
Rationale	The NIS service provides an unencrypted authentication service which does not provide for the confidentiality and integrity of user passwords or the remote session. Removing the `ypserv` package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.

OVAL test results details

package ypserv is removed oval:ssg-test_package_ypserv_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_ypserv_removed:obj:1 of type rpminfo_object

Name
ypserv

Uninstall rsh Package

Rule ID	xccdf_org.ssgproject.content_rule_package_rsh_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_rsh_removed:def:1
Time	2026-03-23T20:00:01+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-82183-5 References: BP28(R1), 2.3.2, 3.1.13, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3
Description	The `rsh` package contains the client commands for the rsh services
Rationale	These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the `rsh` package removes the clients for `rsh`,`rcp`, and `rlogin`.

OVAL test results details

package rsh is removed oval:ssg-test_package_rsh_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_rsh_removed:obj:1 of type rpminfo_object

Name
rsh

Remove Rsh Trust Files

Rule ID	xccdf_org.ssgproject.content_rule_no_rsh_trust_files
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-no_rsh_trust_files:def:1
Time	2026-03-23T20:00:01+01:00
Severity	high
Identifiers and References	Identifiers: CCE-80842-8 References: 6.2.16, 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-001436, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4
Description	The files `/etc/hosts.equiv` and `~/.rhosts` (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To remove these files, run the following command to delete them from any location: $ sudo rm /etc/hosts.equiv $ rm ~/.rhosts
Rationale	This action is only meaningful if `.rhosts` support is permitted through PAM. Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system.

OVAL test results details

look for .rhosts in /root oval:ssg-test_no_rsh_trust_files_root:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_no_rsh_trust_files_root:obj:1 of type file_object

Path	Filename
/root	^\.rhosts$

look for .rhosts in /home oval:ssg-test_no_rsh_trust_files_home:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_no_rsh_trust_files_home:obj:1 of type file_object

Behaviors	Path	Filename
no value	/home	^\.rhosts$

look for /etc/hosts.equiv oval:ssg-test_no_rsh_trust_files_etc:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_no_rsh_trust_files_etc:obj:1 of type file_object

Path	Filename
/etc	^hosts\.equiv$

Uninstall talk Package

Rule ID	xccdf_org.ssgproject.content_rule_package_talk_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_talk_removed:def:1
Time	2026-03-23T20:00:01+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80848-5 References: BP28(R1), 2.3.3, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
Description	The `talk` package contains the client program for the Internet talk protocol, which allows the user to chat with other users on different systems. Talk is a communication program which copies lines from one terminal to the terminal of another user. The `talk` package can be removed with the following command: $ sudo yum erase talk
Rationale	The talk software presents a security risk as it uses unencrypted protocols for communications. Removing the `talk` package decreases the risk of the accidental (or intentional) activation of talk client program.

OVAL test results details

package talk is removed oval:ssg-test_package_talk_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_talk_removed:obj:1 of type rpminfo_object

Name
talk

Uninstall telnet-server Package

Rule ID	xccdf_org.ssgproject.content_rule_package_telnet-server_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_telnet-server_removed:def:1
Time	2026-03-23T20:00:01+01:00
Severity	high
Identifiers and References	Identifiers: CCE-82182-7 References: BP28(R1), 2.2.16, 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000381, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, Req-2.2.4, SRG-OS-000095-GPOS-00049, RHEL-08-040000, SV-230487r627750_rule
Description	The `telnet-server` package can be removed with the following command: $ sudo yum erase telnet-server
Rationale	It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore may remain unsecure. They increase the risk to the platform by providing additional attack vectors. The telnet service provides an unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using this service, the privileged user password could be compromised. Removing the `telnet-server` package decreases the risk of the telnet service's accidental (or intentional) activation.

OVAL test results details

package telnet-server is removed oval:ssg-test_package_telnet-server_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_telnet-server_removed:obj:1 of type rpminfo_object

Name
telnet-server

Remove telnet Clients

Rule ID	xccdf_org.ssgproject.content_rule_package_telnet_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_telnet_removed:def:1
Time	2026-03-23T20:00:01+01:00
Severity	low
Identifiers and References	Identifiers: CCE-80849-3 References: BP28(R1), 2.3.4, 3.1.13, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3
Description	The telnet client allows users to start connections to other systems via the telnet protocol.
Rationale	The `telnet` protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The `ssh` package provides an encrypted session and stronger security and is included in Red Hat Enterprise Linux 8.

OVAL test results details

package telnet is removed oval:ssg-test_package_telnet_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_telnet_removed:obj:1 of type rpminfo_object

Name
telnet

Uninstall tftp-server Package

Rule ID	xccdf_org.ssgproject.content_rule_package_tftp-server_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_tftp-server_removed:def:1
Time	2026-03-23T20:00:01+01:00
Severity	high
Identifiers and References	Identifiers: CCE-82436-7 References: BP28(R1), 2.2.9, 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000318, CCI-000366, CCI-000368, CCI-001812, CCI-001813, CCI-001814, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040190, SV-230533r627750_rule
Description	The `tftp-server` package can be removed with the following command: $ sudo yum erase tftp-server
Rationale	Removing the `tftp-server` package decreases the risk of the accidental (or intentional) activation of tftp services. If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the Information Systems Securty Manager (ISSM), restricted to only authorized personnel, and have access control rules established.

OVAL test results details

package tftp-server is removed oval:ssg-test_package_tftp-server_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_tftp-server_removed:obj:1 of type rpminfo_object

Name
tftp-server

Remove tftp Daemon

Rule ID	xccdf_org.ssgproject.content_rule_package_tftp_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_tftp_removed:def:1
Time	2026-03-23T20:00:01+01:00
Severity	low
Identifiers and References	Identifiers: CCE-83590-0 References: BP28(R1), 2.3.6
Description	Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot files between systems. TFTP does not support authentication and can be easily hacked. The package `tftp` is a client program that allows for connections to a `tftp` server.
Rationale	It is recommended that TFTP be removed, unless there is a specific need for TFTP (such as a boot server). In that case, use extreme caution when configuring the services.

OVAL test results details

package tftp is removed oval:ssg-test_package_tftp_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_tftp_removed:obj:1 of type rpminfo_object

Name
tftp

Uninstall rsync Package

Rule ID	xccdf_org.ssgproject.content_rule_package_rsync_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_rsync_removed:def:1
Time	2026-03-23T20:00:01+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-86335-7 References: 2.2.20
Description	The rsyncd service can be used to synchronize files between systems over network links. The `rsync-daemon` package can be removed with the following command: $ sudo yum erase rsync-daemon
Rationale	The rsyncd service presents a security risk as it uses unencrypted protocols for communication.

OVAL test results details

package rsync-daemon is removed oval:ssg-test_package_rsync-daemon_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_rsync-daemon_removed:obj:1 of type rpminfo_object

Name
rsync-daemon

Uninstall CUPS Package

Rule ID	xccdf_org.ssgproject.content_rule_package_cups_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_cups_removed:def:1
Time	2026-03-23T20:00:01+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-86299-5 References: 2.2.4, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3
Description	The `cups` package can be removed with the following command: $ sudo yum erase cups
Rationale	If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be removed to reduce the potential attack surface.

OVAL test results details

package cups is removed oval:ssg-test_package_cups_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_cups_removed:obj:1 of type rpminfo_object

Name
cups

Uninstall squid Package

Rule ID	xccdf_org.ssgproject.content_rule_package_squid_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_squid_removed:def:1
Time	2026-03-23T20:00:01+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-82189-2 References: 2.2.13
Description	The `squid` package can be removed with the following command: $ sudo yum erase squid
Rationale	If there is no need to make the proxy server software available, removing it provides a safeguard against its activation.

OVAL test results details

package squid is removed oval:ssg-test_package_squid_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_squid_removed:obj:1 of type rpminfo_object

Name
squid

Uninstall Samba Package

Rule ID	xccdf_org.ssgproject.content_rule_package_samba_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_samba_removed:def:1
Time	2026-03-23T20:00:01+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-85978-5 References: 2.2.12
Description	The `samba` package can be removed with the following command: $ sudo yum erase samba
Rationale	If there is no need to make the Samba software available, removing it provides a safeguard against its activation.

OVAL test results details

package samba is removed oval:ssg-test_package_samba_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_samba_removed:obj:1 of type rpminfo_object

Name
samba

Uninstall net-snmp Package

Rule ID	xccdf_org.ssgproject.content_rule_package_net-snmp_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_net-snmp_removed:def:1
Time	2026-03-23T20:00:01+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-85980-1 References: 2.2.14
Description	The `net-snmp` package provides the snmpd service. The `net-snmp` package can be removed with the following command: $ sudo yum erase net-snmp
Rationale	If there is no need to run SNMP server software, removing the package provides a safeguard against its activation.

OVAL test results details

package net-snmp is removed oval:ssg-test_package_net-snmp_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_net-snmp_removed:obj:1 of type rpminfo_object

Name
net-snmp

Set SSH Client Alive Count Max

Rule ID xccdf_org.ssgproject.content_rule_sshd_set_keepalive

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sshd_set_keepalive:def:1

Time 2026-03-23T20:00:01+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80907-9

References: BP28(R29), 5.2.20, 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.5.6, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.11, CCI-000879, CCI-001133, CCI-002361, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, Req-8.1.8, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, RHEL-08-010200, SV-230244r858697_rule, SRG-OS-000480-VMM-002000

Description

The SSH server sends at most ClientAliveCountMax messages during a SSH session and waits for a response from the SSH client. The option ClientAliveInterval configures timeout after each ClientAliveCountMax message. If the SSH server does not receive a response from the client, then the connection is considered unresponsive and terminated. For SSH earlier than v8.2, a ClientAliveCountMax value of 0 causes a timeout precisely when the ClientAliveInterval is set. Starting with v8.2, a value of 0 disables the timeout functionality completely. If the option is set to a number greater than 0, then the session will be disconnected after ClientAliveInterval * ClientAliveCountMax seconds without receiving a keep alive message.

Rationale

This ensures a user login will be terminated as soon as the ClientAliveInterval is reached.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

var_sshd_set_keepalive='0'


if [ -e "/etc/ssh/sshd_config" ] ; then
    
    LC_ALL=C sed -i "/^\s*ClientAliveCountMax\s\+/Id" "/etc/ssh/sshd_config"
else
    touch "/etc/ssh/sshd_config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config"

cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "ClientAliveCountMax $var_sshd_set_keepalive" >> "/etc/ssh/sshd_config"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
    printf '%s\n' "ClientAliveCountMax $var_sshd_set_keepalive" >> "/etc/ssh/sshd_config"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: XCCDF Value var_sshd_set_keepalive # promote to variable
  set_fact:
    var_sshd_set_keepalive: !!str 0
  tags:
    - always

- name: Set SSH Client Alive Count Max
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*ClientAliveCountMax\s+
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*ClientAliveCountMax\s+
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*ClientAliveCountMax\s+
      line: ClientAliveCountMax {{ var_sshd_set_keepalive }}
      state: present
      insertbefore: ^[#\s]*Match
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80907-9
  - CJIS-5.5.6
  - DISA-STIG-RHEL-08-010200
  - NIST-800-171-3.1.11
  - NIST-800-53-AC-12
  - NIST-800-53-AC-17(a)
  - NIST-800-53-AC-2(5)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-10
  - PCI-DSS-Req-8.1.8
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_set_keepalive

OVAL test results details

Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	17.el8_7	8.0p1	0:8.0p1-17.el8_7	199e2f91fd431d51	openssh-server-0:8.0p1-17.el8_7.x86_64

Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	17.el8_7	8.0p1	0:8.0p1-17.el8_7	199e2f91fd431d51	openssh-server-0:8.0p1-17.el8_7.x86_64

Check the value of ClientAliveCountMax setting in the /etc/ssh/sshd_config file oval:ssg-test_sshd_set_keepalive_clientalivecountmax:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_sshd_set_keepalive_clientalivecountmax:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[\s](?i)ClientAliveCountMax[\s]+([\d]+)[\s](?:#.*)?$	1

Disable Host-Based Authentication

Rule ID xccdf_org.ssgproject.content_rule_disable_host_auth

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-disable_host_auth:def:1

Time 2026-03-23T20:00:01+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80786-7

References: 5.2.8, 11, 12, 14, 15, 16, 18, 3, 5, 9, 5.5.6, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-3, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.IP-1, PR.PT-3, FIA_UAU.1, SRG-OS-000480-GPOS-00229, SRG-OS-000480-VMM-002000

Description

SSH's cryptographic host-based authentication is more secure than .rhosts authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization.
The default SSH configuration disables host-based authentication. The appropriate configuration is used if no value is set for HostbasedAuthentication.
To explicitly disable host-based authentication, add or correct the following line in /etc/ssh/sshd_config:

HostbasedAuthentication no

Rationale

SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if [ -e "/etc/ssh/sshd_config" ] ; then
    
    LC_ALL=C sed -i "/^\s*HostbasedAuthentication\s\+/Id" "/etc/ssh/sshd_config"
else
    touch "/etc/ssh/sshd_config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config"

cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "HostbasedAuthentication no" >> "/etc/ssh/sshd_config"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
    printf '%s\n' "HostbasedAuthentication no" >> "/etc/ssh/sshd_config"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Disable Host-Based Authentication
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*HostbasedAuthentication\s+
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*HostbasedAuthentication\s+
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*HostbasedAuthentication\s+
      line: HostbasedAuthentication no
      state: present
      insertbefore: ^[#\s]*Match
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80786-7
  - CJIS-5.5.6
  - NIST-800-171-3.1.12
  - NIST-800-53-AC-17(a)
  - NIST-800-53-AC-3
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_host_auth
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Remediation Kubernetes snippet ⇲

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018%2F04%2F09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fbin%3A%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Fsbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20%2Fetc%2Fssh%2Fssh_host_rsa_key%0AHostKey%20%2Fetc%2Fssh%2Fssh_host_ecdsa_key%0AHostKey%20%2Fetc%2Fssh%2Fssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20512M%201h%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20%2Fetc%2Fsysconfig%2Fsshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%202m%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh%2Fauthorized_keys%20and%20.ssh%2Fauthorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh%2Fauthorized_keys%0AAuthorizedKeysFile%09.ssh%2Fauthorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20%2Fetc%2Fssh%2Fssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~%2F.ssh%2Fknown_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~%2F.rhosts%20and%20~%2F.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s%2Fkey%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20%2Fetc%2Fpam.d%2Fsshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20no%0AClientAliveInterval%20600%0AClientAliveCountMax%200%0A%23UseDNS%20no%0A%23PidFile%20%2Fvar%2Frun%2Fsshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20%2Fetc%2Fissue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09%2Fusr%2Flibexec%2Fopenssh%2Fsftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20sandbox
        mode: 0600
        path: /etc/ssh/sshd_config
        overwrite: true

OVAL test results details

Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	17.el8_7	8.0p1	0:8.0p1-17.el8_7	199e2f91fd431d51	openssh-server-0:8.0p1-17.el8_7.x86_64

Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	17.el8_7	8.0p1	0:8.0p1-17.el8_7	199e2f91fd431d51	openssh-server-0:8.0p1-17.el8_7.x86_64

tests the value of HostbasedAuthentication setting in the /etc/ssh/sshd_config file oval:ssg-test_disable_host_auth:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_disable_host_auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[ \t](?i)HostbasedAuthentication(?-i)[ \t]+(.+?)[ \t](?:$\|#)	1

Disable SSH Access via Empty Passwords

Rule ID xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sshd_disable_empty_passwords:def:1

Time 2026-03-23T20:00:01+01:00

Severity high

Identifiers and References

Identifiers: CCE-80896-4

References: NT007(R17), 5.2.9, 11, 12, 13, 14, 15, 16, 18, 3, 5, 9, 5.5.6, APO01.06, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, 3.1.1, 3.1.5, CCI-000366, CCI-000766, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-3, FIA_UAU.1, Req-2.2.6, SRG-OS-000106-GPOS-00053, SRG-OS-000480-GPOS-00229, SRG-OS-000480-GPOS-00227, RHEL-08-020330, SV-230380r858715_rule, SRG-OS-000480-VMM-002000

Description

Disallow SSH login with empty passwords. The default SSH configuration disables logins with empty passwords. The appropriate configuration is used if no value is set for PermitEmptyPasswords.
To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in /etc/ssh/sshd_config:

PermitEmptyPasswords no

Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.

Rationale

Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if [ -e "/etc/ssh/sshd_config" ] ; then
    
    LC_ALL=C sed -i "/^\s*PermitEmptyPasswords\s\+/Id" "/etc/ssh/sshd_config"
else
    touch "/etc/ssh/sshd_config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config"

cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "PermitEmptyPasswords no" >> "/etc/ssh/sshd_config"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
    printf '%s\n' "PermitEmptyPasswords no" >> "/etc/ssh/sshd_config"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Disable SSH Access via Empty Passwords
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*PermitEmptyPasswords\s+
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*PermitEmptyPasswords\s+
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*PermitEmptyPasswords\s+
      line: PermitEmptyPasswords no
      state: present
      insertbefore: ^[#\s]*Match
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80896-4
  - CJIS-5.5.6
  - DISA-STIG-RHEL-08-020330
  - NIST-800-171-3.1.1
  - NIST-800-171-3.1.5
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - PCI-DSS-Req-2.2.6
  - high_severity
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - restrict_strategy
  - sshd_disable_empty_passwords

OVAL test results details

Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	17.el8_7	8.0p1	0:8.0p1-17.el8_7	199e2f91fd431d51	openssh-server-0:8.0p1-17.el8_7.x86_64

Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	17.el8_7	8.0p1	0:8.0p1-17.el8_7	199e2f91fd431d51	openssh-server-0:8.0p1-17.el8_7.x86_64

tests the value of PermitEmptyPasswords setting in the /etc/ssh/sshd_config file oval:ssg-test_sshd_disable_empty_passwords:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_sshd_disable_empty_passwords:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[ \t](?i)PermitEmptyPasswords(?-i)[ \t]+(.+?)[ \t](?:$\|#)	1

Disable SSH Support for .rhosts Files

Rule ID xccdf_org.ssgproject.content_rule_sshd_disable_rhosts

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sshd_disable_rhosts:def:1

Time 2026-03-23T20:00:01+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80899-8

References: 5.2.11, 11, 12, 14, 15, 16, 18, 3, 5, 9, 5.5.6, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.1.12, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.IP-1, PR.PT-3, FIA_UAU.1, SRG-OS-000480-GPOS-00227, SRG-OS-000107-VMM-000530

Description

SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via .rhosts files.
The default SSH configuration disables support for .rhosts. The appropriate configuration is used if no value is set for IgnoreRhosts.
To explicitly disable support for .rhosts files, add or correct the following line in /etc/ssh/sshd_config:

IgnoreRhosts yes

Rationale

SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if [ -e "/etc/ssh/sshd_config" ] ; then
    
    LC_ALL=C sed -i "/^\s*IgnoreRhosts\s\+/Id" "/etc/ssh/sshd_config"
else
    touch "/etc/ssh/sshd_config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config"

cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "IgnoreRhosts yes" >> "/etc/ssh/sshd_config"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
    printf '%s\n' "IgnoreRhosts yes" >> "/etc/ssh/sshd_config"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Disable SSH Support for .rhosts Files
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*IgnoreRhosts\s+
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*IgnoreRhosts\s+
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*IgnoreRhosts\s+
      line: IgnoreRhosts yes
      state: present
      insertbefore: ^[#\s]*Match
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80899-8
  - CJIS-5.5.6
  - NIST-800-171-3.1.12
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_disable_rhosts

OVAL test results details

Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	17.el8_7	8.0p1	0:8.0p1-17.el8_7	199e2f91fd431d51	openssh-server-0:8.0p1-17.el8_7.x86_64

Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	17.el8_7	8.0p1	0:8.0p1-17.el8_7	199e2f91fd431d51	openssh-server-0:8.0p1-17.el8_7.x86_64

tests the value of IgnoreRhosts setting in the /etc/ssh/sshd_config file oval:ssg-test_sshd_disable_rhosts:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_sshd_disable_rhosts:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[ \t](?i)IgnoreRhosts(?-i)[ \t]+(.+?)[ \t](?:$\|#)	1

Disable SSH Root Login

Rule ID xccdf_org.ssgproject.content_rule_sshd_disable_root_login

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sshd_disable_root_login:def:1

Time 2026-03-23T20:00:01+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80901-2

References: BP28(R19), NT007(R21), 5.2.7, 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.6, APO01.06, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.06, DSS06.10, 3.1.1, 3.1.5, CCI-000366, CCI-000770, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-6(2), AC-17(a), IA-2, IA-2(5), CM-7(a), CM-7(b), CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, PR.PT-3, FAU_GEN.1, Req-2.2.6, SRG-OS-000109-GPOS-00056, SRG-OS-000480-GPOS-00227, RHEL-08-010550, SV-230296r858711_rule, SRG-OS-000480-VMM-002000

Description

The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in /etc/ssh/sshd_config:

PermitRootLogin no

Rationale

Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password.

Warnings

warning This rule is disabled on Red Hat Virtualization Hosts and Managers, it will report not applicable. RHV hosts require root access to be managed by RHV Manager.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if [ -e "/etc/ssh/sshd_config" ] ; then
    
    LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config"
else
    touch "/etc/ssh/sshd_config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config"

cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "PermitRootLogin no" >> "/etc/ssh/sshd_config"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
    printf '%s\n' "PermitRootLogin no" >> "/etc/ssh/sshd_config"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Disable SSH Root Login
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*PermitRootLogin\s+
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*PermitRootLogin\s+
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*PermitRootLogin\s+
      line: PermitRootLogin no
      state: present
      insertbefore: ^[#\s]*Match
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80901-2
  - CJIS-5.5.6
  - DISA-STIG-RHEL-08-010550
  - NIST-800-171-3.1.1
  - NIST-800-171-3.1.5
  - NIST-800-53-AC-17(a)
  - NIST-800-53-AC-6(2)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-IA-2
  - NIST-800-53-IA-2(5)
  - PCI-DSS-Req-2.2.6
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_disable_root_login

OVAL test results details

Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	17.el8_7	8.0p1	0:8.0p1-17.el8_7	199e2f91fd431d51	openssh-server-0:8.0p1-17.el8_7.x86_64

Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	17.el8_7	8.0p1	0:8.0p1-17.el8_7	199e2f91fd431d51	openssh-server-0:8.0p1-17.el8_7.x86_64

tests the value of PermitRootLogin setting in the /etc/ssh/sshd_config file oval:ssg-test_sshd_disable_root_login:tst:1 false

Following items have been found on the system:

Path	Content
/etc/ssh/sshd_config	PermitRootLogin yes

Do Not Allow SSH Environment Options

Rule ID xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sshd_do_not_permit_user_env:def:1

Time 2026-03-23T20:00:01+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80903-8

References: 5.2.10, 11, 3, 9, 5.5.6, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, Req-2.2.6, SRG-OS-000480-GPOS-00229, RHEL-08-010830, SV-230330r877377_rule, SRG-OS-000480-VMM-002000

Description

Ensure that users are not able to override environment variables of the SSH daemon.
The default SSH configuration disables environment processing. The appropriate configuration is used if no value is set for PermitUserEnvironment.
To explicitly disable Environment options, add or correct the following /etc/ssh/sshd_config:

PermitUserEnvironment no

Rationale

SSH environment options potentially allow users to bypass access restriction in some configurations.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if [ -e "/etc/ssh/sshd_config" ] ; then
    
    LC_ALL=C sed -i "/^\s*PermitUserEnvironment\s\+/Id" "/etc/ssh/sshd_config"
else
    touch "/etc/ssh/sshd_config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config"

cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "PermitUserEnvironment no" >> "/etc/ssh/sshd_config"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
    printf '%s\n' "PermitUserEnvironment no" >> "/etc/ssh/sshd_config"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Do Not Allow SSH Environment Options
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*PermitUserEnvironment\s+
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*PermitUserEnvironment\s+
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*PermitUserEnvironment\s+
      line: PermitUserEnvironment no
      state: present
      insertbefore: ^[#\s]*Match
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80903-8
  - CJIS-5.5.6
  - DISA-STIG-RHEL-08-010830
  - NIST-800-171-3.1.12
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - PCI-DSS-Req-2.2.6
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_do_not_permit_user_env

OVAL test results details

Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	17.el8_7	8.0p1	0:8.0p1-17.el8_7	199e2f91fd431d51	openssh-server-0:8.0p1-17.el8_7.x86_64

Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	17.el8_7	8.0p1	0:8.0p1-17.el8_7	199e2f91fd431d51	openssh-server-0:8.0p1-17.el8_7.x86_64

tests the value of PermitUserEnvironment setting in the /etc/ssh/sshd_config file oval:ssg-test_sshd_do_not_permit_user_env:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_sshd_do_not_permit_user_env:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[ \t](?i)PermitUserEnvironment(?-i)[ \t]+(.+?)[ \t](?:$\|#)	1

Enable PAM

Rule ID	xccdf_org.ssgproject.content_rule_sshd_enable_pam
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sshd_enable_pam:def:1
Time	2026-03-23T20:00:01+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-86721-8 References: 5.2.6, CCI-000877, SRG-OS-000125-GPOS-00065
Description	UsePAM Enables the Pluggable Authentication Module interface. If set to “yes” this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types. To enable PAM authentication, add or correct the following line in `/etc/ssh/sshd_config`: UsePAM yes
Rationale	When UsePAM is set to yes, PAM runs through account and session types properly. This is important if you want to restrict access to services based off of IP, time or other factors of the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access to the server.

OVAL test results details

Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	17.el8_7	8.0p1	0:8.0p1-17.el8_7	199e2f91fd431d51	openssh-server-0:8.0p1-17.el8_7.x86_64

Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	17.el8_7	8.0p1	0:8.0p1-17.el8_7	199e2f91fd431d51	openssh-server-0:8.0p1-17.el8_7.x86_64

tests the value of UsePAM setting in the /etc/ssh/sshd_config file oval:ssg-test_sshd_enable_pam:tst:1 true

Following items have been found on the system:

Path	Content
/etc/ssh/sshd_config	UsePAM yes

Enable SSH Warning Banner

Rule ID xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sshd_enable_warning_banner:def:1

Time 2026-03-23T20:00:01+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80905-3

References: 5.2.15, 1, 12, 15, 16, 5.5.6, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), AC-17(a), CM-6(a), PR.AC-7, FTA_TAB.1, Req-2.2.6, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, RHEL-08-010040, SV-230225r858694_rule, SRG-OS-000023-VMM-000060, SRG-OS-000024-VMM-000070

Description

To enable the warning banner and ensure it is consistent across the system, add or correct the following line in /etc/ssh/sshd_config:

Banner /etc/issue

Another section contains information on how to create an appropriate system-wide warning banner.

Rationale

The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if [ -e "/etc/ssh/sshd_config" ] ; then
    
    LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config"
else
    touch "/etc/ssh/sshd_config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config"

cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "Banner /etc/issue" >> "/etc/ssh/sshd_config"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
    printf '%s\n' "Banner /etc/issue" >> "/etc/ssh/sshd_config"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Enable SSH Warning Banner
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*Banner\s+
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*Banner\s+
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*Banner\s+
      line: Banner /etc/issue
      state: present
      insertbefore: ^[#\s]*Match
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80905-3
  - CJIS-5.5.6
  - DISA-STIG-RHEL-08-010040
  - NIST-800-171-3.1.9
  - NIST-800-53-AC-17(a)
  - NIST-800-53-AC-8(a)
  - NIST-800-53-AC-8(c)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-2.2.6
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_enable_warning_banner

OVAL test results details

Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	17.el8_7	8.0p1	0:8.0p1-17.el8_7	199e2f91fd431d51	openssh-server-0:8.0p1-17.el8_7.x86_64

Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	17.el8_7	8.0p1	0:8.0p1-17.el8_7	199e2f91fd431d51	openssh-server-0:8.0p1-17.el8_7.x86_64

tests the value of Banner setting in the /etc/ssh/sshd_config file oval:ssg-test_sshd_enable_warning_banner:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_sshd_enable_warning_banner:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[ \t](?i)Banner(?-i)[ \t]+(.+?)[ \t](?:$\|#)	1

Ensure SSH LoginGraceTime is configured

Rule ID xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sshd_set_login_grace_time:def:1

Time 2026-03-23T20:00:01+01:00

Severity medium

Identifiers and References

Identifiers: CCE-86551-9

References: 5.2.19

Description

The LoginGraceTime parameter to the SSH server specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist. Like other session controls in this session the Grace Period should be limited to appropriate limits to ensure the service is available for needed access.

Rationale

Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

var_sshd_set_login_grace_time='60'


if [ -e "/etc/ssh/sshd_config" ] ; then
    
    LC_ALL=C sed -i "/^\s*LoginGraceTime\s\+/Id" "/etc/ssh/sshd_config"
else
    touch "/etc/ssh/sshd_config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config"

cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "LoginGraceTime $var_sshd_set_login_grace_time" >> "/etc/ssh/sshd_config"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
    printf '%s\n' "LoginGraceTime $var_sshd_set_login_grace_time" >> "/etc/ssh/sshd_config"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: XCCDF Value var_sshd_set_login_grace_time # promote to variable
  set_fact:
    var_sshd_set_login_grace_time: !!str 60
  tags:
    - always

- name: Ensure SSH LoginGraceTime is configured
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*LoginGraceTime\s+
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*LoginGraceTime\s+
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*LoginGraceTime\s+
      line: LoginGraceTime {{ var_sshd_set_login_grace_time }}
      state: present
      insertbefore: ^[#\s]*Match
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-86551-9
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_set_login_grace_time

OVAL test results details

Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	17.el8_7	8.0p1	0:8.0p1-17.el8_7	199e2f91fd431d51	openssh-server-0:8.0p1-17.el8_7.x86_64

Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	17.el8_7	8.0p1	0:8.0p1-17.el8_7	199e2f91fd431d51	openssh-server-0:8.0p1-17.el8_7.x86_64

LoginGraceTime is configured oval:ssg-test_sshd_login_grace_time:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_sshd_login_grace_time:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[\s](?i)LoginGraceTime[\s]+(\d+)[\s](?:#.*)?$	1

Set SSH Daemon LogLevel to VERBOSE

Rule ID xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sshd_set_loglevel_verbose:def:1

Time 2026-03-23T20:00:01+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82420-1

References: 5.2.5, CCI-000067, CIP-007-3 R7.1, AC-17(a), AC-17(1), CM-6(a), Req-2.2.6, SRG-OS-000032-GPOS-00013

Description

The VERBOSE parameter configures the SSH daemon to record login and logout activity. To specify the log level in SSH, add or correct the following line in /etc/ssh/sshd_config:

LogLevel VERBOSE

Rationale

SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO or VERBOSE level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if [ -e "/etc/ssh/sshd_config" ] ; then
    
    LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config"
else
    touch "/etc/ssh/sshd_config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config"

cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "LogLevel VERBOSE" >> "/etc/ssh/sshd_config"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
    printf '%s\n' "LogLevel VERBOSE" >> "/etc/ssh/sshd_config"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Set SSH Daemon LogLevel to VERBOSE
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*LogLevel\s+
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*LogLevel\s+
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*LogLevel\s+
      line: LogLevel VERBOSE
      state: present
      insertbefore: ^[#\s]*Match
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-82420-1
  - NIST-800-53-AC-17(1)
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-2.2.6
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_set_loglevel_verbose

OVAL test results details

Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	17.el8_7	8.0p1	0:8.0p1-17.el8_7	199e2f91fd431d51	openssh-server-0:8.0p1-17.el8_7.x86_64

Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	17.el8_7	8.0p1	0:8.0p1-17.el8_7	199e2f91fd431d51	openssh-server-0:8.0p1-17.el8_7.x86_64

tests the value of LogLevel setting in the /etc/ssh/sshd_config file oval:ssg-test_sshd_set_loglevel_verbose:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_sshd_set_loglevel_verbose:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[ \t](?i)LogLevel(?-i)[ \t]+(.+?)[ \t](?:$\|#)	1

Set SSH authentication attempt limit

Rule ID xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sshd_set_max_auth_tries:def:1

Time 2026-03-23T20:00:01+01:00

Severity medium

Identifiers and References

Identifiers: CCE-83500-9

References: 5.2.16, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561

Description

The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. to set MaxAUthTries edit /etc/ssh/sshd_config as follows:

MaxAuthTries 4

Rationale

Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

sshd_max_auth_tries_value='4'


if [ -e "/etc/ssh/sshd_config" ] ; then
    
    LC_ALL=C sed -i "/^\s*MaxAuthTries\s\+/Id" "/etc/ssh/sshd_config"
else
    touch "/etc/ssh/sshd_config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config"

cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "MaxAuthTries $sshd_max_auth_tries_value" >> "/etc/ssh/sshd_config"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
    printf '%s\n' "MaxAuthTries $sshd_max_auth_tries_value" >> "/etc/ssh/sshd_config"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: XCCDF Value sshd_max_auth_tries_value # promote to variable
  set_fact:
    sshd_max_auth_tries_value: !!str 4
  tags:
    - always

- name: Set SSH authentication attempt limit
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*MaxAuthTries\s+
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*MaxAuthTries\s+
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*MaxAuthTries\s+
      line: MaxAuthTries {{ sshd_max_auth_tries_value }}
      state: present
      insertbefore: ^[#\s]*Match
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83500-9
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_set_max_auth_tries

OVAL test results details

Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	17.el8_7	8.0p1	0:8.0p1-17.el8_7	199e2f91fd431d51	openssh-server-0:8.0p1-17.el8_7.x86_64

Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	17.el8_7	8.0p1	0:8.0p1-17.el8_7	199e2f91fd431d51	openssh-server-0:8.0p1-17.el8_7.x86_64

maxauthtries is configured oval:ssg-test_sshd_max_auth_tries:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_sshd_max_auth_tries:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[\s](?i)MaxAuthTries[\s]+(\d+)[\s](?:#.*)?$	1

Set SSH MaxSessions limit

Rule ID xccdf_org.ssgproject.content_rule_sshd_set_max_sessions

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sshd_set_max_sessions:def:1

Time 2026-03-23T20:00:01+01:00

Severity medium

Identifiers and References

Identifiers: CCE-83357-4

References: 5.2.18

Description

The MaxSessions parameter specifies the maximum number of open sessions permitted from a given connection. To set MaxSessions edit /etc/ssh/sshd_config as follows:

MaxSessions 10

Rationale

To protect a system from denial of service due to a large number of concurrent sessions, use the rate limiting function of MaxSessions to protect availability of sshd logins and prevent overwhelming the daemon.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

var_sshd_max_sessions='10'


if [ -e "/etc/ssh/sshd_config" ] ; then
    
    LC_ALL=C sed -i "/^\s*MaxSessions\s\+/Id" "/etc/ssh/sshd_config"
else
    touch "/etc/ssh/sshd_config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config"

cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "MaxSessions $var_sshd_max_sessions" >> "/etc/ssh/sshd_config"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
    printf '%s\n' "MaxSessions $var_sshd_max_sessions" >> "/etc/ssh/sshd_config"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure

- name: XCCDF Value var_sshd_max_sessions # promote to variable
  set_fact:
    var_sshd_max_sessions: !!str 10
  tags:
    - always

- name: Set SSH MaxSessions limit
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*MaxSessions\s+
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*MaxSessions\s+
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*MaxSessions\s+
      line: MaxSessions {{ var_sshd_max_sessions }}
      state: present
      insertbefore: ^[#\s]*Match
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83357-4
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sshd_set_max_sessions

OVAL test results details

Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	17.el8_7	8.0p1	0:8.0p1-17.el8_7	199e2f91fd431d51	openssh-server-0:8.0p1-17.el8_7.x86_64

Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	17.el8_7	8.0p1	0:8.0p1-17.el8_7	199e2f91fd431d51	openssh-server-0:8.0p1-17.el8_7.x86_64

maxsessions is configured oval:ssg-test_sshd_max_sessions:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_sshd_max_sessions:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[\s](?i)MaxSessions[\s]+(\d+)[\s](?:#.*)?$	1

Ensure SSH MaxStartups is configured

Rule ID xccdf_org.ssgproject.content_rule_sshd_set_maxstartups

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sshd_set_maxstartups:def:1

Time 2026-03-23T20:00:01+01:00

Severity medium

Identifiers and References

Identifiers: CCE-90718-8

References: 5.2.17

Description

The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. To confgure MaxStartups, you should add or correct the following line in the /etc/ssh/sshd_config file:

MaxStartups 10:30:60

CIS recommends a MaxStartups value of '10:30:60', or more restrictive where dictated by site policy.

Rationale

To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartups to protect availability of sshd logins and prevent overwhelming the daemon.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

var_sshd_set_maxstartups='10:30:60'


if [ -e "/etc/ssh/sshd_config" ] ; then
    
    LC_ALL=C sed -i "/^\s*MaxStartups\s\+/Id" "/etc/ssh/sshd_config"
else
    touch "/etc/ssh/sshd_config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config"

cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "MaxStartups $var_sshd_set_maxstartups" >> "/etc/ssh/sshd_config"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
    printf '%s\n' "MaxStartups $var_sshd_set_maxstartups" >> "/etc/ssh/sshd_config"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: XCCDF Value var_sshd_set_maxstartups # promote to variable
  set_fact:
    var_sshd_set_maxstartups: !!str 10:30:60
  tags:
    - always

- name: Ensure SSH MaxStartups is configured
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*MaxStartups\s+
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*MaxStartups\s+
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*MaxStartups\s+
      line: MaxStartups {{ var_sshd_set_maxstartups }}
      state: present
      insertbefore: ^[#\s]*Match
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-90718-8
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_set_maxstartups

OVAL test results details

Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	17.el8_7	8.0p1	0:8.0p1-17.el8_7	199e2f91fd431d51	openssh-server-0:8.0p1-17.el8_7.x86_64

SSH MaxStartups start parameter is less than or equal to 10 oval:ssg-tst_maxstartups_start_parameter:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_sshd_config_maxstartups_first_parameter:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	(?i)^\sMaxStartups\s+(\d+):\d+:\d+\s$	1

SSH MaxStartups rate parameter is greater than or equal to 30 oval:ssg-tst_maxstartups_rate_parameter:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_sshd_config_maxstartups_second_parameter:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	(?i)^\sMaxStartups\s+\d+:(\d+):\d+\s$	1

SSH MaxStartups full parameter is less than or equal to 100 oval:ssg-tst_maxstartups_full_parameter:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_sshd_config_maxstartups_third_parameter:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	(?i)^\sMaxStartups\s+\d+:\d+:(\d+)\s$	1

Verify Group Who Owns SSH Server config file

Rule ID	xccdf_org.ssgproject.content_rule_file_groupowner_sshd_config
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_groupowner_sshd_config:def:1
Time	2026-03-23T20:00:01+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82901-0 References: 5.2.1, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Description	To properly set the group owner of `/etc/ssh/sshd_config`, run the command: $ sudo chgrp root /etc/ssh/sshd_config
Rationale	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.

OVAL test results details

Testing group ownership of /etc/ssh/sshd_config oval:ssg-test_file_groupowner_sshd_config_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_groupowner_sshd_config_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/ssh/sshd_config	oval:ssg-symlink_file_groupowner_sshd_config_uid_0:ste:1	oval:ssg-state_file_groupowner_sshd_config_gid_0_0:ste:1

Verify Owner on SSH Server config file

Rule ID	xccdf_org.ssgproject.content_rule_file_owner_sshd_config
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_owner_sshd_config:def:1
Time	2026-03-23T20:00:01+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82898-8 References: 5.2.1, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Description	To properly set the owner of `/etc/ssh/sshd_config`, run the command: $ sudo chown root /etc/ssh/sshd_config
Rationale	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.

OVAL test results details

Testing user ownership of /etc/ssh/sshd_config oval:ssg-test_file_owner_sshd_config_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_owner_sshd_config_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/ssh/sshd_config	oval:ssg-symlink_file_owner_sshd_config_uid_0:ste:1	oval:ssg-state_file_owner_sshd_config_uid_0_0:ste:1

Verify Permissions on SSH Server config file

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_sshd_config
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_sshd_config:def:1
Time	2026-03-23T20:00:01+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82894-7 References: 5.2.1, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Description	To properly set the permissions of `/etc/ssh/sshd_config`, run the command: $ sudo chmod 0600 /etc/ssh/sshd_config
Rationale	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.

OVAL test results details

Testing mode of /etc/ssh/sshd_config oval:ssg-test_file_permissions_sshd_config_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_permissions_sshd_config_0:obj:1 of type file_object

Filepath	Filter	Filter
/etc/ssh/sshd_config	oval:ssg-exclude_symlinks__sshd_config:ste:1	oval:ssg-state_file_permissions_sshd_config_0_mode_0600or_stricter_:ste:1

Verify Permissions on SSH Server Private *_key Key Files

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_sshd_private_key:def:1
Time	2026-03-23T20:00:01+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82424-3 References: BP28(R36), 5.2.2, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.13, 3.13.10, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-2.2.6, SRG-OS-000480-GPOS-00227, RHEL-08-010490, SV-230287r880714_rule
Description	SSH server private keys - files that match the `/etc/ssh/*_key` glob, have to have restricted permissions. If those files are owned by the `root` user and the `root` group, they have to have the `0600` permission or stricter. If they are owned by the `root` user, but by a dedicated group `ssh_keys`, they can have the `0640` permission or stricter.
Rationale	If an unauthorized user obtains the private SSH host key file, the host could be impersonated.

OVAL test results details

No keys that have unsafe ownership/permissions combination exist oval:ssg-test_no_offending_keys:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_offending_keys:obj:1 of type file_object

Path	Filename	Filter	Filter	Filter
/etc/ssh	.*_key$	oval:ssg-exclude_symlinks__sshd_private_key:ste:1	oval:ssg-filter_ssh_key_owner_root:ste:1	oval:ssg-filter_ssh_key_owner_ssh_keys:ste:1

Verify Permissions on SSH Server Public *.pub Key Files

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_sshd_pub_key:def:1
Time	2026-03-23T20:00:01+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82428-4 References: 5.2.3, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.13, 3.13.10, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-2.2.6, SRG-OS-000480-GPOS-00227, RHEL-08-010480, SV-230286r627750_rule
Description	To properly set the permissions of `/etc/ssh/.pub`, run the command: $ sudo chmod 0644 /etc/ssh/.pub
Rationale	If a public host key file is modified by an unauthorized user, the SSH service may be compromised.

OVAL test results details

Testing mode of /etc/ssh/ oval:ssg-test_file_permissions_sshd_pub_key_0:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_file_permissions_sshd_pub_key_0:obj:1 of type file_object

Path	Filename	Filter	Filter
/etc/ssh	^.*\.pub$	oval:ssg-exclude_symlinks__sshd_pub_key:ste:1	oval:ssg-state_file_permissions_sshd_pub_key_0_mode_0644or_stricter_:ste:1

Remove the X Windows Package Group

Rule ID	xccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_xorg-x11-server-common_removed:def:1
Time	2026-03-23T20:00:01+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82757-6 References: 2.2.2, 12, 15, 8, APO13.01, DSS01.04, DSS05.02, DSS05.03, CCI-000366, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.PT-4, SRG-OS-000480-GPOS-00227
Description	By removing the xorg-x11-server-common package, the system no longer has X Windows installed. If X Windows is not installed then the system cannot boot into graphical user mode. This prevents the system from being accidentally or maliciously booted into a `graphical.target` mode. To do so, run the following command: $ sudo yum groupremove base-x $ sudo yum remove xorg-x11-server-common
Rationale	Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security vulnerabilities and should not be installed unless approved and documented.
Warnings	warning The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your overall security posture. Removing the package xorg-x11-server-common package will remove the graphical target which might bring your system to an inconsistent state requiring additional configuration to access the system again. If a GUI is an operational requirement, a tailored profile that removes this rule should used before continuing installation.

OVAL test results details

package xorg-x11-server-common is removed oval:ssg-test_package_xorg-x11-server-common_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_xorg-x11-server-common_removed:obj:1 of type rpminfo_object

Name
xorg-x11-server-common

Scroll back to the first rule

Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.