xccdf_org.open-scap_testresult_xccdf_hardpipe_profile_slmicro62_hardened

Guide to the Secure Configuration of SUSE Linux Enterprise Micro 6

The SCAP Security Guide Project
https://www.open-scap.org/security-policies/scap-security-guide

This guide presents a catalog of security-relevant configuration settings for SUSE Linux Enterprise Micro 6. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is is available in the scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.

Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Evaluation Characteristics

Evaluation target	localhost
Benchmark URL	/usr/share/xml/scap/ssg/content/ssg-slmicro6-ds.xml
Benchmark ID	xccdf_org.ssgproject.content_benchmark_SLMICRO6
Benchmark version	0.1.80
Profile ID	xccdf_hardpipe_profile_slmicro62_hardened
Started at	2026-04-19T11:29:24+00:00
Finished at	2026-04-19T11:29:47+00:00
Performed by	root
Test system	cpe:/a:redhat:openscap:1.3.6

CPE Platforms

cpe:/o:suse:sl-micro:6.0
cpe:/o:suse:sl-micro:6.1

Addresses

IPv4 127.0.0.1
IPv4 192.168.77.194
IPv6 fe80:0:0:0:5054:ff:fe76:11c3
MAC 00:00:00:00:00:00
MAC 52:54:00:76:11:C3
MAC 06:B4:10:95:14:DF

Compliance and Scoring

The target system did not satisfy the conditions of 7 rules! Please review rule results and consider applying remediation.

Rule results

158 passed

7 failed

10 other

Severity of failed rules

0 other

1 low

6 medium

0 high

Score

Scoring system	Score	Maximum	Percent
urn:xccdf:scoring:default	90.153442	100.000000	90.15%

Rule Overview

Title	Severity	Result
Guide to the Secure Configuration of SUSE Linux Enterprise Micro 6 7x fail 10x notchecked
System Settings 6x fail 8x notchecked
Installing and Maintaining Software 4x fail 2x notchecked
System and Software Integrity 3x fail
Software Integrity Checking 3x fail
Verify Integrity with AIDE 3x fail
Install AIDE	medium	pass
Build and Test AIDE Database	medium	pass
Configure AIDE to Verify the Audit Tools	medium	fail
Configure Systemd Timer Execution of AIDE	medium	pass
Configure Notification of Post-AIDE Scan Details	medium	fail
Configure AIDE to Verify Access Control Lists (ACLs)	low	pass
Configure AIDE to Verify Extended Attributes	low	fail
Operating System Vendor Support and Certification
The Installed Operating System Is Vendor Supported	high	pass
Disk Partitioning 1x notchecked
Encrypt Partitions	high	notchecked
Sudo 1x fail
Require Re-Authentication When Using the sudo Command	medium	pass
The operating system must restrict privilege elevation to authorized personnel	medium	pass
Ensure sudo only includes the default configuration directory	medium	pass
Ensure invoking users password for privilege escalation when using sudo	medium	fail
Updating Software 1x notchecked
Ensure gpgcheck Enabled In Main zypper Configuration	high	pass
Ensure Software Patches Installed ()	medium	notchecked
Account and Access Control 3x notchecked
Warning Banners for System Accesses
Modify the System Login Banner	medium	pass
Protect Accounts by Configuring PAM
Set Lockouts for Failed Password Attempts
Limit Password Reuse	medium	pass
Enforce Delay After Failed Logon Attempts	medium	pass
Set Password Hashing Algorithm
Set Password Hashing Algorithm in /usr/etc/login.defs	medium	pass
Set PAM Password Hashing Algorithm - system-auth	medium	pass
Set Password Hashing Rounds in /usr/etc/login.defs	medium	pass
Protect Physical Console Access
Configure Screen Locking
Configure Console Screen Locking
Check that vlock is installed to allow session locking	medium	pass
Hardware Tokens for Authentication
Enable Smart Card Logins in PAM	medium	pass
Disable Ctrl-Alt-Del Reboot Activation	high	pass
Protect Accounts by Restricting Password-Based Login 2x notchecked
Set Account Expiration Parameters 2x notchecked
Set Account Expiration Following Inactivity	medium	pass
Never Automatically Remove or Disable Emergency Administrator Accounts	medium	notchecked
Assign Expiration Date to Temporary Accounts	medium	notchecked
Set Password Expiration Parameters
Set Password Maximum Age	medium	pass
Set Password Minimum Age	medium	pass
Set Existing Passwords Maximum Age	medium	pass
Set Existing Passwords Minimum Age	medium	pass
Verify Proper Storage and Existence of Password Hashes
Verify All Account Password Hashes are Shadowed with SHA512	medium	pass
Prevent Login to Accounts With Empty Password	high	pass
Ensure There Are No Accounts With Blank or Null Passwords	high	pass
Restrict Root Logins
Verify Only Root Has UID 0	high	pass
Ensure that System Accounts Do Not Run a Shell Upon Login	medium	pass
Ensure All Accounts on the System Have Unique User IDs	medium	pass
Secure Session Configuration Files for Login Accounts 1x notchecked
Ensure that Users Have Sensible Umask Values
Ensure the Default Umask is Set Correctly in login.defs	medium	pass
Ensure Home Directories are Created for New Users	medium	pass
Ensure the Logon Failure Delay is Set Correctly in login.defs	medium	pass
Limit the Number of Concurrent Login Sessions Allowed Per User	low	pass
Set Interactive Session Timeout	medium	pass
User Initialization Files Must Not Run World-Writable Programs	medium	pass
Ensure that Users Path Contains Only Local Directories	medium	notchecked
All Interactive Users Must Have A Home Directory Defined	medium	pass
All Interactive Users Home Directories Must Exist	medium	pass
All Interactive User Home Directories Must Be Group-Owned By The Primary Group	medium	pass
Ensure All User Initialization Files Have Mode 0740 Or Less Permissive	medium	pass
All Interactive User Home Directories Must Have mode 0750 Or Less Permissive	medium	pass
Configure Syslog
systemd-journald
Enable systemd-journal-upload Service	medium	notapplicable
Network Configuration and Firewalls
firewalld
Inspect and Activate Default firewalld Rules
Verify firewalld Enabled	medium	notapplicable
IPv6
Configure IPv6 Settings if Necessary
Disable Accepting ICMP Redirects for All IPv6 Interfaces	medium	pass
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces	medium	pass
Disable Kernel Parameter for IPv6 Forwarding	medium	pass
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces	medium	pass
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default	medium	pass
Disable Kernel Parameter for IPv6 Forwarding by default	medium	pass
Kernel Parameters Which Affect Networking
Network Related Kernel Runtime Parameters for Hosts and Routers
Disable Accepting ICMP Redirects for All IPv4 Interfaces	medium	pass
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces	medium	pass
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces	medium	pass
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default	medium	pass
Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces	medium	pass
Network Parameters for Hosts Only
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces	medium	pass
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default	medium	pass
Wireless Networking
Disable Wireless Through Software Configuration
Deactivate Wireless Network Interfaces	medium	pass
Ensure System is Not Acting as a Network Sniffer	medium	pass
File Permissions and Masks 2x fail 2x notchecked
Verify Permissions on Important Files and Directories 1x fail
Verify Permissions on Files with Local Account Information and Credentials
Verify Permissions and Ownership of Old Passwords File	medium	pass
Verify File Permissions Within Some Important Directories
Verify that Shared Library Directories Have Root Group Ownership	medium	pass
Verify that Shared Library Directories Have Root Ownership	medium	pass
Verify that System Executable Directories Have Restrictive Permissions	medium	pass
Verify that Shared Library Directories Have Restrictive Permissions	medium	pass
Verify that system commands files are group owned by root or a system account	medium	pass
Verify that System Executables Have Root Ownership	medium	pass
Verify that Shared Library Files Have Root Ownership	medium	pass
Verify that System Executables Have Restrictive Permissions	medium	pass
Verify that Shared Library Files Have Restrictive Permissions	medium	pass
Verify the system-wide library files in directories "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root.	medium	pass
Verify that All World-Writable Directories Have Sticky Bits Set	medium	pass
Ensure All World-Writable Directories Are Group Owned by a System Account	medium	pass
Verify that system commands directories have root as a group owner	medium	pass
Verify that system commands directories have root ownership	medium	pass
Ensure All Files Are Owned by a Group	medium	pass
Ensure All Files Are Owned by a User	medium	pass
Verify permissions of log files	medium	fail
Restrict Dynamic Mounting and Unmounting of Filesystems
Disable Modprobe Loading of USB Storage Driver	medium	pass
Restrict Partition Mount Options
Add nosuid Option to Removable Media Partitions	medium	pass
Verify Permissions on Important Files and Directories Are Configured in /etc/permissions.local 2x notchecked
Verify that local /var/log/messages is not world-readable	medium	pass
Verify Permissions of Local Logs of audit Tools	medium	notchecked
Verify that Local Logs of the audit Daemon are not World-Readable	medium	notchecked
Restrict Programs from Dangerous Execution Patterns 1x fail
Enable ExecShield 1x fail
Restrict Exposed Kernel Pointer Addresses Access	medium	fail
Enable Randomized Layout of Virtual Address Space	medium	pass
Restrict Access to Kernel Message Buffer	low	pass
SELinux 1x notchecked
Install policycoreutils-python-utils package	medium	pass
Install policycoreutils Package	low	pass
Configure SELinux Policy	medium	pass
Ensure SELinux State is Enforcing	high	pass
Map System Users To The Appropriate SELinux Role	medium	notchecked
Services 1x fail 1x notchecked
Base Services
Disable KDump Kernel Crash Analyzer (kdump)	medium	pass
Mail Server Software 1x fail
Configure SMTP For Mail Clients 1x fail
Configure System to Forward All Mail For The Root Account	medium	fail
Network Time Protocol
A remote time server for Chrony is configured	medium	notapplicable
Configure Time Service Maxpoll Interval	medium	notapplicable
Obsolete Services
Rlogin, Rsh, and Rexec
Remove Host-Based Authentication Files	high	pass
Remove User Host-Based Authentication Files	high	pass
Telnet
Uninstall telnet-server Package	high	pass
SSH Server 1x notchecked
Configure OpenSSH Server if Necessary
Set SSH Client Alive Count Max	medium	pass
Set SSH Client Alive Interval	medium	pass
Disable SSH Access via Empty Passwords	high	pass
Disable SSH Root Login	medium	pass
Disable SSH Support for User Known Hosts	medium	pass
Disable X11 Forwarding	medium	pass
Do Not Allow SSH Environment Options	medium	pass
Enable Use of Strict Mode Checking	medium	pass
Enable SSH Warning Banner	medium	pass
Enable SSH Print Last Log	medium	pass
Set SSH Daemon LogLevel to VERBOSE	medium	pass
Use Only FIPS 140-2 Validated Ciphers	medium	pass
Use Only FIPS 140-2 Validated Ciphers	medium	pass
Use Only FIPS 140-2 Validated Key Exchange Algorithms	medium	pass
Use Only FIPS 140-2 Validated MACs	medium	pass
Use Only FIPS 140-2 Validated MACs	medium	pass
Install the OpenSSH Server Package	medium	pass
Enable the OpenSSH Service	medium	pass
Verify Permissions on SSH Server Private *_key Key Files	medium	pass
Verify Permissions on SSH Server Public *.pub Key Files	medium	pass
OpenSSH Service Must Use Passcode for Their Private Keys	medium	notchecked
System Security Services Daemon
Configure SSSD's Memory Cache to Expire	medium	notapplicable
Configure SSSD to Expire Offline Credentials	medium	notapplicable
System Accounting with auditd 1x notchecked
Configure auditd Rules for Comprehensive Auditing
Record Events that Modify the System's Discretionary Access Controls
Record Events that Modify the System's Discretionary Access Controls - fchmod	medium	pass
Record Events that Modify the System's Discretionary Access Controls - fremovexattr	medium	pass
Record Events that Modify the System's Discretionary Access Controls - lchown	medium	pass
Record Events that Modify the System's Discretionary Access Controls - umount2	medium	pass
Record Execution Attempts to Run ACL Privileged Commands
Record Any Attempts to Run chacl	medium	pass
Record Any Attempts to Run chmod	medium	pass
Record Any Attempts to Run setfacl	medium	pass
Record Execution Attempts to Run SELinux Privileged Commands
Record Any Attempts to Run chcon	medium	pass
Record Any Attempts to Run rm	medium	pass
Record Any Attempts to Run semanage	medium	pass
Record Any Attempts to Run setfiles	medium	pass
Record Any Attempts to Run setsebool	medium	pass
Record Unauthorized Access Attempts Events to Files (unsuccessful)
Record Unsuccessful Access Attempts to Files - open	medium	pass
Record Unsuccessful Delete Attempts to Files - rename	medium	pass
Record Information on Kernel Modules Loading and Unloading
Ensure auditd Collects Information on Kernel Module Unloading - delete_module	medium	pass
Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module	medium	pass
Record Attempts to Alter Logon and Logout Events
Record Attempts to Alter Logon and Logout Events - lastlog	medium	pass
Record Attempts to Alter Logon and Logout Events - tallylog	medium	pass
Record Information on the Use of Privileged Commands
Ensure auditd Collects Information on the Use of Privileged Commands - chage	medium	pass
Ensure auditd Collects Information on the Use of Privileged Commands - chfn	medium	pass
Ensure auditd Collects Information on the Use of Privileged Commands - chsh	medium	pass
Ensure auditd Collects Information on the Use of Privileged Commands - crontab	medium	pass
Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd	medium	pass
Ensure auditd Collects Information on the Use of Privileged Commands - insmod	medium	pass
Ensure auditd Collects Information on the Use of Privileged Commands - kmod	medium	pass
Ensure auditd Collects Information on the Use of Privileged Commands - modprobe	medium	pass
Ensure auditd Collects Information on the Use of Privileged Commands - newgrp	medium	pass
Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check	medium	pass
Ensure auditd Collects Information on the Use of Privileged Commands - passwd	medium	pass
Ensure auditd Collects Information on the Use of Privileged Commands - rmmod	medium	pass
Record Any Attempts to Run ssh-agent	medium	pass
Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign	medium	pass
Ensure auditd Collects Information on the Use of Privileged Commands - su	medium	pass
Ensure auditd Collects Information on the Use of Privileged Commands - sudo	medium	pass
Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit	medium	pass
Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd	medium	pass
Ensure auditd Collects Information on the Use of Privileged Commands - usermod	medium	pass
Ensure auditd Collects Information on Exporting to Media (successful)	medium	pass
Record Attempts to Alter Process and Session Initiation Information btmp	medium	pass
Record Attempts to Alter Process and Session Initiation Information utmp	medium	pass
Record Attempts to Alter Process and Session Initiation Information wtmp	medium	pass
Record Events When Privileged Executables Are Run	medium	pass
Ensure auditd Collects System Administrator Actions	medium	pass
Record Events that Modify User/Group Information - /etc/group	medium	pass
Record Events that Modify User/Group Information - /etc/security/opasswd	medium	pass
Record Events that Modify User/Group Information - /etc/passwd	medium	pass
Record Events that Modify User/Group Information - /etc/shadow	medium	pass
Configure auditd Data Retention 1x notchecked
Configure a Sufficiently Large Partition for Audit Logs	medium	notchecked
Configure auditd Disk Full Action when Disk Space Is Full	medium	pass
Configure auditd mail_acct Action on Low Disk Space	medium	pass
Configure auditd space_left Action on Low Disk Space	medium	pass
Configure auditd space_left on Low Disk Space	medium	pass
Ensure the audit Subsystem is Installed	medium	pass
Enable auditd Service	medium	pass

Result Details

Install AIDE

Rule ID	xccdf_org.ssgproject.content_rule_package_aide_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_aide_installed:def:1
Time	2026-04-19T11:29:24+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94712-7 References: 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, R76, R79, 1034, 1288, 1341, 1417, 11.5.2
Description	The `aide` package can be installed with the following command: $ sudo zypper install aide
Rationale	The AIDE package must be installed if it is to be available for integrity checking.

Build and Test AIDE Database

Rule ID	xccdf_org.ssgproject.content_rule_aide_build_database
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-aide_build_database:def:1
Time	2026-04-19T11:29:24+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94713-5 References: 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, R76, R79, 11.5.2
Description	Run the following command to generate a new database: $ sudo /usr/bin/aide --init By default, the database will be written to the file `/var/lib/aide/aide.db.new`. Storing the database, the configuration file `/etc/aide.conf`, and the binary `/usr/bin/aide` (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows: $ sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db To initiate a manual check, run the following command: $ sudo /usr/bin/aide --check If this check produces any unexpected output, investigate.
Rationale	For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
Warnings	warning In RHEL Image Mode (bootc) systems, the AIDE database must be regenerated after each system update. Image Mode systems receive updates through new container images that may include modified files. After applying system updates, run the following commands to regenerate the AIDE database: $ sudo /usr/bin/aide --init Then replace the existing database: $ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz Failure to regenerate the AIDE database after updates will result in false positive alerts for legitimate system changes introduced by the update process.

Configure AIDE to Verify the Audit Tools

Rule ID xccdf_org.ssgproject.content_rule_aide_check_audit_tools

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-aide_check_audit_tools:def:1

Time 2026-04-19T11:29:24+00:00

Severity medium

Identifiers and References

Identifiers: CCE-94702-8

References: AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108

Description

The operating system file integrity tool must be configured to protect the integrity of the audit tools.

Rationale

Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit tools include but are not limited to vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. It is not uncommon for attackers to replace the audit tools or inject code into the existing tools to provide the capability to hide or erase system activity from the audit logs. To address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then

zypper install -y "aide"










if grep -i -E '^.*(/usr)?/sbin/auditctl.*$' /etc/aide.conf; then
sed -i -r "s#.*(/usr)?/sbin/auditctl.*#/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
else
echo "/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
fi

if grep -i -E '^.*(/usr)?/sbin/auditd.*$' /etc/aide.conf; then
sed -i -r "s#.*(/usr)?/sbin/auditd.*#/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
else
echo "/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
fi

if grep -i -E '^.*(/usr)?/sbin/ausearch.*$' /etc/aide.conf; then
sed -i -r "s#.*(/usr)?/sbin/ausearch.*#/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
else
echo "/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
fi

if grep -i -E '^.*(/usr)?/sbin/aureport.*$' /etc/aide.conf; then
sed -i -r "s#.*(/usr)?/sbin/aureport.*#/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
else
echo "/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
fi

if grep -i -E '^.*(/usr)?/sbin/autrace.*$' /etc/aide.conf; then
sed -i -r "s#.*(/usr)?/sbin/autrace.*#/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
else
echo "/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
fi

if grep -i -E '^.*(/usr)?/sbin/augenrules.*$' /etc/aide.conf; then
sed -i -r "s#.*(/usr)?/sbin/augenrules.*#/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
else
echo "/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
fi

if grep -i -E '^.*(/usr)?/sbin/audispd.*$' /etc/aide.conf; then
sed -i -r "s#.*(/usr)?/sbin/audispd.*#/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
else
echo "/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-94702-8
  - NIST-800-53-AU-9(3)
  - NIST-800-53-AU-9(3).1
  - aide_check_audit_tools
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure AIDE to Verify the Audit Tools - Gather List of Packages
  tags:
  - CCE-94702-8
  - NIST-800-53-AU-9(3)
  - NIST-800-53-AU-9(3).1
  - aide_check_audit_tools
  - aide_check_audit_tools
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  ansible.builtin.package_facts:
    manager: auto
  when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)

- name: Configure AIDE to Verify the Audit Tools - Ensure AIDE is Installed
  ansible.builtin.package:
    name: '{{ item }}'
    state: present
  with_items:
  - aide
  when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  tags:
  - CCE-94702-8
  - NIST-800-53-AU-9(3)
  - NIST-800-53-AU-9(3).1
  - aide_check_audit_tools
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure AIDE to Verify the Audit Tools - Gather the Package Facts
  ansible.builtin.package_facts:
    manager: auto
  when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  tags:
  - CCE-94702-8
  - NIST-800-53-AU-9(3)
  - NIST-800-53-AU-9(3).1
  - aide_check_audit_tools
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set "Configure AIDE to Verify the Audit Tools - audit_tools fact"
  ansible.builtin.set_fact:
    audit_tools:
    - /usr/sbin/audispd
    - /usr/sbin/auditctl
    - /usr/sbin/auditd
    - /usr/sbin/augenrules
    - /usr/sbin/aureport
    - /usr/sbin/ausearch
    - /usr/sbin/autrace
  when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  tags:
  - CCE-94702-8
  - NIST-800-53-AU-9(3)
  - NIST-800-53-AU-9(3).1
  - aide_check_audit_tools
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure AIDE to Verify the Audit Tools - Ensure Existing AIDE Configuration
    for Audit Tools are Correct
  ansible.builtin.lineinfile:
    path: /etc/aide.conf
    regexp: ^{{ item }}\s
    line: '{{ item }} p+i+n+u+g+s+b+acl+selinux+xattrs+sha512'
    create: true
  with_items: '{{ audit_tools }}'
  when:
  - ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  - '"aide" in ansible_facts.packages'
  tags:
  - CCE-94702-8
  - NIST-800-53-AU-9(3)
  - NIST-800-53-AU-9(3).1
  - aide_check_audit_tools
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure AIDE to Verify the Audit Tools - Configure AIDE to Properly Protect
    Audit Tools
  ansible.builtin.lineinfile:
    path: /etc/aide.conf
    line: '{{ item }} p+i+n+u+g+s+b+acl+selinux+xattrs+sha512'
    create: true
  with_items: '{{ audit_tools }}'
  when:
  - ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  - '"aide" in ansible_facts.packages'
  tags:
  - CCE-94702-8
  - NIST-800-53-AU-9(3)
  - NIST-800-53-AU-9(3).1
  - aide_check_audit_tools
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Configure Systemd Timer Execution of AIDE

Rule ID	xccdf_org.ssgproject.content_rule_aide_periodic_checking_systemd_timer
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-aide_periodic_checking_systemd_timer:def:1
Time	2026-04-19T11:29:25+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94714-3 References: 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, R76, 11.5.2
Description	At a minimum, AIDE should be configured to run a weekly scan. To implement a systemd service and a timer unit to run the service periodically: For example, if a systemd timer is expected to be started every day at 5AM OnCalendar=--* 05:00:0 [Timer] section in the timer unit and a Unit section starting the AIDE check service unit should be referred.
Rationale	AIDE provides a means to check if unauthorized changes are made to the system. AIDE itself does not setup a periodic execution, so in order to detect unauthorized changes a systemd service to run the check and a systemd timer to take care of periodical execution of that systemd service should be defined.

Configure Notification of Post-AIDE Scan Details

Rule ID xccdf_org.ssgproject.content_rule_aide_scan_notification

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-aide_scan_notification:def:1

Time 2026-04-19T11:29:25+00:00

Severity medium

Identifiers and References

Identifiers: CCE-94730-9

References: 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, R76

Description

AIDE should notify appropriate personnel of the details of a scan after the scan has been run. If AIDE has already been configured for periodic execution in /etc/crontab, append the following line to the existing AIDE line:

 | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost

Otherwise, add the following line to /etc/crontab:

05 4 * * * root /usr/bin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost

AIDE can be executed periodically through other means; this is merely one example.

Rationale

Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.

Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then

zypper install -y "aide"
var_aide_scan_notification_email='root@localhost'



# create unit file for periodic aide database check
cat > /etc/systemd/system/aidecheck.service <<CHECKEOF
[Unit]
        Description=Aide Check
        Before=aidecheck-notify.service
        Wants=aidecheck-notify.service
        [Service]
        Type=forking
        ExecStart=/usr/bin/aide --check -r file:/tmp/aide-report.log
        [Install]
        WantedBy=multi-user.target
CHECKEOF
cat > /etc/systemd/system/aidecheck-notify.service <<NOTIFYEOF
[Unit]
        Description=Status email for AIDE check result
        After=aidecheck.service
        [Service]
        Type=forking
        ExecStart=/bin/sh -c 'cat /tmp/aide-report.log | /bin/mail -s "$(hostname) - AIDE Integrity Check"  $var_aide_scan_notification_email'
NOTIFYEOF

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-94730-9
  - NIST-800-53-CM-3(5)
  - NIST-800-53-CM-6(a)
  - aide_scan_notification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
- name: XCCDF Value var_aide_scan_notification_email # promote to variable
  set_fact:
    var_aide_scan_notification_email: !!str root@localhost
  tags:
    - always

- name: Configure Notification of Post-AIDE Scan Details - Ensure AIDE is installed
  ansible.builtin.package:
    name: '{{ item }}'
    state: present
  with_items:
  - aide
  when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  tags:
  - CCE-94730-9
  - NIST-800-53-CM-3(5)
  - NIST-800-53-CM-6(a)
  - aide_scan_notification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure Notification of Post-AIDE Scan Details - Check Service
  ansible.builtin.blockinfile:
    create: true
    dest: /etc/systemd/system/aidecheck.service
    owner: root
    group: root
    mode: '0644'
    block: |
      [Unit]
      Description=Aide Check
      Before=aidecheck-notify.service
      Wants=aidecheck-notify.service
      [Service]
      Type=forking
      ExecStart=/usr/bin/aide --check -r file:/tmp/aide-report.log
      [Install]
      WantedBy=multi-user.target
  when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  tags:
  - CCE-94730-9
  - NIST-800-53-CM-3(5)
  - NIST-800-53-CM-6(a)
  - aide_scan_notification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure Notification of Post-AIDE Scan Details - Notify Service
  ansible.builtin.blockinfile:
    create: true
    dest: /etc/systemd/system/aidecheck-notify.service
    owner: root
    group: root
    mode: '0644'
    block: |
      [Unit]
      Description=Status email for AIDE check result
      After=aidecheck.service
      [Service]
      Type=forking
      ExecStart=/bin/sh -c 'cat /tmp/aide-report.log | /bin/mail -s "$(hostname) - AIDE Integrity Check"  {{ var_aide_scan_notification_email }}'
  when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  tags:
  - CCE-94730-9
  - NIST-800-53-CM-3(5)
  - NIST-800-53-CM-6(a)
  - aide_scan_notification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Configure AIDE to Verify Access Control Lists (ACLs)

Rule ID	xccdf_org.ssgproject.content_rule_aide_verify_acls
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-aide_verify_acls:def:1
Time	2026-04-19T11:29:25+00:00
Severity	low
Identifiers and References	Identifiers: CCE-95052-7 References: 2, 3, APO01.06, BAI03.05, BAI06.01, DSS06.02, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4, SI-7, SI-7(1), CM-6(a), PR.DS-6, PR.DS-8, SRG-OS-000480-GPOS-00227, R76
Description	By default, the `acl` option is added to the `FIPSR` ruleset in AIDE. If using a custom ruleset or the `acl` option is missing, add `acl` to the appropriate ruleset. For example, add `acl` to the following line in `/etc/aide.conf`: FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256 AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. The remediation provided with this rule adds `acl` to all rule sets available in `/etc/aide.conf`
Rationale	ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools.

Configure AIDE to Verify Extended Attributes

Rule ID xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-aide_verify_ext_attributes:def:1

Time 2026-04-19T11:29:25+00:00

Severity low

Identifiers and References

Identifiers: CCE-95053-5

References: 2, 3, APO01.06, BAI03.05, BAI06.01, DSS06.02, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4, SI-7, SI-7(1), CM-6(a), PR.DS-6, PR.DS-8, SRG-OS-000480-GPOS-00227, R76

Description

By default, the xattrs option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the xattrs option is missing, add xattrs to the appropriate ruleset. For example, add xattrs to the following line in /etc/aide.conf:

FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256

AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. The remediation provided with this rule adds xattrs to all rule sets available in /etc/aide.conf

Rationale

Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then

zypper install -y "aide"

aide_conf="/etc/aide.conf"


groups=$(LC_ALL=C grep "^[A-Z][A-Za-z_]*" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u)


for group in $groups
do
	config=$(grep "^$group\s*=" $aide_conf | cut -f2 -d '=' | tr -d ' ')

	if ! [[ $config = *xattrs* ]]
	then
		if [[ -z $config ]]
		then
			config="xattrs"
		else
			config=$config"+xattrs"
		fi
	fi
	sed -i "s/^$group\s*=.*/$group = $config/g" $aide_conf
done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-95053-5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - aide_verify_ext_attributes
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - restrict_strategy

- name: Gather list of packages
  ansible.builtin.package_facts:
    manager: auto
  when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  tags:
  - CCE-95053-5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - aide_verify_ext_attributes
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - restrict_strategy

- name: Get rules groups
  ansible.builtin.shell: |
    set -o pipefail
    LC_ALL=C grep "^[A-Z][A-Za-z_]*" /etc/aide.conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u || true
  when:
  - ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  - '''aide'' in ansible_facts.packages'
  register: find_rules_groups_results
  changed_when: false
  check_mode: false
  tags:
  - CCE-95053-5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - aide_verify_ext_attributes
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - restrict_strategy

- name: Ensure the xattrs rule is present when aide is installed.
  ansible.builtin.replace:
    path: /etc/aide.conf
    regexp: (^\s*{{ item }}\s*=\s*)(?!.*xattrs)([^\s]*)
    replace: \g<1>\g<2>+xattrs
  when:
  - ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  - find_rules_groups_results is not skipped and "'aide' in ansible_facts.packages"
  with_items: '{{ find_rules_groups_results.stdout_lines | map(''trim'') | list }}'
  tags:
  - CCE-95053-5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - aide_verify_ext_attributes
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - restrict_strategy

The Installed Operating System Is Vendor Supported

Rule ID	xccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-installed_OS_is_vendor_supported:def:1
Time	2026-04-19T11:29:25+00:00
Severity	high
Identifiers and References	Identifiers: CCE-95035-2 References: 18, 20, 4, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, CM-6(a), MA-6, SA-13(a), ID.RA-1, PR.IP-12, SRG-OS-000480-GPOS-00227
Description	The installed operating system must be maintained by a vendor. SUSE Linux Enterprise is supported by SUSE. As the SUSE Linux Enterprise vendor, SUSE is responsible for providing security patches.
Rationale	An operating system is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve any security issue discovered in the system software.
Warnings	warning There is no remediation besides switching to a different operating system.

Encrypt Partitions

Rule ID	xccdf_org.ssgproject.content_rule_encrypt_partitions
Result	notchecked
Multi-check rule	no
Time	2026-04-19T11:29:25+00:00
Severity	high
Identifiers and References	Identifiers: CCE-94686-3 References: 13, 14, APO01.06, BAI02.01, BAI06.01, DSS04.07, DSS05.03, DSS05.04, DSS05.07, DSS06.02, DSS06.06, 3.13.16, 164.308(a)(1)(ii)(D), 164.308(b)(1), 164.310(d), 164.312(a)(1), 164.312(a)(2)(iii), 164.312(a)(2)(iv), 164.312(b), 164.312(c), 164.314(b)(2)(i), 164.312(d), SR 3.4, SR 4.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), SC-28, SC-28(1), SC-13, AU-9(3), PR.DS-1, PR.DS-5, SRG-OS-000405-GPOS-00184, SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183
Description	SUSE Linux Enterprise Micro 6 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time. For manual installations, select the `Encrypt` checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots. Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on the SUSE Linux Enterprise Micro 6 Documentation web site: https://documentation.suse.com/sle-micro/6.0/html/Micro-deployment-raw-images/index.html#deployment-jeos-firstboot .
Rationale	The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost.
Evaluation messages info No candidate or applicable check found.

Require Re-Authentication When Using the sudo Command

Rule ID	xccdf_org.ssgproject.content_rule_sudo_require_reauthentication
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sudo_require_reauthentication:def:1
Time	2026-04-19T11:29:25+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94719-2 References: IA-11, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, 2.2.6, 2.2
Description	The sudo `timestamp_timeout` tag sets the amount of time sudo password prompt waits. The default `timestamp_timeout` value is 5 minutes. The timestamp_timeout should be configured by making sure that the `timestamp_timeout` tag exists in `/etc/sudoers` configuration file or any sudo configuration snippets in `/etc/sudoers.d/`. If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated.
Rationale	Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.

The operating system must restrict privilege elevation to authorized personnel

Rule ID	xccdf_org.ssgproject.content_rule_sudo_restrict_privilege_elevation_to_authorized
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sudo_restrict_privilege_elevation_to_authorized:def:1
Time	2026-04-19T11:29:25+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95042-8 References: CM-6(b), CM-6(iv), SRG-OS-000480-GPOS-00227
Description	The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. Restrict privileged actions by removing the following entries from the sudoers file: `ALL ALL=(ALL) ALL` `ALL ALL=(ALL:ALL) ALL`
Rationale	If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.
Warnings	warning This rule doesn't come with a remediation, as the exact requirement allows exceptions, and removing lines from the sudoers file can make the system non-administrable.

Ensure sudo only includes the default configuration directory

Rule ID	xccdf_org.ssgproject.content_rule_sudoers_default_includedir
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sudoers_default_includedir:def:1
Time	2026-04-19T11:29:25+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95040-2 References: SRG-OS-000480-GPOS-00227
Description	Administrators can configure authorized `sudo` users via drop-in files, and it is possible to include other directories and configuration files from the file currently being parsed. Make sure that `/etc/sudoers` only includes drop-in configuration files from `/etc/sudoers.d`, or that no drop-in file is included. Either the `/etc/sudoers` should contain only one `#includedir` directive pointing to `/etc/sudoers.d`, and no file in `/etc/sudoers.d/` should include other files or directories; Or the `/etc/sudoers` should not contain any `#include`, `@include`, `#includedir` or `@includedir` directives. Note that the '#' character doesn't denote a comment in the configuration file.
Rationale	Some `sudo` configuration options allow users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts.

Ensure invoking users password for privilege escalation when using sudo

Rule ID xccdf_org.ssgproject.content_rule_sudoers_validate_passwd

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sudoers_validate_passwd:def:1

Time 2026-04-19T11:29:25+00:00

Severity medium

Identifiers and References

Identifiers: CCE-95043-6

References: CM-6(b), CM-6.1(iv), SRG-OS-000480-GPOS-00227

Description

The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. The expected output for:

 sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)$'

 Defaults !targetpw
      Defaults !rootpw
      Defaults !runaspw

or if cvtsudoers not supported:

 sudo find /etc/sudoers /etc/sudoers.d \( \! -name '*~' -a \! -name '*.*' \) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw|targetpw|runaspw)' -- {} \;

 /etc/sudoers:Defaults !targetpw
      /etc/sudoers:Defaults !rootpw
      /etc/sudoers:Defaults !runaspw

Rationale

If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base && { rpm --quiet -q sudo; }; then

if grep -x '^Defaults targetpw$' /etc/sudoers; then
    sed -i "/Defaults targetpw/d" /etc/sudoers \;
fi
if grep -x '^Defaults targetpw$' /etc/sudoers.d/*; then
    find /etc/sudoers.d/ -type f -exec sed -i "/Defaults targetpw/d" {} \;
fi
if grep -x '^Defaults rootpw$' /etc/sudoers; then
    sed -i "/Defaults rootpw/d" /etc/sudoers \;
fi
if grep -x '^Defaults rootpw$' /etc/sudoers.d/*; then
    find /etc/sudoers.d/ -type f -exec sed -i "/Defaults rootpw/d" {} \;
fi
if grep -x '^Defaults runaspw$' /etc/sudoers; then
    sed -i "/Defaults runaspw/d" /etc/sudoers \;
fi
if grep -x '^Defaults runaspw$' /etc/sudoers.d/*; then
    find /etc/sudoers.d/ -type f -exec sed -i "/Defaults runaspw/d" {} \;
fi

if [ -e "/etc/sudoers" ] ; then
    
    LC_ALL=C sed -i "/Defaults !targetpw/d" "/etc/sudoers"
else
    touch "/etc/sudoers"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/sudoers"

cp "/etc/sudoers" "/etc/sudoers.bak"
# Insert at the end of the file
printf '%s\n' "Defaults !targetpw" >> "/etc/sudoers"
# Clean up after ourselves.
rm "/etc/sudoers.bak"
if [ -e "/etc/sudoers" ] ; then
    
    LC_ALL=C sed -i "/Defaults !rootpw/d" "/etc/sudoers"
else
    touch "/etc/sudoers"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/sudoers"

cp "/etc/sudoers" "/etc/sudoers.bak"
# Insert at the end of the file
printf '%s\n' "Defaults !rootpw" >> "/etc/sudoers"
# Clean up after ourselves.
rm "/etc/sudoers.bak"
if [ -e "/etc/sudoers" ] ; then
    
    LC_ALL=C sed -i "/Defaults !runaspw/d" "/etc/sudoers"
else
    touch "/etc/sudoers"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/sudoers"

cp "/etc/sudoers" "/etc/sudoers.bak"
# Insert at the end of the file
printf '%s\n' "Defaults !runaspw" >> "/etc/sudoers"
# Clean up after ourselves.
rm "/etc/sudoers.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-95043-6
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudoers_validate_passwd

- name: Find out if /etc/sudoers.d/* files contain Defaults targetpw to be deduplicated
  ansible.builtin.find:
    path: /etc/sudoers.d
    patterns: '*'
    contains: ^Defaults targetpw$
  register: sudoers_d_defaults
  when:
  - ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  - '"sudo" in ansible_facts.packages'
  tags:
  - CCE-95043-6
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudoers_validate_passwd

- name: Remove found occurrences of Defaults targetpw from /etc/sudoers.d/* files
  ansible.builtin.lineinfile:
    path: '{{ item.path }}'
    regexp: ^Defaults targetpw$
    state: absent
  with_items: '{{ sudoers_d_defaults.files }}'
  when:
  - ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  - '"sudo" in ansible_facts.packages'
  tags:
  - CCE-95043-6
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudoers_validate_passwd

- name: Find out if /etc/sudoers.d/* files contain Defaults rootpw to be deduplicated
  ansible.builtin.find:
    path: /etc/sudoers.d
    patterns: '*'
    contains: ^Defaults rootpw$
  register: sudoers_d_defaults
  when:
  - ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  - '"sudo" in ansible_facts.packages'
  tags:
  - CCE-95043-6
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudoers_validate_passwd

- name: Remove found occurrences of Defaults rootpw from /etc/sudoers.d/* files
  ansible.builtin.lineinfile:
    path: '{{ item.path }}'
    regexp: ^Defaults rootpw$
    state: absent
  with_items: '{{ sudoers_d_defaults.files }}'
  when:
  - ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  - '"sudo" in ansible_facts.packages'
  tags:
  - CCE-95043-6
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudoers_validate_passwd

- name: Find out if /etc/sudoers.d/* files contain Defaults runaspw to be deduplicated
  ansible.builtin.find:
    path: /etc/sudoers.d
    patterns: '*'
    contains: ^Defaults runaspw$
  register: sudoers_d_defaults
  when:
  - ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  - '"sudo" in ansible_facts.packages'
  tags:
  - CCE-95043-6
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudoers_validate_passwd

- name: Remove found occurrences of Defaults runaspw from /etc/sudoers.d/* files
  ansible.builtin.lineinfile:
    path: '{{ item.path }}'
    regexp: ^Defaults runaspw$
    state: absent
  with_items: '{{ sudoers_d_defaults.files }}'
  when:
  - ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  - '"sudo" in ansible_facts.packages'
  tags:
  - CCE-95043-6
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudoers_validate_passwd

- name: Remove any occurrences of Defaults targetpw in /etc/sudoers
  ansible.builtin.lineinfile:
    path: /etc/sudoers
    regexp: ^Defaults targetpw$
    validate: /usr/sbin/visudo -cf %s
    state: absent
  register: sudoers_file_defaults
  when:
  - ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  - '"sudo" in ansible_facts.packages'
  tags:
  - CCE-95043-6
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudoers_validate_passwd

- name: Remove any occurrences of Defaults rootpw in /etc/sudoers
  ansible.builtin.lineinfile:
    path: /etc/sudoers
    regexp: ^Defaults rootpw$
    validate: /usr/sbin/visudo -cf %s
    state: absent
  register: sudoers_file_defaults
  when:
  - ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  - '"sudo" in ansible_facts.packages'
  tags:
  - CCE-95043-6
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudoers_validate_passwd

- name: Remove any occurrences of Defaults runaspw in /etc/sudoers
  ansible.builtin.lineinfile:
    path: /etc/sudoers
    regexp: ^Defaults runaspw$
    validate: /usr/sbin/visudo -cf %s
    state: absent
  register: sudoers_file_defaults
  when:
  - ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  - '"sudo" in ansible_facts.packages'
  tags:
  - CCE-95043-6
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudoers_validate_passwd

- name: Check for duplicate values
  ansible.builtin.lineinfile:
    path: /etc/sudoers
    create: false
    regexp: ^Defaults !targetpw$
    state: absent
  check_mode: true
  changed_when: false
  register: dupes
  when:
  - ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  - '"sudo" in ansible_facts.packages'
  tags:
  - CCE-95043-6
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudoers_validate_passwd

- name: Deduplicate values from /etc/sudoers
  ansible.builtin.lineinfile:
    path: /etc/sudoers
    create: false
    regexp: ^Defaults !targetpw$
    state: absent
  when:
  - ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  - '"sudo" in ansible_facts.packages'
  - dupes.found is defined and dupes.found > 1
  tags:
  - CCE-95043-6
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudoers_validate_passwd

- name: Insert correct line into /etc/sudoers
  ansible.builtin.lineinfile:
    path: /etc/sudoers
    create: false
    regexp: ^Defaults !targetpw$
    line: Defaults !targetpw
    state: present
  when:
  - ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  - '"sudo" in ansible_facts.packages'
  tags:
  - CCE-95043-6
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudoers_validate_passwd

- name: Check for duplicate values
  ansible.builtin.lineinfile:
    path: /etc/sudoers
    create: false
    regexp: ^Defaults !rootpw$
    state: absent
  check_mode: true
  changed_when: false
  register: dupes
  when:
  - ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  - '"sudo" in ansible_facts.packages'
  tags:
  - CCE-95043-6
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudoers_validate_passwd

- name: Deduplicate values from /etc/sudoers
  ansible.builtin.lineinfile:
    path: /etc/sudoers
    create: false
    regexp: ^Defaults !rootpw$
    state: absent
  when:
  - ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  - '"sudo" in ansible_facts.packages'
  - dupes.found is defined and dupes.found > 1
  tags:
  - CCE-95043-6
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudoers_validate_passwd

- name: Insert correct line into /etc/sudoers
  ansible.builtin.lineinfile:
    path: /etc/sudoers
    create: false
    regexp: ^Defaults !rootpw$
    line: Defaults !rootpw
    state: present
  when:
  - ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  - '"sudo" in ansible_facts.packages'
  tags:
  - CCE-95043-6
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudoers_validate_passwd

- name: Check for duplicate values
  ansible.builtin.lineinfile:
    path: /etc/sudoers
    create: false
    regexp: ^Defaults !runaspw$
    state: absent
  check_mode: true
  changed_when: false
  register: dupes
  when:
  - ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  - '"sudo" in ansible_facts.packages'
  tags:
  - CCE-95043-6
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudoers_validate_passwd

- name: Deduplicate values from /etc/sudoers
  ansible.builtin.lineinfile:
    path: /etc/sudoers
    create: false
    regexp: ^Defaults !runaspw$
    state: absent
  when:
  - ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  - '"sudo" in ansible_facts.packages'
  - dupes.found is defined and dupes.found > 1
  tags:
  - CCE-95043-6
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudoers_validate_passwd

- name: Insert correct line into /etc/sudoers
  ansible.builtin.lineinfile:
    path: /etc/sudoers
    create: false
    regexp: ^Defaults !runaspw$
    line: Defaults !runaspw
    state: present
  when:
  - ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  - '"sudo" in ansible_facts.packages'
  tags:
  - CCE-95043-6
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudoers_validate_passwd

Ensure gpgcheck Enabled In Main zypper Configuration

Rule ID	xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-ensure_gpgcheck_globally_activated:def:1
Time	2026-04-19T11:29:25+00:00
Severity	high
Identifiers and References	Identifiers: CCE-94715-0 References: 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, R59, 1493, 6.3.3, 6.3
Description	The `gpgcheck` option controls whether RPM packages' signatures are always checked prior to installation. To configure zypper to check package signatures before installing them, ensure the following line appears in `/etc/zypp/zypp.conf` in the `[main]` section: gpgcheck=1
Rationale	Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).

Ensure Software Patches Installed

Rule ID	xccdf_org.ssgproject.content_rule_security_patches_up_to_date
Result	notchecked
Multi-check rule	yes
OVAL Definition ID
Time	2026-04-19T11:29:25+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95036-0 References: 18, 20, 4, 5.10.4.1, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, SI-2(5), SI-2(c), CM-6(a), ID.RA-1, PR.IP-12, FMT_MOF_EXT.1, Req-6.2, SRG-OS-000480-GPOS-00227, R61, 1409, 6.3.3, 6.3
Description	If the system is configured for online updates, invoking the following command will list available security updates: $ sudo zypper refresh && sudo zypper list-patches -g security NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates.
Rationale	Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.
Warnings	warning The OVAL feed of SUSE Linux Enterprise Micro 6 is not a XML file, which may not be understood by all scanners.
Evaluation messages info None of the check-content-ref elements was resolvable.

Modify the System Login Banner

Rule ID	xccdf_org.ssgproject.content_rule_banner_etc_issue
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-banner_etc_issue:def:1
Time	2026-04-19T11:29:25+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94665-7 References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), PR.AC-7, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088
Description	To configure the system login banner edit `/etc/issue`. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. OR: `I've read & consent to terms in IS user agreem't.`
Rationale	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.

Limit Password Reuse

Rule ID	xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_password_pam_pwhistory_remember:def:1
Time	2026-04-19T11:29:25+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94641-8 References: SRG-OS-000077-GPOS-00045
Description	Do not allow users to reuse recent passwords. This can be accomplished by using the `remember` option for the `pam_pwhistory` PAM modules. In the file `/etc/pam.d/common-password`, make sure the parameters `remember` and `use_authtok` are present, and that the value for the `remember` parameter is 5 or greater. For example: password requisite pam_pwhistory.so ...existing_options... remember=5 use_authtok The profile requirement is 5 passwords.
Rationale	Preventing reuse of previous passwords helps ensure that a compromised password is not reused by a user.

Enforce Delay After Failed Logon Attempts

Rule ID	xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faildelay_delay
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_passwords_pam_faildelay_delay:def:1
Time	2026-04-19T11:29:25+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94742-4 References: SRG-OS-000480-GPOS-00226
Description	To configure the system to introduce a delay after failed logon attempts, add or correct the `pam_faildelay` settings in `/etc/pam.d/common-auth` to make sure its `delay` parameter is at least 4000000 or greater. For example: auth required pam_faildelay.so delay=4000000
Rationale	Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.

Set Password Hashing Algorithm in /usr/etc/login.defs

Rule ID	xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-set_password_hashing_algorithm_logindefs:def:1
Time	2026-04-19T11:29:25+00:00
Severity	medium
Identifiers and References	References: 1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(c), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, SRG-OS-000073-GPOS-00041, 0418, 1055, 1402, 8.3.2, 8.3
Description	In `/usr/etc/login.defs`, add or update the following line to ensure the system will use SHA512 as the hashing algorithm: ENCRYPT_METHOD SHA512
Rationale	Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. Using a stronger hashing algorithm makes password cracking attacks more difficult.

Set PAM Password Hashing Algorithm - system-auth

Rule ID	xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-set_password_hashing_algorithm_systemauth:def:1
Time	2026-04-19T11:29:25+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94659-0 References: 1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(c), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061, R68, 0418, 1055, 1402, 8.3.2, 8.3
Description	The PAM system service can be configured to only store encrypted representations of passwords. In "/etc/pam.d/common-password", the `password` section of the file controls which PAM modules to execute during a password change. Set the `pam_unix.so` module in the `password` section to include the option `sha512` and no other hashing algorithms as shown below: password required pam_unix.so sha512 other arguments... This will help ensure that new passwords for local users will be stored using the sha512 algorithm.
Rationale	Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the `crypt_style` configuration option in `/etc/libuser.conf` ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.
Warnings	warning The hashing algorithms to be used with pam_unix.so are defined with independent module options. There are at least 7 possible algorithms and likely more algorithms will be introduced along the time. Due the the number of options and its possible combinations, the use of multiple hashing algorithm options may bring unexpected behaviors to the system. For this reason the check will pass only when one hashing algorithm option is defined and is aligned to the "var_password_hashing_algorithm_pam" variable. The remediation will ensure the correct option and remove any other extra hashing algorithm option.

Set Password Hashing Rounds in /usr/etc/login.defs

Rule ID	xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-set_password_hashing_min_rounds_logindefs:def:1
Time	2026-04-19T11:29:25+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94660-8 References: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061
Description	In `/usr/etc/login.defs`, ensure `SHA_CRYPT_MIN_ROUNDS` and `SHA_CRYPT_MAX_ROUNDS` has the minimum value of `5000`. For example: SHA_CRYPT_MIN_ROUNDS 5000 SHA_CRYPT_MAX_ROUNDS 5000 Notice that if neither are set, they already have the default value of 5000. If either is set, they must have the minimum value of 5000.
Rationale	Passwords need to be protected at all times, and hashing is the standard method for protecting passwords. If passwords are not hashed, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are hashed with a weak algorithm are no more protected than if they are kept in plain text. Using more hashing rounds makes password cracking attacks more difficult.

Check that vlock is installed to allow session locking

Rule ID	xccdf_org.ssgproject.content_rule_vlock_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-vlock_installed:def:1
Time	2026-04-19T11:29:25+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94630-1 References: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011
Description	The SUSE Linux Enterprise Micro 6 operating system must have vlock installed to allow for session locking. The `kbd` package can be installed with the following command: $ sudo zypper install kbd
Rationale	A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system.

Enable Smart Card Logins in PAM

Rule ID	xccdf_org.ssgproject.content_rule_smartcard_pam_enabled
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-smartcard_pam_enabled:def:1
Time	2026-04-19T11:29:25+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94658-2 References: SRG-OS-000068-GPOS-00036, SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162
Description	This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). Check that the `pam_pkcs11.so` option is configured in the `etc/pam.d/common-auth` file with the following command: # grep pam_pkcs11.so /etc/pam.d/common-auth auth sufficient pam_pkcs11.so For general information about enabling smart card authentication, consult the documentation at: https://www.suse.com/c/configuring-smart-card-authentication-suse-linux-enterprise/
Rationale	Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials. Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards or similar secure authentication devices issued by an organization or identity provider.

Disable Ctrl-Alt-Del Reboot Activation

Rule ID	xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-disable_ctrlaltdel_reboot:def:1
Time	2026-04-19T11:29:25+00:00
Severity	high
Identifiers and References	Identifiers: CCE-95054-3 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, FAU_GEN.1.2, SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227
Description	By default, `SystemD` will reboot the system if the `Ctrl-Alt-Del` key sequence is pressed. To configure the system to ignore the `Ctrl-Alt-Del` key sequence from the command line instead of rebooting the system, do either of the following: ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target or systemctl mask ctrl-alt-del.target Do not simply delete the `/usr/lib/systemd/system/ctrl-alt-del.service` file, as this file may be restored during future system updates.
Rationale	A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.

Set Account Expiration Following Inactivity

Rule ID	xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-account_disable_post_pw_expiration:def:1
Time	2026-04-19T11:29:25+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94675-6 References: 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.6.2.1.1, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.6, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, IA-4(e), AC-2(3), CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, Req-8.1.4, SRG-OS-000118-GPOS-00060, 8.2.6, 8.2
Description	To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following line in `/etc/default/useradd`: INACTIVE=35 If a password is currently on the verge of expiration, then `35` day(s) remain(s) until the account is automatically disabled. However, if the password will not expire for another 60 days, then 60 days plus `35` day(s) could elapse until the account would be automatically disabled. See the `useradd` man page for more information.
Rationale	Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.

Never Automatically Remove or Disable Emergency Administrator Accounts

Rule ID	xccdf_org.ssgproject.content_rule_account_emergency_admin
Result	notchecked
Multi-check rule	no
Time	2026-04-19T11:29:25+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94677-2 References: SRG-OS-000123-GPOS-00064
Description	Emergency accounts are privileged accounts that are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. Check to see if an emergency administrator account password or account expires with the following command: # sudo chage -l [Emergency_Administrator] Password expires:never If `Password expires` or `Account expires` is set to anything other than `never`, this is a finding.
Rationale	Emergency accounts are different from infrequently used accounts (i.e., local logon accounts used by the organization's system administrators when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. A permanent account should be established for privileged users who need long-term maintenance accounts. To address access requirements the SUSE operating system can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.
Evaluation messages info No candidate or applicable check found.

Assign Expiration Date to Temporary Accounts

Rule ID	xccdf_org.ssgproject.content_rule_account_temp_expire_date
Result	notchecked
Multi-check rule	no
Time	2026-04-19T11:29:25+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94678-0 References: 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS06.03, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-2(2), AC-2(3), CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, SRG-OS-000123-GPOS-00064, SRG-OS-000002-GPOS-00002
Description	Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts. In the event temporary accounts are required, configure the system to terminate them after a documented time period. For every temporary account, run the following command to set an expiration date on it, substituting `USER` and `YYYY-MM-DD` appropriately: $ sudo chage -E YYYY-MM-DD USER `YYYY-MM-DD` indicates the documented expiration date for the account. For U.S. Government systems, the operating system must be configured to automatically terminate these types of accounts after a period of 72 hours.
Rationale	If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.
Evaluation messages info No candidate or applicable check found.

Set Password Maximum Age

Rule ID	xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_maximum_age_login_defs:def:1
Time	2026-04-19T11:29:25+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94670-7 References: 1, 12, 15, 16, 5, 5.6.2.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.6, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(d), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.4, SRG-OS-000076-GPOS-00044, 0418, 1055, 1402, 8.3.9, 8.3
Description	To specify password maximum age for new accounts, edit the file `/usr/etc/login.defs` and add or correct the following line: PASS_MAX_DAYS 60 The profile requirement is `60`.
Rationale	Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.

Set Password Minimum Age

Rule ID	xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_minimum_age_login_defs:def:1
Time	2026-04-19T11:29:25+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94669-9 References: 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(d), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000075-GPOS-00043, 0418, 1055, 1402
Description	To specify password minimum age for new accounts, edit the file `/usr/etc/login.defs` and add or correct the following line: PASS_MIN_DAYS 1 A value of 1 day is considered sufficient for many environments. The profile requirement is `1`.
Rationale	Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.

Set Existing Passwords Maximum Age

Rule ID	xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_password_set_max_life_existing:def:1
Time	2026-04-19T11:29:25+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94662-4 References: IA-5(f), IA-5(1)(d), CM-6(a), SRG-OS-000076-GPOS-00044, 8.3.9, 8.3
Description	Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction by running the following command: $ sudo passwd -x 60 USER
Rationale	Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.

Set Existing Passwords Minimum Age

Rule ID	xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_password_set_min_life_existing:def:1
Time	2026-04-19T11:29:25+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94661-6 References: IA-5(f), IA-5(1)(d), CM-6(a), SRG-OS-000075-GPOS-00043
Description	Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime by running the following command: $ sudo chage -m 1 USER
Rationale	Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.

Verify All Account Password Hashes are Shadowed with SHA512

Rule ID	xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed_sha512
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_password_all_shadowed_sha512:def:1
Time	2026-04-19T11:29:25+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94676-4 References: IA-5(1)(c), IA-5(1).1(v), IA-7, IA-7.1, SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061
Description	Verify the operating system requires the shadow password suite configuration be set to encrypt interactive user passwords using a strong cryptographic hash. Check that the interactive user account passwords are using a strong password hash with the following command: $ sudo cut -d: -f2 /etc/shadow $6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/ Password hashes `!` or `*` indicate inactive accounts not available for logon and are not evaluated. If any interactive user password hash does not begin with `$6`, this is a finding.
Rationale	Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.

Prevent Login to Accounts With Empty Password

Rule ID	xccdf_org.ssgproject.content_rule_no_empty_passwords
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-no_empty_passwords:def:1
Time	2026-04-19T11:29:25+00:00
Severity	high
Identifiers and References	Identifiers: CCE-95047-7 References: 1, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2, APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10, 3.1.1, 3.1.5, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-5(1)(a), IA-5(c), CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, FIA_UAU.1, Req-8.2.3, SRG-OS-000480-GPOS-00227, 1546, 8.3.1, 8.3
Description	If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the `nullok` in password authentication configurations in `/etc/pam.d/` to prevent logins with empty passwords.
Rationale	If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
Warnings	warning If the system relies on `authselect` tool to manage PAM settings, the remediation will also use `authselect` tool. However, if any manual modification was made in PAM files, the `authselect` integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report. Note that this rule is not applicable for systems running within a container. Having user with empty password within a container is not considered a risk, because it should not be possible to directly login into a container anyway.

Ensure There Are No Accounts With Blank or Null Passwords

Rule ID	xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-no_empty_passwords_etc_shadow:def:1
Time	2026-04-19T11:29:25+00:00
Severity	high
Identifiers and References	Identifiers: CCE-95046-9 References: CM-6(b), CM-6.1(iv), SRG-OS-000480-GPOS-00227, 2.2.2, 2.2
Description	Check the "/etc/shadow" file for blank passwords with the following command: $ sudo awk -F: '!$2 {print $1}' /etc/shadow If the command returns any results, this is a finding. Configure all accounts on the system to have a password or lock the account with the following commands: Perform a password reset: $ sudo passwd [username] Lock an account: $ sudo passwd -l [username]
Rationale	If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
Warnings	warning Note that this rule is not applicable for systems running within a container. Having user with empty password within a container is not considered a risk, because it should not be possible to directly login into a container anyway.

Verify Only Root Has UID 0

Rule ID	xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_no_uid_except_zero:def:1
Time	2026-04-19T11:29:25+00:00
Severity	high
Identifiers and References	Identifiers: CCE-95041-0 References: 1, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10, 3.1.1, 3.1.5, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-2, AC-6(5), IA-4(b), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, Req-8.5, SRG-OS-000480-GPOS-00227, 1546, 8.2.1, 8.2
Description	If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed. If the account is associated with system commands or applications the UID should be changed to one greater than "0" but less than "1000." Otherwise assign a UID greater than "1000" that has not already been assigned.
Rationale	An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.

Ensure that System Accounts Do Not Run a Shell Upon Login

Rule ID	xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-no_shelllogin_for_systemaccounts:def:1
Time	2026-04-19T11:29:25+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95039-4 References: 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS06.03, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-6, CM-6(a), CM-6(b), CM-6.1(iv), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, SRG-OS-000480-GPOS-00227, 1491, 8.2.2, 8.2
Description	Some accounts are not associated with a human user of the system, and exist to perform some administrative functions. Should an attacker be able to log into these accounts, they should not be granted access to a shell. The login shell for each local account is stored in the last field of each line in `/etc/passwd`. System accounts are those user accounts with a user ID less than `1000`. The user ID is stored in the third field. If any system account other than `root` has a login shell, disable it with the command: $ sudo usermod -s /sbin/nologin account
Rationale	Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts.
Warnings	warning Do not perform the steps in this section on the root account. Doing so might cause the system to become inaccessible.

Ensure All Accounts on the System Have Unique User IDs

Rule ID	xccdf_org.ssgproject.content_rule_account_unique_id
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-account_unique_id:def:1
Time	2026-04-19T11:29:25+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94673-1 References: Req-8.1.1, SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062, 8.2.1, 8.2
Description	Change user IDs (UIDs), or delete accounts, so each has a unique name.
Rationale	To assure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system.
Warnings	warning Automatic remediation of this control is not available due to unique requirements of each system.

Ensure the Default Umask is Set Correctly in login.defs

Rule ID	xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_umask_etc_login_defs:def:1
Time	2026-04-19T11:29:26+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95089-9 References: 11, 18, 3, 9, APO13.01, BAI03.01, BAI03.02, BAI03.03, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.1.1, A.14.2.1, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.5, A.6.1.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6(1), CM-6(a), PR.IP-1, PR.IP-2, SRG-OS-000480-GPOS-00228, R36
Description	To ensure the default umask controlled by `/usr/etc/login.defs` is set properly, add or correct the `UMASK` setting in `/usr/etc/login.defs` to read as follows: UMASK 027
Rationale	The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and written to by unauthorized users.

Ensure Home Directories are Created for New Users

Rule ID	xccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_have_homedir_login_defs:def:1
Time	2026-04-19T11:29:25+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95044-4 References: SRG-OS-000480-GPOS-00227
Description	All local interactive user accounts, upon creation, should be assigned a home directory. Configure the operating system to assign home directories to all new local interactive users by setting the `CREATE_HOME` parameter in `/usr/etc/login.defs` to `yes` as follows: CREATE_HOME yes
Rationale	If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.

Ensure the Logon Failure Delay is Set Correctly in login.defs

Rule ID	xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_logon_fail_delay:def:1
Time	2026-04-19T11:29:25+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95034-5 References: 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-7(b), CM-6(a), PR.IP-1, SRG-OS-000480-GPOS-00226
Description	To ensure the logon failure delay controlled by `/usr/etc/login.defs` is set properly, add or correct the `FAIL_DELAY` setting in `/usr/etc/login.defs` to read as follows: FAIL_DELAY 5
Rationale	Increasing the time between a failed authentication attempt and re-prompting to enter credentials helps to slow a single-threaded brute force attack.

Limit the Number of Concurrent Login Sessions Allowed Per User

Rule ID	xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_max_concurrent_login_sessions:def:1
Time	2026-04-19T11:29:25+00:00
Severity	low
Identifiers and References	Identifiers: CCE-94644-2 References: 14, 15, 18, 9, 5.5.2.2, DSS01.05, DSS05.02, 4.3.3.4, SR 3.1, SR 3.8, A.13.1.1, A.13.1.3, A.13.2.1, A.14.1.2, A.14.1.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, AC-10, CM-6(a), PR.AC-5, SRG-OS-000027-GPOS-00008
Description	Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. To set the number of concurrent sessions per user add the following line in `/etc/security/limits.conf` or a file under `/etc/security/limits.d/`: * hard maxlogins 10
Rationale	Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions.

Set Interactive Session Timeout

Rule ID	xccdf_org.ssgproject.content_rule_accounts_tmout
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_tmout:def:1
Time	2026-04-19T11:29:25+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94645-9 References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.11, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-12, SC-10, AC-2(5), CM-6(a), PR.AC-7, SRG-OS-000163-GPOS-00072, SRG-OS-000029-GPOS-00010, R32, 8.6.1, 8.6
Description	Setting the `TMOUT` option in `/etc/profile` ensures that all user sessions will terminate based on inactivity. A value of `0` (zero) disables the automatic logout feature and is therefore not a compliant setting. The value of TMOUT should be a positive integer, exported, and read only. The `TMOUT` setting in `/etc/profile.d/autologout.sh` should read as follows: TMOUT=900 readonly TMOUT export TMOUT
Rationale	Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.

User Initialization Files Must Not Run World-Writable Programs

Rule ID	xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_user_dot_no_world_writable_programs:def:1
Time	2026-04-19T11:29:26+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95061-8 References: SRG-OS-000480-GPOS-00227
Description	Set the mode on files being executed by the user initialization files with the following command: $ sudo chmod o-w FILE
Rationale	If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.

Ensure that Users Path Contains Only Local Directories

Rule ID	xccdf_org.ssgproject.content_rule_accounts_user_home_paths_only
Result	notchecked
Multi-check rule	no
Time	2026-04-19T11:29:26+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95060-0 References: SRG-OS-000480-GPOS-00227
Description	Ensure that all interactive user initialization files executable search path statements do not contain statements that will reference a working directory other than the users home directory.
Rationale	The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the users home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO).
Evaluation messages info No candidate or applicable check found.

All Interactive Users Must Have A Home Directory Defined

Rule ID	xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_user_interactive_home_directory_defined:def:1
Time	2026-04-19T11:29:26+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95055-0 References: SRG-OS-000480-GPOS-00227
Description	Assign home directories to all interactive users that currently do not have a home directory assigned. This rule checks if the home directory is properly defined in a folder which has at least one parent folder, like "user" in "/home/user" or "/remote/users/user". Therefore, this rule will report a finding for home directories like `/users`, `/tmp` or `/`.
Rationale	If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.

All Interactive Users Home Directories Must Exist

Rule ID	xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_user_interactive_home_directory_exists:def:1
Time	2026-04-19T11:29:26+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95056-8 References: SRG-OS-000480-GPOS-00227
Description	Create home directories to all local interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in `/etc/passwd`: $ sudo mkdir /home/USER
Rationale	If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.

All Interactive User Home Directories Must Be Group-Owned By The Primary Group

Rule ID	xccdf_org.ssgproject.content_rule_file_groupownership_home_directories
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_groupownership_home_directories:def:1
Time	2026-04-19T11:29:26+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95058-4 References: SRG-OS-000480-GPOS-00227
Description	Change the group owner of interactive users home directory to the group found in `/etc/passwd`. To change the group owner of interactive users home directory, use the following command: $ sudo chgrp USER_GROUP /home/USER This rule ensures every home directory related to an interactive user is group-owned by an interactive user. It also ensures that interactive users are group-owners of one and only one home directory.
Rationale	If the Group Identifier (GID) of a local interactive users home directory is not the same as the primary GID of the user, this would allow unauthorized access to the users files, and users that share the same group may not be able to access files that they legitimately should.
Warnings	warning Due to OVAL limitation, this rule can report a false negative in a specific situation where two interactive users swap the group-ownership of their respective home directories.

Ensure All User Initialization Files Have Mode 0740 Or Less Permissive

Rule ID	xccdf_org.ssgproject.content_rule_file_permission_user_init_files
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permission_user_init_files:def:1
Time	2026-04-19T11:29:26+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95059-2 References: SRG-OS-000480-GPOS-00227, R50
Description	Set the mode of the user initialization files to `0740` with the following command: $ sudo chmod 0740 /home/USER/.INIT_FILE
Rationale	Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.

All Interactive User Home Directories Must Have mode 0750 Or Less Permissive

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_home_directories
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_home_directories:def:1
Time	2026-04-19T11:29:26+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95057-6 References: SRG-OS-000480-GPOS-00227
Description	Change the mode of interactive users home directories to `0750`. To change the mode of interactive users home directory, use the following command: $ sudo chmod 0750 /home/USER
Rationale	Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.

Enable systemd-journal-upload Service

Rule ID	xccdf_org.ssgproject.content_rule_service_systemd-journal-upload_enabled
Result	notapplicable
Multi-check rule	no
Time	2026-04-19T11:29:26+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94735-8 References: SRG-OS-000479-GPOS-00224
Description	The `systemd-journal-upload` service is part of the `systemd-journal-remote` package and enables centralized logging by uploading local systemd journal entries to a remote log server via HTTPS. This service acts as a client that pushes journal data to a remote host running the `systemd-journal-remote` receiver service. The `systemd-journal-upload` service can be enabled with the following command: $ sudo systemctl enable systemd-journal-upload.service
Rationale	Centralized logging through `systemd-journal-upload` is essential for security monitoring, incident response, and compliance requirements. Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data stored locally to hide their activities. Remote logging ensures that audit trails remain intact even if the local system is compromised. Additionally, centralized logs facilitate correlation of events across multiple systems, enabling better detection of distributed attacks and security incidents.
Warnings	warning The `systemd-journal-upload` service will fail to start if the remote server URL is not configured. Edit `/etc/systemd/journal-upload.conf` to configure the remote server URL.

Verify firewalld Enabled

Rule ID	xccdf_org.ssgproject.content_rule_service_firewalld_enabled
Result	notapplicable
Multi-check rule	no
Time	2026-04-19T11:29:26+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94672-3 References: 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.3, 3.4.7, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CIP-003-8 R4, CIP-003-8 R5, CIP-004-6 R3, AC-4, CM-7(b), CA-3(5), SC-7(21), CM-6(a), PR.IP-1, FMT_SMF_EXT.1, SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00231, SRG-OS-000480-GPOS-00232, SYS.1.6.A5, SYS.1.6.A21, 1409, 1.2.1, 1.2
Description	The `firewalld` service can be enabled with the following command: $ sudo systemctl enable firewalld.service
Rationale	Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols.

Disable Accepting ICMP Redirects for All IPv6 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv6_conf_all_accept_redirects:def:1
Time	2026-04-19T11:29:26+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95079-0 References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, R13
Description	To set the runtime status of the `net.ipv6.conf.all.accept_redirects` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.all.accept_redirects = 0
Rationale	An illicit ICMP redirect message could result in a man-in-the-middle attack.

Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv6_conf_all_accept_source_route:def:1
Time	2026-04-19T11:29:26+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95074-1 References: 1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9, APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227, R13
Description	To set the runtime status of the `net.ipv6.conf.all.accept_source_route` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.all.accept_source_route = 0
Rationale	Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Disable Kernel Parameter for IPv6 Forwarding

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv6_conf_all_forwarding:def:1
Time	2026-04-19T11:29:26+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95084-0 References: 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227
Description	To set the runtime status of the `net.ipv6.conf.all.forwarding` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.forwarding=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.all.forwarding = 0
Rationale	IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.

Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv6_conf_default_accept_redirects:def:1
Time	2026-04-19T11:29:27+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95080-8 References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, R13
Description	To set the runtime status of the `net.ipv6.conf.default.accept_redirects` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.default.accept_redirects = 0
Rationale	An illicit ICMP redirect message could result in a man-in-the-middle attack.

Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv6_conf_default_accept_source_route:def:1
Time	2026-04-19T11:29:27+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95076-6 References: 1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9, APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv), DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4, Req-1.4.3, SRG-OS-000480-GPOS-00227, R13, 1.4.2, 1.4
Description	To set the runtime status of the `net.ipv6.conf.default.accept_source_route` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.default.accept_source_route = 0
Rationale	Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Disable Kernel Parameter for IPv6 Forwarding by default

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_forwarding
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv6_conf_default_forwarding:def:1
Time	2026-04-19T11:29:27+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95085-7 References: CM-6(b), CM-6.1(iv), SRG-OS-000480-GPOS-00227
Description	To set the runtime status of the `net.ipv6.conf.default.forwarding` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.forwarding=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.default.forwarding = 0
Rationale	IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.

Disable Accepting ICMP Redirects for All IPv4 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv4_conf_all_accept_redirects:def:1
Time	2026-04-19T11:29:27+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95077-4 References: 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, 5.10.1.1, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, R12
Description	To set the runtime status of the `net.ipv4.conf.all.accept_redirects` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.all.accept_redirects = 0
Rationale	ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required."

Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv4_conf_all_accept_source_route:def:1
Time	2026-04-19T11:29:27+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95073-3 References: 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, R12
Description	To set the runtime status of the `net.ipv4.conf.all.accept_source_route` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.all.accept_source_route = 0
Rationale	Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv4_conf_default_accept_redirects:def:1
Time	2026-04-19T11:29:27+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95078-2 References: 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, Req-1.4.3, SRG-OS-000480-GPOS-00227, R12, 1.4.3, 1.4
Description	To set the runtime status of the `net.ipv4.conf.default.accept_redirects` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.default.accept_redirects = 0
Rationale	ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.

Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv4_conf_default_accept_source_route:def:1
Time	2026-04-19T11:29:27+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95075-8 References: 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, R12
Description	To set the runtime status of the `net.ipv4.conf.default.accept_source_route` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.default.accept_source_route = 0
Rationale	Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router.

Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv4_tcp_syncookies:def:1
Time	2026-04-19T11:29:27+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94684-8 References: 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), SC-5(1), SC-5(2), SC-5(3)(a), CM-6(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4, Req-1.4.1, SRG-OS-000480-GPOS-00227, SRG-OS-000420-GPOS-00186, SRG-OS-000142-GPOS-00071, R12, 1.4.3, 1.4
Description	To set the runtime status of the `net.ipv4.tcp_syncookies` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.tcp_syncookies = 1
Rationale	A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.

Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv4_conf_all_send_redirects:def:1
Time	2026-04-19T11:29:27+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95082-4 References: 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, R12, 1.4.5, 1.4
Description	To set the runtime status of the `net.ipv4.conf.all.send_redirects` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.send_redirects=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.all.send_redirects = 0
Rationale	ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. The ability to send ICMP redirects is only appropriate for systems acting as routers.

Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv4_conf_default_send_redirects:def:1
Time	2026-04-19T11:29:27+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95081-6 References: 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, R12, 1.4.5, 1.4
Description	To set the runtime status of the `net.ipv4.conf.default.send_redirects` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.send_redirects=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.default.send_redirects = 0
Rationale	ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. The ability to send ICMP redirects is only appropriate for systems acting as routers.

Deactivate Wireless Network Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_wireless_disable_interfaces
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-wireless_disable_interfaces:def:1
Time	2026-04-19T11:29:27+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94703-6 References: 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 3.1.16, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, Req-1.3.3, SRG-OS-000299-GPOS-00117, SRG-OS-000300-GPOS-00118, SRG-OS-000424-GPOS-00188, SRG-OS-000481-GPOS-00481, 1315, 1319, 1.3.3, 1.3
Description	Deactivating wireless network interfaces should prevent normal usage of the wireless capability. Configure the system to disable all wireless network interfaces with the following command: $ sudo nmcli radio all off
Rationale	The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.

Ensure System is Not Acting as a Network Sniffer

Rule ID	xccdf_org.ssgproject.content_rule_network_sniffer_disabled
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-network_sniffer_disabled:def:1
Time	2026-04-19T11:29:26+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95086-5 References: 1, 11, 14, 3, 9, APO11.06, APO12.06, BAI03.10, BAI09.01, BAI09.02, BAI09.03, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.05, DSS04.05, DSS05.02, DSS05.05, DSS06.06, 4.2.3.4, 4.3.3.3.7, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, SR 7.8, A.11.1.2, A.11.2.4, A.11.2.5, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.16.1.6, A.8.1.1, A.8.1.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), CM-7(2), MA-3, DE.DP-5, ID.AM-1, PR.IP-1, PR.MA-1, PR.PT-3, SRG-OS-000480-GPOS-00227, 1409, 1.4.5, 1.4
Description	The system should not be acting as a network sniffer, which can capture all traffic on the network to which it is connected. Run the following to determine if any interface is running in promiscuous mode: $ ip link \| grep PROMISC Promiscuous mode of an interface can be disabled with the following command: $ sudo ip link set dev `device_name` multicast off promisc off
Rationale	Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems. If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information Systems Security Manager (ISSM) and restricted to only authorized personnel.

Verify Permissions and Ownership of Old Passwords File

Rule ID	xccdf_org.ssgproject.content_rule_file_etc_security_opasswd
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_etc_security_opasswd:def:1
Time	2026-04-19T11:29:36+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94663-2 References: SRG-OS-000077-GPOS-00045
Description	To properly set the owner of `/etc/security/opasswd`, run the command: $ sudo chown root /etc/security/opasswd To properly set the group owner of `/etc/security/opasswd`, run the command: $ sudo chgrp root /etc/security/opasswd To properly set the permissions of `/etc/security/opasswd`, run the command: $ sudo chmod 0600 /etc/security/opasswd
Rationale	The `/etc/security/opasswd` file stores old passwords to prevent password reuse. Protection of this file is critical for system security.

Verify that Shared Library Directories Have Root Group Ownership

Rule ID	xccdf_org.ssgproject.content_rule_dir_group_ownership_library_dirs
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-dir_group_ownership_library_dirs:def:1
Time	2026-04-19T11:29:36+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94695-4 References: CM-5(6), CM-5(6).1, SRG-OS-000259-GPOS-00100
Description	System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 Kernel modules, which can be added to the kernel during runtime, are also stored in `/lib/modules`. All files in these directories should be group-owned by the `root` user. If the directories, is found to be owned by a user other than root correct its ownership with the following command: $ sudo chgrp root DIR
Rationale	Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership of library directories is necessary to protect the integrity of the system.

Verify that Shared Library Directories Have Root Ownership

Rule ID	xccdf_org.ssgproject.content_rule_dir_ownership_library_dirs
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-dir_ownership_library_dirs:def:1
Time	2026-04-19T11:29:37+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94693-9 References: CM-5(6), CM-5(6).1, SRG-OS-000259-GPOS-00100
Description	System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 Kernel modules, which can be added to the kernel during runtime, are also stored in `/lib/modules`. All files in these directories should be owned by the `root` user. If the directories, is found to be owned by a user other than root correct its ownership with the following command: $ sudo chown root DIR
Rationale	Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership of library directories is necessary to protect the integrity of the system.

Verify that System Executable Directories Have Restrictive Permissions

Rule ID	xccdf_org.ssgproject.content_rule_dir_permissions_binary_dirs
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-dir_permissions_binary_dirs:def:1
Time	2026-04-19T11:29:37+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95100-4 References: SRG-OS-000258-GPOS-00099
Description	System executables are stored in the following directories by default: /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin These directories should not be group-writable or world-writable. If any directory DIR in these directories is found to be group-writable or world-writable, correct its permission with the following command: $ sudo chmod go-w DIR
Rationale	System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.

Verify that Shared Library Directories Have Restrictive Permissions

Rule ID	xccdf_org.ssgproject.content_rule_dir_permissions_library_dirs
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-dir_permissions_library_dirs:def:1
Time	2026-04-19T11:29:38+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94691-3 References: CIP-003-8 R6, CM-5, CM-5(6), CM-5(6).1, SRG-OS-000259-GPOS-00100
Description	System-wide shared library directories, which contain are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 Kernel modules, which can be added to the kernel during runtime, are stored in `/lib/modules`. All sub-directories in these directories should not be group-writable or world-writable. If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command: $ sudo chmod go-w DIR
Rationale	If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Verify that system commands files are group owned by root or a system account

Rule ID	xccdf_org.ssgproject.content_rule_file_groupownership_system_commands_dirs
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_groupownership_system_commands_dirs:def:1
Time	2026-04-19T11:29:38+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94699-6 References: CM-5(6), CM-5(6).1, SRG-OS-000259-GPOS-00100, R50
Description	System commands files are stored in the following directories by default: /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin All files in these directories should be owned by the `root` group, or a system account. If the directory, or any file in these directories, is found to be owned by a group other than root or a a system account correct its ownership with the following command: $ sudo chgrp root FILE
Rationale	If the operating system allows any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Verify that System Executables Have Root Ownership

Rule ID	xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_ownership_binary_dirs:def:1
Time	2026-04-19T11:29:38+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94697-0 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-5(6), CM-5(6).1, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000259-GPOS-00100, R50, 1409
Description	System executables are stored in the following directories by default: /bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbin All files in these directories should be owned by the `root` user. If any file FILE in these directories is found to be owned by a user other than root, correct its ownership with the following command: $ sudo chown root FILE
Rationale	System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted.

Verify that Shared Library Files Have Root Ownership

Rule ID	xccdf_org.ssgproject.content_rule_file_ownership_library_dirs
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_ownership_library_dirs:def:1
Time	2026-04-19T11:29:40+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94692-1 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-5(6), CM-5(6).1, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000259-GPOS-00100, 1409
Description	System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 Kernel modules, which can be added to the kernel during runtime, are also stored in `/lib/modules`. All files in these directories should be owned by the `root` user. If the directory, or any file in these directories, is found to be owned by a user other than root correct its ownership with the following command: $ sudo chown root FILE
Rationale	Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system.

Verify that System Executables Have Restrictive Permissions

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_binary_dirs:def:1
Time	2026-04-19T11:29:41+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94696-2 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-5(6), CM-5(6).1, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000259-GPOS-00100, R50, 1409
Description	System executables are stored in the following directories by default: /bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbin All files in these directories should not be group-writable or world-writable. If any file FILE in these directories is found to be group-writable or world-writable, correct its permission with the following command: $ sudo chmod go-w FILE
Rationale	System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.

Verify that Shared Library Files Have Restrictive Permissions

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_library_dirs
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_library_dirs:def:1
Time	2026-04-19T11:29:43+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94690-5 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), CM-5(6), CM-5(6).1, AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000259-GPOS-00100, 1409
Description	System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 Kernel modules, which can be added to the kernel during runtime, are stored in `/lib/modules`. All files in these directories should not be group-writable or world-writable. If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command: $ sudo chmod go-w FILE
Rationale	Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system.

Verify the system-wide library files in directories "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root.

Rule ID	xccdf_org.ssgproject.content_rule_root_permissions_syslibrary_files
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-root_permissions_syslibrary_files:def:1
Time	2026-04-19T11:29:46+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94694-7 References: CM-5(6), CM-5(6).1, SRG-OS-000259-GPOS-00100
Description	System-wide library files are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 All system-wide shared library files should be protected from unauthorised access. If any of these files is not group-owned by root, correct its group-owner with the following command: $ sudo chgrp root FILE
Rationale	If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Verify that All World-Writable Directories Have Sticky Bits Set

Rule ID	xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-dir_perms_world_writable_sticky_bits:def:1
Time	2026-04-19T11:29:28+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94682-2 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000138-GPOS-00069, R54, 1409, 2.2.6, 2.2
Description	When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes. To set the sticky bit on a world-writable directory DIR, run the following command: $ sudo chmod +t DIR
Rationale	Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure. The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, by users for temporary file storage (such as `/tmp`), and for directories requiring global read/write access.
Warnings	warning This rule can take a long time to perform the check and might consume a considerable amount of resources depending on the number of directories present on the system. It is not a problem in most cases, but especially systems with a large number of directories can be affected. See `https://access.redhat.com/articles/6999111`. warning Please note that there might be cases where the rule remediation cannot fix directory permissions. This can happen for example when running on a system with some immutable parts. These immutable parts cannot be remediated because they are read-only. Example of such directories can be OStree deployments located at `/sysroot/ostree/deploy`. In such case, it is needed to make modifications to the underlying ostree snapshot and this is out of scope of regular rule remediation.

Ensure All World-Writable Directories Are Group Owned by a System Account

Rule ID	xccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned_group
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-dir_perms_world_writable_system_owned_group:def:1
Time	2026-04-19T11:29:29+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95064-2 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Description	All directories in local partitions which are world-writable should be group owned by root or another system account. If any world-writable directories are not group owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group.
Rationale	Allowing a user account to group own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.

Verify that system commands directories have root as a group owner

Rule ID	xccdf_org.ssgproject.content_rule_dir_system_commands_group_root_owned
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-dir_system_commands_group_root_owned:def:1
Time	2026-04-19T11:29:29+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94700-2 References: CM-5(6), CM-5(6).1, SRG-OS-000259-GPOS-00100, R50
Description	System commands are stored in the following directories: by default: /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin All these directories should have `root` user as a group owner. If any system command directory is not group owned by a user other than root correct its ownership with the following command: $ sudo chgrp root DIR
Rationale	If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Verify that system commands directories have root ownership

Rule ID	xccdf_org.ssgproject.content_rule_dir_system_commands_root_owned
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-dir_system_commands_root_owned:def:1
Time	2026-04-19T11:29:29+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94698-8 References: CM-5(6), CM-5(6).1, SRG-OS-000259-GPOS-00100, R50
Description	System commands are stored in the following directories by default: /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin All these directories should be owned by the `root` user. If any system command directory is not owned by a user other than root correct its ownership with the following command: $ sudo chown root DIR
Rationale	If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Ensure All Files Are Owned by a Group

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_ungroupowned:def:1
Time	2026-04-19T11:29:34+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95088-1 References: 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.06, DSS06.10, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, PR.PT-3, SRG-OS-000480-GPOS-00227, R53, 2.2.6, 2.2
Description	If any file is not group-owned by a valid defined group, the cause of the lack of group-ownership must be investigated. Following this, those files should be deleted or assigned to an appropriate group. The groups need to be defined in `/etc/group` or in `/usr/lib/group` if `nss-altfiles` are configured to be used in `/etc/nsswitch.conf`. Locate the mount points related to local devices by the following command: $ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems \| paste -sd,) For all mount points listed by the previous command, it is necessary to search for files which do not belong to a valid group using the following command: $ sudo find MOUNTPOINT -xdev -nogroup 2>/dev/null
Rationale	Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account, or other similar cases. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed.
Warnings	warning This rule only considers local groups as valid groups. If you have your groups defined outside `/etc/group` or `/usr/lib/group`, the rule won't consider those. warning This rule can take a long time to perform the check and might consume a considerable amount of resources depending on the number of files present on the system. It is not a problem in most cases, but especially systems with a large number of files can be affected. See `https://access.redhat.com/articles/6999111`.

Ensure All Files Are Owned by a User

Rule ID	xccdf_org.ssgproject.content_rule_no_files_unowned_by_user
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-no_files_unowned_by_user:def:1
Time	2026-04-19T11:29:36+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95087-3 References: 11, 12, 13, 14, 15, 16, 18, 3, 5, 9, APO01.06, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, R53, 2.2.6, 2.2
Description	If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user. Locate the mount points related to local devices by the following command: $ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems \| paste -sd,) For all mount points listed by the previous command, it is necessary to search for files which do not belong to a valid user using the following command: $ sudo find MOUNTPOINT -xdev -nouser 2>/dev/null
Rationale	Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account, or other similar cases. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed.
Warnings	warning For this rule to evaluate centralized user accounts, `getent` must be working properly so that running the command getent passwd returns a list of all users in your organization. If using the System Security Services Daemon (SSSD), enumerate = true must be configured in your organization's domain to return a complete list of users warning This rule can take a long time to perform the check and might consume a considerable amount of resources depending on the number of files present on the system. It is not a problem in most cases, but especially systems with a large number of files can be affected. See `https://access.redhat.com/articles/6999111`.

Verify permissions of log files

Rule ID xccdf_org.ssgproject.content_rule_permissions_local_var_log

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-permissions_local_var_log:def:1

Time 2026-04-19T11:29:36+00:00

Severity medium

Identifiers and References

Identifiers: CCE-94687-1

References: SI-11(a), SI-11(b), SI-11.1(iii), PR.AC-4, PR.DS-5, SRG-OS-000205-GPOS-00083, 10.3.1, 10.3

Description

Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of error messages needs to be carefully considered by the organization. Organizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers.

Rationale

The SUSE Linux Enterprise Micro 6 must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	configure





find -P /var/log/  -perm /u+xs,g+xws,o+xwrt ! -name '*[bw]tmp' ! -name '*lastlog' -type f -regextype posix-extended -regex '.*' -exec chmod u-xs,g-xws,o-xwrt {} \;

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	configure

- name: Find /var/log/ file(s) recursively
  ansible.builtin.command: find -P /var/log/  -perm /u+xs,g+xws,o+xwrt ! -name "*[bw]tmp"
    ! -name "*lastlog" -type f -regextype posix-extended -regex ".*"
  register: files_found
  changed_when: false
  failed_when: false
  check_mode: false
  tags:
  - CCE-94687-1
  - NIST-800-53-SI-11(a)
  - NIST-800-53-SI-11(b)
  - NIST-800-53-SI-11.1(iii)
  - PCI-DSSv4-10.3
  - PCI-DSSv4-10.3.1
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - permissions_local_var_log

- name: Set permissions for /var/log/ file(s)
  ansible.builtin.file:
    path: '{{ item }}'
    mode: u-xs,g-xws,o-xwrt
    state: file
  with_items:
  - '{{ files_found.stdout_lines }}'
  tags:
  - CCE-94687-1
  - NIST-800-53-SI-11(a)
  - NIST-800-53-SI-11(b)
  - NIST-800-53-SI-11.1(iii)
  - PCI-DSSv4-10.3
  - PCI-DSSv4-10.3.1
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - permissions_local_var_log

Disable Modprobe Loading of USB Storage Driver

Rule ID	xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-kernel_module_usb-storage_disabled:def:1
Time	2026-04-19T11:29:46+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94722-6 References: 1, 12, 15, 16, 5, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.21, 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, SRG-APP-000141-CTR-000315, 3.4.2, 3.4
Description	To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the `usb-storage` kernel module from being loaded, add the following line to the file `/etc/modprobe.d/usb-storage.conf`: install usb-storage /bin/false This entry will cause a non-zero return value during a `usb-storage` module installation and additionally convey the meaning of the entry to the user in form of an error message. If you would like to omit a non-zero return value and an error message, you may want to add a different line instead (both `/bin/true` and `/bin/false` are allowed by OVAL and will be accepted by the scan): install usb-storage /bin/true This will prevent the `modprobe` program from loading the `usb-storage` module, but will not prevent an administrator (or another program) from using the `insmod` program to load the module manually.
Rationale	USB storage devices such as thumb drives can be used to introduce malicious software.

Add nosuid Option to Removable Media Partitions

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-mount_option_nosuid_removable_partitions:def:1
Time	2026-04-19T11:29:46+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95063-4 References: 11, 12, 13, 14, 15, 16, 18, 3, 5, 8, 9, APO01.06, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.06, DSS05.07, DSS06.02, DSS06.03, DSS06.06, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.11.2.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.AC-3, PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000480-GPOS-00227
Description	The `nosuid` mount option prevents set-user-identifier (SUID) and set-group-identifier (SGID) permissions from taking effect. These permissions allow users to execute binaries with the same permissions as the owner and group of the file respectively. Users should not be allowed to introduce SUID and SGID files into the system via partitions mounted from removable media. Add the `nosuid` option to the fourth column of `/etc/fstab` for the line which controls mounting of any removable media partitions.
Rationale	The presence of SUID and SGID executables should be tightly controlled. Allowing users to introduce SUID or SGID binaries from partitions mounted off of removable media would allow them to introduce their own highly-privileged programs.

Verify that local /var/log/messages is not world-readable

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_local_var_log_messages
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_local_var_log_messages:def:1
Time	2026-04-19T11:29:46+00:00
Severity	medium
Identifiers and References	References: SRG-OS-000206-GPOS-00084
Description	Files containing sensitive information should be protected by restrictive permissions. Most of the time, there is no need that these files need to be read by any non-root user To properly set the permissions of `/var/log/messages`, run the command: $ sudo chmod 0640 /var/log/messages Check that "permissions.local" file contains the correct permissions rules with the following command: # grep -i messages /etc/permissions.local /var/log/messages root:root 640
Rationale	The `/var/log/messages` file contains system error messages. Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SUSE operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.

Verify Permissions of Local Logs of audit Tools

Rule ID	xccdf_org.ssgproject.content_rule_permissions_local_audit_binaries
Result	notchecked
Multi-check rule	no
Time	2026-04-19T11:29:46+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94689-7 References: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099
Description	The SUSE operating system audit tools must have the proper permissions configured to protect against unauthorized access. Check that "permissions.local" file contains the correct permissions rules with the following command: grep "^/usr/sbin/au" /etc/permissions.local /usr/sbin/audispd root:root 0750 /usr/sbin/auditctl root:root 0750 /usr/sbin/auditd root:root 0750 /usr/sbin/ausearch root:root 0755 /usr/sbin/aureport root:root 0755 /usr/sbin/autrace root:root 0750 /usr/sbin/augenrules root:root 0750 Audit tools include but are not limited to vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
Rationale	Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. SUSE operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools.
Evaluation messages info No candidate or applicable check found.

Verify that Local Logs of the audit Daemon are not World-Readable

Rule ID	xccdf_org.ssgproject.content_rule_permissions_local_var_log_audit
Result	notchecked
Multi-check rule	no
Time	2026-04-19T11:29:46+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94666-5 References: AU-9, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029
Description	Files containing sensitive information should be protected by restrictive permissions. Most of the time, there is no need that these files need to be read by any non-root user. Check that "permissions.local" file contains the correct permissions rules with the following command: # grep -i audit /etc/permissions.local /var/log/audit/ root:root 600 /var/log/audit/audit.log root:root 600 /etc/audit/audit.rules root:root 640 /etc/audit/rules.d/audit.rules root:root 640
Rationale	Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Evaluation messages info No candidate or applicable check found.

Restrict Exposed Kernel Pointer Addresses Access

Rule ID xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_kernel_kptr_restrict:def:1

Time 2026-04-19T11:29:46+00:00

Severity medium

Identifiers and References

Identifiers: CCE-94727-5

References: CIP-002-5 R1.1, CIP-002-5 R1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 4.1, CIP-004-6 4.2, CIP-004-6 R2.2.3, CIP-004-6 R2.2.4, CIP-004-6 R2.3, CIP-004-6 R4, CIP-005-6 R1, CIP-005-6 R1.1, CIP-005-6 R1.2, CIP-007-3 R3, CIP-007-3 R3.1, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R8.4, CIP-009-6 R.1.1, CIP-009-6 R4, SC-30, SC-30(2), SC-30(5), CM-6(a), FMT_SMF_EXT.1, SRG-OS-000132-GPOS-00067, SRG-OS-000433-GPOS-00192, SRG-OS-000480-GPOS-00227, R9, 1409

Description

To set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command:

$ sudo sysctl -w kernel.kptr_restrict=2

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

kernel.kptr_restrict = 2

Rationale

Exposing kernel pointers (through procfs or seq_printf()) exposes kernel writeable structures which may contain functions pointers. If a write vulnerability occurs in the kernel, allowing write access to any of this structure, the kernel can be compromised. This option disallow any program without the CAP_SYSLOG capability to get the addresses of kernel pointers by replacing them with 0.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if ( rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base ); then

# Comment out any occurrences of kernel.kptr_restrict from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do


  # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
  if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi

  matching_list=$(grep -P '^(?!#).*[\s]*kernel.kptr_restrict.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "kernel.kptr_restrict" matches to preserve user data
      sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set sysctl config file which to save the desired value
#

SYSCONFIG_FILE='/etc/sysctl.d/kernel_kptr_restrict.conf'

sysctl_kernel_kptr_restrict_value='2'


#
# Set runtime for kernel.kptr_restrict
#
if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
    /sbin/sysctl -q -n -w kernel.kptr_restrict="$sysctl_kernel_kptr_restrict_value"
fi

#
# If kernel.kptr_restrict present in /etc/sysctl.conf, change value to appropriate value
#	else, add "kernel.kptr_restrict = value" to /etc/sysctl.conf
#

sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.kptr_restrict")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_kernel_kptr_restrict_value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^kernel.kptr_restrict\\>" "${SYSCONFIG_FILE}"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^kernel.kptr_restrict\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
    fi
    cce="CCE-94727-5"
    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-94727-5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-30
  - NIST-800-53-SC-30(2)
  - NIST-800-53-SC-30(5)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_kernel_kptr_restrict
- name: XCCDF Value sysctl_kernel_kptr_restrict_value # promote to variable
  set_fact:
    sysctl_kernel_kptr_restrict_value: !!str 2
  tags:
    - always

- name: Restrict Exposed Kernel Pointer Addresses Access - Set fact for sysctl paths
  ansible.builtin.set_fact:
    sysctl_paths:
    - /run/sysctl.d/
    - /etc/sysctl.d/
    - /usr/local/lib/sysctl.d/
    - /lib/sysctl.d/
  when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  tags:
  - CCE-94727-5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-30
  - NIST-800-53-SC-30(2)
  - NIST-800-53-SC-30(5)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_kernel_kptr_restrict

- name: Restrict Exposed Kernel Pointer Addresses Access - Find all files that contain
    kernel.kptr_restrict
  ansible.builtin.shell:
    cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
      -HP '^\s*kernel.kptr_restrict\s*=\s*.*$'
  register: find_all_values
  check_mode: false
  changed_when: false
  failed_when: false
  when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  tags:
  - CCE-94727-5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-30
  - NIST-800-53-SC-30(2)
  - NIST-800-53-SC-30(5)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_kernel_kptr_restrict

- name: Restrict Exposed Kernel Pointer Addresses Access - Find all files that set
    kernel.kptr_restrict to correct value
  ansible.builtin.shell:
    cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
      -HP '^\s*kernel.kptr_restrict\s*=\s*{{ sysctl_kernel_kptr_restrict_value }}$'
  register: find_correct_value
  check_mode: false
  changed_when: false
  failed_when: false
  when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  tags:
  - CCE-94727-5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-30
  - NIST-800-53-SC-30(2)
  - NIST-800-53-SC-30(5)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_kernel_kptr_restrict

- name: Restrict Exposed Kernel Pointer Addresses Access - Comment out any occurrences
    of kernel.kptr_restrict from config files
  ansible.builtin.replace:
    path: '{{ item | split(":") | first }}'
    regexp: ^[\s]*kernel.kptr_restrict
    replace: '#kernel.kptr_restrict'
  loop: '{{ find_all_values.stdout_lines }}'
  when:
  - ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
    | length > find_correct_value.stdout_lines | length
  tags:
  - CCE-94727-5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-30
  - NIST-800-53-SC-30(2)
  - NIST-800-53-SC-30(5)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_kernel_kptr_restrict

- name: Restrict Exposed Kernel Pointer Addresses Access - Comment out any occurrences
    of kernel.kptr_restrict from /etc/sysctl.conf
  ansible.builtin.replace:
    path: '{{ item }}'
    regexp: ^[\s]*kernel.kptr_restrict
    replace: '#kernel.kptr_restrict'
  with_fileglob:
  - /etc/sysctl.conf
  when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  tags:
  - CCE-94727-5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-30
  - NIST-800-53-SC-30(2)
  - NIST-800-53-SC-30(5)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_kernel_kptr_restrict

- name: Restrict Exposed Kernel Pointer Addresses Access - Ensure sysctl kernel.kptr_restrict
    is set
  ansible.posix.sysctl:
    name: kernel.kptr_restrict
    value: '{{ sysctl_kernel_kptr_restrict_value }}'
    sysctl_file: /etc/sysctl.d/kernel_kptr_restrict.conf
    state: present
    reload: true
  when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  tags:
  - CCE-94727-5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-30
  - NIST-800-53-SC-30(2)
  - NIST-800-53-SC-30(5)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_kernel_kptr_restrict

Enable Randomized Layout of Virtual Address Space

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_kernel_randomize_va_space:def:1
Time	2026-04-19T11:29:46+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94728-3 References: 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), CIP-002-5 R1.1, CIP-002-5 R1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 4.1, CIP-004-6 4.2, CIP-004-6 R2.2.3, CIP-004-6 R2.2.4, CIP-004-6 R2.3, CIP-004-6 R4, CIP-005-6 R1, CIP-005-6 R1.1, CIP-005-6 R1.2, CIP-007-3 R3, CIP-007-3 R3.1, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R8.4, CIP-009-6 R.1.1, CIP-009-6 R4, SC-30, SC-30(2), CM-6(a), Req-2.2.1, SRG-OS-000433-GPOS-00193, SRG-OS-000480-GPOS-00227, SRG-APP-000450-CTR-001105, R9, 1409, 3.3.1.1, 3.3.1, 3.3
Description	To set the runtime status of the `kernel.randomize_va_space` kernel parameter, run the following command: $ sudo sysctl -w kernel.randomize_va_space=2 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: kernel.randomize_va_space = 2
Rationale	Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.

Restrict Access to Kernel Message Buffer

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_kernel_dmesg_restrict:def:1
Time	2026-04-19T11:29:46+00:00
Severity	low
Identifiers and References	Identifiers: CCE-94683-0 References: 3.1.5, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), SI-11(a), SI-11(b), FMT_SMF_EXT.1, SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069, SRG-APP-000243-CTR-000600, R9, 1546
Description	To set the runtime status of the `kernel.dmesg_restrict` kernel parameter, run the following command: $ sudo sysctl -w kernel.dmesg_restrict=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: kernel.dmesg_restrict = 1
Rationale	Unprivileged access to the kernel syslog can expose sensitive kernel address information.

Install policycoreutils-python-utils package

Rule ID	xccdf_org.ssgproject.content_rule_package_policycoreutils-python-utils_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_policycoreutils-python-utils_installed:def:1
Time	2026-04-19T11:29:46+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95096-4 References: SRG-OS-000480-GPOS-00227
Description	The `policycoreutils-python-utils` package can be installed with the following command: $ sudo zypper install policycoreutils-python-utils
Rationale	This package is required to operate and manage an SELinux environment and its policies. It provides utilities such as semanage, audit2allow, audit2why, chcat and sandbox.

Install policycoreutils Package

Rule ID	xccdf_org.ssgproject.content_rule_package_policycoreutils_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_policycoreutils_installed:def:1
Time	2026-04-19T11:29:46+00:00
Severity	low
Identifiers and References	Identifiers: CCE-95093-1 References: SRG-OS-000480-GPOS-00227, SRG-OS-000134-GPOS-00068
Description	The `policycoreutils` package can be installed with the following command: $ sudo zypper install policycoreutils
Rationale	Security-enhanced Linux is a feature of the Linux kernel and a number of utilities with enhanced security functionality designed to add mandatory access controls to Linux. The Security-enhanced Linux kernel contains new architectural components originally developed to improve security of the Flask operating system. These architectural components provide general support for the enforcement of many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement, Role-based Access Control, and Multi-level Security. `policycoreutils` contains the policy core utilities that are required for basic operation of an SELinux-enabled system. These utilities include `load_policy` to load SELinux policies, `setfiles` to label filesystems, `newrole` to switch roles, and so on.

Configure SELinux Policy

Rule ID	xccdf_org.ssgproject.content_rule_selinux_policytype
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-selinux_policytype:def:1
Time	2026-04-19T11:29:46+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95094-9 References: 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01, 3.1.2, 3.7.2, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5, AC-3, AC-3(3)(a), AU-9, SC-7(21), DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4, FMT_MOF_EXT.1, SRG-OS-000445-GPOS-00199, SRG-APP-000233-CTR-000585, R46, R64, APP.4.4.A4, SYS.1.6.A3, SYS.1.6.A18, SYS.1.6.A21, 1409, 1.2.6, 1.2
Description	The SELinux `targeted` policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in `/etc/selinux/config`: SELINUXTYPE=targeted Other policies, such as `mls`, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.
Rationale	Setting the SELinux policy to `targeted` or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services. Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in `permissive` mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to `targeted`.

Ensure SELinux State is Enforcing

Rule ID	xccdf_org.ssgproject.content_rule_selinux_state
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-selinux_state:def:1
Time	2026-04-19T11:29:46+00:00
Severity	high
Identifiers and References	Identifiers: CCE-95092-3 References: 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01, 3.1.2, 3.7.2, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5, AC-3, AC-3(3)(a), AU-9, SC-7(21), DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4, FMT_MOF_EXT.1, SRG-OS-000445-GPOS-00199, SRG-OS-000134-GPOS-00068, R37, R79, APP.4.4.A4, SYS.1.6.A3, SYS.1.6.A18, SYS.1.6.A21, 1409, 1.2.6, 1.2
Description	The SELinux state should be set to `enforcing` at system boot time. In the file `/etc/selinux/config`, add or correct the following line to configure the system to boot into enforcing mode: SELINUX=enforcing Ensure that all files have correct SELinux labels by running: fixfiles onboot Then reboot the system.
Rationale	Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.

Map System Users To The Appropriate SELinux Role

Rule ID	xccdf_org.ssgproject.content_rule_selinux_user_login_roles
Result	notchecked
Multi-check rule	no
Time	2026-04-19T11:29:46+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95099-8 References: SRG-OS-000324-GPOS-00125
Description	Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. All administrators must be mapped to the `sysadm_u` or `staff_u` users with the appropriate domains (`sysadm_t` and `staff_t`). $ sudo semanage login -m -s sysadm_u USER or $ sudo semanage login -m -s staff_u USER All authorized non-administrative users must be mapped to the `user_u` role or the appropriate domain (user_t). $ sudo semanage login -m -s user_u USER
Rationale	Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.
Evaluation messages info No candidate or applicable check found.

Disable KDump Kernel Crash Analyzer (kdump)

Rule ID	xccdf_org.ssgproject.content_rule_service_kdump_disabled
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-service_kdump_disabled:def:1
Time	2026-04-19T11:29:46+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95065-9 References: 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, FMT_SMF_EXT.1.1, SRG-OS-000269-GPOS-00103, SRG-OS-000480-GPOS-00227
Description	The `kdump` service provides a kernel crash dump analyzer. It uses the `kexec` system call to boot a secondary kernel ("capture" kernel) following a system crash, which can load information from the crashed kernel for analysis. The `kdump` service can be disabled with the following command: $ sudo systemctl mask --now kdump.service
Rationale	Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. Unless the system is used for kernel development or testing, there is little need to run the kdump service.

Configure System to Forward All Mail For The Root Account

Rule ID xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-postfix_client_configure_mail_alias:def:1

Time 2026-04-19T11:29:46+00:00

Severity medium

Identifiers and References

Identifiers: CCE-94656-6

References: CM-6(a), SRG-OS-000046-GPOS-00022, R75

Description

Make sure that mails delivered to root user are forwarded to a monitored email address. Make sure that the address change_me@localhost is a valid email address reachable from the system in question. Use the following command to configure the alias:

$ sudo echo "root: change_me@localhost" >> /etc/aliases
$ sudo newaliases

Rationale

A number of system services utilize email messages sent to the root user to notify system administrators of active or impending issues. These messages must be forwarded to at least one monitored email address.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default || rpm --quiet -q kernel-default-base; then

var_postfix_root_mail_alias='change_me@localhost'


# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^root")

# shellcheck disable=SC2059
printf -v formatted_output "%s: %s" "$stripped_key" "$var_postfix_root_mail_alias"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^root\\>" "/etc/aliases"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^root\\>.*/$escaped_formatted_output/gi" "/etc/aliases"
else
    if [[ -s "/etc/aliases" ]] && [[ -n "$(tail -c 1 -- "/etc/aliases" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/aliases"
    fi
    cce="CCE-94656-6"
    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/aliases" >> "/etc/aliases"
    printf '%s\n' "$formatted_output" >> "/etc/aliases"
fi

if [ -f /usr/bin/newaliases ]; then
    newaliases
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	configure

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-94656-6
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - postfix_client_configure_mail_alias
- name: XCCDF Value var_postfix_root_mail_alias # promote to variable
  set_fact:
    var_postfix_root_mail_alias: !!str change_me@localhost
  tags:
    - always

- name: Configure System to Forward All Mail For The Root Account - Make sure that
    "/etc/aliases" has a defined value for root
  ansible.builtin.lineinfile:
    path: /etc/aliases
    line: 'root: {{ var_postfix_root_mail_alias }}'
    regexp: ^(?:[rR][oO][oO][tT]|"[rR][oO][oO][tT]")\s*:\s*(.+)$
    create: true
    state: present
  register: aliases_root_mail_alias_changed
  when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  tags:
  - CCE-94656-6
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - postfix_client_configure_mail_alias

- name: Configure System to Forward All Mail For The Root Account - Check if newaliases
    command is available
  ansible.builtin.stat:
    path: /usr/bin/newaliases
  register: result_newaliases_present
  when: ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  tags:
  - CCE-94656-6
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - postfix_client_configure_mail_alias

- name: Configure System to Forward All Mail For The Root Account - Update postfix
    aliases
  ansible.builtin.command:
    cmd: newaliases
  when:
  - ("kernel-default" in ansible_facts.packages or "kernel-default-base" in ansible_facts.packages)
  - aliases_root_mail_alias_changed is changed
  - result_newaliases_present.stat.exists
  tags:
  - CCE-94656-6
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - postfix_client_configure_mail_alias

A remote time server for Chrony is configured

Rule ID	xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server
Result	notapplicable
Multi-check rule	no
Time	2026-04-19T11:29:46+00:00
Severity	medium
Identifiers and References	References: CM-6(a), AU-8(1)(a), Req-10.4.3, SRG-OS-000355-GPOS-00143, R71, 0988, 1405, 10.6.2, 10.6
Description	`Chrony` is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on `chrony` can be found at https://chrony-project.org/. `Chrony` can be configured to be a client and/or a server. Add or edit server or pool lines to `/etc/chrony.conf` as appropriate: server <remote-server> Alternatively, server or pool directives can be specified in files included via `sourcedir` or `confdir` directives in `/etc/chrony.conf`. When using `sourcedir`, create `.sources` files in the specified directory: # In /etc/chrony.conf: sourcedir /etc/chrony/sources.d # In /etc/chrony/sources.d/ntp.sources: server 0.pool.ntp.org When using `confdir`, create `.conf` files in the specified directory: # In /etc/chrony.conf: confdir /etc/chrony/conf.d # In /etc/chrony/conf.d/ntp-servers.conf: pool 1.pool.ntp.org Multiple servers may be configured.
Rationale	If `chrony` is in use on the system proper configuration is vital to ensuring time synchronization is working properly.

Configure Time Service Maxpoll Interval

Rule ID	xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll
Result	notapplicable
Multi-check rule	no
Time	2026-04-19T11:29:46+00:00
Severity	medium
Identifiers and References	References: 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), AU-8(1)(b), AU-12(1), PR.PT-1, SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144, SRG-OS-000359-GPOS-00146
Description	The `maxpoll` should be configured to 16 in `/etc/ntp.conf` or `/etc/chrony.conf` (or `/etc/chrony.d/`) to continuously poll time servers. To configure `maxpoll` in `/etc/ntp.conf` or `/etc/chrony.conf` (or `/etc/chrony.d/`) add the following after each `server`, `pool` or `peer` entry: maxpoll 16 to `server` directives. If using chrony, any `pool` directives should be configured too.
Rationale	Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).

Remove Host-Based Authentication Files

Rule ID	xccdf_org.ssgproject.content_rule_no_host_based_files
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-no_host_based_files:def:1
Time	2026-04-19T11:29:46+00:00
Severity	high
Identifiers and References	Identifiers: CCE-95051-9 References: SRG-OS-000480-GPOS-00227
Description	The `shosts.equiv` file lists remote hosts and users that are trusted by the local system. To remove these files, run the following command to delete them from any location: $ sudo rm /[path]/[to]/[file]/shosts.equiv
Rationale	The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.

Remove User Host-Based Authentication Files

Rule ID	xccdf_org.ssgproject.content_rule_no_user_host_based_files
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-no_user_host_based_files:def:1
Time	2026-04-19T11:29:47+00:00
Severity	high
Identifiers and References	Identifiers: CCE-95049-3 References: SRG-OS-000480-GPOS-00227
Description	The `~/.shosts` (in each user's home directory) files list remote hosts and users that are trusted by the local system. To remove these files, run the following command to delete them from any location: $ sudo find / -name '.shosts' -type f -delete
Rationale	The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.

Uninstall telnet-server Package

Rule ID	xccdf_org.ssgproject.content_rule_package_telnet-server_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_telnet-server_removed:def:1
Time	2026-04-19T11:29:47+00:00
Severity	high
Identifiers and References	Identifiers: CCE-94643-4 References: 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, Req-2.2.2, SRG-OS-000095-GPOS-00049, R62, 1409, 2.2.4, 2.2
Description	The `telnet-server` package can be removed with the following command: $ sudo zypper remove telnet-server
Rationale	It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore may remain insecure. They increase the risk to the platform by providing additional attack vectors. The telnet service provides an unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using this service, the privileged user password could be compromised. Removing the `telnet-server` package decreases the risk of the telnet service's accidental (or intentional) activation.

Set SSH Client Alive Count Max

Rule ID	xccdf_org.ssgproject.content_rule_sshd_set_keepalive
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sshd_set_keepalive:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94685-5 References: 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.5.6, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.11, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, Req-8.1.8, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, 8.2.8, 8.2
Description	The SSH server sends at most `ClientAliveCountMax` messages during a SSH session and waits for a response from the SSH client. The option `ClientAliveInterval` configures timeout after each `ClientAliveCountMax` message. If the SSH server does not receive a response from the client, then the connection is considered unresponsive and terminated. For SSH earlier than v8.2, a `ClientAliveCountMax` value of `0` causes a timeout precisely when the `ClientAliveInterval` is set. Starting with v8.2, a value of `0` disables the timeout functionality completely. If the option is set to a number greater than `0`, then the session will be disconnected after `ClientAliveInterval * ClientAliveCountMax` seconds without receiving a keep alive message.
Rationale	This ensures a user login will be terminated as soon as the `ClientAliveInterval` is reached.

Set SSH Client Alive Interval

Rule ID	xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sshd_set_idle_timeout:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94681-4 References: 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.5.6, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.11, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CM-6(a), AC-17(a), AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, Req-8.1.8, SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000395-GPOS-00175, 8.2.8, 8.2
Description	SSH allows administrators to set a network responsiveness timeout interval. After this interval has passed, the unresponsive client will be automatically logged out. To set this timeout interval, edit the following line in `/etc/ssh/sshd_config` as follows: ClientAliveInterval 600 The timeout interval is given in seconds. For example, have a timeout of 10 minutes, set interval to 600. If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made in `/etc/ssh/sshd_config`. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.
Rationale	Terminating an idle ssh session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been let unattended.
Warnings	warning SSH disconnecting unresponsive clients will not have desired effect without also configuring ClientAliveCountMax in the SSH service configuration. warning Following conditions may prevent the SSH session to time out: Remote processes on the remote machine generates output. As the output has to be transferred over the network to the client, the timeout is reset every time such transfer happens. Any `scp` or `sftp` activity by the same user to the host resets the timeout.

Disable SSH Access via Empty Passwords

Rule ID	xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sshd_disable_empty_passwords:def:1
Time	2026-04-19T11:29:47+00:00
Severity	high
Identifiers and References	Identifiers: CCE-95091-5 References: 11, 12, 13, 14, 15, 16, 18, 3, 5, 9, 5.5.6, APO01.06, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, 3.1.1, 3.1.5, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-3, FIA_UAU.1, Req-2.2.4, SRG-OS-000106-GPOS-00053, SRG-OS-000480-GPOS-00229, SRG-OS-000480-GPOS-00227, 1546, 2.2.6, 2.2
Description	Disallow SSH login with empty passwords. The default SSH configuration disables logins with empty passwords. The appropriate configuration is used if no value is set for `PermitEmptyPasswords`. To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in `/etc/ssh/sshd_config`: PermitEmptyPasswords no Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.
Rationale	Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.

Disable SSH Root Login

Rule ID	xccdf_org.ssgproject.content_rule_sshd_disable_root_login
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sshd_disable_root_login:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94674-9 References: 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.6, APO01.06, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.06, DSS06.10, 3.1.1, 3.1.5, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-6(2), AC-17(a), IA-2, IA-2(5), CM-7(a), CM-7(b), CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, PR.PT-3, FAU_GEN.1, Req-2.2.4, SRG-OS-000109-GPOS-00056, SRG-OS-000480-GPOS-00227, SRG-APP-000148-CTR-000335, SRG-APP-000190-CTR-000500, R33, 1546, 2.2.6, 2.2
Description	The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in `/etc/ssh/sshd_config`: PermitRootLogin no
Rationale	Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password.

Disable SSH Support for User Known Hosts

Rule ID	xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sshd_disable_user_known_hosts:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95068-3 References: 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, SRG-OS-000480-GPOS-00227, 1546
Description	SSH can allow system users to connect to systems if a cache of the remote systems public keys is available. This should be disabled. To ensure this behavior is disabled, add or correct the following line in `/etc/ssh/sshd_config`: IgnoreUserKnownHosts yes
Rationale	Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.

Disable X11 Forwarding

Rule ID	xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sshd_disable_x11_forwarding:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95072-5 References: CM-6(b), SRG-OS-000480-GPOS-00227, 0484, 2.2.6, 2.2
Description	The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections. SSH has the capability to encrypt remote X11 connections when SSH's `X11Forwarding` option is enabled. The default SSH configuration disables X11Forwarding. The appropriate configuration is used if no value is set for `X11Forwarding`. To explicitly disable X11 Forwarding, add or correct the following line in `/etc/ssh/sshd_config`: X11Forwarding no
Rationale	Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders.

Do Not Allow SSH Environment Options

Rule ID	xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sshd_do_not_permit_user_env:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95090-7 References: 11, 3, 9, 5.5.6, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, Req-2.2.4, SRG-OS-000480-GPOS-00229, 1546, 2.2.6, 2.2
Description	Ensure that users are not able to override environment variables of the SSH daemon. The default SSH configuration disables environment processing. The appropriate configuration is used if no value is set for `PermitUserEnvironment`. To explicitly disable Environment options, add or correct the following `/etc/ssh/sshd_config`: PermitUserEnvironment no
Rationale	SSH environment options potentially allow users to bypass access restriction in some configurations.

Enable Use of Strict Mode Checking

Rule ID	xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sshd_enable_strictmodes:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95071-7 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6, AC-17(a), CM-6(a), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 1409
Description	SSHs `StrictModes` option checks file and ownership permissions in the user's home directory `.ssh` folder before accepting login. If world- writable permissions are found, logon is rejected. The default SSH configuration has `StrictModes` enabled. The appropriate configuration is used if no value is set for `StrictModes`. To explicitly enable `StrictModes` in SSH, add or correct the following line in `/etc/ssh/sshd_config`: StrictModes yes
Rationale	If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user.

Enable SSH Warning Banner

Rule ID	xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sshd_enable_warning_banner:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94626-9 References: 1, 12, 15, 16, 5.5.6, DSS05.04, DSS05.10, DSS06.10, 3.1.9, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), AC-17(a), CM-6(a), PR.AC-7, FTA_TAB.1, Req-2.2.4, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, 0484
Description	To enable the warning banner and ensure it is consistent across the system, add or correct the following line in `/etc/ssh/sshd_config`: Banner /etc/issue Another section contains information on how to create an appropriate system-wide warning banner.
Rationale	The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.

Enable SSH Print Last Log

Rule ID	xccdf_org.ssgproject.content_rule_sshd_print_last_log
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sshd_print_last_log:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95045-1 References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-9, AC-9(1), PR.AC-7, SRG-OS-000480-GPOS-00227, 0582, 0846
Description	Ensure that SSH will display the date and time of the last successful account logon. The default SSH configuration enables print of the date and time of the last login. The appropriate configuration is used if no value is set for `PrintLastLog`. To explicitly enable LastLog in SSH, add or correct the following line in `/etc/ssh/sshd_config`: PrintLastLog yes
Rationale	Providing users feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.

Set SSH Daemon LogLevel to VERBOSE

Rule ID	xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sshd_set_loglevel_verbose:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94627-7 References: CIP-007-3 R7.1, AC-17(a), AC-17(1), CM-6(a), Req-2.2.4, SRG-OS-000032-GPOS-00013, 2.2.6, 2.2
Description	The `VERBOSE` parameter configures the SSH daemon to record login and logout activity. To specify the log level in SSH, add or correct the following line in `/etc/ssh/sshd_config`: LogLevel VERBOSE
Rationale	SSH provides several logging levels with varying amounts of verbosity. `DEBUG` is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. `INFO` or `VERBOSE` level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field.

Use Only FIPS 140-2 Validated Ciphers

Rule ID	xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sshd_use_approved_ciphers:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94647-5 References: 1, 11, 12, 14, 15, 16, 18, 3, 5, 6, 8, 9, 5.5.6, APO11.04, APO13.01, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, MEA02.01, 3.1.13, 3.13.11, 3.13.8, 164.308(b)(1), 164.308(b)(2), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii), 164.314(b)(2)(i), 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.18.1.4, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-6(a), AC-17(a), AC-17(2), SC-13, MA-4(6), IA-5(1)(c), SC-12(2), SC-12(3), PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-1, PR.PT-1, PR.PT-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 2.2.7, 2.2
Description	Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in `/etc/ssh/sshd_config` demonstrates use of FIPS-approved ciphers: Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc The man page `sshd_config(5)` contains a list of supported ciphers. The rule is parametrized to use the following ciphers: `aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se`.
Rationale	Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and system data may be compromised. Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets industry and government requirements. For government systems, this allows Security Levels 1, 2, 3, or 4 for use on SUSE Linux Enterprise Micro 6.
Warnings	warning The system needs to be rebooted for these changes to take effect. warning System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.

Use Only FIPS 140-2 Validated Ciphers

Rule ID	xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers_ordered_stig
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sshd_use_approved_ciphers_ordered_stig:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94646-7 References: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
Description	Limit the ciphers to those algorithms which are FIPS-approved. The following line in `/etc/ssh/sshd_config` demonstrates use of FIPS-approved ciphers: Ciphers aes256-ctr,aes192-ctr,aes128-ctr This rule ensures that there are configured ciphers mentioned above (or their subset), keeping the given order of algorithms.
Rationale	Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and system data may be compromised. Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets industry and government requirements. For government systems, this allows Security Levels 1, 2, 3, or 4 for use on SUSE Linux Enterprise Micro 6.
Warnings	warning The system needs to be rebooted for these changes to take effect. warning System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.

Use Only FIPS 140-2 Validated Key Exchange Algorithms

Rule ID	xccdf_org.ssgproject.content_rule_sshd_use_approved_kex_ordered_stig
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sshd_use_approved_kex_ordered_stig:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94688-9 References: AC-17(2), SRG-OS-000250-GPOS-00093
Description	Limit the key exchange algorithms to those which are FIPS-approved. Add or modify the following line in `/etc/ssh/sshd_config` KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 This rule ensures that only the key exchange algorithms mentioned above (or their subset) are configured for use, keeping the given order of algorithms.
Rationale	FIPS-approved key exchange algorithms are required to be used. The system will attempt to use the first algorithm presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest algorithm available to secure the SSH connection.
Warnings	warning The system needs to be rebooted for these changes to take effect. warning System crypto modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this requirements, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.

Use Only FIPS 140-2 Validated MACs

Rule ID	xccdf_org.ssgproject.content_rule_sshd_use_approved_macs
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sshd_use_approved_macs:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94680-6 References: 1, 12, 13, 15, 16, 5, 8, APO01.06, APO13.01, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.07, DSS06.02, DSS06.03, 3.1.13, 3.13.11, 3.13.8, 164.308(b)(1), 164.308(b)(2), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii), 164.314(b)(2)(i), 4.3.3.5.1, 4.3.3.6.6, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.11.2.6, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-6(a), AC-17(a), AC-17(2), SC-13, MA-4(6), SC-12(2), SC-12(3), PR.AC-1, PR.AC-3, PR.DS-5, PR.PT-4, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000394-GPOS-00174, 2.2.7, 2.2
Description	Limit the MACs to those hash algorithms which are FIPS-approved. The following line in `/etc/ssh/sshd_config` demonstrates use of FIPS-approved MACs: MACs hmac-sha2-512,hmac-sha2-256 The man page `sshd_config(5)` contains a list of supported MACs. The rule is parametrized to use the following MACs: `hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com`.
Rationale	FIPS-approved cryptographic hash functions are required to be used. The only SSHv2 hash algorithms meeting this requirement is SHA2.
Warnings	warning The system needs to be rebooted for these changes to take effect. warning System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.

Use Only FIPS 140-2 Validated MACs

Rule ID	xccdf_org.ssgproject.content_rule_sshd_use_approved_macs_ordered_stig
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sshd_use_approved_macs_ordered_stig:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94679-8 References: SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000394-GPOS-00174
Description	Limit the MACs to those hash algorithms which are FIPS-approved. The following line in `/etc/ssh/sshd_config` demonstrates use of FIPS-approved MACs: MACs hmac-sha2-512,hmac-sha2-256 This rule ensures that there are configured MACs mentioned above (or their subset), keeping the given order of algorithms.
Rationale	FIPS-approved cryptographic hash functions are required to be used. The only SSHv2 hash algorithms meeting this requirement is SHA2.
Warnings	warning The system needs to be rebooted for these changes to take effect. warning System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.

Install the OpenSSH Server Package

Rule ID	xccdf_org.ssgproject.content_rule_package_openssh-server_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_openssh-server_installed:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94725-9 References: 13, 14, APO01.06, DSS05.02, DSS05.04, DSS05.07, DSS06.02, DSS06.06, SR 3.1, SR 3.8, SR 4.1, SR 4.2, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), PR.DS-2, PR.DS-5, FIA_UAU.5, FTP_ITC_EXT.1, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190
Description	The `openssh-server` package should be installed. The `openssh-server` package can be installed with the following command: $ sudo zypper install openssh-server
Rationale	Without protection of the transmitted information, confidentiality, and integrity may be compromised because unprotected communications can be intercepted and either read or altered.

Enable the OpenSSH Service

Rule ID	xccdf_org.ssgproject.content_rule_service_sshd_enabled
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-service_sshd_enabled:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94726-7 References: 13, 14, APO01.06, DSS05.02, DSS05.04, DSS05.07, DSS06.02, DSS06.06, 3.1.13, 3.5.4, 3.13.8, SR 3.1, SR 3.8, SR 4.1, SR 4.2, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), SC-8, SC-8(1), SC-8(2), SC-8(3), SC-8(4), PR.DS-2, PR.DS-5, SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190
Description	The SSH server service, sshd, is commonly needed. The `sshd` service can be enabled with the following command: $ sudo systemctl enable sshd.service
Rationale	Without protection of the transmitted information, confidentiality, and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This checklist item applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, etc). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.

Verify Permissions on SSH Server Private *_key Key Files

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_sshd_private_key:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95070-9 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.13, 3.13.10, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-2.2.4, SRG-OS-000480-GPOS-00227, R50, 1449, 2.2.6, 2.2
Description	SSH server private keys - files that match the `/etc/ssh/*_key` glob, have to have restricted permissions. If those files are owned by the `root` user and the `root` group, they have to have the `0640` permission or stricter.
Rationale	If an unauthorized user obtains the private SSH host key file, the host could be impersonated.
Warnings	warning Remediation is not possible at bootable container build time because SSH host keys are generated post-deployment.

Verify Permissions on SSH Server Public *.pub Key Files

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_sshd_pub_key:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95069-1 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.13, 3.13.10, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-2.2.4, SRG-OS-000480-GPOS-00227, R50, 2.2.6, 2.2
Description	To properly set the permissions of `/etc/ssh/.pub`, run the command: $ sudo chmod 0644 /etc/ssh/.pub
Rationale	If a public host key file is modified by an unauthorized user, the SSH service may be compromised.
Warnings	warning Remediation is not possible at bootable container build time because SSH host keys are generated post-deployment.

OpenSSH Service Must Use Passcode for Their Private Keys

Rule ID	xccdf_org.ssgproject.content_rule_ssh_private_keys_have_passcode
Result	notchecked
Multi-check rule	no
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94668-1 References: IA-5(2), IA-5(2).1, SRG-OS-000067-GPOS-00035
Description	Verify the SSH private key files have a passcode. For each private key stored on the system, use the following command: $ sudo ssh-keygen -y -f /path/to/file If the contents of the key are displayed, without asking a passphrase this is a finding.
Rationale	If an unauthorized user obtains access to a private key without a passcode, that user would have unauthorized access to any system where the associated public key has been installed.
Evaluation messages info No candidate or applicable check found.

Configure SSSD's Memory Cache to Expire

Rule ID	xccdf_org.ssgproject.content_rule_sssd_memcache_timeout
Result	notapplicable
Multi-check rule	no
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94723-4 References: 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), IA-5(13), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000383-GPOS-00166
Description	SSSD's memory cache should be configured to set to expire records after `86400` seconds. To configure SSSD to expire memory cache, set `memcache_timeout` to `86400` under the `[nss]` section in `/etc/sssd/sssd.conf`. For example: [nss] memcache_timeout = 86400
Rationale	If cached authentication information is out-of-date, the validity of the authentication information may be questionable.

Configure SSSD to Expire Offline Credentials

Rule ID	xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
Result	notapplicable
Multi-check rule	no
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94724-2 References: 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), IA-5(13), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000383-GPOS-00166
Description	SSSD should be configured to expire offline credentials after 1 day. To configure SSSD to expire offline credentials, set `offline_credentials_expiration` to `1` under the `[pam]` section in `/etc/sssd/sssd.conf`. For example: [pam] offline_credentials_expiration = 1
Rationale	If cached authentication information is out-of-date, the validity of the authentication information may be questionable.

Record Events that Modify the System's Discretionary Access Controls - fchmod

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_dac_modification_fchmod:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94634-3 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, R73, 10.3.4, 10.3
Description	At a minimum, the audit system should collect file permission changes for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following line to `/etc/audit/audit.rules` file: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale	The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings	warning Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.

Record Events that Modify the System's Discretionary Access Controls - fremovexattr

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_dac_modification_fremovexattr:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94632-7 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000064-GPOS-00033, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000499-CTR-001255, R73, 10.3.4, 10.3
Description	At a minimum, the audit system should collect file permission changes for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following line to `/etc/audit/audit.rules` file: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale	The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings	warning Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.

Record Events that Modify the System's Discretionary Access Controls - lchown

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_dac_modification_lchown:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94633-5 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, R73, 10.3.4, 10.3
Description	At a minimum, the audit system should collect file permission changes for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following line to `/etc/audit/audit.rules` file: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale	The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings	warning Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.

Record Events that Modify the System's Discretionary Access Controls - umount2

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_umount2
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_dac_modification_umount2:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94636-8 References: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000495-CTR-001235, R73
Description	At a minimum, the audit system should collect file system umount2 changes. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following line to `/etc/audit/audit.rules` file: -a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale	The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings	warning Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.

Record Any Attempts to Run chacl

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_execution_chacl
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_execution_chacl:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94619-4 References: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255
Description	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale	Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Record Any Attempts to Run chmod

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_execution_chmod
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_execution_chmod:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94617-8 References: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Description	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale	Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Record Any Attempts to Run setfacl

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_execution_setfacl
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_execution_setfacl:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94618-6 References: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000495-CTR-001235
Description	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale	Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Record Any Attempts to Run chcon

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_execution_chcon:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94620-2 References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, 0582
Description	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Record Any Attempts to Run rm

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_execution_rm
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_execution_rm:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94621-0 References: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Description	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale	Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Record Any Attempts to Run semanage

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_execution_semanage:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95095-6 References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, 0582
Description	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Record Any Attempts to Run setfiles

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_execution_setfiles:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95097-2 References: AU-2(d), AU-12(c), AC-6(9), CM-6(a), SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, 0582
Description	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Record Any Attempts to Run setsebool

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_execution_setsebool:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-95098-0 References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, 0582
Description	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Record Unsuccessful Access Attempts to Files - open

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_unsuccessful_file_modification_open:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94649-1 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-APP-000495-CTR-001235, R73, 0582, 0846
Description	At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules` file: -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Rationale	Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings	warning Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.

Record Unsuccessful Delete Attempts to Files - rename

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_rename
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_unsuccessful_file_modification_rename:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94731-7 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000468-GPOS-00212, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270
Description	The audit system should collect unsuccessful file deletion attempts for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`. If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules` file. -a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
Rationale	Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings	warning Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example: -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete

Ensure auditd Collects Information on Kernel Module Unloading - delete_module

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_kernel_module_loading_delete:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94653-3 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, SRG-APP-000495-CTR-001235, SRG-APP-000504-CTR-001280, R73
Description	To capture kernel module loading and unloading events, use the following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S delete_module -F key=modules Place to add the line depends on a way `auditd` daemon is configured. If it is configured to use the `augenrules` program (the default), add the line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`. If the `auditd` daemon is configured to use the `auditctl` utility, add the line to file `/etc/audit/audit.rules`.
Rationale	The removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_kernel_module_loading_finit:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94654-1 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, SRG-APP-000495-CTR-001235, SRG-APP-000504-CTR-001280, R73
Description	To capture kernel module loading and unloading events, use the following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S finit_module -F key=modules Place to add the line depends on a way `auditd` daemon is configured. If it is configured to use the `augenrules` program (the default), add the line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`. If the `auditd` daemon is configured to use the `auditctl` utility, add the line to file `/etc/audit/audit.rules`.
Rationale	The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

Record Attempts to Alter Logon and Logout Events - lastlog

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_login_events_lastlog:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94629-3 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.2.3, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218, SRG-OS-000470-GPOS-00214, SRG-APP-000495-CTR-001235, SRG-APP-000503-CTR-001275, SRG-APP-000506-CTR-001290, R73, 0582, 10.2.1.3, 10.2.1, 10.2
Description	The audit system already collects login information for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /var/log/lastlog -p wa -k logins If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules`: -w /var/log/lastlog -p wa -k logins
Rationale	Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.

Record Attempts to Alter Logon and Logout Events - tallylog

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_login_events_tallylog:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94628-5 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.2.3, SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218, SRG-APP-000503-CTR-001275, 0582, 10.2.1.3, 10.2.1, 10.2
Description	The audit system already collects login information for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /var/log/tallylog -p wa -k logins If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules`: -w /var/log/tallylog -p wa -k logins
Rationale	Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.

Ensure auditd Collects Information on the Use of Privileged Commands - chage

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_privileged_commands_chage:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94611-1 References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270
Description	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Ensure auditd Collects Information on the Use of Privileged Commands - chfn

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chfn
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_privileged_commands_chfn:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94614-5 References: AU-3, AU-12(a), AU-12(c), MA-4(1)(a)
Description	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale	Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Ensure auditd Collects Information on the Use of Privileged Commands - chsh

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_privileged_commands_chsh:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94609-5 References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000495-CTR-001235
Description	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Ensure auditd Collects Information on the Use of Privileged Commands - crontab

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_privileged_commands_crontab:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94612-9 References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000495-CTR-001235
Description	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_privileged_commands_gpasswd:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94607-9 References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235
Description	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Ensure auditd Collects Information on the Use of Privileged Commands - insmod

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_insmod
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_privileged_commands_insmod:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94650-9 References: AU-12(c), AU-12.1(iv), AU-3, AU-3.1, AU-12(a), AU-12.1(ii), MA-4(1)(a), SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, R73
Description	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /sbin/insmod -p x -k modules
Rationale	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Ensure auditd Collects Information on the Use of Privileged Commands - kmod

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_kmod
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_privileged_commands_kmod:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94616-0 References: AU-3, AU-3.1, AU-12(a), AU-12.1(ii), AU-12.1(iv)AU-12(c), MA-4(1)(a), SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, SRG-APP-000495-CTR-001235, SRG-APP-000504-CTR-001280, R73
Description	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale	Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Ensure auditd Collects Information on the Use of Privileged Commands - modprobe

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_modprobe
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_privileged_commands_modprobe:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94652-5 References: AU-12(a), AU-12.1(ii), AU-3, AU-3.1, AU-12(c), AU-12.1(iv), MA-4(1)(a), SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, R73
Description	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /sbin/modprobe -p x -k modules If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -w /sbin/modprobe -p x -k modules
Rationale	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Ensure auditd Collects Information on the Use of Privileged Commands - newgrp

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_privileged_commands_newgrp:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94608-7 References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235
Description	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_privileged_commands_pam_timestamp_check:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94623-6 References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235
Description	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Ensure auditd Collects Information on the Use of Privileged Commands - passwd

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_privileged_commands_passwd:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94606-1 References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235
Description	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Ensure auditd Collects Information on the Use of Privileged Commands - rmmod

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_rmmod
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_privileged_commands_rmmod:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94651-7 References: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, R73
Description	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /sbin/rmmod -p x -k modules
Rationale	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Record Any Attempts to Run ssh-agent

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_agent
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_privileged_commands_ssh_agent:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94615-2 References: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000495-CTR-001235
Description	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale	Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_privileged_commands_ssh_keysign:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94605-3 References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235
Description	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/libexec/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/libexec/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Ensure auditd Collects Information on the Use of Privileged Commands - su

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_privileged_commands_su:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94624-4 References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-OS-000755-GPOS-00220
Description	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Ensure auditd Collects Information on the Use of Privileged Commands - sudo

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_privileged_commands_sudo:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94625-1 References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-OS-000755-GPOS-00220, R33
Description	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_privileged_commands_sudoedit:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94613-7 References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000495-CTR-001235, SRG-OS-000755-GPOS-00220
Description	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_privileged_commands_unix_chkpwd:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94610-3 References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R6.5, AC-2(4), AU-2(d), AU-3, AU-3.1, AU-12(a), AU-12(c), AU-12.1(ii), AU-12.1(iv), AC-6(9), CM-6(a), MA-4(1)(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235
Description	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Ensure auditd Collects Information on the Use of Privileged Commands - usermod

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usermod
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_privileged_commands_usermod:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94622-8 References: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255
Description	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Ensure auditd Collects Information on Exporting to Media (successful)

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_media_export
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_media_export:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94635-0 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000495-CTR-001235, R73, 10.2.1.7, 10.2.1, 10.2
Description	At a minimum, the audit system should collect media exportation events for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following line to `/etc/audit/audit.rules` file, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
Rationale	The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.

Record Attempts to Alter Process and Session Initiation Information btmp

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_session_events_btmp
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_session_events_btmp:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94734-1 References: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AU-12(c), AU-12.1(iv), SRG-OS-000472-GPOS-00217, R73, 0582, 0846, 10.2.1.3, 10.2.1, 10.2
Description	The audit system already collects process information for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /var/log/btmp -p wa -k session If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules`: -w /var/log/btmp -p wa -k session
Rationale	Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.

Record Attempts to Alter Process and Session Initiation Information utmp

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_session_events_utmp
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_session_events_utmp:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94732-5 References: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AU-12(c), AU-12.1(iv), SRG-OS-000472-GPOS-00217, R73, 0582, 0846, 10.2.1.3, 10.2.1, 10.2
Description	The audit system already collects process information for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /var/run/utmp -p wa -k session If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules`: -w /var/run/utmp -p wa -k session
Rationale	Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.

Record Attempts to Alter Process and Session Initiation Information wtmp

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_session_events_wtmp
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_session_events_wtmp:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94733-3 References: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AU-12(c), AU-12.1(iv), SRG-OS-000472-GPOS-00217, R73, 0582, 0846, 10.2.1.3, 10.2.1, 10.2
Description	The audit system already collects process information for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /var/log/wtmp -p wa -k session If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules`: -w /var/log/wtmp -p wa -k session
Rationale	Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.

Record Events When Privileged Executables Are Run

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_suid_privilege_function:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94704-4 References: CM-5(1), AU-7(a), AU-7(b), AU-8(b), AU-12(3), AC-6(9), SRG-OS-000326-GPOS-00126, SRG-OS-000327-GPOS-00127, SRG-APP-000343-CTR-000780, SRG-APP-000381-CTR-000905, SRG-OS-000755-GPOS-00220, 10.2.1.2, 10.2.1, 10.2
Description	Verify the system generates an audit record when privileged functions are executed. If audit is using the "auditctl" tool to load the rules, run the following command: $ sudo grep execve /etc/audit/audit.rules If audit is using the "augenrules" tool to load the rules, run the following command: $ sudo grep -r execve /etc/audit/rules.d -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding. If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding.
Rationale	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.
Warnings	warning Note that these rules can be configured in a number of ways while still achieving the desired effect.

Ensure auditd Collects System Administrator Actions

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_sysadmin_actions:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94648-3 References: 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-2(7)(b), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.2.2, Req-10.2.5.b, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-APP-000026-CTR-000070, SRG-APP-000027-CTR-000075, SRG-APP-000028-CTR-000080, SRG-APP-000291-CTR-000675, SRG-APP-000292-CTR-000680, SRG-APP-000293-CTR-000685, SRG-APP-000294-CTR-000690, SRG-APP-000319-CTR-000745, SRG-APP-000320-CTR-000750, SRG-APP-000509-CTR-001305, R73, 0582, 10.2.1.5, 10.2.1, 10.2
Description	If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /etc/sudoers -p wa -k actions If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules`: -w /etc/sudoers -p wa -k actions If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /etc/sudoers.d/ -p wa -k actions If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules`: -w /etc/sudoers.d/ -p wa -k actions
Rationale	The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes.

Record Events that Modify User/Group Information - /etc/group

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_usergroup_modification_group:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94602-0 References: 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.2.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275, R73, 0582, 10.2.1.5, 10.2.1, 10.2
Description	If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /etc/group -p wa -k audit_rules_usergroup_modification If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules`: -w /etc/group -p wa -k audit_rules_usergroup_modification
Rationale	In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

Record Events that Modify User/Group Information - /etc/security/opasswd

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_usergroup_modification_opasswd:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94604-6 References: 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.2.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000503-CTR-001275, R73, 0582, 10.2.1.5, 10.2.1, 10.2
Description	If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules`: -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
Rationale	In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

Record Events that Modify User/Group Information - /etc/passwd

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_usergroup_modification_passwd:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94601-2 References: 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.2.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275, R73, 0582, 10.2.1.5, 10.2.1, 10.2
Description	If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /etc/passwd -p wa -k audit_rules_usergroup_modification If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules`: -w /etc/passwd -p wa -k audit_rules_usergroup_modification
Rationale	In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

Record Events that Modify User/Group Information - /etc/shadow

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_usergroup_modification_shadow:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94603-8 References: 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.2.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275, R73, 0582, 10.2.1.5, 10.2.1, 10.2
Description	If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /etc/shadow -p wa -k audit_rules_usergroup_modification If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules`: -w /etc/shadow -p wa -k audit_rules_usergroup_modification
Rationale	In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

Configure a Sufficiently Large Partition for Audit Logs

Rule ID	xccdf_org.ssgproject.content_rule_auditd_audispd_configure_sufficiently_large_partition
Result	notchecked
Multi-check rule	no
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94706-9 References: SRG-OS-000341-GPOS-00132, SRG-OS-000342-GPOS-00133
Description	The SUSE Linux Enterprise Micro 6 operating system must allocate audit record storage capacity to store at least one weeks worth of audit records when audit records are not immediately sent to a central audit record storage facility. The partition size needed to capture a week's worth of audit records is based on the activity level of the system and the total storage capacity available. In normal circumstances, 10.0 GB of storage space for audit records will be sufficient. Determine which partition the audit records are being written to with the following command: $ sudo grep log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Check the size of the partition that audit records are written to with the following command: $ sudo df -h /var/log/audit/ /dev/sda2 24G 10.4G 13.6G 43% /var/log/audit
Rationale	Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
Evaluation messages info No candidate or applicable check found.

Configure auditd Disk Full Action when Disk Space Is Full

Rule ID	xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-auditd_data_disk_full_action:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94657-4 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, SRG-OS-000047-GPOS-00023
Description	The `auditd` service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file `/etc/audit/auditd.conf`. Add or modify the following line, substituting ACTION appropriately: disk_full_action = ACTION Set this value to `single` to cause the system to switch to single-user mode for corrective action. Acceptable values also include `syslog`, `exec`, `single`, and `halt` For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the `auditd.conf` man page.
Rationale	Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.

Configure auditd mail_acct Action on Low Disk Space

Rule ID	xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-auditd_data_retention_action_mail_acct:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94655-8 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, CIP-003-8 R1.3, CIP-003-8 R3, CIP-003-8 R3.1, CIP-003-8 R3.2, CIP-003-8 R3.3, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-5(1), AU-5(a), AU-5(2), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7.a, SRG-OS-000046-GPOS-00022, SRG-OS-000343-GPOS-00134
Description	The `auditd` service can be configured to send email to a designated account in certain situations. Add or correct the following line in `/etc/audit/auditd.conf` to ensure that administrators are notified via email for those situations: action_mail_acct = root
Rationale	Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.

Configure auditd space_left Action on Low Disk Space

Rule ID	xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-auditd_data_retention_space_left_action:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94711-9 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, SRG-OS-000343-GPOS-00134, 10.5.1, 10.5
Description	The `auditd` service can be configured to take an action when disk space starts to run low. Edit the file `/etc/audit/auditd.conf`. Modify the following line, substituting ACTION appropriately: space_left_action = ACTION Possible values for ACTION are described in the `auditd.conf` man page. These include: `syslog` `email` `exec` `suspend` `single` `halt` Set this to `email` (instead of the default, which is `suspend`) as it is more likely to get prompt attention. Acceptable values also include `suspend`, `single`, and `halt`.
Rationale	Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.

Configure auditd space_left on Low Disk Space

Rule ID	xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_percentage
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-auditd_data_retention_space_left_percentage:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94710-1 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, SRG-OS-000343-GPOS-00134
Description	The `auditd` service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file `/etc/audit/auditd.conf`. Add or modify the following line, substituting PERCENTAGE appropriately: space_left = PERCENTAGE% Set this value to at least 25 to cause the system to notify the user of an issue.
Rationale	Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.

Ensure the audit Subsystem is Installed

Rule ID	xccdf_org.ssgproject.content_rule_package_audit_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_audit_installed:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94705-1 References: 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, R33, R73, 0582, 0846, 10.2.1, 10.2
Description	The audit package should be installed.
Rationale	The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.

Enable auditd Service

Rule ID	xccdf_org.ssgproject.content_rule_service_auditd_enabled
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-service_auditd_enabled:def:1
Time	2026-04-19T11:29:47+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-94631-9 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-APP-000095-CTR-000170, SRG-APP-000409-CTR-000990, SRG-APP-000508-CTR-001300, SRG-APP-000510-CTR-001310, R33, R73, 1409, 10.2.1, 10.2
Description	The `auditd` service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The `auditd` service can be enabled with the following command: $ sudo systemctl enable auditd.service
Rationale	Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the `auditd` service is active ensures audit records generated by the kernel are appropriately recorded. Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.

Scroll back to the first rule

Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.