RHEL 9 V2R5 Changes

It's that time again! These are my notes from examining a diff between V2R4 and V2R5. I always write one of these summaries when I get my hands on the new release of the STIG so I know where to spend my time when updating automation content like Ansible Playbooks, Anaconda kickstart files, etc. Unfortunately, there is more fluff than there is substance in this release, and it is riddled with errors. I get the feeling that people rotate in and out of whatever office actually writes the content, and things like consulting the man pages for various features happen as an afterthought, if at all.

Added Rules

  • RHEL-09-654096 - New rule to audit any script or executable called by cron as root or any priv user. (Two audit.rules entries for /etc/cron.d/ and /var/spool/cron/)

Removed Rules

  • RHEL-09-255055 - RHEL 9 SSH daemon must be configured to use system-wide crypto policies
  • RHEL-09-255060 - RHEL 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH connections
  • RHEL-09-653115 - RHEL 9 /etc/audit/auditd.conf file must have 0640 or less permissive to prevent unauthorized access
  • RHEL-09-672025 - RHEL 9 must {blah blah blah krb5.config FIPS crypto}

Rule ID Changes Only

  • RHEL-09-212010
  • RHEL-09-212020
  • RHEL-09-231140
  • RHEL-09-232103
  • RHEL-09-232104
  • RHEL-09-232245
  • RHEL-09-411040
  • RHEL-09-412035
  • RHEL-09-611195

Rule ID and Check Changes

  • RHEL-09-215060 - Adds sudo to check
  • RHEL-09-232180 - Updates sample check output to show results for /var/log/messages instead of /var/log
  • RHEL-09-232175 - Updates sample check output to show results for /var/log/messages instead of /var/log
  • RHEL-09-251035 - Filters previous firewall-cmd output with grep
  • RHEL-09-252065 - Adds N/A caveat where libreswan is no longer required to be installed if there is no operational need for it
  • RHEL-09-255025 - Updates banner checking in sshd
  • RHEL-09-432025 - Check switches to egrep (why?) and capitalizes the R in the grep syntax
  • RHEL-09-432030 - More greppery
  • RHEL-09-611085 - Even more greppery (man grep... man grep!)
  • RHEL-09-611160 - Changes check command for cac driver check (typo correction?)
  • RHEL-09-651025 - Updates path from /usr/bin/au to /usr/sbin/au
  • RHEL-09-653090 - Changes how to find the audit logs (spoiler, the previous method was probably more reliable)
  • RHEL-09-653120 - Changes grep to just key on audit_backlog_limit to catch cases where it might be set too low
  • RHEL-09-654220 - Changes check output to reflect the /etc/sudoers.d/ folder and changes the audit key from actions to identity
  • RHEL-09-672020 - Removes errant && echo PASS and updates the language regarding the use of crypto subpolicies (presumably AD-SUPPORT and NO-ENFORCE-EMS)
  • RHEL-09-215015 - Updates check and fix command output, adds language regarding operational need for FTP
  • RHEL-09-651010 - Updates check for determining the aide.conf in use by the system

Audit.rules Check Text Changes That Introduce Errors

These changes create conflicts between the check text and the fix text, and the original syntax was the correct method according to the man page for audit.rules. In particular, the check text changes the -F accompanying the arch=b32/64 entries to -S, which is reserved for the syscall being audited. DISA didn't change every entry, but they did change a bunch of them. In each case the introduced syntax is wrong and conflicts with the accompanying fix text, and the man page for audit.rules covers exactly this.

  • RHEL-09-654010 - execve
  • RHEL-09-654015 - chmod, fchmod, and fchmodat
  • RHEL-09-654020 - chown, fchown, fchownat, and lchown
  • RHEL-09-654025 - setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr
  • RHEL-09-654065 - rename, unlink, rmdir, renameat, and unlinkat
  • RHEL-09-654070 - truncate, ftruncate, creat, open, openat, and open_by_handle_at
  • RHEL-09-654075 - delete_module
  • RHEL-09-654080 - init_module and finit_module
  • RHEL-09-654205 - umount
  • RHEL-09-654210 - umount2
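Because the check text and fix text now disagree, it is worth having something mechanical that catches the -S/-F mix-up before it lands in a playbook. The script below is an added example (my own, not DISA's and not part of the audit project) that parses the subset of the audit.rules(7) grammar the rules above use (-a, -S, -F, -C, -k), flags any field comparison such as arch=b64 that has been hung under -S, and diffs a check-text rule against a fix-text rule. The two sample lines are constructed to mirror the pattern described above, not quoted from the STIG.

```python
"""Lint audit.rules lines and compare a STIG check-text rule with its fix-text rule.

Added example, not code from the blog post, DISA, or the audit project. It
covers the subset of the audit.rules(7) grammar the rules above use:
  -a action,list   -S syscall[,syscall...]   -F field<op>value
  -C field<op>field   -k key
A comparison such as arch=b64 is a field test and belongs under -F; -S only
takes syscall names, numbers or 'all'. Watch rules (-w/-p) are out of scope.
"""
import re
import shlex
from dataclasses import dataclass, field

# Comparison operators audit.rules(7) accepts in a field test.
_FIELD_RE = re.compile(r"^[a-z0-9_]+(=|!=|<=|>=|<|>|&=|&)\S+$")


@dataclass
class AuditRule:
    action: str = ""
    lst: str = ""
    syscalls: set = field(default_factory=set)
    fields: set = field(default_factory=set)  # -F and -C tests, kept as written
    key: str = ""
    errors: list = field(default_factory=list)


def parse_rule(line: str) -> AuditRule:
    """Parse one rule line; syntax problems land in rule.errors instead of raising."""
    rule = AuditRule()
    toks = shlex.split(line)
    for i in range(0, len(toks), 2):
        opt = toks[i]
        if i + 1 >= len(toks):
            rule.errors.append(f"{opt}: missing argument")
            break
        val = toks[i + 1]
        if opt == "-a":
            rule.action, _, rule.lst = val.partition(",")
        elif opt == "-S":
            for sc in val.split(","):
                if _FIELD_RE.match(sc):
                    # The V2R5 check-text mistake: '-S arch=b64' instead of '-F arch=b64'.
                    rule.errors.append(f"-S {sc}: '{sc}' is a field test; use -F {sc}")
                else:
                    rule.syscalls.add(sc)
        elif opt in ("-F", "-C"):
            if _FIELD_RE.match(val):
                rule.fields.add(f"{opt} {val}")
            else:
                rule.errors.append(f"{opt} {val}: expected field<op>value")
        elif opt == "-k":
            rule.key = val
        else:
            rule.errors.append(f"{opt}: option not handled by this linter")
    return rule


def rule_conflicts(check_line: str, fix_line: str) -> list:
    """Return human-readable differences between a check-text and a fix-text rule."""
    c, f = parse_rule(check_line), parse_rule(fix_line)
    out = [f"check: {e}" for e in c.errors] + [f"fix: {e}" for e in f.errors]
    if c.syscalls != f.syscalls:
        out.append(f"syscalls differ: check={sorted(c.syscalls)} fix={sorted(f.syscalls)}")
    if c.fields != f.fields:
        out.append(f"field tests differ: check={sorted(c.fields)} fix={sorted(f.fields)}")
    if (c.action, c.lst, c.key) != (f.action, f.lst, f.key):
        out.append("action/list/key differ")
    return out


# Constructed sample: the fix text keeps -F arch=b64, the check text carries the -S typo.
FIX_LINE = "-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod"
CHECK_LINE = "-a always,exit -S arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod"

if __name__ == "__main__":
    for problem in rule_conflicts(CHECK_LINE, FIX_LINE):
        print(problem)
```

Run it against the rule lines you paste out of the check and fix text for each of the IDs above; a clean pair returns an empty list, and the V2R5 pairs return both the -S complaint and the missing arch field test.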

Fix Text Changes

  • RHEL-09-231115 - Adds an alternative fix pathway if the SA is not using /etc/fstab to manage this mount point. For most folks, doing it the /etc/fstab way is more direct and easier to understand at a glance
  • RHEL-09-232020 - Changes the check command and offers a bulk fix command for remediating many non-compliant files
  • RHEL-09-232200 - Changes the check command and offers a bulk fix command for remediating many non-compliant files
  • RHEL-09-232205 - Changes the check command and offers a bulk fix command for remediating many non-compliant files
  • RHEL-09-652010 - Corrects rsyslogd package name to rsyslog
  • RHEL-09-215105 - Adds language regarding crypto sub-policies (calling out AD-SUPPORT specifically) and adds instructions for creating and applying a STIG policy submodule
  • RHEL-09-251020 - Updates the check output and changes an interface name in the fix example
  • RHEL-09-611200 - Adds language for finding modifications to rescue.service, prescribes a systemd drop-in config for the unit file
  • RHEL-09-652055 - Changes to hyphenation and check output, fix text removes errant quotation mark
  • RHEL-09-653035 - Allows for ISSM/ISSO discretion at specifying stricter free space thresholds

Fix Changes Involving sysctl Configurations

These items add an explanation straight out of the man pages for how sysctl config files work, then add that if any conflicts are found it is a finding, which directly conflicts with the "this is how it works" explanation earlier in the document. Spoiler alert: Files in /etc/sysctl.d/ take precedence, so make your changes there instead of modifying anything out in /lib or anywhere else where you might open a CAT II from RHEL-09-214030.

It doesn't help that the man page shipped with RHEL is not the full documentation you can find online from places like man7.org. Specifically, these paragraphs would be helpful:

   Packages should install their configuration files in /usr/lib/
   (distribution packages) or /usr/local/lib/ (local installs) [1].
   Files in /etc/ are reserved for the local administrator, who may
   use this logic to override the configuration files installed by
   vendor packages.

   It is recommended to prefix all filenames with a two-digit number
   and a dash to simplify the ordering. It is recommended to use the
   range 10-40 for configuration files in /usr/ and the range 60-90
   for configuration files in /etc/ and /run/, to make sure that
   local and transient configuration files will always take priority
   over configuration files shipped by the OS vendor.

   If the administrator wants to disable a configuration file
   supplied by the vendor, the recommended way is to place a symlink
   to /dev/null in the configuration directory in /etc/, with the
   same filename as the vendor configuration file. If the vendor
   configuration file is included in the initrd image, the image has
   to be regenerated.

Here are the changed items and the prescribed values.

  • RHEL-09-213010 - kernel.dmesg_restrict = 1
  • RHEL-09-213015 - kernel.perf_event_paranoid = 2
  • RHEL-09-213020 - kernel.kexec_load_disabled = 1
  • RHEL-09-213025 - kernel.kptr_restrict = 1
  • RHEL-09-213030 - fs.protected_hardlinks = 1
  • RHEL-09-213035 - fs.protected_symlinks = 1
  • RHEL-09-213040 - kernel.core_pattern = |/bin/false
  • RHEL-09-213070 - kernel.randomize_va_space = 2
  • RHEL-09-213075 - kernel.unprivileged_bpf_disabled = 1
  • RHEL-09-213080 - kernel.yama.ptrace_scope = 1
  • RHEL-09-213105 - user.max_user_namespaces = 0 (Document exceptions for situations like container hosts with your ISSM/ISSO)
  • RHEL-09-251045 - net.core.bpf_jit_harden = 2
  • RHEL-09-253010 - net.ipv4.tcp_syncookies = 1
  • RHEL-09-253015 - net.ipv4.conf.all.accept_redirects = 0
  • RHEL-09-253020 - net.ipv4.conf.all.accept_source_route = 0
  • RHEL-09-253025 - net.ipv4.conf.all.log_martians = 1
  • RHEL-09-253030 - net.ipv4.conf.default.log_martians = 1
  • RHEL-09-253035 - net.ipv4.conf.all.rp_filter = 1
  • RHEL-09-253040 - net.ipv4.conf.default.accept_redirects = 0
  • RHEL-09-253045 - net.ipv4.conf.default.accept_source_route = 0
  • RHEL-09-253050 - net.ipv4.conf.default.rp_filter = 1
  • RHEL-09-253055 - net.ipv4.icmp_echo_ignore_broadcasts = 1
  • RHEL-09-253060 - net.ipv4.icmp_ignore_bogus_error_responses = 1
  • RHEL-09-253065 - net.ipv4.conf.all.send_redirects = 0
  • RHEL-09-253075 - net.ipv4.conf.all.forwarding = 0
  • RHEL-09-254010 - net.ipv6.conf.all.accept_ra = 0
  • RHEL-09-254015 - net.ipv6.conf.all.accept_redirects = 0
  • RHEL-09-254020 - net.ipv6.conf.all.accept_source_route = 0
  • RHEL-09-254025 - net.ipv6.conf.all.forwarding = 0
  • RHEL-09-254030 - net.ipv6.conf.default.accept_ra = 0
  • RHEL-09-254035 - net.ipv6.conf.default.accept_redirects = 0
  • RHEL-09-254040 - net.ipv6.conf.default.accept_source_route = 0
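To see what "conflicts" actually means under the precedence rules quoted above, here is an added example (mine, not DISA's and not how systemd-sysctl is implemented) that models the sysctl.d(5) logic over a constructed in-memory file tree and then checks the effective values against the V2R5 list. It goes a step past the "/etc wins" summary: a file in /etc only masks a vendor file with the same basename, and otherwise the lexicographically latest basename wins, so a STIG drop-in named 10-stig.conf loses to a site file named 60-site.conf even though both live in /etc/sysctl.d/. Directory names, the sample files, and the STIG_VALUES subset are my assumptions.

```python
"""Model the sysctl.d(5) precedence rules and check the result against V2R5.

Added example, not the blog post's code and not the systemd-sysctl
implementation; it follows the documented rules:
  * directories are searched in the order /etc, /run, /usr/local/lib, /usr/lib
    and a file masks any later-directory file with the same basename;
  * a symlink to /dev/null masks the vendor file without replacing it;
  * surviving files are applied in lexicographic order of basename, so a
    later file's value for a key wins.
The tree is a constructed dict (path -> contents, None meaning a symlink to
/dev/null); read real files into the same shape to run it on a host.
"""
import os

SEARCH_ORDER = ("/etc/sysctl.d", "/run/sysctl.d", "/usr/local/lib/sysctl.d", "/usr/lib/sysctl.d")

# Subset of the V2R5 values from the list above (IDs are the STIG's).
STIG_VALUES = {
    "kernel.dmesg_restrict": "1",               # RHEL-09-213010
    "kernel.kptr_restrict": "1",                # RHEL-09-213025
    "kernel.randomize_va_space": "2",           # RHEL-09-213070
    "kernel.yama.ptrace_scope": "1",            # RHEL-09-213080
    "net.ipv4.conf.all.accept_redirects": "0",  # RHEL-09-253015
    "net.ipv4.conf.all.forwarding": "0",        # RHEL-09-253075
    "net.ipv6.conf.all.accept_ra": "0",         # RHEL-09-254010
}


def parse_sysctl_conf(text):
    """Yield (key, value) from sysctl.conf syntax: '#'/';' comments skipped,
    'a/b/c' keys normalised to 'a.b.c', a leading '-' (ignore-errors flag) dropped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        yield key.lstrip("-").replace("/", "."), value


def select_files(tree):
    """Apply directory precedence and /dev/null masking; return the surviving
    (basename, path) pairs in the order they would be applied."""
    chosen = {}
    for directory in SEARCH_ORDER:
        for path in tree:
            if os.path.dirname(path) == directory and path.endswith(".conf"):
                chosen.setdefault(os.path.basename(path), path)  # earlier directory wins
    # A /dev/null symlink (None) claims the basename but contributes no settings.
    return [(name, chosen[name]) for name in sorted(chosen) if tree[chosen[name]] is not None]


def effective_settings(tree):
    """Return (effective {key: value}, history {key: [(path, value), ...]})."""
    effective, history = {}, {}
    for _, path in select_files(tree):
        for key, value in parse_sysctl_conf(tree[path]):
            effective[key] = value
            history.setdefault(key, []).append((path, value))
    return effective, history


def conflicts(history):
    """Keys set by more than one surviving file; the last entry is the winner."""
    return {k: v for k, v in history.items() if len(v) > 1}


def stig_findings(effective):
    """Keys whose effective value is missing or differs from the V2R5 value."""
    return {k: effective.get(k) for k, want in STIG_VALUES.items() if effective.get(k) != want}


# Constructed tree: a vendor default, a vendor debug file masked from /etc,
# a site drop-in that loosens ptrace_scope, and a STIG drop-in sorting last.
SAMPLE_TREE = {
    "/usr/lib/sysctl.d/50-default.conf": "net.ipv4.conf.all.accept_redirects = 1\nkernel.kptr_restrict = 0\n",
    "/usr/lib/sysctl.d/10-vendor-debug.conf": "kernel.dmesg_restrict = 0\n",
    "/etc/sysctl.d/10-vendor-debug.conf": None,  # symlink to /dev/null, masks the vendor file
    "/etc/sysctl.d/60-site.conf": "kernel.yama.ptrace_scope = 0\n",
    "/etc/sysctl.d/99-stig.conf": "\n".join(f"{k} = {v}" for k, v in STIG_VALUES.items()) + "\n",
}

if __name__ == "__main__":
    eff, hist = effective_settings(SAMPLE_TREE)
    print("findings with 99-stig.conf:", stig_findings(eff))
    for key, trail in conflicts(hist).items():
        print(f"{key}: overridden {len(trail) - 1}x, winner {trail[-1][0]}")
    renamed = dict(SAMPLE_TREE)
    renamed["/etc/sysctl.d/10-stig.conf"] = renamed.pop("/etc/sysctl.d/99-stig.conf")
    print("findings with 10-stig.conf:", stig_findings(effective_settings(renamed)[0]))
```

The conflict report is what a reviewer arguing with the "any conflict is a finding" language needs: every overridden key is listed with the file that won, so you can show that the STIG drop-in is the last word rather than editing vendor files under /usr/lib.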