OpenControls Logo

STIG Viewer

RHEL 9 must be configured so that the cryptographic hashes of system files match vendor values.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-257823RHEL-09-214030SV-257823r1051231_ruleCCI-000366medium
Description
The hashes of important files such as system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.
STIGDate
Red Hat Enterprise Linux 9 Security Technical Implementation Guide2025-05-14

Related Frameworks

4 paths across 3 frameworks
NIST 800-531 mapping
CM-6
1.00
  • DISA · 2 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.4.1
1.00
  • DISA · 2 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.4.2
1.00
  • DISA · 2 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000366
1.00
  • DISA · 2 · disa_xccdf · related

Details

Check Text (C-257823r1051231_chk)

Verify that RHEL 9 is configured so that the cryptographic hashes of system files match vendor values. List files on the system that have file hashes different from what is expected by the RPM database with the following command: $ sudo rpm -Va --noconfig | awk '$1 ~ /..5/ && $2 != "c"' If there is output, this is a finding.

Fix Text (F-61488r1051230_fix)

Configure RHEL 9 so that the cryptographic hashes of system files match vendor values. Given output from the check command, identify the package that provides the output and reinstall it. The following trimmed example output shows a package that has failed verification, been identified, and been reinstalled: $ sudo rpm -Va --noconfig | awk '$1 ~ /..5/ && $2 != "c"' S.5....T. /usr/bin/znew $ sudo dnf provides /usr/bin/znew [...] gzip-1.10-8.el9.x86_64 : The GNU data compression program [...] $ sudo dnf -y reinstall gzip [...] $ sudo rpm -Va --noconfig | awk '$1 ~ /..5/ && $2 != "c"' [no output]