Documentation to Support DISA OS SRG Mapping These groups exist to document how the Red Hat Enterprise Linux product meets (or does not meet) requirements listed in the DISA OS SRG, for those cases where Groups or Rules elsewhere in scap-security-guide do not clearly relate. Product Meets this Requirement Red Hat Enterprise Linux meets this requirement through design and implementation. RHEL9 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. This requirement is a permanent not a finding. No fix is required. Product Meets this Requirement The Red Hat Enterprise Linux audit system meets this requirement through design and implementation. The RHEL9 auditing system supports this requirement and cannot be configured to be out of compliance. Every audit record in RHEL includes a timestamp, the operation attempted, success or failure of the operation, the subject involved (executable/process), the object involved (file/path), and security labels for the subject and object. It also includes the ability to label events with custom key labels. The auditing system centralizes the recording of audit events for the entire system and includes reduction (ausearch), reporting (aureport), and real-time response (audispd) facilities. This is a permanent not a finding. This requirement is a permanent not a finding. No fix is required. Product Meets this Requirement Red Hat Enterprise Linux meets this requirement through design and implementation. RHEL9 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. This requirement is a permanent not a finding. No fix is required. Guidance Does Not Meet this Requirement Due to Impracticality or Scope The guidance does not meet this requirement. The requirement is impractical or out of scope. RHEL9 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. This requirement is NA. No fix is required. Implementation of the Requirement is Not Supported RHEL9 does not support this requirement. This is a permanent finding. This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented but this finding cannot be considered fixed. Guidance Does Not Meet this Requirement Due to Impracticality or Scope The guidance does not meet this requirement. The requirement is impractical or out of scope. RHEL9 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. This requirement is NA. No fix is required. A process for prompt installation of OS updates must exist. This is a manual inquiry about update procedure. Ask an administrator if a process exists to promptly and automatically apply OS software updates. If such a process does not exist, this is a finding.

If the OS update process limits automatic updates of software packages, where such updates would impede normal system operation, to scheduled maintenance windows, but still within IAVM-dictated timeframes, this is not a finding. Procedures to promptly apply software updates must be established and executed. The Red Hat operating system provides support for automating such a process, by running the yum program through a cron job or by managing the system and its packages through the Red Hat Network or a Satellite Server.