From a0ab66c2dae999d56c6ffd881f07de6caebbf075 Mon Sep 17 00:00:00 2001
From: Shawn Wells
Date: Mon, 23 Dec 2013 08:59:58 -0500
Subject: [PATCH 25/25] Reset all RHEL7 CCEs

- All RHEL7 XCCDF checks will require new CCEs. Temporarily setting to RHEL7-CCE-TBD
Signed-off-by: Shawn Wells --- :100644 100644 f462149... ef3ef4d... M RHEL/7/input/services/avahi.xml :100644 100644 489a4a2... 4f2c05a... M RHEL/7/input/services/base.xml :100644 100644 983d9ed... e300a7f... M RHEL/7/input/services/cron.xml :100644 100644 38d9770... 93472ec... M RHEL/7/input/services/dhcp.xml :100644 100644 cee3ee1... 8b054fd... M RHEL/7/input/services/dns.xml :100644 100644 ef3ad28... e4f76d4... M RHEL/7/input/services/ftp.xml :100644 100644 c6861c0... 7799dd8... M RHEL/7/input/services/http.xml :100644 100644 7ef54fe... a12b28c... M RHEL/7/input/services/imap.xml :100644 100644 e70720b... 63cc97b... M RHEL/7/input/services/ldap.xml :100644 100644 9f4864f... a2e505d... M RHEL/7/input/services/mail.xml :100644 100644 4df7064... ae886ee... M RHEL/7/input/services/nfs.xml :100644 100644 d5d0c3b... 2e8fe99... M RHEL/7/input/services/ntp.xml :100644 100644 1792120... 84ced10... M RHEL/7/input/services/obsolete.xml :100644 100644 06a3521... 0b0b3a8... M RHEL/7/input/services/printing.xml :100644 100644 b6a2a6f... 2e6f8a0... M RHEL/7/input/services/smb.xml :100644 100644 0e4f8b3... d3022f9... M RHEL/7/input/services/snmp.xml :100644 100644 388c0e9... f7e8b21... M RHEL/7/input/services/squid.xml :100644 100644 69b3f12... c25b6e9... M RHEL/7/input/services/ssh.xml :100644 100644 c2dbbe1... aeae0d6... M RHEL/7/input/services/xorg.xml :100644 100644 0b8dc83... 1988a7e... M RHEL/7/input/system/accounts/banners.xml :100644 100644 9d8155c... 9d430dc... M RHEL/7/input/system/accounts/pam.xml :100644 100644 21b2193... ba66252... M RHEL/7/input/system/accounts/physical.xml :100644 100644 58e9191... 9a1569b... M RHEL/7/input/system/accounts/restrictions/account_expiration.xml :100644 100644 ce8a082... 6608693... M RHEL/7/input/system/accounts/restrictions/password_expiration.xml :100644 100644 9720505... 2d6a7fe... M RHEL/7/input/system/accounts/restrictions/password_storage.xml :100644 100644 119931b... bf51397... 
M RHEL/7/input/system/accounts/restrictions/root_logins.xml :100644 100644 c4f4f56... 79c4ada... M RHEL/7/input/system/accounts/session.xml :100644 100644 2777db1... 355c7ef... M RHEL/7/input/system/auditing.xml :100644 100644 0e4dec9... c41b6ac... M RHEL/7/input/system/logging.xml :100644 100644 e4fffc3... b05ed1a... M RHEL/7/input/system/network/ipsec.xml :100644 100644 bf31193... 701229d... M RHEL/7/input/system/network/iptables.xml :100644 100644 22f496e... 4b352d3... M RHEL/7/input/system/network/ipv6.xml :100644 100644 5dd0275... 3c8b75f... M RHEL/7/input/system/network/kernel.xml :100644 100644 aab0382... 4811674... M RHEL/7/input/system/network/network.xml :100644 100644 da41c4d... a8266f6... M RHEL/7/input/system/network/uncommon.xml :100644 100644 209b65c... 19b84be... M RHEL/7/input/system/network/wireless.xml :100644 100644 7e9043b... f1c5198... M RHEL/7/input/system/permissions/execution.xml :100644 100644 9db278b... 4464cf7... M RHEL/7/input/system/permissions/files.xml :100644 100644 038aab5... 2956944... M RHEL/7/input/system/permissions/mounting.xml :100644 100644 f74423b... 132b3b1... M RHEL/7/input/system/permissions/partitions.xml :100644 100644 3b6b338... d9948e7... M RHEL/7/input/system/selinux.xml :100644 100644 54b45ae... 8f92ae1... M RHEL/7/input/system/software/disk_partitioning.xml :100644 100644 3d28c78... a2a6921... M RHEL/7/input/system/software/integrity.xml :100644 100644 aef22ec... 0abb3c9... 
M RHEL/7/input/system/software/updating.xml RHEL/7/input/services/avahi.xml | 12 ++-- RHEL/7/input/services/base.xml | 48 ++++++------- RHEL/7/input/services/cron.xml | 6 +- RHEL/7/input/services/dhcp.xml | 30 ++++---- RHEL/7/input/services/dns.xml | 10 +-- RHEL/7/input/services/ftp.xml | 16 ++--- RHEL/7/input/services/http.xml | 50 ++++++------- RHEL/7/input/services/imap.xml | 12 ++-- RHEL/7/input/services/ldap.xml | 6 +- RHEL/7/input/services/mail.xml | 8 +-- RHEL/7/input/services/nfs.xml | 32 ++++----- RHEL/7/input/services/ntp.xml | 6 +- RHEL/7/input/services/obsolete.xml | 28 ++++---- RHEL/7/input/services/printing.xml | 6 +- RHEL/7/input/services/smb.xml | 8 +-- RHEL/7/input/services/snmp.xml | 8 +-- RHEL/7/input/services/squid.xml | 4 +- RHEL/7/input/services/ssh.xml | 28 ++++---- RHEL/7/input/services/xorg.xml | 4 +- RHEL/7/input/system/accounts/banners.xml | 8 +-- RHEL/7/input/system/accounts/pam.xml | 30 ++++---- RHEL/7/input/system/accounts/physical.xml | 26 +++---- .../accounts/restrictions/account_expiration.xml | 6 +- .../accounts/restrictions/password_expiration.xml | 8 +-- .../accounts/restrictions/password_storage.xml | 8 +-- .../system/accounts/restrictions/root_logins.xml | 14 ++-- RHEL/7/input/system/accounts/session.xml | 16 ++--- RHEL/7/input/system/auditing.xml | 82 +++++++++++----------- RHEL/7/input/system/logging.xml | 26 +++---- RHEL/7/input/system/network/ipsec.xml | 2 +- RHEL/7/input/system/network/iptables.xml | 10 +-- RHEL/7/input/system/network/ipv6.xml | 16 ++--- RHEL/7/input/system/network/kernel.xml | 30 ++++---- RHEL/7/input/system/network/network.xml | 4 +- RHEL/7/input/system/network/uncommon.xml | 8 +-- RHEL/7/input/system/network/wireless.xml | 8 +-- RHEL/7/input/system/permissions/execution.xml | 16 ++--- RHEL/7/input/system/permissions/files.xml | 46 ++++++------ RHEL/7/input/system/permissions/mounting.xml | 28 ++++---- RHEL/7/input/system/permissions/partitions.xml | 22 +++--- RHEL/7/input/system/selinux.xml | 12 ++-- 
RHEL/7/input/system/software/disk_partitioning.xml | 12 ++-- RHEL/7/input/system/software/integrity.xml | 16 ++--- RHEL/7/input/system/software/updating.xml | 8 +-- 44 files changed, 392 insertions(+), 392 deletions(-) diff --git a/RHEL/7/input/services/avahi.xml b/RHEL/7/input/services/avahi.xml index f462149..ef3ef4d 100644 --- a/RHEL/7/input/services/avahi.xml +++ b/RHEL/7/input/services/avahi.xml @@ -26,7 +26,7 @@ port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted. - + @@ -53,7 +53,7 @@ Similarly, if you are using only IPv6, disable IPv4 sockets with the line:
use-ipv4=no
- + @@ -73,7 +73,7 @@ the local network at all, this option provides another check to ensure they are not permitted. - + @@ -87,7 +87,7 @@ and ensure the following line appears in the [server] section: This helps ensure that only Avahi is responsible for mDNS traffic coming from that port on the system. - + @@ -103,7 +103,7 @@ This helps ensure that only Avahi is responsible for mDNS traffic coming from that port on the system. - + @@ -132,7 +132,7 @@ disable-publishing. Alternatively, these can be used to restrict the types of published information in the event that some information must be published. - + diff --git a/RHEL/7/input/services/base.xml b/RHEL/7/input/services/base.xml index 489a4a2..4f2c05a 100644 --- a/RHEL/7/input/services/base.xml +++ b/RHEL/7/input/services/base.xml @@ -20,7 +20,7 @@ system such as RHTSupport. Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the local machine, as well as sensitive information from within a process's address space or registers. - + @@ -37,7 +37,7 @@ programs. such as laptops or desktops. For other systems, such as servers, it may permit accidental or trivially achievable denial of service situations and disabling it is appropriate. - + @@ -54,7 +54,7 @@ solution to aid in the management of certificates. The services provided by certmonger may be essential for systems fulfilling some roles a PKI infrastructure, but its functionality is not necessary for many other use cases. - + @@ -70,7 +70,7 @@ a system. The cgconfig daemon starts at boot and establishes the predef Unless control groups are used to manage system resources, running the cgconfig service is not necessary. - + @@ -85,7 +85,7 @@ parameters set in the /etc/cgrules.conf configuration file. Unless control groups are used to manage system resources, running the cgred service service is not necessary. - + 
@@ -102,7 +102,7 @@ provides benefit. Traditionally this has included laptops (to enhance battery li but may also apply to server or desktop environments where conserving power is highly desirable or necessary. - + @@ -121,7 +121,7 @@ deals with removable media or devices. that use removable media or devices, but can be disabled for systems that do not require these. - + @@ -136,7 +136,7 @@ multiple processors. In an environment with multiple processors (now common), the irqbalance service provides potential speedups for handling interrupt requests. - + @@ -151,7 +151,7 @@ crash, which can load information from the crashed kernel for analysis. Unless the system is used for kernel development or testing, there is little need to run the kdump service. - + @@ -166,7 +166,7 @@ RAID setups do not use this service. If software RAID monitoring is not required, there is no need to run this service. - + @@ -186,7 +186,7 @@ it could be a target for attack. However, disabling D-Bus is likely to be impractical for any system which needs to provide a graphical login session. - + @@ -203,7 +203,7 @@ serial consoles are impractical. The netconsole service is not necessary unless there is a need to debug kernel panics, which is not common. - + @@ -222,7 +222,7 @@ system time. are rebooted frequently enough that clock drift does not cause problems between reboots. In any event, the functionality of the ntpdate service is now available in the ntpd program and should be considered deprecated. - + @@ -241,7 +241,7 @@ applications. Communication with oddjobd through the system message bus some environments, and can be disabled if it is not needed. Execution of tasks by privileged programs, on behalf of unprivileged ones, has traditionally been a source of privilege escalation security issues. - + 
@@ -258,7 +258,7 @@ required for other services. The portreserve service provides helpful functionality by preventing conflicting usage of ports in the reserved port range, but it can be disabled if not needed. - + @@ -276,7 +276,7 @@ user activity, such as commands issued by users of the system. view into some user activities. However, it should be noted that the auditing system and its audit records provide more authoritative and comprehensive records. - + @@ -296,7 +296,7 @@ package selection is selected during installation. The qpidd service listens for network connections, which increases the attack surface of the system. If the system is not intended to receive AMQP traffic, then the qpidd service is not needed and should be disabled or removed. - + @@ -316,7 +316,7 @@ last accessed. remain enabled. However, if disk quotas are not used or user notification of disk quota violation is not desired then there is no need to run this service. - + @@ -335,7 +335,7 @@ updated with a corresponding default route. By default this daemon is disabled. information configured statically by a system administrator. Workstations or some special-purpose systems often use DHCP (instead of IRDP) to retrieve dynamic network configuration information. - + @@ -354,7 +354,7 @@ RHN server or satellite and managed as such. system security, management by a system outside the enterprise enclave is not desirable for some environments. However, if the system is being managed by RHN or RHN Satellite Server the rhnsd daemon can remain on. - + @@ -373,7 +373,7 @@ additional control over which of their systems are entitled to particular subscriptions. However, for systems that are managed locally or which are not expected to require remote changes to their subscription status, it is unnecessary and can be disabled. - + 
@@ -393,7 +393,7 @@ based authentication. performing authentication in some directory environments, such as those which use Kerberos and LDAP. For others, however, in which only local files may be consulted, it is not necessary and should be disabled. - + @@ -411,7 +411,7 @@ relay an appropriate warning. service due to failing hardware. Nevertheless, if it is not needed or the system's drives are not SMART-capable (such as solid state drives), it can be disabled. - + @@ -430,7 +430,7 @@ at boot time. boot to reset the statistics, which can be retrieved using programs such as sar and sadc. These may provide useful insight into system operation, but unless used this service can be disabled. - + diff --git a/RHEL/7/input/services/cron.xml b/RHEL/7/input/services/cron.xml index 983d9ed..e300a7f 100644 --- a/RHEL/7/input/services/cron.xml +++ b/RHEL/7/input/services/cron.xml @@ -17,7 +17,7 @@ maintenance tasks, such as notifying root of system activity. Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential. - + @@ -36,7 +36,7 @@ that cron jobs are scheduled to run. On systems which do not require th additional functionality, anacron could needlessly increase the possible attack surface for an intruder. - + @@ -56,7 +56,7 @@ out activities outside of a normal login session, which could complicate accountability. Furthermore, the need to schedule tasks with at or batch is not common. - + diff --git a/RHEL/7/input/services/dhcp.xml b/RHEL/7/input/services/dhcp.xml index 38d9770..93472ec 100644 --- a/RHEL/7/input/services/dhcp.xml +++ b/RHEL/7/input/services/dhcp.xml @@ -33,7 +33,7 @@ Unmanaged or unintentionally activated DHCP servers may provide faulty informati to clients, interfering with the operation of a legitimate site DHCP server if there is one. - + 
@@ -50,7 +50,7 @@ the dhcp package can be uninstalled. Removing the DHCP server ensures that it cannot be easily or accidentally reactivated and disrupt network operation. - + @@ -88,7 +88,7 @@ the DHCP server will attempt to act as a Dynamic DNS client. As long as the DNS server itself is correctly configured to reject DDNS attempts, an incorrect ddns-update-style setting on the client is harmless (but should be fixed as a best practice). - + @@ -103,7 +103,7 @@ that it does not consider the lease offered by the server to be valid. By issuing many DHCPDECLINE messages, a malicious client can exhaust the DHCP server's pool of IP addresses, causing the DHCP server to forget old address allocations. - + @@ -118,7 +118,7 @@ support for the bootp protocol by adding or correcting the global option: for this simpler protocol is not needed, it should be disabled to remove attack vectors against the DHCP server. - + @@ -147,13 +147,13 @@ to request much of the above information from the DHCP server. In particular, domain-name, domain-name-servers, and routers are configured via DHCP. These settings are typically necessary for proper network functionality, but are also usually static across machines at a given site. - + @@ -168,7 +168,7 @@ reported by the dhcpd process. By default, dhcpd logs notices to the daemon facility. Sending all daemon messages to a dedicated log file is part of the syslog configuration outlined in the Logging and Auditing section - + @@ -217,7 +217,7 @@ DHCP relies on trusting the local network. If the local network is not trusted, then it should not be used. However, the automatic configuration provided by DHCP is commonly used and the alternative, manual configuration, presents an unacceptable burden in many circumstances. - + 
@@ -275,7 +275,7 @@ protocol is not in use. It is necessary to supersede settings for unused services so that they cannot be set by a hostile DHCP server. If an option is set to an empty string, dhclient will typically not attempt to configure the service. - + diff --git a/RHEL/7/input/services/dns.xml b/RHEL/7/input/services/dns.xml index cee3ee1..8b054fd 100644 --- a/RHEL/7/input/services/dns.xml +++ b/RHEL/7/input/services/dns.xml @@ -26,7 +26,7 @@ nameservers. All network services involve some risk of compromise due to implementation flaws and should be disabled if possible. - + @@ -42,7 +42,7 @@ implementation flaws and should be disabled if possible. If there is no need to make DNS server software available, removing it provides a safeguard against its activation. - + @@ -218,7 +218,7 @@ or if you have only one nameserver, it may be possible to use an external configuration management mechanism to distribute zone updates. In that case, it is not necessary to allow zone transfers within BIND itself, so they should be disabled to avoid the potential for abuse. - + @@ -274,7 +274,7 @@ obtained and inserted into named.conf on the primary and secondary servers, the key files Kdns.example.com .+NNN +MMMMM .key and Kdns.example.com .+NNN +MMMMM .private are no longer needed, and may safely be deleted. - + @@ -294,7 +294,7 @@ updates must be allowed, IP-based ACLs are insufficient protection, since they are easily spoofed. Instead, use TSIG keys (see the previous section for an example), and consider using the update-policy directive to restrict changes to only the precise type of change needed. - + diff --git a/RHEL/7/input/services/ftp.xml b/RHEL/7/input/services/ftp.xml index ef3ad28..e4f76d4 100644 --- a/RHEL/7/input/services/ftp.xml +++ b/RHEL/7/input/services/ftp.xml @@ -28,7 +28,7 @@ of attack, and should be disabled if not needed. Furthermore, the FTP protocol is unencrypted and creates a risk of compromising sensitive information. - + 
@@ -45,7 +45,7 @@ a risk of compromising sensitive information. Removing the vsftpd package decreases the risk of its accidental activation. - + @@ -62,7 +62,7 @@ accidental activation. After RHEL 2.1, Red Hat switched from distributing wu-ftpd with RHEL to distributing vsftpd. For security and for consistency with future Red Hat releases, the use of vsftpd is recommended. - + @@ -99,7 +99,7 @@ If the server_args line is missing or does not include the vsftpd configu the FTP server are logged using the verbose vsftpd log format. The default vsftpd log file is /var/log/vsftpd.log. If verbose logging to vsftpd.log is done, sparse logging of downloads to /var/log/xferlog will not also occur. However, the information about what files were downloaded is included in the information logged to vsftpd.log - + @@ -111,7 +111,7 @@ by default. Add or correct the following configuration options:
banner_file=/etc/issue
This setting will cause the system greeting banner to be used for FTP connections as well. - + @@ -141,7 +141,7 @@ using a secure protocol like SCP/SFTP? If not, edit the vsftpd configuration fil If non-anonymous FTP logins are necessary, follow the guidance in the remainder of this section to secure these logins as much as possible. The use of non-anonymous FTP logins is strongly discouraged. Since SSH clients and servers are widely available, and since SSH provides support for a transfer mode which resembles FTP in user interface, there is no good reason to allow password-based FTP access. - + @@ -176,7 +176,7 @@ as much as possible. common to have a need to allow unauthenticated users to place files on the FTP server. If this must be done, it is necessary to ensure that files cannot be uploaded and downloaded from the same directory. - + @@ -189,7 +189,7 @@ be used to verify that this directory is on its own partition. these users from filling a disk used by other services. - + diff --git a/RHEL/7/input/services/http.xml b/RHEL/7/input/services/http.xml index c6861c0..7799dd8 100644 --- a/RHEL/7/input/services/http.xml +++ b/RHEL/7/input/services/http.xml @@ -34,7 +34,7 @@ and removed from the system. Running web server software provides a network-based avenue of attack, and should be disabled if not needed. - + @@ -51,7 +51,7 @@ of attack, and should be disabled if not needed. If there is no need to make the web server software available, removing it provides a safeguard against its activation. - + @@ -117,7 +117,7 @@ Information disclosed to clients about the configuration of the web server and s to plan an attack on the given system. This information disclosure should be restricted to a minimum. - + 
@@ -133,7 +133,7 @@ Add or correct the following directive in /etc/httpd/conf/httpd.conf: Information disclosed to clients about the configuration of the web server and system could be used to plan an attack on the given system. This information disclosure should be restricted to a minimum. - + @@ -218,7 +218,7 @@ If this functionality is unnecessary, comment out the related module: Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. - + @@ -234,7 +234,7 @@ unnecessary, comment out the related module: Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. - + @@ -250,7 +250,7 @@ If LDAP is to be used, SSL encryption should be used as well. Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. - + @@ -269,7 +269,7 @@ supplied data should be encoded to prevent cross-site scripting vulnerabilities. Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. - + @@ -283,7 +283,7 @@ is likely extraneous. If its functionality is unnecessary, comment out the relat Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. - + @@ -302,7 +302,7 @@ server that is DAV enabled should be protected by access controls. Minimizing the number of loadable modules available to the web server, reduces risk by limiting the capabilities allowed by the web server. - + @@ -320,7 +320,7 @@ configuration. Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. - + 
@@ -337,7 +337,7 @@ an access control list to restrict access to the information. Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. - + @@ -352,7 +352,7 @@ This functionality weakens server security by making site enumeration easier. Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. - + @@ -375,7 +375,7 @@ are a security risk. mod_proxy_balancer enables load balancing, but req Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. - + @@ -394,7 +394,7 @@ If caching is required, it should not be enabled for any limited-access content. Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. - + @@ -418,7 +418,7 @@ CGI scripts to run as a specified user/group instead of as the server's user/gro Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. - + @@ -495,7 +495,7 @@ The httpd root directory should always have the most restrictive config The Web Server's root directory content should be protected from unauthorized access by web clients. - + @@ -519,7 +519,7 @@ Ensure that this policy is adhered to by altering the related section of the con Access to the web server's directory hierarchy could allow access to unauthorized files by web clients. Following symbolic links could also allow such access. - + @@ -534,7 +534,7 @@ should be used to deny access by default, allowing access only where necessary. Directories accessible from a web client should be configured with the least amount of access possible in order to avoid unauthorized access to restricted content or server information. - + 
@@ -559,7 +559,7 @@ are limited to the WebDAV protocol. Minimizing the number of available methods to the web client reduces risk by limiting the capabilities allowed by the web server. - + @@ -597,7 +597,7 @@ Install the mod_ssl module: content is transmitted in plain text which could be passively monitored and accessed by unauthorized parties. - + @@ -626,7 +626,7 @@ Install the security module: enabling the administrator to implement content access policies and filters at the application layer. - + @@ -717,7 +717,7 @@ This is its default setting. Access to the web server's log files may allow an unauthorized user or attacker to access information about the web server or alter the server's log files. - + @@ -733,7 +733,7 @@ Access to the web server's configuration files may allow an unauthorized user or to access information about the web server or alter the server's configuration files. - + @@ -748,7 +748,7 @@ to access information about the web server or to alter the server's configuratio - + diff --git a/RHEL/7/input/services/imap.xml b/RHEL/7/input/services/imap.xml index 7ef54fe..a12b28c 100644 --- a/RHEL/7/input/services/imap.xml +++ b/RHEL/7/input/services/imap.xml @@ -24,7 +24,7 @@ POP3 server, the dovecot software should be disabled and removed. Running an IMAP or POP3 server provides a network-based avenue of attack, and should be disabled if not needed. - + @@ -41,7 +41,7 @@ with the following command: If there is no need to make the Dovecot software available, removing it provides a safeguard against its activation. - + @@ -101,7 +101,7 @@ protecting user credentials, mail as it is downloaded, and clients may use SSL certificates to authenticate the server, preventing another system from impersonating the server. - + @@ -122,7 +122,7 @@ Not using SSL to encrypt mail server traffic could allow unauthorized access to credentials and mail messages since they are sent in plain text over the network. - + 
@@ -143,7 +143,7 @@ Not using SSL to encrypt mail server traffic could allow unauthorized access to credentials and mail messages since they are sent in plain text over the network. - + @@ -158,7 +158,7 @@ or correct the following line: Using plain text authentication to the mail server could allow an attacker access to credentials by monitoring network traffic. - + diff --git a/RHEL/7/input/services/ldap.xml b/RHEL/7/input/services/ldap.xml index e70720b..63cc97b 100644 --- a/RHEL/7/input/services/ldap.xml +++ b/RHEL/7/input/services/ldap.xml @@ -38,7 +38,7 @@ To ensure LDAP is configured to use TLS for all transactions, run the following not specified it will default to no. It should be set to start_tls rather than doing LDAP over SSL. - + @@ -63,7 +63,7 @@ tls_checkpeer is configured (which is the default for openldap versions 2.1 and up). These directives define the path to the trust certificates signed by the site CA. - + @@ -98,7 +98,7 @@ The output should show the following: surface of the system. While this software is clearly essential on an LDAP server, it is not necessary on typical desktop or workstation systems. - + diff --git a/RHEL/7/input/services/mail.xml b/RHEL/7/input/services/mail.xml index 9f4864f..a2e505d 100644 --- a/RHEL/7/input/services/mail.xml +++ b/RHEL/7/input/services/mail.xml @@ -37,7 +37,7 @@ recommended to leave this service enabled for local mail delivery. Local mail delivery is essential to some system maintenance and notification tasks. - + @@ -55,7 +55,7 @@ not installed by default. its design prevents it from being effectively contained by SELinux. Postfix should be used instead. - + @@ -83,7 +83,7 @@ This ensures postfix accepts mail messages (such as cron job reports) from the local system only, and not from the network, which protects it from network attack. - + @@ -161,7 +161,7 @@ variant is supported. - + diff --git a/RHEL/7/input/services/nfs.xml b/RHEL/7/input/services/nfs.xml index 4df7064..ae886ee 100644 
--- a/RHEL/7/input/services/nfs.xml +++ b/RHEL/7/input/services/nfs.xml @@ -36,7 +36,7 @@ server. If the local machine is not configured to mount NFS filesystems then this service should be disabled. - + @@ -49,7 +49,7 @@ client-side of RPCSEC GSS. If the system does not require secure RPC then this service should be disabled. - + @@ -60,7 +60,7 @@ and GID numbers on NFSv4 mounts. If NFS is not in use on the local system then this service should be disabled. - + @@ -81,7 +81,7 @@ system somewhat against accidental or malicious changes to /etc/fstab and against flaws in the netfs script itself. - + @@ -142,7 +142,7 @@ your network. Restrict service to always use a given port, so that firewalling can be done effectively. - + @@ -158,7 +158,7 @@ your network. Restricting services to always use a given port enables firewalling to be done more effectively. - + @@ -172,7 +172,7 @@ Where statd-port is a port which is not used by any other service on yo Restricting services to always use a given port enables firewalling to be done more effectively. - + @@ -186,7 +186,7 @@ Where mountd-port is a port which is not used by any other service on y Restricting services to always use a given port enables firewalling to be done more effectively. - + @@ -213,7 +213,7 @@ anongid=-1 Specifying the anonymous UID and GID as -1 ensures that the remote root user is mapped to a local account which has no permissions on the system. - + @@ -238,7 +238,7 @@ If properly configured, the output should look like:
nfs            	0:off	1:off	2:off	3:off	4:off	5:off	6:off
Unnecessary services should be disabled to decrease the attack surface of the system. - +
@@ -255,7 +255,7 @@ RPC then this service should be disabled. Unnecessary services should be disabled to decrease the attack surface of the system. - + @@ -289,7 +289,7 @@ not implemented. Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users. - + @@ -307,7 +307,7 @@ not implemented. NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem. - + @@ -376,7 +376,7 @@ Ensure that no line in /etc/exports contains the option no_root_squ If the NFS server allows root access to local file systems from remote hosts, this access could be used to compromise the system. - + @@ -392,7 +392,7 @@ To ensure that the default has not been changed, ensure no line in Allowing client requests to be made from ports higher than 1024 could allow a unprivileged user to initiate an NFS connection. If the unprivileged user account has been compromised, an attacker could gain access to data on the NFS server. - + @@ -415,7 +415,7 @@ To verify insecure file locking has been disabled, run the following command: Allowing insecure file locking could allow for sensitive data to be viewed or edited by an unauthorized user. - + diff --git a/RHEL/7/input/services/ntp.xml b/RHEL/7/input/services/ntp.xml index d5d0c3b..2e8fe99 100644 --- a/RHEL/7/input/services/ntp.xml +++ b/RHEL/7/input/services/ntp.xml @@ -46,7 +46,7 @@ logs and auditing possible security breaches. The NTP daemon offers all of the functionality of ntpdate, which is now deprecated. Additional information on this is available at http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate - + @@ -72,7 +72,7 @@ In the file, there should be a section similar to the following: to collate system logs from multiple sources or correlate computer events with real time events. - + 
@@ -91,7 +91,7 @@ accurate time data, in the event that one of the specified servers becomes unavailable. This is typical for a system acting as an NTP server for other systems. - + diff --git a/RHEL/7/input/services/obsolete.xml b/RHEL/7/input/services/obsolete.xml index 1792120..84ced10 100644 --- a/RHEL/7/input/services/obsolete.xml +++ b/RHEL/7/input/services/obsolete.xml @@ -39,7 +39,7 @@ which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself. - + @@ -58,7 +58,7 @@ If network services are using the xinetd service, this is not applicable. Removing the xinetd package decreases the risk of the xinetd service's accidental (or intentional) activation. - + @@ -85,7 +85,7 @@ all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks. - + @@ -101,7 +101,7 @@ the following command: Removing the telnet-server package decreases the risk of the telnet service's accidental (or intentional) activation. - + @@ -126,7 +126,7 @@ network services. Removing it decreases the risk of those services' accidental (or intentional) activation. - + @@ -145,7 +145,7 @@ means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. - + @@ -164,7 +164,7 @@ means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. - + @@ -183,7 +183,7 @@ means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. - + 
@@ -207,7 +207,7 @@ of an Rsh trust relationship. Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system. - + @@ -233,7 +233,7 @@ the following command: Removing the ypserv package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services. - + @@ -250,7 +250,7 @@ a NIS or NIS+ domain, should be disabled. Disabling the ypbind service ensures the system is not acting as a client in a NIS or NIS+ domain. - + @@ -278,7 +278,7 @@ found. Disabling the tftp service ensures the system is not acting as a TFTP server, which does not provide encryption or authentication. - + @@ -296,7 +296,7 @@ as a TFTP server, which does not provide encryption or authentication. Removing the tftp-server package decreases the risk of the accidental (or intentional) activation of tftp services. - + @@ -327,7 +327,7 @@ flag, matching the example below:
 # grep "server_args" /etc/xinetd.d/tftp
 server_args = -s /var/lib/tftpboot
- + diff --git a/RHEL/7/input/services/printing.xml b/RHEL/7/input/services/printing.xml index 06a3521..0b0b3a8 100644 --- a/RHEL/7/input/services/printing.xml +++ b/RHEL/7/input/services/printing.xml @@ -16,7 +16,7 @@ homepage and more detailed documentation are available at http://www.cups.org. Turn off unneeded services to reduce attack surface. - + @@ -46,7 +46,7 @@ the CUPS print service, can be configured to listen to these broadcasts and add and configure these printers for immediate use. By disabling this browsing capability, the machine will no longer generate or receive such broadcasts. - + @@ -70,7 +70,7 @@ broadcasts, or remote users will still be able to see the locally configured printers, even if they cannot actually print to them. To limit print serving to a particular set of users, use the Policy directive. - + diff --git a/RHEL/7/input/services/smb.xml b/RHEL/7/input/services/smb.xml index b6a2a6f..2e6f8a0 100644 --- a/RHEL/7/input/services/smb.xml +++ b/RHEL/7/input/services/smb.xml @@ -32,7 +32,7 @@ sharing functionality. Running a Samba server provides a network-based avenue of attack, and should be disabled if not needed. - + @@ -93,7 +93,7 @@ machine accounts and shares. Domain member servers and standalone servers may not need administrator access at all. If that is the case, add the invalid users parameter to [global] instead. - + @@ -118,7 +118,7 @@ Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit. - + @@ -143,7 +143,7 @@ The output should show either krb5i or ntlmv2i in use. Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit. - + diff --git a/RHEL/7/input/services/snmp.xml b/RHEL/7/input/services/snmp.xml index 0e4f8b3..d3022f9 100644 --- a/RHEL/7/input/services/snmp.xml +++ b/RHEL/7/input/services/snmp.xml 
@@ -26,7 +26,7 @@ activated but is not needed, the software should be disabled and removed. Running SNMP software provides a network-based avenue of attack, and should be disabled if not needed. - + @@ -43,7 +43,7 @@ If there is no need to run SNMP server software, removing the package provides a safeguard against its activation. - + @@ -83,7 +83,7 @@ There should be no output. Earlier versions of SNMP are considered insecure, as they potentially allow unauthorized access to detailed system management information. - + @@ -102,7 +102,7 @@ There should be no output. Presence of the default SNMP password enables querying of different system aspects and could result in unauthorized knowledge of the system. - + diff --git a/RHEL/7/input/services/squid.xml b/RHEL/7/input/services/squid.xml index 388c0e9..f7e8b21 100644 --- a/RHEL/7/input/services/squid.xml +++ b/RHEL/7/input/services/squid.xml @@ -27,7 +27,7 @@ and removed. Running proxy server software provides a network-based avenue of attack, and should be removed if not needed. - + @@ -43,7 +43,7 @@ of attack, and should be removed if not needed. If there is no need to make the proxy server software available, removing it provides a safeguard against its activation. - + diff --git a/RHEL/7/input/services/ssh.xml b/RHEL/7/input/services/ssh.xml index 69b3f12..c25b6e9 100644 --- a/RHEL/7/input/services/ssh.xml +++ b/RHEL/7/input/services/ssh.xml @@ -27,7 +27,7 @@ However, if it can be disabled, do so. This is unusual, as SSH is a common method for encrypted and authenticated remote access. - + @@ -48,7 +48,7 @@ remote access. If inbound SSH connections are not expected, disallowing access to the SSH port will avoid possible exploitation of the port by an attacker. - + @@ -79,7 +79,7 @@ SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used. - + 
@@ -98,7 +98,7 @@ Where USER1 and USER2 are valid user names. Specifying which accounts are allowed SSH access into the system reduces the possibility of unauthorized access to the system. - + @@ -168,7 +168,7 @@ Causing idle users to be automatically logged out guards against compromises one system leading trivially to compromises on another. - + @@ -192,7 +192,7 @@ If properly configured, output should be: This ensures a user login will be terminated as soon as the ClientAliveCountMax is reached. - + @@ -216,7 +216,7 @@ following line in /etc/ssh/sshd_config: SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. - + @@ -240,7 +240,7 @@ following line in /etc/ssh/sshd_config: SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. - + @@ -263,7 +263,7 @@ Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on root's password. - + @@ -287,7 +287,7 @@ Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. - + @@ -311,7 +311,7 @@ facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution. - + @@ -335,7 +335,7 @@ If properly configured, output should be: SSH environment options potentially allow users to bypass access restriction in some configurations. - + @@ -361,7 +361,7 @@ AES and 3DES ciphers. Approved algorithms should impart some level of confidence in their implementation. These are also required for compliance. - + @@ -385,7 +385,7 @@ and replace it with: Restricting SSH access to only trusted network segments reduces exposure of the SSH server to attacks from unauthorized networks. - + 
diff --git a/RHEL/7/input/services/xorg.xml b/RHEL/7/input/services/xorg.xml index c2dbbe1..aeae0d6 100644 --- a/RHEL/7/input/services/xorg.xml +++ b/RHEL/7/input/services/xorg.xml @@ -27,7 +27,7 @@ The output should show the following:
id:3:initdefault:
Unnecessary services should be disabled to decrease the attack surface of the system. - + @@ -48,7 +48,7 @@ The output should be:
package xorg-x11-server-common is not installed
Unnecessary packages should not be installed to decrease the attack surface of the system. - + diff --git a/RHEL/7/input/system/accounts/banners.xml b/RHEL/7/input/system/accounts/banners.xml index 0b8dc83..1988a7e 100644 --- a/RHEL/7/input/system/accounts/banners.xml +++ b/RHEL/7/input/system/accounts/banners.xml @@ -70,7 +70,7 @@ run the following command: An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. - +
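Review bot: In the first hunk of RHEL/7/input/services/nfs.xml (@@ -255,7 +255,7 @@) the `-` and `+` lines carry no content in this rendering, so the identifier being removed and the value replacing it cannot be checked; the same is true of every hunk that follows, down to banners.xml. Please regenerate or re-post the patch with the contents of the changed lines intact so each replacement can be verified against the original identifier rather than taken on trust from the subject line.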
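Review bot: The context of the RHEL/7/input/services/xorg.xml hunk at @@ -27,7 +27,7 @@ still expects `id:3:initdefault:` as the verification output, which is an /etc/inittab runlevel entry; RHEL 7 selects its default target through systemd, so this check text will not match a RHEL 7 system even after the identifier is reset. Suggest updating the check description in the same file to the systemd default target (for example `multi-user.target` as reported by `systemctl get-default`) rather than carrying the inittab wording forward.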