Introduction
Test Result
Result ID | Profile | Start time | End time | Benchmark | Benchmark version |
xccdf_org.open-scap_testresult_stig-rhel6-server | stig-rhel6-server | 2013-09-27 19:03 | 2013-09-27 19:04 | embedded | 0.9 |
Score
system | score | max | % |
urn:xccdf:scoring:default | 86.67 | 100.00 | 86.67% |
Results overview
Rule Results Summary
pass | fixed | fail | error | not selected | not checked | not applicable | informational | unknown | total |
163 | 0 | 32 | 1 | 162 | 24 | 0 | 0 | 3 | 385 |
Results details
Result for Ensure /tmp Located On Separate Partition
Result: pass
Rule ID: partition_for_tmp
Time: 2013-09-27 19:03
Severity: low
The /tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.
The /tmp partition is used as temporary storage by many programs. Placing /tmp in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.
Security identifiers
- CCE-26435-8
Result for Ensure /var Located On Separate Partition
Result: pass
Rule ID: partition_for_var
Time: 2013-09-27 19:03
Severity: low
The /var directory is used by daemons and other system services to store frequently-changing data. Ensure that /var has its own partition or logical volume at installation time, or migrate it using LVM.
Ensuring that /var is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the /var directory to contain world-writable directories, installed by other software packages.
Security identifiers
- CCE-26639-5
Result for Ensure /var/log Located On Separate Partition
Result: pass
Rule ID: partition_for_var_log
Time: 2013-09-27 19:03
Severity: low
System logs are stored in the /var/log directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM.
Placing /var/log in its own partition enables better separation between log files and other files in /var/.
Security identifiers
- CCE-26215-4
Result for Ensure /var/log/audit Located On Separate Partition
Result: pass
Rule ID: partition_for_var_log_audit
Time: 2013-09-27 19:03
Severity: low
Audit logs are stored in the /var/log/audit directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.
Placing /var/log/audit in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.
Security identifiers
- CCE-26436-6
Result for Ensure /home Located On Separate Partition
Result: pass
Rule ID: partition_for_home
Time: 2013-09-27 19:03
Severity: low
If user home directories will be stored locally, create a separate partition for /home at installation time (or migrate it later using LVM). If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.
Ensuring that /home is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.
Security identifiers
- CCE-26557-9
Result for Encrypt Partitions
Result: notchecked
Rule ID: encrypt_partitions
Time: 2013-09-27 19:03
Severity: low
Red Hat Enterprise Linux 6 natively supports partition encryption through the
Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to
encrypt a partition is during installation time.
For manual installations, select the Encrypt checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots.
For automated/unattended installations, it is possible to use Kickstart by adding the --encrypted and --passphrase= options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition:
part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASE
Any PASSPHRASE is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly.
Omitting the --passphrase= option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation.
Detailed information on encrypting partitions using LUKS can be found on the Red Hat Documentation web site:
https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html
The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost.
Result for Ensure Red Hat GPG Key Installed
Result: pass
Rule ID: ensure_redhat_gpgkey_installed
Time: 2013-09-27 19:03
Severity: high
To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them if desired), the Red Hat GPG key must properly be installed. To ensure the GPG key is installed, run:
# rhn_register
If the system is not connected to the internet, or a local RHN Satellite,
then install the Red Hat GPG key from a secure, static location, such as
the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted
in /mnt/cdrom, use the following command as the root user to import
it into the keyring:
# rpm --import /mnt/cdrom/RPM-GPG-KEY
This key is necessary to cryptographically verify packages are from Red Hat.
Security identifiers
- CCE-26506-6
Result for Ensure gpgcheck Enabled In Main Yum Configuration
Result: pass
Rule ID: ensure_gpgcheck_globally_activated
Time: 2013-09-27 19:03
Severity: high
The gpgcheck option should be used to ensure checking of an RPM package's signature always occurs prior to its installation. To configure yum to check package signatures before installing them, ensure the following line appears in /etc/yum.conf in the [main] section:
gpgcheck=1
Ensuring the validity of packages' cryptographic signatures prior to installation ensures the provenance of the software and protects against malicious tampering.
Security identifiers
- CCE-26709-6
Result for Ensure gpgcheck Enabled For All Yum Package Repositories
Result: pass
Rule ID: ensure_gpgcheck_never_disabled
Time: 2013-09-27 19:03
Severity: high
To ensure signature checking is not disabled for any repos, remove any lines from files in /etc/yum.repos.d of the form:
gpgcheck=0
Ensuring all packages' cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering.
Security identifiers
- CCE-26647-8
Result for Ensure Software Patches Installed
Result: notchecked
Rule ID: security_patches_up_to_date
Time: 2013-09-27 19:03
Severity: high
If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates:
# yum update
If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the Red Hat Network and installed using rpm.
Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities.
Result for Install AIDE
Result: pass
Rule ID: package_aide_installed
Time: 2013-09-27 19:03
Severity: medium
Install the AIDE package with the command:
# yum install aide
The AIDE package must be installed if it is to be available for integrity checking.
Security identifiers
- CCE-27024-9
Remediation script
yum -y install aide
Result for Configure Periodic Execution of AIDE
Result: notchecked
Rule ID: aide_periodic_cron_checking
Time: 2013-09-27 19:03
Severity: medium
AIDE should be executed on a periodic basis to check for changes.
To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * * root /usr/sbin/aide --check
AIDE can be executed periodically through other means; this is merely one example.
By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.
Security identifiers
- CCE-27222-9
Result for Verify File Permissions with RPM
Result: fail
Rule ID: rpm_verify_permissions
Time: 2013-09-27 19:03
Severity: low
The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. The following command will reset permissions to their expected values:
# rpm --setperms package
Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.
Security identifiers
- CCE-26731-0
Result for Verify File Hashes with RPM
Result: pass
Rule ID: rpm_verify_hashes
Time: 2013-09-27 19:04
Severity: low
The RPM package management system can check the hashes of installed software packages, including many that are important to system security. Run the following command to list which files on the system have hashes that differ from what is expected by the RPM database:
# rpm -Va | grep '^..5'
A "c" in the second column indicates that a file is a configuration file,
which may appropriately be expected to change.
If the file that has changed was not expected to change, refresh it from distribution media or online repositories:
rpm -Uvh affected_package
OR
yum reinstall affected_package
The hash on important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.
Security identifiers
- CCE-27223-7
Result for Install Intrusion Detection Software
Result: notchecked
Rule ID: install_hids
Time: 2013-09-27 19:04
Severity: high
The base Red Hat platform already includes a sophisticated auditing system that
can detect intruder activity, as well as SELinux, which provides host-based
intrusion prevention capabilities by confining privileged programs and user
sessions which may become compromised.
Install an additional intrusion detection tool to provide complementary or
duplicative monitoring, reporting, and reaction capabilities to those of the base
platform. For DoD systems, the McAfee Host Based Security System is provided
to fulfill this role.
Adding host-based intrusion detection tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.
Result for Install Virus Scanning Software
Result: notchecked
Rule ID: install_antivirus
Time: 2013-09-27 19:04
Severity: low
Install virus scanning software, which uses signatures to search for the presence of viruses on the filesystem. The McAfee uvscan virus scanning tool is provided for DoD systems. Ensure virus definition files are no older than 7 days, or their last release. Configure the virus scanning software to perform scans dynamically on all accessed files. If this is not possible, configure the system to scan all altered files on the system on a daily basis. If the system processes inbound SMTP mail, configure the virus scanner to scan all received mail.
Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems.
Result for Add noexec Option to Removable Media Partitions
Result: fail
Rule ID: mountopt_noexec_on_removable_partitions
Time: 2013-09-27 19:04
Severity: low
The noexec mount option prevents the direct execution of binaries on the mounted filesystem. Users should not be allowed to execute binaries that exist on partitions mounted from removable media (such as a USB key). The noexec option prevents code from being executed directly from the media itself, and may therefore provide a line of defense against certain types of worms or malicious code.
Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions.
Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise.
Security identifiers
- CCE-27196-5
Result for Disable Modprobe Loading of USB Storage Driver
Result: pass
Rule ID: kernel_module_usb-storage_disabled
Time: 2013-09-27 19:04
Severity: low
To prevent USB storage devices from being used, configure the kernel module loading system
to prevent automatic loading of the USB storage driver.
To configure the system to prevent the usb-storage kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install usb-storage /bin/false
This will prevent the modprobe program from loading the usb-storage module, but will not prevent an administrator (or another program) from using the insmod program to load the module manually.
USB storage devices such as thumb drives can be used to introduce unauthorized software and other vulnerabilities. Support for these devices should be disabled and the devices themselves should be tightly controlled.
Security identifiers
- CCE-27016-5
Result for Disable the Automounter
Result: pass
Rule ID: service_autofs_disabled
Time: 2013-09-27 19:04
Severity: low
The autofs daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as /misc/cd.
However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it is almost always possible to configure filesystem mounts statically by editing /etc/fstab rather than relying on the automounter.
If the autofs service is not needed to dynamically mount NFS filesystems or removable media, disable the service for all runlevels:
# chkconfig --level 0123456 autofs off
Stop the service if it is already running:
# service autofs stop
All filesystems that are required for the successful operation of the system should be explicitly listed in /etc/fstab by an administrator. New filesystems should not be arbitrarily introduced via the automounter.
Security identifiers
- CCE-26976-1
Result for Verify User Who Owns shadow File
Result: pass
Rule ID: userowner_shadow_file
Time: 2013-09-27 19:04
Severity: medium
To properly set the owner of /etc/shadow, run the command:
# chown root /etc/shadow
The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.
Security identifiers
- CCE-26947-2
Result for Verify Group Who Owns shadow File
Result: pass
Rule ID: groupowner_shadow_file
Time: 2013-09-27 19:04
Severity: medium
To properly set the group owner of /etc/shadow, run the command:
# chgrp root /etc/shadow
The /etc/shadow file stores password hashes. Protection of this file is critical for system security.
Security identifiers
- CCE-26967-0
Result for Verify Permissions on shadow File
Result: pass
Rule ID: perms_shadow_file
Time: 2013-09-27 19:04
Severity: medium
To properly set the permissions of /etc/shadow, run the command:
# chmod 0000 /etc/shadow
The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.
Security identifiers
- CCE-26992-8
Result for Verify User Who Owns group File
Result: pass
Rule ID: userowner_group_file
Time: 2013-09-27 19:04
Severity: medium
To properly set the owner of /etc/group, run the command:
# chown root /etc/group
The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
Security identifiers
- CCE-26822-7
Result for Verify Group Who Owns group File
Result: pass
Rule ID: groupowner_group_file
Time: 2013-09-27 19:04
Severity: medium
To properly set the group owner of /etc/group, run the command:
# chgrp root /etc/group
The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
Security identifiers
- CCE-26930-8
Result for Verify Permissions on group File
Result: pass
Rule ID: perms_group_file
Time: 2013-09-27 19:04
Severity: medium
To properly set the permissions of /etc/group, run the command:
# chmod 644 /etc/group
The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
Security identifiers
- CCE-26954-8
Result for Verify User Who Owns gshadow File
Result: pass
Rule ID: userowner_gshadow_file
Time: 2013-09-27 19:04
Severity: medium
To properly set the owner of /etc/gshadow, run the command:
# chown root /etc/gshadow
The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.
Security identifiers
- CCE-27026-4
Result for Verify Group Who Owns gshadow File
Result: pass
Rule ID: groupowner_gshadow_file
Time: 2013-09-27 19:04
Severity: medium
To properly set the group owner of /etc/gshadow, run the command:
# chgrp root /etc/gshadow
The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.
Security identifiers
- CCE-26975-3
Result for Verify Permissions on gshadow File
Result: pass
Rule ID: perms_gshadow_file
Time: 2013-09-27 19:04
Severity: medium
To properly set the permissions of /etc/gshadow, run the command:
# chmod 0000 /etc/gshadow
The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.
Security identifiers
- CCE-26951-4
Result for Verify User Who Owns passwd File
Result: pass
Rule ID: userowner_passwd_file
Time: 2013-09-27 19:04
Severity: medium
To properly set the owner of /etc/passwd, run the command:
# chown root /etc/passwd
The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security.
Security identifiers
- CCE-26953-0
Result for Verify Group Who Owns passwd File
Result: pass
Rule ID: groupowner_passwd_file
Time: 2013-09-27 19:04
Severity: medium
To properly set the group owner of /etc/passwd, run the command:
# chgrp root /etc/passwd
The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security.
Security identifiers
- CCE-26856-5
Result for Verify Permissions on passwd File
Result: pass
Rule ID: file_permissions_etc_passwd
Time: 2013-09-27 19:04
Severity: medium
To properly set the permissions of /etc/passwd, run the command:
# chmod 0644 /etc/passwd
If the /etc/passwd file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.
Security identifiers
- CCE-26868-0
Result for Verify that Shared Library Files Have Restrictive Permissions
Result: pass
Rule ID: file_permissions_library_dirs
Time: 2013-09-27 19:04
Severity: medium
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are stored in /lib/modules. All files in these directories should not be group-writable or world-writable. If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command:
# chmod go-w FILE
Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system.
Result for Verify that Shared Library Files Have Root Ownership
Result: pass
Rule ID: file_ownership_library_dirs
Time: 2013-09-27 19:04
Severity: medium
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be owned by the root user. If any file in these directories is found to be owned by a user other than root, correct its ownership with the following command:
# chown root FILE
Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system.
Result for Verify that System Executables Have Restrictive Permissions
Result: notchecked
Rule ID: file_permissions_binary_dirs
Time: 2013-09-27 19:04
Severity: medium
System executables are stored in the following directories by default:
/bin
/usr/bin
/usr/local/bin
/sbin
/usr/sbin
/usr/local/sbin
All files in these directories should not be group-writable or world-writable.
If any file FILE in these directories is found
to be group-writable or world-writable, correct its permission with the
following command:
# chmod go-w FILE
System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.
Result for Verify that System Executables Have Root Ownership
Result: notchecked
Rule ID: file_ownership_binary_dirs
Time: 2013-09-27 19:04
Severity: medium
System executables are stored in the following directories by default:
/bin
/usr/bin
/usr/local/bin
/sbin
/usr/sbin
/usr/local/sbin
All files in these directories should be owned by the root user. If any file FILE in these directories is found to be owned by a user other than root, correct its ownership with the following command:
# chown root FILE
System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted.
Result for Verify that All World-Writable Directories Have Sticky Bits Set
Result: pass
Rule ID: sticky_world_writable_dirs
Time: 2013-09-27 19:04
Severity: low
When the so-called 'sticky bit' is set on a directory,
only the owner of a given file may remove that file from the
directory. Without the sticky bit, any user with write access to a
directory may remove any file in the directory. Setting the sticky
bit prevents users from removing each other's files. In cases where
there is no reason for a directory to be world-writable, a better
solution is to remove that permission rather than to set the sticky
bit. However, if a directory is used by a particular application,
consult that application's documentation instead of blindly
changing modes.
To set the sticky bit on a world-writable directory DIR, run the
following command:
# chmod +t DIR
Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure.
The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, by users for temporary file storage (such as /tmp), and for directories requiring global read/write access.
Security identifiers
- CCE-26840-9
Result for Ensure No World-Writable Files Exist
Result: notchecked
Rule ID: world_writeable_files
Time: 2013-09-27 19:04
Severity: medium
It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account.
Data in world-writable files can be modified by any user on the system. In almost all circumstances, files can be configured using a combination of user and group permissions to support whatever legitimate access is needed without the risk caused by world-writable files.
Security identifiers
- CCE-26910-0
Result for Ensure All Files Are Owned by a User
Result: pass
Rule ID: no_files_unowned_by_user
Time: 2013-09-27 19:04
Severity: low
If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user.
Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed.
Security identifiers
- CCE-27032-2
Result for Ensure All Files Are Owned by a Group
Result: pass
Rule ID: no_files_unowned_by_group
Time: 2013-09-27 19:04
Severity: low
If any files are not owned by a group, then the cause of their lack of group-ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate group.
Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed.
Security identifiers
- CCE-26872-2
Result for Ensure All World-Writable Directories Are Owned by a System Account
Result: pass
Rule ID: world_writable_files_system_ownership
Time: 2013-09-27 19:04
Severity: low
All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group.
Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.
Security identifiers
- CCE-26642-9
Result for Set Daemon Umask
Result: fail
Rule ID: set_daemon_umask
Time: 2013-09-27 19:04
Severity: low
The file /etc/init.d/functions includes initialization parameters for most or all daemons started at boot time. The default umask of 022 prevents creation of group- or world-writable files. To set the default umask for daemons, edit the following line, inserting 022 or 027 for UMASK appropriately:
umask UMASK
Setting the umask to too restrictive a setting can cause serious errors at
runtime. Many daemons on the system already individually restrict themselves to
a umask of 077 in their own init scripts.
The umask influences the permissions assigned to files created by a process at run time. An unnecessarily permissive umask could result in files being created with insecure permissions.
Security identifiers
- CCE-27031-4
Result for Disable Core Dumps for All Users
Result: pass
Rule ID: disable_users_coredumps
Time: 2013-09-27 19:04
Severity: low
To disable core dumps for all users, add the following line to /etc/security/limits.conf:
* hard core 0
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
Security identifiers
- CCE-27033-0
Result for Enable ExecShield
Result: pass
Rule ID: enable_execshield
Time: 2013-09-27 19:04
Severity: medium
To set the runtime status of the kernel.exec-shield kernel parameter, run the following command:
# sysctl -w kernel.exec-shield=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
kernel.exec-shield = 1
ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range.
Security identifiers
- CCE-27007-4
Result for Enable Randomized Layout of Virtual Address Space
Result: pass
Rule ID: enable_randomize_va_space
Time: 2013-09-27 19:04
Severity: medium
To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:
# sysctl -w kernel.randomize_va_space=2
If this is not the system's default value, add the following line to /etc/sysctl.conf:
kernel.randomize_va_space = 2
Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.
Security identifiers
- CCE-26999-3
Result for Ensure SELinux Not Disabled in /etc/grub.conf
Result: pass
Rule ID: enable_selinux_bootloader
Time: 2013-09-27 19:04
Severity: medium
SELinux can be disabled at boot time by an argument in /etc/grub.conf. Remove any instances of selinux=0 from the kernel arguments in that file to prevent SELinux from being disabled at boot.
Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation.
Security identifiers
- CCE-26956-3
Result for Ensure SELinux State is Enforcing
Result: pass
Rule ID: set_selinux_state
Time: 2013-09-27 19:04
Severity: medium
The SELinux state should be set to enforcing at system boot time. In the file /etc/selinux/config, add or correct the following line to configure the system to boot into enforcing mode:
SELINUX=enforcing
Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.
Security identifiers
- CCE-26969-6
Result for Configure SELinux Policy
Result: pass
Rule ID: set_selinux_policy
Time: 2013-09-27 19:04
Severity: low
The SELinux targeted policy is appropriate for
general-purpose desktops and servers, as well as systems in many other roles.
To configure the system to use this policy, add or correct the following line
in /etc/selinux/config:
SELINUXTYPE=targeted
Other policies, such as mls, provide additional security labeling
and greater confinement but are not compatible with many general-purpose
use cases.
Setting the SELinux policy to targeted or a more specialized policy
ensures the system will confine processes that are likely to be
targeted for exploitation, such as network or system services.
Security identifiers
- CCE-26875-5
Result for Ensure No Device Files are Unlabeled by SELinux
Result: error
Rule ID: selinux_unlabeled_device_files
Time: 2013-09-27 19:04
Severity: low
Device files, which are used for communication with important
system resources, should be labeled with proper SELinux types. If any device
files carry the SELinux type unlabeled_t, investigate the cause and
correct the file's context.
If a device file carries the SELinux type unlabeled_t, then SELinux
cannot properly restrict access to the device file.
Security identifiers
- CCE-26774-0
Result for Restrict Virtual Console Root Logins
Result: pass
Rule ID: restrict_root_console_logins
Time: 2013-09-27 19:04
Severity: medium
To restrict root logins through the (deprecated) virtual console devices,
ensure lines of this form do not appear in /etc/securetty:
vc/1
vc/2
vc/3
vc/4
Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account.
Security identifiers
- CCE-26855-7
Result for Restrict Serial Port Root Logins
Result: pass
Rule ID: restrict_serial_port_logins
Time: 2013-09-27 19:04
Severity: low
To restrict root logins on serial ports,
ensure lines of this form do not appear in /etc/securetty:
ttyS0
ttyS1
Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account.
Security identifiers
- CCE-27047-0
Result for Ensure that System Accounts Do Not Run a Shell Upon Login
Result: notchecked
Rule ID: no_shelllogin_for_systemaccounts
Time: 2013-09-27 19:04
Severity: medium
Some accounts are not associated with a human
user of the system, and exist to perform some administrative
function. Should an attacker be able to log into these accounts,
they should not be granted access to a shell.
The login shell for each local account is stored in the last field of each line
in /etc/passwd. System accounts are those user accounts with a user ID less than
500. The user ID is stored in the third field.
If any system account SYSACCT (other than root) has a login shell,
disable it with the command:
# usermod -s /sbin/nologin SYSACCT
Do not perform the steps in this section on the root account. Doing so might cause the system to become inaccessible.
Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts.
Security identifiers
- CCE-26966-2
Result for Verify Only Root Has UID 0
Result: pass
Rule ID: no_uidzero_except_root
Time: 2013-09-27 19:04
Severity: medium
If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.
An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.
Security identifiers
- CCE-26971-2
Result for Prevent Log In to Accounts With Empty Password
Result: pass
Rule ID: no_empty_passwords
Time: 2013-09-27 19:04
Severity: high
If an account is configured for password authentication
but does not have an assigned password, it may be possible to log
into the account without authentication. Remove any instances of the nullok
option in /etc/pam.d/system-auth to prevent logins with empty passwords.
If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
Security identifiers
- CCE-27038-9
Result for Verify All Account Password Hashes are Shadowed
Result: pass
Rule ID: no_hashes_outside_shadow
Time: 2013-09-27 19:04
Severity: medium
If any password hashes are stored in /etc/passwd (in the second field,
instead of an x), the cause of this misconfiguration should be
investigated. The account should have its password reset and the hash should be
properly stored, or the account should be deleted entirely.
The hashes for all user account passwords should be stored in
the file /etc/shadow and never in /etc/passwd,
which is readable by all users.
Security identifiers
- CCE-26476-2
Result for All GIDs referenced in /etc/passwd must be defined in /etc/group
Result: notchecked
Rule ID: gid_passwd_group_same
Time: 2013-09-27 19:04
Severity: low
Add a group to the system for each GID referenced without a corresponding group.
Inconsistency in GIDs between /etc/passwd and /etc/group
could lead to a user having unintended rights.
Result for Verify No netrc Files Exist
Result: pass
Rule ID: no_netrc_files
Time: 2013-09-27 19:04
Severity: medium
The .netrc files contain login information
used to auto-login into FTP servers and reside in the user's home
directory. These files may contain unencrypted passwords to
remote FTP servers making them susceptible to access by unauthorized
users and should not be used. Any .netrc files should be removed.
Unencrypted passwords for remote FTP servers may be stored in .netrc
files. DoD policy requires passwords be encrypted in storage and not used
in access scripts.
Security identifiers
- CCE-27225-2
Result for Set Password Minimum Length in login.defs
Result: fail
Rule ID: password_min_len
Time: 2013-09-27 19:04
Severity: medium
To specify password length requirements for new accounts,
edit the file /etc/login.defs and add or correct the following
lines:
PASS_MIN_LEN 14
The DoD requirement is 14.
The FISMA requirement is 12.
If a program consults /etc/login.defs and also another PAM module
(such as pam_cracklib) during a password change operation,
then the most restrictive must be satisfied. See PAM section
for more information about enforcing password quality requirements.
Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result.
Security identifiers
- CCE-27002-5
Result for Set Password Minimum Age
Result: pass
Rule ID: password_min_age
Time: 2013-09-27 19:04
Severity: medium
To specify password minimum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line, replacing DAYS appropriately:
PASS_MIN_DAYS DAYS
A value of 1 day is considered sufficient for many
environments.
The DoD requirement is 1.
Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.
Security identifiers
- CCE-27013-2
Result for Set Password Maximum Age
Result: pass
Rule ID: password_max_age
Time: 2013-09-27 19:04
Severity: medium
To specify password maximum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line, replacing DAYS appropriately:
PASS_MAX_DAYS DAYS
A value of 180 days is sufficient for many environments.
The DoD requirement is 60.
Setting the password maximum age ensures users are required to periodically change their passwords. This could possibly decrease the utility of a stolen password. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.
Security identifiers
- CCE-26985-2
Result for Set Password Warning Age
Result: pass
Rule ID: password_warn_age
Time: 2013-09-27 19:04
Severity: low
To specify how many days prior to password
expiration that a warning will be issued to users,
edit the file /etc/login.defs
and add or correct
the following line, replacing DAYS appropriately:
PASS_WARN_AGE DAYS
The DoD requirement is 7.
Setting the password warning age enables users to make the change at a practical time.
Security identifiers
- CCE-26988-6
Result for Set Account Expiration Following Inactivity
Result: pass
Rule ID: account_disable_post_pw_expiration
Time: 2013-09-27 19:04
Severity: low
To specify the number of days after a password expires (which
signifies inactivity) until an account is permanently disabled, add or correct
the following lines in /etc/default/useradd, substituting
NUM_DAYS appropriately:
INACTIVE=NUM_DAYS
A value of 35 is recommended.
If a password is currently on the
verge of expiration, then 35 days remain until the account is automatically
disabled. However, if the password will not expire for another 60 days, then 95
days could elapse until the account would be automatically disabled. See the
useradd man page for more information. Determining the inactivity
timeout must be done with careful consideration of the length of a "normal"
period of inactivity for users in the particular environment. Setting
the timeout too low incurs support costs and also has the potential to impact
availability of the system to legitimate users.
Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.
Security identifiers
- CCE-27283-1
Result for Ensure All Accounts on the System Have Unique Names
Result: notchecked
Rule ID: account_unique_name
Time: 2013-09-27 19:04
Severity: low
Change usernames, or delete accounts, so each has a unique name.
Unique usernames allow for accountability on the system.
Security identifiers
- CCE-27609-7
Result for Assign Expiration Date to Temporary Accounts
Result: notchecked
Rule ID: account_temp_expire_date
Time: 2013-09-27 19:04
Severity: low
In the event temporary or emergency accounts are required, configure the system
to terminate them after a documented time period. For every temporary and
emergency account, run the following command to set an expiration date on it,
substituting USER and YYYY-MM-DD appropriately:
# chage -E YYYY-MM-DD USER
YYYY-MM-DD indicates the documented expiration date for the account.
When temporary and emergency accounts are created, there is a risk they may
remain in place and active after the need for them no longer exists. Account
expiration greatly reduces the risk of accounts being misused or hijacked.
Result for Set Last Logon/Access Notification
Result: pass
Rule ID: display_login_attempts
Time: 2013-09-27 19:04
Severity: low
To configure the system to notify users of last logon/access
using pam_lastlog, add the following line immediately after session required pam_limits.so:
session required pam_lastlog.so showfailed
Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.
Security identifiers
- CCE-27291-4
Result for Set Password Retry Prompts Permitted Per-Session
Result: pass
Rule ID: password_retry
Time: 2013-09-27 19:04
Severity: low
To configure the number of retry prompts that are permitted per-session:
Edit the pam_cracklib.so statement in /etc/pam.d/system-auth to
show retry=3, or a lower value if site policy is more restrictive.
The DoD requirement is a maximum of 3 prompts per session.
Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module.
Security identifiers
- CCE-27123-9
Result for Set Password to Maximum of Three Consecutive Repeating Characters
Result: notchecked
Rule ID: password_require_consecrepeat
Time: 2013-09-27 19:04
Severity: low
The pam_cracklib module's maxrepeat parameter controls requirements for
consecutive repeating characters. When set to a positive number, it will reject passwords
which contain more than that number of consecutive characters. Add maxrepeat=3
after pam_cracklib.so to prevent a run of four or more identical characters.
Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.
Security identifiers
- CCE-27227-8
Result for Set Password Strength Minimum Digit Characters
Result: pass
Rule ID: password_require_digits
Time: 2013-09-27 19:04
Severity: low
The pam_cracklib module's dcredit parameter controls requirements for
usage of digits in a password. When set to a negative number, any password will be required to
contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional
length credit for each digit.
Add dcredit=-1 after pam_cracklib.so to require use of a digit in passwords.
Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.
Security identifiers
- CCE-26374-9
Result for Set Password Strength Minimum Uppercase Characters
Result: fail
Rule ID: password_require_uppercases
Time: 2013-09-27 19:04
Severity: low
The pam_cracklib module's ucredit= parameter controls requirements for
usage of uppercase letters in a password. When set to a negative number, any password will be required to
contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional
length credit for each uppercase character.
Add ucredit=-1 after pam_cracklib.so to require use of an upper case character in passwords.
Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space.
Security identifiers
- CCE-26601-5
Result for Set Password Strength Minimum Special Characters
Result: fail
Rule ID: password_require_specials
Time: 2013-09-27 19:04
Severity: low
The pam_cracklib module's ocredit= parameter controls requirements for
usage of special (or "other") characters in a password. When set to a negative number, any password will be required to
contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional
length credit for each special character.
Add ocredit=-1 after pam_cracklib.so to require use of a special character in passwords.
Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.
Security identifiers
- CCE-26409-3
Result for Set Password Strength Minimum Lowercase Characters
Result: fail
Rule ID: password_require_lowercases
Time: 2013-09-27 19:04
Severity: low
The pam_cracklib module's lcredit= parameter controls requirements for
usage of lowercase letters in a password. When set to a negative number, any password will be required to
contain that many lowercase characters. When set to a positive number, pam_cracklib will grant +1 additional
length credit for each lowercase character.
Add lcredit=-1 after pam_cracklib.so to require use of a lowercase character in passwords.
Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.
Security identifiers
- CCE-26631-2
Result for Set Password Strength Minimum Different Characters
Result: pass
Rule ID: password_require_diffchars
Time: 2013-09-27 19:04
Severity: low
The pam_cracklib module's difok parameter controls requirements for
usage of different characters during a password change.
Add difok=NUM after pam_cracklib.so to require differing
characters when changing passwords, substituting NUM appropriately.
The DoD requirement is 4.
Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however.
Security identifiers
- CCE-26615-5
Result for Set Deny For Failed Password Attempts
Result: fail
Rule ID: deny_password_attempts
Time: 2013-09-27 19:04
Severity: medium
To configure the system to lock out accounts after a number of incorrect login
attempts using pam_faillock.so:
Add the following lines immediately below the pam_unix.so
statement in AUTH section of /etc/pam.d/system-auth:
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks.
Security identifiers
- CCE-26844-1
Result for Set Lockout Time For Failed Password Attempts
Result: notchecked
Rule ID: deny_password_attempts_unlock_time
Time: 2013-09-27 19:04
Severity: medium
To configure the system to lock out accounts after a number of incorrect login
attempts and require an administrator to unlock the account using pam_faillock.so:
Add the following lines immediately below the pam_env.so
statement in /etc/pam.d/system-auth:
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations.
Security identifiers
- CCE-27110-6
Result for Set Interval For Counting Failed Password Attempts
Result: notchecked
Rule ID: deny_password_attempts_fail_interval
Time: 2013-09-27 19:04
Severity: medium
To configure the system to lock out accounts after a number of incorrect login
attempts within a 15 minute interval using pam_faillock.so:
Add the following lines immediately below the pam_env.so
statement in /etc/pam.d/system-auth:
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
Locking out user accounts after a number of incorrect attempts within a specific period of time prevents direct password guessing attacks.
Security identifiers
- CCE-27215-3
Result for Limit Password Reuse
Result: pass
Rule ID: limiting_password_reuse
Time: 2013-09-27 19:04
Severity: medium
Do not allow users to reuse recent passwords. This can
be accomplished by using the remember option for the pam_unix PAM
module. In the file /etc/pam.d/system-auth, append remember=24 to the
line which refers to the pam_unix.so module, as shown:
password sufficient pam_unix.so existing_options remember=24
The DoD and FISMA requirement is 24 passwords.
Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.
Security identifiers
- CCE-26741-9
Result for Set Password Hashing Algorithm in /etc/pam.d/system-auth
Result: pass
Rule ID: set_password_hashing_algorithm_systemauth
Time: 2013-09-27 19:04
Severity: medium
In /etc/pam.d/system-auth, the password section of
the file controls which PAM modules execute during a password change.
Set the pam_unix.so module in the
password section to include the argument sha512, as shown below:
password sufficient pam_unix.so sha512 other arguments...
This will help ensure when local users change their passwords, hashes for the new
passwords will be generated using the SHA-512 algorithm.
This is the default.
Using a stronger hashing algorithm makes password cracking attacks more difficult.
Security identifiers
- CCE-26303-8
Result for Set Password Hashing Algorithm in /etc/login.defs
Result: pass
Rule ID: set_password_hashing_algorithm_logindefs
Time: 2013-09-27 19:04
Severity: medium
In /etc/login.defs, add or correct the following line to ensure
the system will use SHA-512 as the hashing algorithm:
ENCRYPT_METHOD SHA512
Using a stronger hashing algorithm makes password cracking attacks more difficult.
Security identifiers
- CCE-27228-6
Result for Set Password Hashing Algorithm in /etc/libuser.conf
Result: pass
Rule ID: set_password_hashing_algorithm_libuserconf
Time: 2013-09-27 19:04
Severity: medium
In /etc/libuser.conf, add or correct the following line in its
[defaults] section to ensure the system will use the SHA-512
algorithm for password hashing:
crypt_style = sha512
Using a stronger hashing algorithm makes password cracking attacks more difficult.
Security identifiers
- CCE-27229-4
Result for Limit the Number of Concurrent Login Sessions Allowed Per User
Result: pass
Rule ID: max_concurrent_login_sessions
Time: 2013-09-27 19:04
Severity: low
Limiting the number of allowed users and sessions per user can limit risks related to Denial of
Service attacks. This addresses concurrent sessions for a single account and does not address
concurrent sessions by a single user via multiple accounts. The DoD requirement is 10. To set the number of concurrent
sessions per user add the following line in /etc/security/limits.conf:
* hard maxlogins 10
Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions.
Security identifiers
- CCE-27457-1
Result for Ensure the Default Bash Umask is Set Correctly
Result: pass
Rule ID: user_umask_bashrc
Time: 2013-09-27 19:04
Severity: low
To ensure the default umask for users of the Bash shell is set properly,
add or correct the umask setting in /etc/bashrc to read as follows:
umask 077
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.
Security identifiers
- CCE-26917-5
Result for Ensure the Default C Shell Umask is Set Correctly
Result: pass
Rule ID: user_umask_cshrc
Time: 2013-09-27 19:04
Severity: low
To ensure the default umask for users of the C shell is set properly,
add or correct the umask setting in /etc/csh.cshrc to read as follows:
umask 077
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.
Security identifiers
- CCE-27034-8
Result for Ensure the Default Umask is Set Correctly in /etc/profile
Result: pass
Rule ID: user_umask_profile
Time: 2013-09-27 19:04
Severity: low
To ensure the default umask controlled by /etc/profile is set properly,
add or correct the umask setting in /etc/profile to read as follows:
umask 077
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.
Security identifiers
- CCE-26669-2
Result for Ensure the Default Umask is Set Correctly in login.defs
Result: pass
Rule ID: user_umask_logindefs
Time: 2013-09-27 19:04
Severity: low
To ensure the default umask controlled by /etc/login.defs is set properly,
add or correct the UMASK setting in /etc/login.defs to read as follows:
UMASK 077
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and written to by unauthorized users.
Security identifiers
- CCE-26371-5
Result for Verify /etc/grub.conf User Ownership
Result: pass
Rule ID: user_owner_grub_conf
Time: 2013-09-27 19:04
Severity: medium
The file /etc/grub.conf should be owned by the root user to prevent destruction
or modification of the file.
To properly set the owner of /etc/grub.conf, run the command:
# chown root /etc/grub.conf
Only root should be able to modify important boot parameters.
Security identifiers
- CCE-26995-1
Result for Verify /etc/grub.conf Group Ownership
Result: pass
Rule ID: group_owner_grub_conf
Time: 2013-09-27 19:04
Severity: medium
The file /etc/grub.conf should be group-owned by the root group to prevent
destruction or modification of the file.
To properly set the group owner of /etc/grub.conf, run the command:
# chgrp root /etc/grub.conf
The root group is a highly-privileged group. Furthermore, the group-owner of this
file should not have any access privileges anyway.
Security identifiers
- CCE-27022-3
Result for Verify /boot/grub/grub.conf Permissions
Result: pass
Rule ID: permissions_grub_conf
Time: 2013-09-27 19:04
Severity: medium
File permissions for /boot/grub/grub.conf should be set to 600, which
is the default.
To properly set the permissions of /boot/grub/grub.conf, run the command:
# chmod 600 /boot/grub/grub.conf
Proper permissions ensure that only the root user can modify important boot parameters.
Security identifiers
- CCE-26949-8
Result for Set Boot Loader Password
Result: fail
Rule ID: bootloader_password
Time: 2013-09-27 19:04
Severity: medium
The grub boot loader should have password protection enabled to protect boot-time settings. To do so, select a password and then generate a hash from it by running the following command:
# grub-crypt --sha-512
When prompted, enter the password. Then insert the following line into /etc/grub.conf
immediately after the header comments, using the output from grub-crypt as the
value of password-hash:
password --encrypted password-hash
NOTE: To meet FISMA Moderate, the bootloader password MUST differ from the root password.
Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.
Security identifiers
- CCE-26911-8
Result for Require Authentication for Single User Mode
Result: pass
Rule ID: require_singleuser_auth
Time: 2013-09-27 19:04
Severity: medium
Single-user mode is intended as a system recovery
method, providing a single user root access to the system by
providing a boot option at startup. By default, no authentication
is performed if single-user mode is selected.
To require entry of the root password even if the system is
started in single-user mode, add or correct the following line in the
file /etc/sysconfig/init:
SINGLE=/sbin/sulogin
This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.
Security identifiers
- CCE-27040-5
Result for Disable Ctrl-Alt-Del Reboot Activation
Result: notchecked
Rule ID: disable_ctrlaltdel_reboot
Time: 2013-09-27 19:04
Severity: high
By default, the system includes the following line in
/etc/init/control-alt-delete.conf
to reboot the system when the Ctrl-Alt-Del key sequence is pressed:
exec /sbin/shutdown -r now "Control-Alt-Delete pressed"
To configure the system to log a message instead of rebooting the system, alter that line to read as follows:
exec /usr/bin/logger -p security.info "Control-Alt-Delete pressed"
A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Del sequence is reduced because the user will be prompted before any action is taken.
Result for Disable Interactive Boot
Result: pass
Rule ID: disable_interactive_boot
Time: 2013-09-27 19:04
Severity: medium
To disable the ability for users to perform interactive startups,
edit the file /etc/sysconfig/init.
Add or correct the line:
PROMPT=no
The PROMPT option allows the console user to perform an
interactive system startup, in which it is possible to select the
set of services which are started on boot.
Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security.
Security identifiers
- CCE-27043-9
Result for Set GNOME Login Inactivity Timeout
Result: fail
Rule ID: set_screensaver_inactivity_timeout
Time: 2013-09-27 19:04
Severity: medium
Run the following command to set the idle time-out value for inactivity in the GNOME desktop to 15 minutes:
# gconftool-2 \
--direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type int \
--set /apps/gnome-screensaver/idle_delay 15
Setting the idle delay controls when the screensaver will start, and can be combined with screen locking to prevent access from passersby.
Security identifiers
- CCE-26828-4
Result for GNOME Desktop Screensaver Mandatory Use
Result: fail
Rule ID: enable_screensaver_after_idle
Time: 2013-09-27 19:04
Severity: medium
Run the following command to activate the screensaver in the GNOME desktop after a period of inactivity:
# gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type bool \
--set /apps/gnome-screensaver/idle_activation_enabled true
Enabling idle activation of the screen saver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require that the login session not have administrator rights and that the display station be located in a controlled-access area.
Security identifiers
- CCE-26600-7
Result for Enable Screen Lock Activation After Idle Period
Result: fail
Rule ID: enable_screensaver_password_lock
Time: 2013-09-27 19:04
Severity: medium
Run the following command to activate locking of the screensaver in the GNOME desktop when it is activated:
# gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type bool \
--set /apps/gnome-screensaver/lock_enabled true
Enabling the activation of the screen lock after an idle period ensures password entry will be required in order to access the system, preventing access by passersby.
Security identifiers
- CCE-26235-2
Result for Implement Blank Screen Saver
Result: fail
Rule ID: set_blank_screensaver
Time: 2013-09-27 19:04
Severity: low
Run the following command to set the screensaver mode in the GNOME desktop to a blank screen:
# gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type string \
--set /apps/gnome-screensaver/mode blank-only
Setting the screensaver mode to blank-only conceals the contents of the display from passersby.
Security identifiers
- CCE-26638-7
Result for Install the screen Package
Result: pass
Rule ID: package_screen_installed
Time: 2013-09-27 19:04
Severity: low
To enable console screen locking, install the screen package:
# yum install screen
Instruct users to begin new terminal sessions with the following command:
$ screen
The console can now be locked with the following key combination:
ctrl+a x
Installing screen ensures a console locking capability is available
for users who may need to suspend console logins.
Security identifiers
- CCE-26940-7
Remediation script
yum -y install screen
Result for Enable Smart Card Login
Result: notchecked
Rule ID: smartcard_auth
Time: 2013-09-27 19:04
Severity: medium
To enable smart card authentication, consult the documentation at:
- https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/enabling-smart-card-login.html
Smart card login provides two-factor authentication stronger than that provided by a username/password combination. Smart cards leverage a PKI (public key infrastructure) in order to provide and verify credentials.
Result for Modify the System Login Banner
Result: pass
Rule ID: set_system_login_banner
Time: 2013-09-27 19:04
Severity: medium
To configure the system login banner:
Edit /etc/issue. Replace the default text with a message compliant with the local site policy or a legal disclaimer.
The DoD required text is either:
You are accessing a U.S. Government (USG) Information System (IS) that is
provided for USG-authorized use only. By using this IS (which includes any
device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes
including, but not limited to, penetration testing, COMSEC monitoring, network
operations and defense, personnel misconduct (PM), law enforcement (LE), and
counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject
to routine monitoring, interception, and search, and may be disclosed or used
for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls)
to protect USG interests -- not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative
searching or monitoring of the content of privileged communications, or work
product, related to personal representation or services by attorneys,
psychotherapists, or clergy, and their assistants. Such communications and work
product are private and confidential. See User Agreement for details.
OR:
I've read & consent to terms in IS user agreem't.
An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.
Security identifiers
- CCE-26974-6
Remediation script
# Write the banner text itself to /etc/issue; a pattern built from [\s\n]+ only suits checking the file, not its content.
cat <<'EOF' >/etc/issue
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
EOF
Result for Enable GUI Warning Banner
Result: fail
Rule ID: enable_gdm_login_banner
Time: 2013-09-27 19:04
Severity: medium
To enable displaying a login warning banner in the GNOME Display Manager's login screen, run the following command:
sudo -u gdm gconftool-2 \
--type bool \
--set /apps/gdm/simple-greeter/banner_message_enable true
To display a banner, this setting must be enabled and then banner text must also be set.
An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.
Security identifiers
- CCE-27195-7
Result for Set GUI Warning Banner Text
Result: notchecked
Rule ID: set_gdm_login_banner_text
Time: 2013-09-27 19:04
Severity: medium
To set the text shown by the GNOME Display Manager in the login screen, run the following command:
sudo -u gdm gconftool-2 \
--type string \
--set /apps/gdm/simple-greeter/banner_message_text \
"Text of the warning banner here"
When entering a warning banner that spans several lines, remember to begin and end the string with ". This command writes directly to the file /var/lib/gdm/.gconf/apps/gdm/simple-greeter/%gconf.xml, and this file can later be edited directly if necessary.
An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.
Security identifiers
- CCE-27017-3
Result for Disable Kernel Parameter for Sending ICMP Redirects by Default
Result: pass
Rule ID: disable_sysctl_ipv4_default_send_redirects
Time: 2013-09-27 19:04
Severity: medium
To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command:
# sysctl -w net.ipv4.conf.default.send_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.default.send_redirects = 0
Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers.
Security identifiers
- CCE-27001-7
Result for Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces
Result: pass
Rule ID: disable_sysctl_ipv4_all_send_redirects
Time: 2013-09-27 19:04
Severity: medium
To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command:
# sysctl -w net.ipv4.conf.all.send_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.all.send_redirects = 0
Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers.
Security identifiers
- CCE-27004-1
Result for Disable Kernel Parameter for IP Forwarding
Result: pass
Rule ID: disable_sysctl_ipv4_ip_forward
Time: 2013-09-27 19:04
Severity: medium
To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command:
# sysctl -w net.ipv4.ip_forward=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.ip_forward = 0
IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.
Security identifiers
- CCE-26866-4
Result for Disable Kernel Parameter for Accepting Source-Routed Packets for All Interfaces
Result: pass
Rule ID: set_sysctl_net_ipv4_conf_all_accept_source_route
Time: 2013-09-27 19:04
Severity: medium
To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command:
# sysctl -w net.ipv4.conf.all.accept_source_route=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.all.accept_source_route = 0
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
Security identifiers
- CCE-27037-1
Remediation script
#
# Set runtime for net.ipv4.conf.all.accept_source_route
#
sysctl -q -n -w net.ipv4.conf.all.accept_source_route=0
#
# If net.ipv4.conf.all.accept_source_route present in /etc/sysctl.conf, change value to "0"
# else, add "net.ipv4.conf.all.accept_source_route = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.all.accept_source_route /etc/sysctl.conf ; then
sed -i 's/^net.ipv4.conf.all.accept_source_route.*/net.ipv4.conf.all.accept_source_route = 0/g' /etc/sysctl.conf
else
echo "" >> /etc/sysctl.conf
echo "# Set net.ipv4.conf.all.accept_source_route to 0 per security requirements" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf
fi
Result for Disable Kernel Parameter for Accepting ICMP Redirects for All Interfaces
Result: pass
Rule ID: set_sysctl_net_ipv4_conf_all_accept_redirects
Time: 2013-09-27 19:04
Severity: medium
To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command:
# sysctl -w net.ipv4.conf.all.accept_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.all.accept_redirects = 0
Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required.
Security identifiers
- CCE-27027-2
Remediation script
#
# Set runtime for net.ipv4.conf.all.accept_redirects
#
sysctl -q -n -w net.ipv4.conf.all.accept_redirects=0
#
# If net.ipv4.conf.all.accept_redirects present in /etc/sysctl.conf, change value to "0"
# else, add "net.ipv4.conf.all.accept_redirects = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.all.accept_redirects /etc/sysctl.conf ; then
sed -i 's/^net.ipv4.conf.all.accept_redirects.*/net.ipv4.conf.all.accept_redirects = 0/g' /etc/sysctl.conf
else
echo "" >> /etc/sysctl.conf
echo "# Set net.ipv4.conf.all.accept_redirects to 0 per security requirements" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
fi
Result for Disable Kernel Parameter for Accepting Secure Redirects for All Interfaces
Result: pass
Rule ID: set_sysctl_net_ipv4_conf_all_secure_redirects
Time: 2013-09-27 19:04
Severity: medium
To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter, run the following command:
# sysctl -w net.ipv4.conf.all.secure_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.all.secure_redirects = 0
Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.
Security identifiers
- CCE-26854-0
Remediation script
#
# Set runtime for net.ipv4.conf.all.secure_redirects
#
sysctl -q -n -w net.ipv4.conf.all.secure_redirects=0
#
# If net.ipv4.conf.all.secure_redirects present in /etc/sysctl.conf, change value to "0"
# else, add "net.ipv4.conf.all.secure_redirects = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.all.secure_redirects /etc/sysctl.conf ; then
sed -i 's/^net.ipv4.conf.all.secure_redirects.*/net.ipv4.conf.all.secure_redirects = 0/g' /etc/sysctl.conf
else
echo "" >> /etc/sysctl.conf
echo "# Set net.ipv4.conf.all.secure_redirects to 0 per security requirements" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.conf
fi
Result for Enable Kernel Parameter to Log Martian Packets
Result: pass
Rule ID: set_sysctl_net_ipv4_conf_all_log_martians
Time: 2013-09-27 19:04
Severity: low
To set the runtime status of the net.ipv4.conf.all.log_martians kernel parameter, run the following command:
# sysctl -w net.ipv4.conf.all.log_martians=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.all.log_martians = 1
The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.
Security identifiers
- CCE-27066-0
Remediation script
#
# Set runtime for net.ipv4.conf.all.log_martians
#
sysctl -q -n -w net.ipv4.conf.all.log_martians=1
#
# If net.ipv4.conf.all.log_martians present in /etc/sysctl.conf, change value to "1"
# else, add "net.ipv4.conf.all.log_martians = 1" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.all.log_martians /etc/sysctl.conf ; then
sed -i 's/^net.ipv4.conf.all.log_martians.*/net.ipv4.conf.all.log_martians = 1/g' /etc/sysctl.conf
else
echo "" >> /etc/sysctl.conf
echo "# Set net.ipv4.conf.all.log_martians to 1 per security requirements" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.log_martians = 1" >> /etc/sysctl.conf
fi
Result for Disable Kernel Parameter for Accepting Source-Routed Packets By Default
Result: pass
Rule ID: set_sysctl_net_ipv4_conf_default_accept_source_route
Time: 2013-09-27 19:04
Severity: medium
To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command:
# sysctl -w net.ipv4.conf.default.accept_source_route=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.default.accept_source_route = 0
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
Security identifiers
- CCE-26983-7
Remediation script
#
# Set runtime for net.ipv4.conf.default.accept_source_route
#
sysctl -q -n -w net.ipv4.conf.default.accept_source_route=0
#
# If net.ipv4.conf.default.accept_source_route present in /etc/sysctl.conf, change value to "0"
# else, add "net.ipv4.conf.default.accept_source_route = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.default.accept_source_route /etc/sysctl.conf ; then
sed -i 's/^net.ipv4.conf.default.accept_source_route.*/net.ipv4.conf.default.accept_source_route = 0/g' /etc/sysctl.conf
else
echo "" >> /etc/sysctl.conf
echo "# Set net.ipv4.conf.default.accept_source_route to 0 per security requirements" >> /etc/sysctl.conf
echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
fi
Result for Disable Kernel Parameter for Accepting ICMP Redirects By Default
Result: pass
Rule ID: set_sysctl_net_ipv4_conf_default_accept_redirects
Time: 2013-09-27 19:04
Severity: low
To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command:
# sysctl -w net.ipv4.conf.default.accept_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.default.accept_redirects = 0
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
Security identifiers
- CCE-27015-7
Remediation script
#
# Set runtime for net.ipv4.conf.default.accept_redirects
#
sysctl -q -n -w net.ipv4.conf.default.accept_redirects=0
#
# If net.ipv4.conf.default.accept_redirects present in /etc/sysctl.conf, change value to "0"
# else, add "net.ipv4.conf.default.accept_redirects = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.default.accept_redirects /etc/sysctl.conf ; then
sed -i 's/^net.ipv4.conf.default.accept_redirects.*/net.ipv4.conf.default.accept_redirects = 0/g' /etc/sysctl.conf
else
echo "" >> /etc/sysctl.conf
echo "# Set net.ipv4.conf.default.accept_redirects to 0 per security requirements" >> /etc/sysctl.conf
echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.conf
fi
Result for Disable Kernel Parameter for Accepting Secure Redirects By Default
Result: pass
Rule ID: set_sysctl_net_ipv4_conf_default_secure_redirects
Time: 2013-09-27 19:04
Severity: medium
To set the runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter, run the following command:
# sysctl -w net.ipv4.conf.default.secure_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.default.secure_redirects = 0
Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.
Security identifiers
- CCE-26831-8
Remediation script
#
# Set runtime for net.ipv4.conf.default.secure_redirects
#
sysctl -q -n -w net.ipv4.conf.default.secure_redirects=0
#
# If net.ipv4.conf.default.secure_redirects present in /etc/sysctl.conf, change value to "0"
# else, add "net.ipv4.conf.default.secure_redirects = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.default.secure_redirects /etc/sysctl.conf ; then
sed -i 's/^net.ipv4.conf.default.secure_redirects.*/net.ipv4.conf.default.secure_redirects = 0/g' /etc/sysctl.conf
else
echo "" >> /etc/sysctl.conf
echo "# Set net.ipv4.conf.default.secure_redirects to 0 per security requirements" >> /etc/sysctl.conf
echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.conf
fi
Result for Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests
Result: pass
Rule ID: set_sysctl_net_ipv4_icmp_echo_ignore_broadcasts
Time: 2013-09-27 19:04
Severity: low
To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command:
# sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.icmp_echo_ignore_broadcasts = 1
Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.
Security identifiers
- CCE-26883-9
Remediation script
#
# Set runtime for net.ipv4.icmp_echo_ignore_broadcasts
#
sysctl -q -n -w net.ipv4.icmp_echo_ignore_broadcasts=1
#
# If net.ipv4.icmp_echo_ignore_broadcasts present in /etc/sysctl.conf, change value to "1"
# else, add "net.ipv4.icmp_echo_ignore_broadcasts = 1" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf ; then
sed -i 's/^net.ipv4.icmp_echo_ignore_broadcasts.*/net.ipv4.icmp_echo_ignore_broadcasts = 1/g' /etc/sysctl.conf
else
echo "" >> /etc/sysctl.conf
echo "# Set net.ipv4.icmp_echo_ignore_broadcasts to 1 per security requirements" >> /etc/sysctl.conf
echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" >> /etc/sysctl.conf
fi
Result for Enable Kernel Parameter to Ignore Bogus ICMP Error Responses
Result: pass
Rule ID: set_sysctl_net_ipv4_icmp_ignore_bogus_error_responses
Time: 2013-09-27 19:04
Severity: low
To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command:
# sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.icmp_ignore_bogus_error_responses = 1
Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.
Security identifiers
- CCE-26993-6
Remediation script
#
# Set runtime for net.ipv4.icmp_ignore_bogus_error_responses
#
sysctl -q -n -w net.ipv4.icmp_ignore_bogus_error_responses=1
#
# If net.ipv4.icmp_ignore_bogus_error_responses present in /etc/sysctl.conf, change value to "1"
# else, add "net.ipv4.icmp_ignore_bogus_error_responses = 1" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.icmp_ignore_bogus_error_responses /etc/sysctl.conf ; then
sed -i 's/^net.ipv4.icmp_ignore_bogus_error_responses.*/net.ipv4.icmp_ignore_bogus_error_responses = 1/g' /etc/sysctl.conf
else
echo "" >> /etc/sysctl.conf
echo "# Set net.ipv4.icmp_ignore_bogus_error_responses to 1 per security requirements" >> /etc/sysctl.conf
echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.conf
fi
Result for Enable Kernel Parameter to Use TCP Syncookies
Result: pass
Rule ID: set_sysctl_net_ipv4_tcp_syncookies
Time: 2013-09-27 19:04
Severity: medium
To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command:
# sysctl -w net.ipv4.tcp_syncookies=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.tcp_syncookies = 1
A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.
Security identifiers
- CCE-27053-8
Remediation script
#
# Set runtime for net.ipv4.tcp_syncookies
#
sysctl -q -n -w net.ipv4.tcp_syncookies=1
#
# If net.ipv4.tcp_syncookies present in /etc/sysctl.conf, change value to "1"
# else, add "net.ipv4.tcp_syncookies = 1" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.tcp_syncookies /etc/sysctl.conf ; then
sed -i 's/^net.ipv4.tcp_syncookies.*/net.ipv4.tcp_syncookies = 1/g' /etc/sysctl.conf
else
echo "" >> /etc/sysctl.conf
echo "# Set net.ipv4.tcp_syncookies to 1 per security requirements" >> /etc/sysctl.conf
echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
fi
Result for Enable Kernel Parameter to Use Reverse Path Filtering for All Interfaces
Result: pass
Rule ID: set_sysctl_net_ipv4_conf_all_rp_filter
Time: 2013-09-27 19:04
Severity: medium
To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command:
# sysctl -w net.ipv4.conf.all.rp_filter=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.all.rp_filter = 1
Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.
Security identifiers
- CCE-26979-5
Remediation script
#
# Set runtime for net.ipv4.conf.all.rp_filter
#
sysctl -q -n -w net.ipv4.conf.all.rp_filter=1
#
# If net.ipv4.conf.all.rp_filter present in /etc/sysctl.conf, change value to "1"
# else, add "net.ipv4.conf.all.rp_filter = 1" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.all.rp_filter /etc/sysctl.conf ; then
sed -i 's/^net.ipv4.conf.all.rp_filter.*/net.ipv4.conf.all.rp_filter = 1/g' /etc/sysctl.conf
else
echo "" >> /etc/sysctl.conf
echo "# Set net.ipv4.conf.all.rp_filter to 1 per security requirements" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf
fi
Result for Enable Kernel Parameter to Use Reverse Path Filtering by Default
Result: pass
Rule ID: set_sysctl_net_ipv4_conf_default_rp_filter
Time: 2013-09-27 19:04
Severity: medium
To set the runtime status of the net.ipv4.conf.default.rp_filter kernel parameter, run the following command:
# sysctl -w net.ipv4.conf.default.rp_filter=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.default.rp_filter = 1
Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.
Security identifiers
- CCE-26915-9
Remediation script
#
# Set runtime for net.ipv4.conf.default.rp_filter
#
sysctl -q -n -w net.ipv4.conf.default.rp_filter=1
#
# If net.ipv4.conf.default.rp_filter present in /etc/sysctl.conf, change value to "1"
# else, add "net.ipv4.conf.default.rp_filter = 1" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.default.rp_filter /etc/sysctl.conf ; then
sed -i 's/^net.ipv4.conf.default.rp_filter.*/net.ipv4.conf.default.rp_filter = 1/g' /etc/sysctl.conf
else
echo "" >> /etc/sysctl.conf
echo "# Set net.ipv4.conf.default.rp_filter to 1 per security requirements" >> /etc/sysctl.conf
echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.conf
fi
Result for Disable Bluetooth Service
Result: pass
Rule ID: service_bluetooth_disabled
Time: 2013-09-27 19:04
Severity: medium
The bluetooth service can be disabled with the following command:
# chkconfig bluetooth off
# service bluetooth stop
Disabling the bluetooth service prevents the system from attempting connections to Bluetooth devices, which entails some security risk. Nevertheless, variation in this risk decision may be expected due to the utility of Bluetooth connectivity and its limited range.
Security identifiers
- CCE-27081-9
Result for Disable Bluetooth Kernel Modules
Result: pass
Rule ID: kernel_module_bluetooth_disabled
Time: 2013-09-27 19:04
Severity: medium
The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate /etc/modprobe.d configuration file to prevent the loading of the Bluetooth module:
install net-pf-31 /bin/false
install bluetooth /bin/false
If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.
Security identifiers
- CCE-26763-3
Result for Disable IPv6 Networking Support Automatic Loading
Result: pass
Rule ID: disable_ipv6_module_loading
Time: 2013-09-27 19:04
Severity: medium
To prevent the IPv6 kernel module (ipv6) from loading the IPv6 networking stack, add the following line to /etc/modprobe.d/disabled.conf (or another file in /etc/modprobe.d):
options ipv6 disable=1
This permits the IPv6 module to be loaded (and thus satisfy other modules that depend on it), while disabling support for the IPv6 protocol.
Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the vulnerability to exploitation.
Security identifiers
- CCE-27153-6
Result for Disable Accepting IPv6 Redirects
Result: pass
Rule ID: set_sysctl_ipv6_default_accept_redirects
Time: 2013-09-27 19:04
Severity: medium
To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command:
# sysctl -w net.ipv6.conf.default.accept_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv6.conf.default.accept_redirects = 0
An illicit ICMP redirect message could result in a man-in-the-middle attack.
Security identifiers
- CCE-27166-8
Result for Verify ip6tables Enabled if Using IPv6
Result: pass
Rule ID: enable_ip6tables
Time: 2013-09-27 19:04
Severity: medium
The ip6tables service can be enabled with the following command:
# chkconfig --level 2345 ip6tables on
The ip6tables service provides the system's host-based firewalling capability for IPv6 and ICMPv6.
Security identifiers
- CCE-27006-6
Result for Verify iptables Enabled
Result: pass
Rule ID: enable_iptables
Time: 2013-09-27 19:04
Severity: medium
The iptables service can be enabled with the following command:
# chkconfig --level 2345 iptables on
The iptables service provides the system's host-based firewalling capability for IPv4 and ICMP.
Security identifiers
- CCE-27018-1
Result for Set Default iptables Policy for Incoming Packets
Result: pass
Rule ID: set_iptables_default_rule
Time: 2013-09-27 19:04
Severity: medium
To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in /etc/sysconfig/iptables:
:INPUT DROP [0:0]
In iptables the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to DROP implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.
Security identifiers
- CCE-26444-0
Result for Set Default iptables Policy for Forwarded Packets
Result: notchecked
Rule ID: set_iptables_default_rule_forward
Time: 2013-09-27 19:04
Severity: medium
To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interface to another, add or correct the following line in /etc/sysconfig/iptables:
:FORWARD DROP [0:0]
In iptables the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to DROP implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.
Security identifiers
- CCE-27186-6
Result for Disable DCCP Support
Result: pass
Rule ID: disable_protocol_dccp
Time: 2013-09-27 19:04
Severity: medium
The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony.
To configure the system to prevent the dccp kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install dccp /bin/false
Disabling DCCP protects the system against exploitation of any flaws in its implementation.
Security identifiers
- CCE-26448-1
Result for Disable SCTP Support
Result: pass
Rule ID: disable_protocol_sctp
Time: 2013-09-27 19:04
Severity: medium
The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection.
To configure the system to prevent the sctp kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install sctp /bin/false
Disabling SCTP protects the system against exploitation of any flaws in its implementation.
Security identifiers
- CCE-26410-1
Result for Disable RDS Support
Result: pass
Rule ID: disable_protocol_rds
Time: 2013-09-27 19:04
Severity: low
The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-bandwidth, low-latency communications between nodes in a cluster.
To configure the system to prevent the rds kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install rds /bin/false
Disabling RDS protects the system against exploitation of any flaws in its implementation.
Security identifiers
- CCE-26239-4
Result for Disable TIPC Support
Result: pass
Rule ID: disable_protocol_tipc
Time: 2013-09-27 19:04
Severity: medium
The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster.
To configure the system to prevent the tipc kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install tipc /bin/false
Disabling TIPC protects the system against exploitation of any flaws in its implementation.
Security identifiers
- CCE-26696-5
Result for Install openswan Package
Result: pass
Rule ID: install_openswan
Time: 2013-09-27 19:04
Severity: low
The Openswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks.
The openswan package can be installed with the following command:
# yum install openswan
Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network.
Security identifiers
- CCE-27626-1
Result for Ensure rsyslog is Installed
Result: pass
Rule ID: package_rsyslog_installed
Time: 2013-09-27 19:04
Severity: medium
Rsyslog is installed by default.
The rsyslog package can be installed with the following command:
# yum install rsyslog
The rsyslog package provides the rsyslog daemon, which provides system logging services.
Security identifiers
- CCE-26809-4
Result for Enable rsyslog Service
Result: pass
Rule ID: service_rsyslog_enabled
Time: 2013-09-27 19:04
Severity: medium
The rsyslog service provides syslog-style logging by default on RHEL 6.
The rsyslog service can be enabled with the following command:
# chkconfig --level 2345 rsyslog on
The rsyslog service must be running in order to provide logging services, which are essential to system administration.
Security identifiers
- CCE-26807-8
Result for Ensure Log Files Are Owned By Appropriate User
Result: pass
Rule ID: userowner_rsyslog_files
Time: 2013-09-27 19:04
Severity: medium
The owner of all log files written by rsyslog should be root.
These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log.
For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's owner:
$ ls -l LOGFILE
If the owner is not root, run the following command to correct this:
# chown root LOGFILE
The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.
Security identifiers
- CCE-26812-8
Result for Ensure Log Files Are Owned By Appropriate Group
Result: unknown
Rule ID: groupowner_rsyslog_files
Time: 2013-09-27 19:04
Severity: medium
The group-owner of all log files written by rsyslog should be root.
These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log.
For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's group owner:
$ ls -l LOGFILE
If the group owner is not root, run the following command to correct this:
# chgrp root LOGFILE
The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.
Security identifiers
- CCE-26821-9
Result for Ensure System Log Files Have Correct Permissions
Result: unknown
Rule ID: rsyslog_file_permissions
Time: 2013-09-27 19:04
Severity: medium
The file permissions for all log files written by rsyslog should be set to 600, or more restrictive.
These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log.
For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's permissions:
$ ls -l LOGFILE
If the permissions are not 600 or more restrictive,
run the following command to correct this:
# chmod 0600 LOGFILE
Log files can contain valuable information regarding system configuration. If the system log files are not protected, unauthorized users could change the logged data, eliminating their forensic value.
Security identifiers
- CCE-27190-8
Result for Ensure Logs Sent To Remote Host
Result: fail
Rule ID: rsyslog_send_messages_to_logserver
Time: 2013-09-27 19:04
Severity: low
To configure rsyslog to send logs to a remote log server, open /etc/rsyslog.conf and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging.
Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting loghost.example.com appropriately.
The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.
To use UDP for log message delivery:
*.* @loghost.example.com
To use TCP for log message delivery:
*.* @@loghost.example.com
To use RELP for log message delivery:
*.* :omrelp:loghost.example.com
A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.
Security identifiers
- CCE-26801-1
Result for Ensure Logrotate Runs Periodically
Result: unknown
Rule ID: ensure_logrotate_activated
Time: 2013-09-27 19:04
Severity: low
The logrotate service should be enabled.
Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.
Security identifiers
- CCE-27014-0
Result for Enable auditd Service
Result: pass
Rule ID: enable_auditd_service
Time: 2013-09-27 19:04
Severity: medium
The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk.
The auditd service can be enabled with the following command:
# chkconfig --level 2345 auditd on
Ensuring the auditd service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.
Security identifiers
- CCE-27058-7
Result for Enable Auditing for Processes Which Start Prior to the Audit Daemon
Result: pass
Rule ID: enable_auditd_bootloader
Time: 2013-09-27 19:04
Severity: medium
To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to the kernel line in /etc/grub.conf, in the manner below:
kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1
Each process on the system carries an "auditable" flag which
indicates whether its activities can be audited. Although auditd
takes care of enabling this for all processes which launch after it
does, adding the kernel argument ensures it is set for every
process during boot.
Security identifiers
- CCE-26785-6
Result for Configure auditd Number of Logs Retained
Result: pass
Rule ID: configure_auditd_num_logs
Time: 2013-09-27 19:04
Severity: medium
Determine how many log files auditd should retain when it rotates logs.
Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting NUMLOGS with the correct value:
num_logs = NUMLOGS
Set the value to 5 for general-purpose systems.
Note that values less than 2 result in no log rotation.
The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.
Result for Configure auditd Max Log File Size
Result: pass
Rule ID: configure_auditd_max_log_file
Time: 2013-09-27 19:04
Severity: medium
Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting the correct value for STOREMB:
max_log_file = STOREMB
Set the value to 6 (MB) or higher for general-purpose systems.
Larger values, of course, support retention of even more audit data.
The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.
Result for Configure auditd max_log_file_action Upon Reaching Maximum Log Size
Result: pass
Rule ID: configure_auditd_max_log_file_action
Time: 2013-09-27 19:04
Severity: medium
The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by auditd, add or correct the line in /etc/audit/auditd.conf:
max_log_file_action = ACTION
Possible values for ACTION are described in the auditd.conf man page. These include:
- ignore
- syslog
- suspend
- rotate
- keep_logs
Set the ACTION to rotate to ensure log rotation occurs. This is the default. The setting is case-insensitive.
Automatically rotating logs (by setting this to rotate) minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, keep_logs can be employed.
Security identifiers
- CCE-27237-7
Result for Configure auditd space_left Action on Low Disk Space
Result: pass
Rule ID: configure_auditd_space_left_action
Time: 2013-09-27 19:04
Severity: medium
The auditd service can be configured to take an action when disk space starts to run low.
Edit the file /etc/audit/auditd.conf. Modify the following line, substituting ACTION appropriately:
space_left_action = ACTION
Possible values for ACTION are described in the auditd.conf man page. These include:
- ignore
- syslog
- email
- exec
- suspend
- single
- halt
Set this to email (instead of the default, which is suspend) as it is more likely to get prompt attention. Acceptable values also include suspend, single, and halt.
Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.
Security identifiers
- CCE-27238-5
Result for Configure auditd admin_space_left Action on Low Disk Space
Result: pass
Rule ID: configure_auditd_admin_space_left_action
Time: 2013-09-27 19:04
Severity: medium
The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely.
Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:
admin_space_left_action = ACTION
Possible values for ACTION are described in the auditd.conf man page. These include:
- ignore
- syslog
- email
- exec
- suspend
- single
- halt
Set this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include suspend and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined.
Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur.
Security identifiers
- CCE-27239-3
Result for Configure auditd mail_acct Action on Low Disk Space
Result: pass
Rule ID: configure_auditd_action_mail_acct
Time: 2013-09-27 19:04
Severity: medium
The auditd service can be configured to send email to a designated account in certain situations. Add or correct the following line in /etc/audit/auditd.conf to ensure that administrators are notified via email for those situations:
action_mail_acct = root
Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.
Security identifiers
- CCE-27241-9
Result for Record attempts to alter time through adjtimex
Result: pass
Rule ID: audit_rules_time_adjtimex
Time: 2013-09-27 19:04
Severity: low
On a 32-bit system, add the following to /etc/audit/audit.rules:
# audit_time_rules
-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules
On a 64-bit system, add the following to /etc/audit/audit.rules:
# audit_time_rules
-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules
The -k option allows for the specification of a key in string form that can
be used for better reporting capability through ausearch and aureport.
Multiple system calls can be defined on the same line to save space if
desired, but this is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
Security identifiers
- CCE-26242-8
Result for Record attempts to alter time through settimeofday
Result: pass
Rule ID: audit_rules_time_settimeofday
Time: 2013-09-27 19:04
Severity: low
On a 32-bit system, add the following to /etc/audit/audit.rules:
# audit_time_rules
-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules
On a 64-bit system, add the following to /etc/audit/audit.rules:
# audit_time_rules
-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules
The -k option allows for the specification of a key in string form that can
be used for better reporting capability through ausearch and aureport.
Multiple system calls can be defined on the same line to save space if
desired, but this is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
Security identifiers
- CCE-27203-9
Result for Record Attempts to Alter Time Through stime
Result: pass
Rule ID: audit_rules_time_stime
Time: 2013-09-27 19:04
Severity: low
On a 32-bit system, add the following to /etc/audit/audit.rules:
# audit_time_rules
-a always,exit -F arch=b32 -S stime -k audit_time_rules
On a 64-bit system, the "-S stime" is not necessary. The -k option allows for
the specification of a key in string form that can be used for better
reporting capability through ausearch and aureport. Multiple system calls
can be defined on the same line to save space if desired, but this is not required.
See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
Security identifiers
- CCE-27169-2
Result for Record Attempts to Alter Time Through clock_settime
Result: pass
Rule ID: audit_rules_time_clock_settime
Time: 2013-09-27 19:04
Severity: low
On a 32-bit system, add the following to /etc/audit/audit.rules:
# audit_time_rules
-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules
On a 64-bit system, add the following to /etc/audit/audit.rules:
# audit_time_rules
-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules
The -k option allows for the specification of a key in string form that can
be used for better reporting capability through ausearch and aureport.
Multiple system calls can be defined on the same line to save space if
desired, but this is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
Security identifiers
- CCE-27170-0
Result for Record Attempts to Alter the localtime File
Result: pass
Rule ID: audit_rules_time_watch_localtime
Time: 2013-09-27 19:04
Severity: low
Add the following to /etc/audit/audit.rules:
-w /etc/localtime -p wa -k audit_time_rules
The -k option allows for the specification of a key in string form that can
be used for better reporting capability through ausearch and aureport and
should always be used.
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
Security identifiers
- CCE-27172-6
Result for Record Events that Modify User/Group Information
Result: pass
Rule ID: audit_account_changes
Time: 2013-09-27 19:04
Severity: low
Add the following to /etc/audit/audit.rules, in order to capture events that modify account information:
# audit_account_changes
-w /etc/group -p wa -k audit_account_changes
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/shadow -p wa -k audit_account_changes
-w /etc/security/opasswd -p wa -k audit_account_changes
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
Security identifiers
- CCE-26664-3
Result for Record Events that Modify the System's Network Environment
Result: pass
Rule ID: audit_network_modifications
Time: 2013-09-27 19:04
Severity: low
Add the following to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate for your system:
# audit_network_modifications
-a exit,always -F arch=ARCH -S sethostname -S setdomainname -k audit_network_modifications
-w /etc/issue -p wa -k audit_network_modifications
-w /etc/issue.net -p wa -k audit_network_modifications
-w /etc/hosts -p wa -k audit_network_modifications
-w /etc/sysconfig/network -p wa -k audit_network_modifications
The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.
Security identifiers
- CCE-26648-6
Result for System Audit Logs Must Have Mode 0640 or Less Permissive
Result: pass
Rule ID: audit_logs_permissions
Time: 2013-09-27 19:04
Severity: low
Change the mode of the audit log files with the following command:
# chmod 0640 audit_file
If users can write to audit logs, audit trails can be modified or destroyed.
Security identifiers
- CCE-27243-5
Result for Record Events that Modify the System's Mandatory Access Controls
Result: fail
Rule ID: audit_mac_changes
Time: 2013-09-27 19:04
Severity: low
Add the following to /etc/audit/audit.rules:
-w /etc/selinux/ -p wa -k MAC-policy
The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.
Security identifiers
- CCE-26657-7
Result for Record Events that Modify the System's Discretionary Access Controls - chmod
Result: fail
Rule ID: audit_rules_dac_modification_chmod
Time: 2013-09-27 19:04
Severity: low
At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:
-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 \
-k perm_mod
If the system is 64-bit, then also add the following:
-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 \
-k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-26280-8
Result for Record Events that Modify the System's Discretionary Access Controls - chown
Result: fail
Rule ID: audit_rules_dac_modification_chown
Time: 2013-09-27 19:04
Severity: low
At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:
-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 \
-k perm_mod
If the system is 64-bit, then also add the following:
-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 \
-k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-27173-4
Result for Record Events that Modify the System's Discretionary Access Controls - fchmod
Result: fail
Rule ID: audit_rules_dac_modification_fchmod
Time: 2013-09-27 19:04
Severity: low
At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:
-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 \
-k perm_mod
If the system is 64-bit, then also add the following:
-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 \
-k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-27174-2
Result for Record Events that Modify the System's Discretionary Access Controls - fchmodat
Result: fail
Rule ID: audit_rules_dac_modification_fchmodat
Time: 2013-09-27 19:04
Severity: low
At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:
-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 \
-k perm_mod
If the system is 64-bit, then also add the following:
-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 \
-k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-27175-9
Result for Record Events that Modify the System's Discretionary Access Controls - fchown
Result: fail
Rule ID: audit_rules_dac_modification_fchown
Time: 2013-09-27 19:04
Severity: low
At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:
-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 \
-k perm_mod
If the system is 64-bit, then also add the following:
-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 \
-k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-27177-5
Result for Record Events that Modify the System's Discretionary Access Controls - fchownat
Result: fail
Rule ID: audit_rules_dac_modification_fchownat
Time: 2013-09-27 19:04
Severity: low
At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:
-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 \
-k perm_mod
If the system is 64-bit, then also add the following:
-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 \
-k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-27178-3
Result for Record Events that Modify the System's Discretionary Access Controls - fremovexattr
Result: fail
Rule ID: audit_rules_dac_modification_fremovexattr
Time: 2013-09-27 19:04
Severity: low
At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
If the system is 64-bit, then also add the following:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-27179-1
Result for Record Events that Modify the System's Discretionary Access Controls - fsetxattr
Result: fail
Rule ID: audit_rules_dac_modification_fsetxattr
Time: 2013-09-27 19:04
Severity: low
At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
If the system is 64-bit, then also add the following:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-27180-9
Result for Record Events that Modify the System's Discretionary Access Controls - lchown
Result: fail
Rule ID: audit_rules_dac_modification_lchown
Time: 2013-09-27 19:04
Severity: low
At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:
-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 \
-k perm_mod
If the system is 64-bit, then also add the following:
-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 \
-k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-27181-7
Result for Record Events that Modify the System's Discretionary Access Controls - lremovexattr
Result: fail
Rule ID: audit_rules_dac_modification_lremovexattr
Time: 2013-09-27 19:04
Severity: low
At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
If the system is 64-bit, then also add the following:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-27182-5
Result for Record Events that Modify the System's Discretionary Access Controls - lsetxattr
Result: fail
Rule ID: audit_rules_dac_modification_lsetxattr
Time: 2013-09-27 19:04
Severity: low
At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
If the system is 64-bit, then also add the following:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-27183-3
Result for Record Events that Modify the System's Discretionary Access Controls - removexattr
Result: fail
Rule ID: audit_rules_dac_modification_removexattr
Time: 2013-09-27 19:04
Severity: low
At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:
-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
If the system is 64-bit, then also add the following:
-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-27184-1
Result for Record Events that Modify the System's Discretionary Access Controls - setxattr
Result: fail
Rule ID: audit_rules_dac_modification_setxattr
Time: 2013-09-27 19:04
Severity: low
At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:
-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-27185-8
Result for Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)
Result: pass
Rule ID: audit_file_access
Time: 2013-09-27 19:04
Severity: low
At a minimum the audit system should collect unauthorized file accesses for all users and root. Add the following to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \
-S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \
-S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Security identifiers
- CCE-26712-0
Result for Ensure auditd Collects Information on the Use of Privileged Commands
Result: pass
Rule ID: audit_privileged_commands
Time: 2013-09-27 19:04
Severity: low
At a minimum the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid programs:
# find / -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
Then, for each setuid program on the system, add a line of the following form to /etc/audit/audit.rules, where SETUID_PROG_PATH is the full path to each setuid program in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Security identifiers
- CCE-26457-2
Result for Ensure auditd Collects Information on Exporting to Media (successful)
Result: pass
Rule ID: audit_media_exports
Time: 2013-09-27 19:04
Severity: low
At a minimum the audit system should collect media exportation events for all users and root. Add the following to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export
The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.
Security identifiers
- CCE-26573-6
Result for Ensure auditd Collects File Deletion Events by User
Result: pass
Rule ID: audit_file_deletions
Time: 2013-09-27 19:04
Severity: low
At a minimum the audit system should collect file deletion events for all users and root. Add the following to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S unlink -S unlinkat -S rename -S renameat \
-F auid>=500 -F auid!=4294967295 -k delete
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as in detecting malicious processes that attempt to delete log files to conceal their presence.
Security identifiers
- CCE-26651-0
Result for Ensure auditd Collects System Administrator Actions
Result: pass
Rule ID: audit_sysadmin_actions
Time: 2013-09-27 19:04
Severity: low
At a minimum the audit system should collect administrator actions for all users and root. Add the following to /etc/audit/audit.rules:
-w /etc/sudoers -p wa -k actions
The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as for accountability purposes.
Security identifiers
- CCE-26662-7
Result for Ensure auditd Collects Information on Kernel Module Loading and Unloading
Result: pass
Rule ID: audit_kernel_module_loading
Time: 2013-09-27 19:04
Severity: low
Add the following to /etc/audit/audit.rules in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=ARCH -S init_module -S delete_module -k modules
The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.
Security identifiers
- CCE-26611-4
Result for Disable xinetd Service
Result: pass
Rule ID: disable_xinetd
Time: 2013-09-27 19:04
Severity: medium
The xinetd service can be disabled with the following command:
# chkconfig xinetd off
The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself.
Security identifiers
- CCE-27046-2
Result for Uninstall xinetd Package
Result: pass
Rule ID: uninstall_xinetd
Time: 2013-09-27 19:04
Severity: low
The xinetd package can be uninstalled with the following command:
# yum erase xinetd
Removing the xinetd package decreases the risk of the xinetd service's accidental (or intentional) activation.
Security identifiers
- CCE-27005-8
Remediation script
if rpm -qa | grep -q xinetd; then
    yum -y remove xinetd
fi
Result for Disable telnet Service
Result: fail
Rule ID: disable_telnet_service
Time: 2013-09-27 19:04
Severity: high
The telnet service can be disabled with the following command:
# chkconfig telnet off
The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks.
Security identifiers
- CCE-26836-7
Result for Uninstall telnet-server Package
Result: pass
Rule ID: uninstall_telnet_server
Time: 2013-09-27 19:04
Severity: high
The telnet-server package can be uninstalled with the following command:
# yum erase telnet-server
Removing the telnet-server package decreases the risk of the telnet service's accidental (or intentional) activation.
Security identifiers
- CCE-27073-6
Remediation script
if rpm -qa | grep -q telnet-server; then
    yum -y remove telnet-server
fi
Result for Uninstall rsh-server Package
Result: pass
Rule ID: uninstall_rsh-server
Time: 2013-09-27 19:04
Severity: high
The rsh-server package can be uninstalled with the following command:
# yum erase rsh-server
The rsh-server package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation.
Security identifiers
- CCE-27062-9
Result for Disable rexec Service
Result: pass
Rule ID: disable_rexec
Time: 2013-09-27 19:04
Severity: high
The rexec service, which is available with the rsh-server package and runs as a service through xinetd, should be disabled.
The rexec service can be disabled with the following command:
# chkconfig rexec off
The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
Security identifiers
- CCE-27208-8
Result for Disable rsh Service
Result: pass
Rule ID: disable_rsh
Time: 2013-09-27 19:04
Severity: high
The rsh service, which is available with the rsh-server package and runs as a service through xinetd, should be disabled.
The rsh service can be disabled with the following command:
# chkconfig rsh off
The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
Security identifiers
- CCE-26994-4
Result for Disable rlogin Service
Result: pass
Rule ID: disable_rlogin
Time: 2013-09-27 19:04
Severity: high
The rlogin service, which is available with the rsh-server package and runs as a service through xinetd, should be disabled.
The rlogin service can be disabled with the following command:
# chkconfig rlogin off
The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
Security identifiers
- CCE-26865-6
Result for Remove Rsh Trust Files
Result: pass
Rule ID: no_rsh_trust_files
Time: 2013-09-27 19:04
Severity: high
The files /etc/hosts.equiv and ~/.rhosts (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon.
To remove these files, run the following command to delete them from any location:
# rm /etc/hosts.equiv
$ rm ~/.rhosts
Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system.
Security identifiers
- CCE-27270-8
Result for Uninstall ypserv Package
Result: pass
Rule ID: uninstall_ypserv
Time: 2013-09-27 19:04
Severity: medium
The ypserv package can be uninstalled with the following command:
# yum erase ypserv
Removing the ypserv package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.
Security identifiers
- CCE-27079-3
Remediation script
if rpm -qa | grep -q ypserv; then
    yum -y remove ypserv
fi
Result for Disable ypbind Service
Result: pass
Rule ID: disable_ypbind
Time: 2013-09-27 19:04
Severity: medium
The ypbind service, which allows the system to act as a client in a NIS or NIS+ domain, should be disabled.
The ypbind service can be disabled with the following command:
# chkconfig ypbind off
Disabling the ypbind service ensures the system is not acting as a client in a NIS or NIS+ domain.
Security identifiers
- CCE-26894-6
Result for Disable tftp Service
Result: pass
Rule ID: disable_tftp
Time: 2013-09-27 19:04
Severity: medium
The tftp service should be disabled.
The tftp service can be disabled with the following command:
# chkconfig tftp off
Disabling the tftp service ensures the system is not acting as a tftp server, which does not provide encryption or authentication.
Security identifiers
- CCE-27055-3
Result for Uninstall tftp-server Package
Result: pass
Rule ID: uninstall_tftp-server
Time: 2013-09-27 19:04
Severity: medium
The tftp-server package can be removed with the following command:
# yum erase tftp-server
Removing the tftp-server package decreases the risk of the accidental (or intentional) activation of tftp services.
Security identifiers
- CCE-26946-4
Result for Ensure tftp Daemon Uses Secure Mode
Result: pass
Rule ID: tftpd_uses_secure_mode
Time: 2013-09-27 19:04
Severity: high
If running the tftp service is necessary, it should be configured to change its root directory at startup. To do so, ensure /etc/xinetd.d/tftp includes -s as a command line argument, as shown in the following example (which is also the default):
server_args = -s /var/lib/tftpboot
Using the -s option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally-specified directory reduces the risk of sharing files which should remain private.
Security identifiers
- CCE-27272-4
Result for Disable Automatic Bug Reporting Tool (abrtd)
Result: pass
Rule ID: service_abrtd_disabled
Time: 2013-09-27 19:04
Severity: low
The Automatic Bug Reporting Tool (abrtd) daemon collects and reports crash data when an application crash is detected. Using a variety of plugins, abrtd can email crash reports to system administrators, log crash reports to files, or forward crash reports to a centralized issue tracking system such as RHTSupport.
The abrtd service can be disabled with the following command:
# chkconfig abrtd off
Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the local machine, as well as sensitive information from within a process's address space or registers.
Security identifiers
- CCE-27247-6
Result for Disable Network Console (netconsole)
Result: pass
Rule ID: service_netconsole_disabled
Time: 2013-09-27 19:04
Severity: low
The netconsole service is responsible for loading the netconsole kernel module, which logs kernel printk messages over UDP to a syslog server. This allows debugging of problems where disk logging fails and serial consoles are impractical.
The netconsole service can be disabled with the following command:
# chkconfig netconsole off
The netconsole service is not necessary unless there is a need to debug kernel panics, which is not common.
Security identifiers
- CCE-27254-2
Result for Disable ntpdate Service (ntpdate)
Result: pass
Rule ID: service_ntpdate_disabled
Time: 2013-09-27 19:04
Severity: low
The ntpdate service sets the local hardware clock by polling NTP servers when the system boots. It synchronizes to the NTP servers listed in /etc/ntp/step-tickers or /etc/ntp.conf and then sets the local hardware clock to the newly synchronized system time.
The ntpdate service can be disabled with the following command:
# chkconfig ntpdate off
The ntpdate service may only be suitable for systems which are rebooted frequently enough that clock drift does not cause problems between reboots. In any event, the functionality of the ntpdate service is now available in the ntpd program and should be considered deprecated.
Security identifiers
- CCE-27256-7
Result for Disable Odd Job Daemon (oddjobd)
Result: pass
Rule ID: service_oddjobd_disabled
Time: 2013-09-27 19:04
Severity: low
The oddjobd service exists to provide an interface and access control mechanism through which specified privileged tasks can run tasks for unprivileged client applications. Communication with oddjobd takes place through the system message bus.
The oddjobd service can be disabled with the following command:
# chkconfig oddjobd off
The oddjobd service may provide necessary functionality in some environments, but it can be disabled if it is not needed. Execution of tasks by privileged programs, on behalf of unprivileged ones, has traditionally been a source of privilege escalation security issues.
Security identifiers
- CCE-27257-5
Result for Disable Apache Qpid (qpidd)
Result: pass
Rule ID: service_qpidd_disabled
Time: 2013-09-27 19:04
Severity: low
The qpidd service provides high speed, secure, guaranteed delivery services. It is an implementation of the Advanced Message Queuing Protocol. By default the qpidd service will bind to port 5672 and listen for connection attempts.
The qpidd service can be disabled with the following command:
# chkconfig qpidd off
The qpidd service is automatically installed when the "base" package selection is selected during installation. The qpidd service listens for network connections, which increases the attack surface of the system. If the system is not intended to receive AMQP traffic then the qpidd service is not needed and should be disabled or removed.
Security identifiers
- CCE-26928-2
Result for Disable Network Router Discovery Daemon (rdisc)
Result: pass
Rule ID: service_rdisc_disabled
Time: 2013-09-27 19:04
Severity: low
The rdisc service implements the client side of the ICMP Internet Router Discovery Protocol (IRDP), which allows discovery of routers on the local subnet. If a router is discovered then the local routing table is updated with a corresponding default route. By default this daemon is disabled.
The rdisc service can be disabled with the following command:
# chkconfig rdisc off
General-purpose systems typically have their network and routing information configured statically by a system administrator. Workstations or some special-purpose systems often use DHCP (instead of IRDP) to retrieve dynamic network configuration information.
Security identifiers
- CCE-27261-7
Result for Disable Red Hat Network Service (rhnsd)
Result: pass
Rule ID: service_rhnsd_disabled
Time: 2013-09-27 19:04
Severity: low
The Red Hat Network service automatically queries Red Hat Network
servers to determine whether there are any actions that should be executed,
such as package updates. This only occurs if the system was registered to an
RHN server or satellite and managed as such.
The rhnsd service can be disabled with the following command:
# chkconfig rhnsd off
Although systems management and patching is extremely important to system security, management by a system outside the enterprise enclave is not desirable for some environments. However, if the system is being managed by RHN or RHN Satellite Server the rhnsd daemon can remain on.
Security identifiers
- CCE-26846-6
Result for Enable cron Service
Result: pass
Rule ID: enable_cron
Time: 2013-09-27 19:04
Severity: medium
The crond service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity.
The crond service can be enabled with the following command:
# chkconfig --level 2345 crond on
Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.
Security identifiers
- CCE-27070-2
Result for Allow Only SSH Protocol 2
Result: pass
Rule ID: sshd_allow_only_protocol2
Time: 2013-09-27 19:04
Severity: high
Only SSH protocol version 2 connections should be permitted. The default setting in /etc/ssh/sshd_config is correct, and can be verified by ensuring that the following line appears:
Protocol 2
SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used.
Security identifiers
- CCE-27072-8
Result for Set SSH Idle Timeout Interval
Result: fail
Rule ID: sshd_set_idle_timeout
Time: 2013-09-27 19:04
Severity: low
SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out.
To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as follows:
ClientAliveInterval interval
The timeout interval is given in seconds. To have a timeout of 15 minutes, set interval to 900.
If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.
Causing idle users to be automatically logged out guards against compromises on one system leading trivially to compromises on another.
Security identifiers
- CCE-26919-1
Result for Set SSH Client Alive Count
Result: pass
Rule ID: sshd_set_keepalive
Time: 2013-09-27 19:04
Severity: low
To ensure the SSH idle timeout occurs precisely when the ClientAliveCountMax is set, edit /etc/ssh/sshd_config as follows:
ClientAliveCountMax 0
This ensures a user login will be terminated as soon as the ClientAliveCountMax is reached.
Security identifiers
- CCE-26282-4
Result for Disable SSH Support for .rhosts Files
Result: pass
Rule ID: sshd_disable_rhosts
Time: 2013-09-27 19:04
Severity: medium
SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via .rhosts files.
To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:
IgnoreRhosts yes
SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.
Security identifiers
- CCE-27124-7
Result for Disable Host-Based Authentication
Result: pass
Rule ID: disable_host_auth
Time: 2013-09-27 19:04
Severity: medium
SSH's cryptographic host-based authentication is more secure than .rhosts authentication, since hosts are cryptographically authenticated. However, it is not recommended that hosts unilaterally trust one another, even within an organization.
To disable host-based authentication, add or correct the following line in /etc/ssh/sshd_config:
HostbasedAuthentication no
SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.
Security identifiers
- CCE-27091-8
Result for Disable SSH Root Login
Result: pass
Rule ID: sshd_disable_root_login
Time: 2013-09-27 19:04
Severity: medium
The root user should never be allowed to login to a system directly over a network.
To disable root login via SSH, add or correct the following line in /etc/ssh/sshd_config:
PermitRootLogin no
Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on root's password.
Security identifiers
- CCE-27100-7
Result for Disable SSH Access via Empty Passwords
Result: pass
Rule ID: sshd_disable_empty_passwords
Time: 2013-09-27 19:04
Severity: high
To explicitly disallow remote login from accounts with empty passwords, add or correct the following line in /etc/ssh/sshd_config:
PermitEmptyPasswords no
Any accounts with empty passwords should be disabled immediately, and PAM configuration
should prevent users from being able to assign themselves empty passwords.
Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.
Security identifiers
- CCE-26887-0
Result for Enable SSH Warning Banner
Result: pass
Rule ID: sshd_enable_warning_banner
Time: 2013-09-27 19:04
Severity: medium
To enable the warning banner and ensure it is consistent across the system, add or correct the following line in /etc/ssh/sshd_config:
Banner /etc/issue
Another section contains information on how to create an
appropriate system-wide warning banner.
The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.
Security identifiers
- CCE-27112-2
Result for Do Not Allow SSH Environment Options
Result: pass
Rule ID: sshd_do_not_permit_user_env
Time: 2013-09-27 19:04
Severity: low
To ensure users are not able to present environment options to the SSH daemon, add or correct the following line in /etc/ssh/sshd_config:
PermitUserEnvironment no
SSH environment options potentially allow users to bypass access restriction in some configurations.
Security identifiers
- CCE-27201-3
Result for Use Only Approved Ciphers
Result: fail
Rule ID: sshd_use_approved_ciphers
Time: 2013-09-27 19:04
Severity: medium
Limit the ciphers to those algorithms which are FIPS-approved.
Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.
The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved ciphers:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
The man page sshd_config(5) contains a list of supported ciphers.
Approved algorithms should impart some level of confidence in their implementation. These are also required for compliance.
Security identifiers
- CCE-26555-3
Result for Disable X Windows Startup By Setting Runlevel
Result: pass
Rule ID: disable_xwindows_with_runlevel
Time: 2013-09-27 19:04
Severity: low
Setting the system's runlevel to 3 will prevent automatic startup of the X server. To do so, ensure the following line in /etc/inittab features a 3 as shown:
id:3:initdefault:
Unnecessary services should be disabled to decrease the attack surface of the system.
Security identifiers
- CCE-27119-7
Result for Remove the X Windows Package Group
Result: pass
Rule ID: packagegroup_xwindows_remove
Time: 2013-09-27 19:04
Severity: low
Removing all packages which constitute the X Window System ensures users or malicious software cannot start X. To do so, run the following command:
# yum groupremove "X Window System"
Unnecessary packages should not be installed to decrease the attack surface of the system.
Security identifiers
- CCE-27198-1
Result for Disable Avahi Server Software
Result: pass
Rule ID: disable_avahi
Time: 2013-09-27 19:04
Severity: low
The avahi-daemon service can be disabled with the following command:
# chkconfig avahi-daemon off
Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted.
Security identifiers
- CCE-27087-6
Result for Disable DHCP Client
Result: pass
Rule ID: disable_dhcp_client
Time: 2013-09-27 19:04
Severity: low
For each interface on the system (e.g. eth0), edit /etc/sysconfig/network-scripts/ifcfg-interface and make the following changes:
- Correct the BOOTPROTO line to read:
BOOTPROTO=static
- Add or correct the following lines, substituting the appropriate values based on your site's addressing scheme:
NETMASK=255.255.255.0
IPADDR=192.168.1.2
GATEWAY=192.168.1.1
DHCP relies on trusting the local network. If the local network is not trusted, then it should not be used. However, the automatic configuration provided by DHCP is commonly used and the alternative, manual configuration, presents an unacceptable burden in many circumstances.
Security identifiers
- CCE-27021-5
Result for Enable the NTP Daemon
Result: pass
Rule ID: enable_ntpd
Time: 2013-09-27 19:04
Severity: medium
The ntpd service can be enabled with the following command:
# chkconfig --level 2345 ntpd on
Enabling the ntpd service ensures that the ntpd service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches.
The NTP daemon offers all of the functionality of ntpdate, which is now deprecated. Additional information on this is available at http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate
Security identifiers
- CCE-27093-4
Result for Specify a Remote NTP Server
Result: pass
Rule ID: ntpd_specify_remote_server
Time: 2013-09-27 19:04
Severity: medium
To specify a remote NTP server for time synchronization, edit the file /etc/ntp.conf. Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver:
server ntpserver
This instructs the NTP software to contact that remote server to obtain time data.
Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events. Using a trusted NTP server provided by your organization is recommended.
Security identifiers
- CCE-27098-3
Result for Enable Postfix Service
Result: pass
Rule ID: service_postfix_enable
Time: 2013-09-27 19:04
Severity: low
The Postfix mail transfer agent is used for local mail delivery
within the system. The default configuration only listens for connections to
the default SMTP port (port 25) on the loopback interface (127.0.0.1). It is
recommended to leave this service enabled for local mail delivery.
The postfix service can be enabled with the following command:
# chkconfig --level 2345 postfix on
Local mail delivery is essential to some system maintenance and notification tasks.
Security identifiers
- CCE-26325-1
Result for Uninstall Sendmail Package
Result: pass
Rule ID: package_sendmail_removed
Time: 2013-09-27 19:04
Severity: medium
Sendmail is not the default mail transfer agent and is
not installed by default.
The sendmail package can be removed with the following command:
# yum erase sendmail
The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead.
Security identifiers
- CCE-27515-6
Result for Disable Postfix Network Listening
Result: pass
Rule ID: postfix_network_listening
Time: 2013-09-27 19:04
Severity: medium
Edit the file /etc/postfix/main.cf to ensure that only the following inet_interfaces line appears:
inet_interfaces = localhost
This ensures postfix accepts mail messages (such as cron job reports) from the local system only, and not from the network, which protects it from network attack.
Security identifiers
- CCE-26780-7
Result for Configure LDAP Client to Use TLS For All Transactions
Result: pass
Rule ID: ldap_client_start_tls
Time: 2013-09-27 19:04
Severity: medium
Configure LDAP to enforce TLS use. First, edit the file /etc/pam_ldap.conf, and add or correct the following lines:
ssl start_tls
Then review the LDAP server and ensure TLS has been configured.
The ssl directive specifies whether to use ssl or not. If not specified it will default to no. It should be set to start_tls rather than doing LDAP over SSL.
Security identifiers
- CCE-26690-8
Result for Configure Certificate Directives for LDAP Use of TLS
Result: pass
Rule ID: ldap_client_tls_cacertpath
Time: 2013-09-27 19:04
Severity: medium
Ensure a copy of a trusted CA certificate has been placed in the file /etc/pki/tls/CA/cacert.pem. Configure LDAP to enforce TLS use and to trust certificates signed by that CA. First, edit the file /etc/pam_ldap.conf, and add or correct either of the following lines:
tls_cacertdir /etc/pki/tls/CA
or
tls_cacertfile /etc/pki/tls/CA/cacert.pem
Then review the LDAP server and ensure TLS has been configured.
The tls_cacertdir or tls_cacertfile directives are required when tls_checkpeer is configured (which is the default for openldap versions 2.1 and up). These directives define the path to the trust certificates signed by the site CA.
Security identifiers
- CCE-27189-0
Result for Uninstall openldap-servers Package
Result: pass
Rule ID: package_openldap-servers_removed
Time: 2013-09-27 19:04
Severity: low
The openldap-servers package should be removed if not in use.
Is this machine the OpenLDAP server? If not, remove the package.
# yum erase openldap-servers
The openldap-servers RPM is not installed by default on RHEL 6
machines. It is needed only by the OpenLDAP server, not by the
clients which use LDAP for authentication. If the system is not
intended for use as an LDAP Server it should be removed.
Unnecessary packages should not be installed to decrease the attack surface of the system. While this software is clearly essential on an LDAP server, it is not necessary on typical desktop or workstation systems.
Security identifiers
- CCE-26858-1
Result for Mount Remote Filesystems with nodev
Result: pass
Rule ID: use_nodev_option_on_nfs_mounts
Time: 2013-09-27 19:04
Severity: medium
Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.
Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users.
Security identifiers
- CCE-27090-0
Result for Mount Remote Filesystems with nosuid
Result: pass
Rule ID: use_nosuid_option_on_nfs_mounts
Time: 2013-09-27 19:04
Severity: medium
Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.
NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem.
Security identifiers
- CCE-26972-0
Result for Ensure Insecure File Locking is Not Allowed
Result: notchecked
Rule ID: no_insecure_locks_exports
Time: 2013-09-27 19:04
Severity: medium
By default the NFS server requires secure file-lock requests, which require credentials from the client in order to lock a file. Most NFS clients send credentials with file-lock requests; however, a few clients do not send credentials when requesting a file lock, so those clients are able to lock only world-readable files. To get around this, the insecure_locks option can be used so these clients can access the desired export. This poses a security risk by potentially allowing the client access to data for which it does not have authorization.
Remove any instances of the insecure_locks option from the file /etc/exports.
Allowing insecure file locking could allow for sensitive data to be viewed or edited by an unauthorized user.
Security identifiers
- CCE-27167-6
Result for Enable Logging of All FTP Transactions
Result: notchecked
Rule ID: ftp_log_transactions
Time: 2013-09-27 19:04
Severity: low
Add or correct the following configuration options within the vsftpd configuration file, located at /etc/vsftpd/vsftpd.conf:
xferlog_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YES
If verbose logging to vsftpd.log is done, sparse logging of downloads to /var/log/xferlog will not also occur. However, the information about what files were downloaded is included in the information logged to vsftpd.log.
To trace malicious activity facilitated by the FTP service, it must be configured to ensure that all commands sent to the FTP server are logged using the verbose vsftpd log format. The default vsftpd log file is /var/log/vsftpd.log.
Security identifiers
- CCE-27142-9
Result for Create Warning Banners for All FTP Users
Result: notchecked
Rule ID: ftp_present_banner
Time: 2013-09-27 19:04
Severity: medium
Edit the vsftpd configuration file, which resides at /etc/vsftpd/vsftpd.conf by default. Add or correct the following configuration options:
banner_file=/etc/issue
This setting will cause the system greeting banner to be used for FTP connections as well.
Security identifiers
- CCE-27145-2
Result for Require Client SMB Packet Signing, if using smbclient
Result: pass
Rule ID: require_smb_client_signing
Time: 2013-09-27 19:04
Severity: low
To require samba clients running smbclient to use packet signing, add the following to the [global] section of the Samba configuration file, /etc/samba/smb.conf:
client signing = mandatory
Requiring samba clients such as smbclient to use packet signing ensures they can only communicate with servers that support packet signing.
Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.
Security identifiers
- CCE-26328-5
Result for Require Client SMB Packet Signing, if using mount.cifs
Result: pass
Rule ID: require_smb_client_signing_mount.cifs
Time: 2013-09-27 19:04
Severity: low
Require packet signing of clients who mount Samba shares using the mount.cifs program (e.g., those who specify shares in /etc/fstab). To do so, ensure signing options (either sec=krb5i or sec=ntlmv2i) are used.
See the mount.cifs(8) man page for more information. A Samba client should only communicate with servers who can support SMB packet signing.
Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.
Security identifiers
- CCE-26792-2
Result for Configure SNMP Service to Use Only SNMPv3 or Newer
Result: notchecked
Rule ID: snmpd_use_newer_protocol
Time: 2013-09-27 19:04
Severity: medium
Edit /etc/snmp/snmpd.conf, removing any references to v1, v2c, or com2sec.
Upon doing that, restart the SNMP service:
# service snmpd restart
Earlier versions of SNMP are considered insecure, as they potentially allow unauthorized access to detailed system management information.
Result for Ensure Default Password Is Not Used
Result: notchecked
Rule ID: snmpd_not_default_password
Time: 2013-09-27 19:04
Severity: medium
Edit /etc/snmp/snmpd.conf and remove the default community string public.
Upon doing that, restart the SNMP service:
# service snmpd restart
Presence of the default SNMP password enables querying of different system aspects and could result in unauthorized knowledge of the system.