Added and modified a few more of the OCIL checks.
David Smith (1): added and modified OCIL check text
 RHEL6/input/services/ldap.xml             |  4 ++++
 RHEL6/input/services/nfs.xml              |  5 +++--
 RHEL6/input/services/xorg.xml             |  4 +++-
 RHEL6/input/system/accounts/pam.xml       |  6 ++++++
 RHEL6/input/system/accounts/physical.xml  |  6 ++++++
 RHEL6/input/system/auditing.xml           | 21 ++++++++++++++++++++-
 RHEL6/input/system/software/integrity.xml |  4 ++++
 7 files changed, 46 insertions(+), 4 deletions(-)
Signed-off-by: David Smith dsmith@eclipse.ncsc.mil
---
diff --git a/RHEL6/input/services/ldap.xml b/RHEL6/input/services/ldap.xml index 7081ba5..ff18f46 100644 --- a/RHEL6/input/services/ldap.xml +++ b/RHEL6/input/services/ldap.xml @@ -55,6 +55,10 @@ or <pre>tls_cacertfile /etc/pki/tls/CA/cacert.pem</pre> Then review the LDAP server and ensure TLS has been configured. </description> +<ocil clause="there is no output, or the lines are commented out"> +To ensure TLS is configured with trust certificates, run the following command: +<pre># grep cert /etc/pam_ldap.conf</pre> +</ocil> <rationale>The tls_cacertdir or tls_cacertfile directives are required when tls_cheekpeer is configured (which is the default for openldap versions 2.1 and up). These directives define the path to the trust certificates signed by the diff --git a/RHEL6/input/services/nfs.xml b/RHEL6/input/services/nfs.xml index bfde1a4..2675fa2 100644 --- a/RHEL6/input/services/nfs.xml +++ b/RHEL6/input/services/nfs.xml @@ -375,8 +375,9 @@ potentially allowing the client access to data for which it does not have author Remove any instances of the <tt>insecure_locks</tt> option from the file <tt>/etc/exports</tt>. </description> -<ocil> -Check the file <tt>/etc/exports</tt> for any instances of the <tt>insecure_locks</tt>. +<ocil clause="there is no output"> +To verify that insecure file lockin has been disabled, run the following command: +<pre># grep insecure_locks /etc/exports</pre> </ocil> <rationale>Allowing insecure file locking could allow for sensitive data to be viewed or edited by an unauthorized user. diff --git a/RHEL6/input/services/xorg.xml b/RHEL6/input/services/xorg.xml index 3e5211f..0f76543 100644 --- a/RHEL6/input/services/xorg.xml +++ b/RHEL6/input/services/xorg.xml 
@@ -38,9 +38,11 @@ ensures that users or malicious software cannot start X. To do so, run the following command: <pre># yum groupremove "X Window System"</pre> </description> -<ocil clause="there is output"> +<ocil clause="it is not"> To ensure the X Windows package group is removed, run the following command: <pre>$ rpm -qi xorg-x11-server-common</pre> +The output should be: +<pre>package xorg-x11-server-common is not installed</pre> </ocil> <ident cce="4422-2" /> <oval id="package_xorg-x11-server-common_removed" /> diff --git a/RHEL6/input/system/accounts/pam.xml b/RHEL6/input/system/accounts/pam.xml index 162da7b..ec332d9 100644 --- a/RHEL6/input/system/accounts/pam.xml +++ b/RHEL6/input/system/accounts/pam.xml @@ -419,6 +419,12 @@ the password line which uses the <tt>pam_unix</tt> module in the file <pre>password sufficient pam_unix.so existing_options remember=<sub idref="password_history_retain_number" /></pre> Old (and thus no longer valid) passwords are stored in the file <tt>/etc/security/opasswd</tt>. The DoD requirement is currently 24 passwords.</description> +<ocil clause="it does not"> +To verify that the password reuse setting is compliant, run the following command: +<pre>$ grep remember /etc/pam.d/system-auth</pre> +The output should show the following at the end of the line: +<pre>remember=24</pre> +</ocil> <rationale> Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. </rationale> diff --git a/RHEL6/input/system/accounts/physical.xml b/RHEL6/input/system/accounts/physical.xml index 25b326c..ebe132e 100644 --- a/RHEL6/input/system/accounts/physical.xml +++ b/RHEL6/input/system/accounts/physical.xml 
@@ -88,6 +88,12 @@ after the header comments. (Use the output from <tt>grub-crypt</tt> as the value of <b>password-hash</b>): <pre>password --encrypted <b>password-hash</b></pre> </description> +<ocil clause="it does not"> +To verify the boot loader password has been set and encrypted, run the following command: +<pre># grep password /etc/grub.conf/</pre> +The output should show the following: +<pre>password --encrypted <b>password-hash</b></pre> +</ocil> <rationale> Password protection on the boot loader configuration ensures that users with physical access cannot trivially alter diff --git a/RHEL6/input/system/auditing.xml b/RHEL6/input/system/auditing.xml index 2c5f23c..e87154d 100644 --- a/RHEL6/input/system/auditing.xml +++ b/RHEL6/input/system/auditing.xml @@ -1124,7 +1124,11 @@ appropriate for your system: -a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access</pre> </description> - +<ocil clause="either command lacks output"> +To verify that the audit system collects unauthorized file accesses, run the following commands: +<pre># grep EACCES /etc/audit/audit.rules</pre> +<pre># grep EPERM /etc/audit/audit.rules</pre> +</ocil> <rationale>Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.</rationale> <ident cce="14917-9" /> 
@@ -1143,6 +1147,13 @@ Then, for each setuid program on the system, add a line of the following form to in the list: <pre>-a always,exit -F path=<i>SETUID_PROG_PATH</i> -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged</pre> </description> +<ocil clause="it is the case"> +To verify that auditing of privileged command use is configured, run the following command to find relevant setuid programs: +<pre># find / -type f -perm -4000 -o -perm -2000 2>/dev/null</pre> +Run the following command to verify entries in the audit rules for all programs found with the previous command: +<pre># grep path /etc/audit/audit.rules</pre> +It should be the case that all relevant setuid programs have a line in the audit rules. +</ocil> <rationale>Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for @@ -1161,6 +1172,10 @@ exportation events for all users and root. Add the following to appropriate for your system: <pre>-a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export</pre> </description> +<ocil clause="there is not output"> +To verify that auditing is configured for all media exportation events, run the following command: +<pre># grep mount /etc/audit/audit.rules</pre> +</ocil> <rationale>The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information 
@@ -1200,6 +1215,10 @@ administrator actions for all users and root. Add the following to <tt>/etc/audit/audit.rules</tt>: <pre>-w /etc/sudoers -p wa -k actions</pre> </description> +<ocil clause="there is not output"> +To verify that auditing is configured for system administrator actions, run the following command: +<pre># grep actions /etc/audit/audit.rules</pre> +</ocil> <rationale>The actions taken by system administrators should be audited to keep a record of what was executed on the system as well as for accountability purposes.</rationale> <ident cce="14824-7" /> diff --git a/RHEL6/input/system/software/integrity.xml b/RHEL6/input/system/software/integrity.xml index 96c2dc6..65ed613 100644 --- a/RHEL6/input/system/software/integrity.xml +++ b/RHEL6/input/system/software/integrity.xml @@ -85,6 +85,10 @@ To implement a daily execution of AIDE at 4:05am using cron, add the following l <pre>05 4 * * * root /usr/sbin/aide --check</pre> AIDE can be executed periodically through other means; this is merely one example. </description> +<ocil clause="there is no output"> +To determine that periodic AIDE execution has been scheduled, run the following command: +<pre># grep aide /etc/crontab</pre> +</ocil> <rationale> By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.
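Review bot: in the ldap.xml hunk, `grep cert /etc/pam_ldap.conf` is too broad for the clause "there is no output, or the lines are commented out": it matches any line containing "cert", including the commented-out examples that ship in the stock file, so the reader has to sort real directives from comments by eye. A pattern anchored on the two directives the description names, for example `grep -E '^tls_cacert(dir|file)' /etc/pam_ldap.conf`, only matches uncommented settings and lets the clause collapse to "there is no output". The rationale context line below the hunk also carries the pre-existing typo "tls_cheekpeer" (should be tls_checkpeer); worth fixing while this file is being touched.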
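Review bot: in the nfs.xml hunk, the new OCIL text has a typo, "insecure file lockin" should read "insecure file locking". Otherwise the replacement of the free-form "Check the file ..." instruction with a concrete `grep insecure_locks /etc/exports` and a clause is the right direction.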
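Review bot: in the xorg.xml hunk, the new clause `it is not` is not meaningful on its own; the clause is rendered as the completion of "Is it the case that ...?", so it should name the failing condition, for example `clause="the package is installed"`. While here, `rpm -qi` prints the full package info block when the package is present; `rpm -q xorg-x11-server-common` gives the same "package xorg-x11-server-common is not installed" text on success and a single line otherwise, which is easier to compare against the expected output added in this hunk.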
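Review bot: in the pam.xml hunk, the expected output hardcodes `remember=24` while the description immediately above it uses the `<sub idref="password_history_retain_number" />` variable, so the check and the fix will disagree whenever a profile sets a different value; the OCIL should use the same `<sub>` reference, e.g. `<pre>remember=<sub idref="password_history_retain_number" /></pre>`. Also, "at the end of the line" is stronger than the description requires (`existing_options remember=...` does not promise remember is last), and `grep remember` will match commented-out lines; consider `grep -E '^password\s+sufficient\s+pam_unix.so' /etc/pam.d/system-auth` and saying the line should contain `remember=`.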
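Review bot: in the physical.xml hunk, the command `grep password /etc/grub.conf/` has a trailing slash on a file path; grep will fail with "Not a directory" on RHEL 6, so the check never produces the expected `password --encrypted` line. It should be `grep password /etc/grub.conf`. Consider also anchoring the pattern (`grep '^password --encrypted' /etc/grub.conf`) so a commented-out or unencrypted `password` line does not satisfy the check.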
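Review bot: in the first auditing.xml hunk (unauthorized file access), `grep EACCES` and `grep EPERM` only confirm that a keyword appears somewhere in audit.rules, not that the rules carry the syscall list, the `arch=` filter and the `auid` qualifiers given in the description; a reader with a partial rule will pass. Suggest grepping for the key instead, `grep -- '-k access' /etc/audit/audit.rules`, and stating that the output should contain both an `exit=-EACCES` and an `exit=-EPERM` rule matching the description.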
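Review bot: in the second auditing.xml hunk (privileged commands), the find expression has an operator-precedence problem: `-type f -perm -4000 -o -perm -2000` parses as `(-type f -a -perm -4000) -o -perm -2000`, so the `-type f` restriction does not apply to the setgid half and directories with the setgid bit are listed. It should be `find / -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null` (`-xdev` keeps the walk off NFS and other remote mounts). The clause `it is the case` is also content-free; it should describe the failing condition, for example `clause="any setuid or setgid program lacks an audit rule"`.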
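Review bot: in the third auditing.xml hunk (media exportation), the clause reads "there is not output"; it should be "there is no output". `grep mount` also matches `umount` and any comment mentioning mount, so `grep -- '-S mount' /etc/audit/audit.rules` would be a tighter check that corresponds to the rule in the description.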
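Review bot: in the fourth auditing.xml hunk (administrator actions), the same clause typo appears, "there is not output" should be "there is no output". Since the description's rule is a watch on /etc/sudoers, `grep sudoers /etc/audit/audit.rules` ties the check to the rule more directly than grepping for the key name `actions`, which could be matched by an unrelated rule.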
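Review bot: in the integrity.xml hunk, `grep aide /etc/crontab` only inspects one of several places the job can live, yet the description it follows says "AIDE can be executed periodically through other means; this is merely one example", so a system with the job in /etc/cron.d, /etc/cron.daily or root's crontab would fail this OCIL. Either scope the description to /etc/crontab or broaden the check, e.g. `grep -r aide /etc/crontab /etc/cron.*` together with `crontab -l -u root | grep aide`, and word the clause as "no periodic AIDE execution is scheduled".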
scap-security-guide@lists.fedorahosted.org