This commitset includes manual check text for most Rules in the project, and macros to make maintenance of these easier.
It has already been committed, so I invite other contributors to pull.
Jeffrey Blank (5):
      added shorthand2xccdf dependency to tables Makerule
      added new macros for file permissions, kernel modules, audit rules
      removed superseded checks for client-side NIS checks
        * superseded by requirement to not use NIS at all
      added check text to services sections
      added check text to system section
Signed-off-by: Jeffrey Blank <blank@eclipse.ncsc.mil>
---
 RHEL6/Makefile |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/RHEL6/Makefile b/RHEL6/Makefile index abc44fd..483f6e5 100644 --- a/RHEL6/Makefile +++ b/RHEL6/Makefile @@ -62,7 +62,7 @@ table-srgmap: shorthand-guide shorthand2xccdf # the map-to-items filename must be provided relative to the root of the main document being processed xsltproc -stringparam map-to-items "../$(OUT)/rhel6-xccdf.xml" -o $(OUT)/rhel6-table-srgmap.html $(TRANS)/table-srgmap.xslt $(REFS)/disa-os-srg-v1r1.xml
-table-stigs: +table-stigs: shorthand2xccdf xsltproc -o $(OUT)/rhel5-table-stig.html $(TRANS)/xccdf2table-stig.xslt $(REFS)/disa-stig-rhel5-v1r0.6-xccdf.xml xsltproc -o $(OUT)/rhel5-table-stig-manual.html $(TRANS)/xccdf2table-stig.xslt $(REFS)/disa-stig-rhel5-v1r0.6-xccdf-manual.xml xsltproc --html -o $(OUT)/rhel5-table-stig-manual-ccisorted.html $(TRANS)/table-sortbyref.xslt $(OUT)/rhel5-table-stig-manual.html
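Review bot: in the table-stigs hunk, the new shorthand2xccdf prerequisite is not consumed by any of the three xsltproc recipe lines shown; all three read $(REFS)/disa-stig-rhel5-v1r0.6-xccdf*.xml and write rhel5-table-stig*.html, and none of them touches $(OUT)/rhel6-xccdf.xml. If a later recipe line in this target, outside the three lines of context, does consume the shorthand2xccdf output, the commit message should say so; otherwise the prerequisite only forces a needless rebuild before generating the RHEL5 tables. For comparison, the table-srgmap target in the context line depends on both shorthand-guide and shorthand2xccdf and actually passes ../$(OUT)/rhel6-xccdf.xml as map-to-items, which is what a dependency on the generated XCCDF should look like.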
On 9/24/12 9:45 AM, Jeffrey Blank wrote:
Ack
Signed-off-by: Jeffrey Blank <blank@eclipse.ncsc.mil>
---
 RHEL6/transforms/shorthand2xccdf.xslt |   91 ++++++++++++++++++++++++++++++--
 1 files changed, 85 insertions(+), 6 deletions(-)
diff --git a/RHEL6/transforms/shorthand2xccdf.xslt b/RHEL6/transforms/shorthand2xccdf.xslt index 0d8f56e..07daf3d 100644 --- a/RHEL6/transforms/shorthand2xccdf.xslt +++ b/RHEL6/transforms/shorthand2xccdf.xslt @@ -11,6 +11,7 @@ exclude-result-prefixes="xccdf xhtml">
<xsl:variable name="defaultseverity" select="'low'" />
+ <!-- Content:template --> <xsl:template match="Benchmark"> xsl:copy @@ -209,20 +210,61 @@ exclude-result-prefixes="xccdf xhtml">
<!-- convenience macros for XCCDF prose --> <xsl:template match="sysctl-desc-macro"> + To set the runtime status of the xhtml:code<xsl:value-of select="@sysctl"/></xhtml:code> kernel parameter, + run the following command: + xhtml:pre# sysctl -w <xsl:value-of select="@sysctl"/> <xsl:value-of select="@value"/></xhtml:pre> + </xsl:template> + + <xsl:template match="sysctl-check-macro"> The status of the xhtml:code<xsl:value-of select="@sysctl"/></xhtml:code> kernel parameter can be queried by running the following command: xhtml:pre$ sysctl <xsl:value-of select="@sysctl"/></xhtml:pre> The output of the command should indicate a value of xhtml:code<xsl:value-of select="@value"/></xhtml:code>. + If this value is not the default value, investigate how it could have been adjusted at runtime, and verify + that it is not set improperly in <tt>/etc/sysctl.conf</tt>. </xsl:template>
- <xsl:template match="service-disable-macro"> - The xhtml:code<xsl:value-of select="@service"/></xhtml:code> service can be disabled with the following command: - xhtml:pre# chkconfig <xsl:value-of select="@service"/> off</xhtml:pre> + <xsl:template match="fileperms-desc-macro"> + To properly set the permissions of xhtml:code<xsl:value-of select="@file"/></xhtml:code>, run the command: + <xhtml:pre xml:space="preserve"># chmod <xsl:value-of select="@file"/> <xsl:value-of select="@perms"/></xhtml:pre> </xsl:template>
- <xsl:template match="service-enable-macro"> - The xhtml:code<xsl:value-of select="@service"/></xhtml:code> service can be enabled with the following command: - xhtml:pre# chkconfig <xsl:value-of select="@service"/> on</xhtml:pre> + <xsl:template match="fileowner-desc-macro"> + To properly set the owner of xhtml:code<xsl:value-of select="@file"/></xhtml:code>, run the command: + <xhtml:pre xml:space="preserve"># chown <xsl:value-of select="@file"/> <xsl:value-of select="@owner"/></xhtml:pre> + </xsl:template> + + <xsl:template match="filegroupowner-desc-macro"> + To properly set the group owner of xhtml:code<xsl:value-of select="@file"/></xhtml:code>, run the command: + <xhtml:pre xml:space="preserve"># chown <xsl:value-of select="@file"/> <xsl:value-of select="@group"/></xhtml:pre> + </xsl:template> + + <xsl:template match="fileperms-check-macro"> + To check the permissions of xhtml:code<xsl:value-of select="@file"/></xhtml:code>, run the command: + xhtml:pre$ ls -l <xsl:value-of select="@file"/></xhtml:pre> + If properly configured, the output should indicate the following permissions: + xhtml:code<xsl:value-of select="@perms"/></xhtml:code> + </xsl:template> + + <xsl:template match="fileowner-check-macro"> + To check the ownership of xhtml:code<xsl:value-of select="@file"/></xhtml:code>, run the command: + xhtml:pre$ ls -l <xsl:value-of select="@file"/></xhtml:pre> + If properly configured, the output should indicate the following owner: + xhtml:code<xsl:value-of select="@owner"/></xhtml:code> + </xsl:template> + + <xsl:template match="filegroupowner-check-macro"> + To check the group ownership of xhtml:code<xsl:value-of select="@file"/></xhtml:code>, run the command: + xhtml:pre$ ls -l <xsl:value-of select="@file"/></xhtml:pre> + If properly configured, the output should indicate the following group-owner: + xhtml:code<xsl:value-of select="@group"/></xhtml:code> + </xsl:template> + + <xsl:template match="fileperms-check-macro"> + To check the permissions of 
xhtml:code<xsl:value-of select="@file"/></xhtml:code>, run the command: + xhtml:pre$ ls -l <xsl:value-of select="@file"/></xhtml:pre> + If properly configured, the output should indicate the following permissions: + xhtml:code<xsl:value-of select="@perms"/></xhtml:code> </xsl:template>
<xsl:template match="package-install-macro"> @@ -241,6 +283,16 @@ exclude-result-prefixes="xccdf xhtml"> It will return a line for xhtml:code<xsl:value-of select="@part"/></xhtml:code> if it is on its own partition. </xsl:template>
+ <xsl:template match="service-disable-macro"> + The xhtml:code<xsl:value-of select="@service"/></xhtml:code> service can be disabled with the following command: + xhtml:pre# chkconfig <xsl:value-of select="@service"/> off</xhtml:pre> + </xsl:template> + + <xsl:template match="service-enable-macro"> + The xhtml:code<xsl:value-of select="@service"/></xhtml:code> service can be enabled with the following command: + xhtml:pre# chkconfig <xsl:value-of select="@service"/> on</xhtml:pre> + </xsl:template> + <xsl:template match="service-disable-check-macro"> Run the following command to determine the current status of the xhtml:code<xsl:value-of select="@service"/></xhtml:code> service: @@ -260,6 +312,33 @@ exclude-result-prefixes="xccdf xhtml"> xhtml:pre# rpm -q <xsl:value-of select="@package"/></xhtml:pre> </xsl:template>
+ + <xsl:template match="module-disable-macro"> +To configure the system to prevent the xhtml:code<xsl:value-of select="@module"/></xhtml:code> +kernel module from being loaded, add the following line to a file in the directory <tt>/etc/modprobe.d</tt>: +<pre xml:space="preserve">install <xsl:value-of select="@module"/> /bin/true</pre> + </xsl:template> + + <xsl:template match="module-disable-check-macro"> +If the system is configured to prevent the loading of the +xhtml:code<xsl:value-of select="@module"/></xhtml:code> kernel module, +it will contain lines inside any file in <tt>/etc/modprobe.d</tt> or the deprecated<tt>/etc/modprobe.conf</tt>. +These lines instruct the module loading system to run another program (such as +<tt>/bin/true</tt>) upon a module <tt>install</tt> event. +Run the following command to search for such lines in all files in <tt>/etc/modprobe.d</tt> +and the deprecated <tt>/etc/modprobe.conf</tt>: +<pre xml:space="preserve">$ grep -r <xsl:value-of select="@module"/> /etc/modprobe.conf /etc/modprobe.d</pre> + </xsl:template> + + <xsl:template match="audit-syscall-check-macro"> +To determine if the system is configured to audit calls to +the xhtml:code<xsl:value-of select="@syscall"/></xhtml:code> +system call, run the following command: +<pre xml:space="preserve"># auditctl -l | grep syscall | grep <xsl:value-of select="@syscall"/></pre> +If the system is configured to audit this activity, it will return a line. + </xsl:template> + + <!-- CORRECTING TERRIBLE ABUSE OF NAMESPACES BELOW --> <!-- (expanding xhtml tags back into the xhtml namespace) --> <xsl:template match="br">
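Review bot: the three fix-text macros added in the @@ -209,20 hunk emit their arguments in the wrong order. `# chmod <file> <perms>`, `# chown <file> <owner>` and `# chown <file> <group>` need to be `# chmod <perms> <file>`, `# chown <owner> <file>` and `# chgrp <group> <file>` (or `chown :<group> <file>`): chmod and chown take the mode or owner first, and as written filegroupowner-desc-macro would change the user owner, not the group. The same hunk also defines `<xsl:template match="fileperms-check-macro">` twice with identical bodies; XSLT 1.0 makes two matching templates of equal priority an error that a processor may either report or silently resolve by taking the last one, so the second copy should be dropped. Minor wording point in sysctl-check-macro: "If this value is not the default value" reads as though the default were the target; "If this value is not the expected value" matches the sentence before it.

Review bot: both check macros in the @@ -260,6 hunk use substring greps that give false positives. `grep -r <module> /etc/modprobe.conf /etc/modprobe.d` matches any line mentioning the module name, including a commented-out line, an `options` or `alias` line, or a longer module name that contains it; anchoring on the directive the prose describes, e.g. `grep -r "^install <module> " /etc/modprobe.conf /etc/modprobe.d`, checks the actual condition. Likewise `auditctl -l | grep syscall | grep <syscall>` matches `chmod` inside `fchmod` and `fchmodat`; `grep -w` at least limits the match to the whole word, and a reviewer running the check should still confirm the arch and filter fields of the matched rule, since a rule can name the syscall and never fire. Two text fixes in module-disable-check-macro: "it will contain lines inside any file" has no subject for "it" (the files contain the lines, not the system), and "deprecated<tt>" is missing a space. It is also worth stating in the prose that the `install <module> /bin/true` line governs modprobe only; root can still load the module with insmod, so the check verifies configuration, not enforcement.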
On 9/24/12 9:45 AM, Jeffrey Blank wrote:
Ack
Signed-off-by: Jeffrey Blank <blank@eclipse.ncsc.mil>
---
 RHEL6/input/guide.xslt                             |    1 -
 RHEL6/input/profiles/common.xml                    |    3 -
 .../accounts/restrictions/nis_inclusions.xml       |   67 --------------------
 3 files changed, 0 insertions(+), 71 deletions(-)
 delete mode 100644 RHEL6/input/system/accounts/restrictions/nis_inclusions.xml
diff --git a/RHEL6/input/guide.xslt b/RHEL6/input/guide.xslt index 0475f04..5a0de5e 100644 --- a/RHEL6/input/guide.xslt +++ b/RHEL6/input/guide.xslt @@ -52,7 +52,6 @@ <xsl:apply-templates select="document('system/accounts/restrictions/password_storage.xml')" /> <xsl:apply-templates select="document('system/accounts/restrictions/password_expiration.xml')" /> <xsl:apply-templates select="document('system/accounts/restrictions/account_expiration.xml')" /> - <xsl:apply-templates select="document('system/accounts/restrictions/nis_inclusions.xml')" /> </xsl:copy> </xsl:template>
diff --git a/RHEL6/input/profiles/common.xml b/RHEL6/input/profiles/common.xml index 543d772..72324e3 100644 --- a/RHEL6/input/profiles/common.xml +++ b/RHEL6/input/profiles/common.xml @@ -47,9 +47,6 @@ <select idref="password_min_age" selected="true"/> <select idref="password_max_age" selected="true"/> <select idref="password_warn_age" selected="true"/> -<select idref="no_nis_inclusions_shadow" selected="true"/> -<select idref="no_nis_inclusions_group" selected="true"/> -<select idref="no_nis_inclusions_passwd" selected="true"/> <select idref="password_retry" selected="true"/> <select idref="password_require_digits" selected="true"/> <select idref="password_require_uppercases" selected="true"/> diff --git a/RHEL6/input/system/accounts/restrictions/nis_inclusions.xml b/RHEL6/input/system/accounts/restrictions/nis_inclusions.xml deleted file mode 100644 index 4187b99..0000000 --- a/RHEL6/input/system/accounts/restrictions/nis_inclusions.xml +++ /dev/null 
@@ -1,67 +0,0 @@ -<Group id="nis_inclusions"> -<title>Remove Legacy + Entries from Password Files</title> -<description> -The + symbol could be used by systems to include data from NIS -maps into existing files. However, a certain configuration error in -which a NIS inclusion line appears in <tt>/etc/passwd</tt>, but NIS -is not running, could lead to anyone being able to access the system with -the username + and no password. Therefore, it is important to -verify that no such line appears in any of the relevant system -files. -<br /><br /> -The command: -<pre># grep "^+:" /etc/passwd /etc/shadow /etc/group</pre> -should produce no output. -<br /><br /> -The correct way to tell the local system to consult network -databases such as LDAP or NIS for user information is to make -appropriate modifications to <tt>/etc/nsswitch.conf</tt>.</description> - -<Rule id="no_nis_inclusions_shadow"> -<title>Remove Legacy + Entries From /etc/shadow</title> -<description> -The <tt>/etc/shadow</tt> file should include no NIS inclusions, -which are lines beginning with '+:'. -</description> -<rationale> -NIS is obsolete and should not be used. Furthermore, -presence of '+' entries can lead to -unauthenticated login. -</rationale> -<ident cce="14071-5" /> -<oval id="accounts_no_nis_inclusions_etc_shadow" /> -<ref nist="CM-6, CM-7" /> -</Rule> - -<Rule id="no_nis_inclusions_group"> -<title>Remove Legacy + Entries From /etc/group</title> -<description> -The <tt>/etc/group</tt> file should include no NIS inclusions, -which are lines beginning with '+:'. -</description> -<rationale> -NIS is obsolete and should not be used. Furthermore, -presence of '+' entries can lead to -unauthenticated login. 
-</rationale> -<ident cce="14675-3" /> -<oval id="accounts_no_nis_inclusions_etc_group" /> -<ref nist="CM-6, CM-7" /> -</Rule> - -<Rule id="no_nis_inclusions_passwd"> -<title>Remove Legacy + Entries From /etc/passwd</title> -<description> -The <tt>/etc/password</tt> file should include no NIS inclusions, -which are lines beginning with '+:'. -</description> -<rationale> -NIS is obsolete and should not be used. Furthermore, -presence of '+' entries can lead to -unauthenticated login. -</rationale> -<ident cce="4114-5" /> -<oval id="accounts_no_nis_inclusions_etc_passwd" /> -<ref nist="CM-6, CM-7" /> -</Rule> -</Group>
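Review bot: deleting nis_inclusions.xml drops three Rules with assigned CCE identifiers (14071-5, 14675-3, 4114-5) and their references to the OVAL definitions accounts_no_nis_inclusions_etc_shadow, accounts_no_nis_inclusions_etc_group and accounts_no_nis_inclusions_etc_passwd, but nothing in the patch removes or retargets those definitions or records where the CCEs now map; if the definitions still exist in the OVAL tree they become orphans, and the CCE mapping is silently lost. The commit message's reasoning ("superseded by requirement to not use NIS at all") also does not cover the deleted rationale: the risk the group description spells out, a "+:" line in /etc/passwd on a host where no NIS server answers, is exactly the case of a machine that does not use NIS but carries a stale entry, so a rule forbidding NIS does not make the check redundant. Consider keeping it as a single Rule built on the deleted one-liner `grep "^+:" /etc/passwd /etc/shadow /etc/group` (expected to produce no output) under whichever group now holds the no-NIS requirement, and carrying the three CCEs with it.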
On 9/24/12 9:45 AM, Jeffrey Blank wrote:
Ack
Signed-off-by: Jeffrey Blank <blank@eclipse.ncsc.mil>
---
 RHEL6/input/services/dhcp.xml  |  128 ++++++++++++++++++++++++++--------------
 RHEL6/input/services/ftp.xml   |   11 +++-
 RHEL6/input/services/http.xml  |   12 +++-
 RHEL6/input/services/imap.xml  |    6 ++
 RHEL6/input/services/nfs.xml   |    9 ++-
 RHEL6/input/services/ntp.xml   |    1 +
 RHEL6/input/services/snmp.xml  |   11 +++-
 RHEL6/input/services/squid.xml |   11 +++-
 8 files changed, 128 insertions(+), 61 deletions(-)
diff --git a/RHEL6/input/services/dhcp.xml b/RHEL6/input/services/dhcp.xml index 8417bb0..51dbba5 100644 --- a/RHEL6/input/services/dhcp.xml +++ b/RHEL6/input/services/dhcp.xml @@ -39,6 +39,7 @@ and removed. any system that does not need to act as a DHCP server. <service-disable-macro service="dhcpd" /> </description> +<ocil><service-disable-check-macro service="dhcpd" /></ocil> <rationale> Unmanaged or unintentionally activate DHCP servers may provide faulty information to clients, interfering with the operation of a legitimate site @@ -53,9 +54,9 @@ DHCP server if there is one. <title>Uninstall DHCP Server Package</title> <description>If the system does not need to act as a DHCP server, the dhcp package can be uninstalled. -To do so, run the command: -<pre># yum erase dhcp</pre> +<package-remove-macro package="dhcp" /> </description> +<ocil><package-remove-check-macro package="dhcp" /></ocil> <rationale> Removing the DHCP server ensures that it cannot be easily or accidentally reactivated and disrupt network operation. @@ -69,18 +70,34 @@ accidentally reactivated and disrupt network operation.
<Group id="dhcp_server_configuration"> <title>Disable DHCP Server</title> -<description>If the system must act as a DHCP server, the configuration information it serves should be minimized. Also, support for other protocols and DNS-updating schemes should be explicitly disabled unless needed. The configuration file for dhcpd is called <tt>/etc/dhcpd.conf</tt>. The file begins with a number of global configuration options. The remainder of the file is divided into sections, one for each block of addresses offered by dhcpd, each of which contains configuration options specific to that address block.</description> +<description>If the system must act as a DHCP server, the configuration +information it serves should be minimized. Also, support for other protocols +and DNS-updating schemes should be explicitly disabled unless needed. The +configuration file for dhcpd is called <tt>/etc/dhcpd.conf</tt>. The file +begins with a number of global configuration options. The remainder of the file +is divided into sections, one for each block of addresses offered by dhcpd, +each of which contains configuration options specific to that address +block.</description>
<Rule id="dhcp_server_disable_ddns"> <title>Do Not Use Dynamic DNS</title> -<description>To prevent the DHCP server from receiving DNS information from clients, edit <tt>/etc/dhcpd.conf</tt>, and add -or correct the following global option: -<pre>ddns-update-style none;</pre> +<description>To prevent the DHCP server from receiving DNS information from +clients, edit <tt>/etc/dhcpd.conf</tt>, and add or correct the following global +option: <pre>ddns-update-style none;</pre> </description> -<rationale>The Dynamic DNS protocol is used to remotely update the data served by a DNS server. DHCP servers can use Dynamic DNS to publish information about their clients. This setup carries security risks, and its use is not recommended. -If Dynamic DNS must be used despite the risks it poses, it is critical that Dynamic DNS transactions be protected using TSIG or some other cryptographic authentication mechanism. See dhcpd.conf(5) for more information about protecting the DHCP server from passing along malicious DNS data from its clients. -</rationale> -<warning category="general">The ddns-update-style option controls only whether the DHCP server will attempt to act as a Dynamic DNS client. As long as the DNS server itself is correctly configured to reject DDNS attempts, an incorrect ddns-update-style setting on the client is harmless (but should be fixed as a best practice).</warning> +<rationale>The Dynamic DNS protocol is used to remotely update the data served +by a DNS server. DHCP servers can use Dynamic DNS to publish information about +their clients. This setup carries security risks, and its use is not +recommended. If Dynamic DNS must be used despite the risks it poses, it is +critical that Dynamic DNS transactions be protected using TSIG or some other +cryptographic authentication mechanism. See dhcpd.conf(5) for more information +about protecting the DHCP server from passing along malicious DNS data from its +clients. 
</rationale> +<warning category="general">The ddns-update-style option controls only whether +the DHCP server will attempt to act as a Dynamic DNS client. As long as the DNS +server itself is correctly configured to reject DDNS attempts, an incorrect +ddns-update-style setting on the client is harmless (but should be fixed as a +best practice).</warning> <ident cce="4257-2" /> <!--<oval id="dhcp_server_disable_ddns" /> --> <!--<ref nist="CM-6, CM-7" /> --> @@ -88,12 +105,14 @@ If Dynamic DNS must be used despite the risks it poses, it is critical that Dyna
<Rule id="dhcp_server_deny_decline"> <title>Deny Decline Messages</title> -<description>Edit <tt>/etc/dhcpd.conf</tt> and add or correct the following global option to prevent the DHCP server from responding the DHCPDECLINE messages, if possible: -<pre>deny declines;</pre> -</description> -<rationale>The DHCPDECLINE message can be sent by a DHCP client to indicate that it does not consider the lease -offered by the server to be valid. By issuing many DHCPDECLINE messages, a malicious client can exhaust the -DHCP server’s pool of IP addresses, causing the DHCP server to forget old address allocations.</rationale> +<description>Edit <tt>/etc/dhcpd.conf</tt> and add or correct the following +global option to prevent the DHCP server from responding the DHCPDECLINE +messages, if possible: <pre>deny declines;</pre> </description> +<rationale>The DHCPDECLINE message can be sent by a DHCP client to indicate +that it does not consider the lease offered by the server to be valid. By +issuing many DHCPDECLINE messages, a malicious client can exhaust the DHCP +server’s pool of IP addresses, causing the DHCP server to forget old address +allocations.</rationale> <ident cce="4403-2" /> <!--<oval id="dhcp_server_deny_decline" /> --> <!--<ref nist="CM-6, CM-7" /> --> @@ -101,19 +120,24 @@ DHCP server’s pool of IP addresses, causing the DHCP server to forget old addr
<Rule id="dhcp_server_deny_bootp"> <title>Deny BOOTP Queries</title> -<description>Unless your network needs to support older BOOTP clients, disable support for the bootp protocol by adding or correcting the global option: +<description>Unless your network needs to support older BOOTP clients, disable +support for the bootp protocol by adding or correcting the global option: <pre>deny bootp;</pre> </description> -<rationale>The bootp option tells dhcpd to respond to BOOTP queries. If support for this simpler protocol is not needed, it should be disabled to remove attack vectors against the DHCP server. +<rationale>The bootp option tells dhcpd to respond to BOOTP queries. If support +for this simpler protocol is not needed, it should be disabled to remove attack +vectors against the DHCP server. </rationale> <ident cce="4345-5" /> <!--<oval id="dhcp_server_deny_bootp" /> --> <!--<ref nist="CM-6, CM-7" /> --> </Rule>
-<Rule id="dhcp_server_minimize_served_info"> +<Group id="dhcp_server_minimize_served_info"> <title>Minimize Served Information</title> -<description>Edit /etc/dhcpd.conf. Examine each address range section within the file, and ensure that the following options are not defined unless there is an operational need to provide this information via DHCP: +<description>Edit /etc/dhcpd.conf. Examine each address range section within +the file, and ensure that the following options are not defined unless there is +an operational need to provide this information via DHCP: <pre>option domain-name option domain-name-servers option nis-domain 
@@ -122,30 +146,38 @@ option ntp-servers option routers option time-offset</pre> </description> -<rationale>Because the configuration information provided by the DHCP server could be maliciously provided to clients by a rogue DHCP server, the amount of information provided via DHCP should be minimized. Remove these definitions from the DHCP server configuration to ensure that legitimate clients do not unnecessarily rely on DHCP for this information. +<rationale>Because the configuration information provided by the DHCP server +could be maliciously provided to clients by a rogue DHCP server, the amount of +information provided via DHCP should be minimized. Remove these definitions +from the DHCP server configuration to ensure that legitimate clients do not +unnecessarily rely on DHCP for this information. </rationale> -<warning category="general">By default, the RHEL client installation uses DHCP to request much of the above information from -the DHCP server. In particular, domain-name, domain-name-servers, and routers are configured via DHCP. -These settings are typically necessary for proper network functionality, but are also usually static across machines -at a given site.</warning> -<ident cce="3724-2" /> +<warning category="general">By default, the RHEL client installation uses DHCP +to request much of the above information from the DHCP server. In particular, +domain-name, domain-name-servers, and routers are configured via DHCP. These +settings are typically necessary for proper network functionality, but are also +usually static across machines at a given site.</warning> +<!--<ident cce="3724-2" /> <ident cce="4243-2" /> <ident cce="4389-3" /> <ident cce="3913-1" /> <ident cce="4169-9" /> <ident cce="4318-2" /> -<ident cce="4319-0" /> +<ident cce="4319-0" />--> <!--<oval id="dhcp_server_minimize_served_info" /> --> <!--<ref nist="CM-6, CM-7" /> --> -</Rule> +</Group>
<Rule id="dhcp_server_configure_logging"> <title>Configure Logging</title> -<description>Ensure that the following line exists in <tt>/etc/syslog.conf</tt>: +<description>Ensure that the following line exists in +<tt>/etc/syslog.conf</tt>: <pre>daemon.* /var/log/daemon.log</pre> -Configure logwatch or other log monitoring tools to summarize error conditions reported by the dhcpd -process.</description> -<rationale>By default, dhcpd logs notices to the daemon facility. Sending all daemon messages to a dedicated log file is part of the syslog configuration outlined in the Logging and Auditing section</rationale> +Configure logwatch or other log monitoring tools to summarize error conditions +reported by the dhcpd process.</description> +<rationale>By default, dhcpd logs notices to the daemon facility. Sending all +daemon messages to a dedicated log file is part of the syslog configuration +outlined in the Logging and Auditing section</rationale> <ident cce="3733-3" /> <!--<oval id="dhcp_server_configure_logging" /> --> <!--<ref nist="CM-6, CM-7" /> --> @@ -165,8 +197,9 @@ accountability for network activity. <Rule id="disable_dhcp_client"> <title>Disable DHCP Client</title> <description> -For each interface <i>IFACE</i> on the system (e.g. eth0), -edit <tt>/etc/sysconfig/network-scripts/ifcfg-<i>IFACE</i></tt> and make the following changes: +For each interface <i>IFACE</i> on the system (e.g. eth0), edit +<tt>/etc/sysconfig/network-scripts/ifcfg-<i>IFACE</i></tt> and make the +following changes: <ul> <li> Correct the BOOTPROTO line to read: <pre>BOOTPROTO=static</pre> 
@@ -180,8 +213,10 @@ GATEWAY=192.168.1.1</pre> </ul> </description> <rationale> -DHCP is inherently insecure and should not be used unless it presents an unacceptable burden to the organization. -</rationale> +DHCP relies on trusting the local network. If the local network is not trusted, +then it should not be used. However, the automatic configuration provided by +DHCP is commonly used and the alternative, manual configuration, presents an +unacceptable burden in many circumstances.</rationale> <ident cce="4191-3" /> <oval id="sysconfig_networking_bootproto_ifcfg" /> <ref nist="CM-6, CM-7" /> @@ -198,14 +233,18 @@ dhclient(8) and dhclient.conf(5) man pages. </description>
<Group id="dhcp_client_restrict_options"> <title>Minimize the DHCP-Configured Options</title> -<description>Create the file <tt>/etc/dhclient.conf</tt>, and add an appropriate setting for each of the ten configuration settings which can be obtained via DHCP. For each setting, setting , do one of the following: -If the setting should not be configured remotely by the DHCP server, select an appropriate static value, and add the line: -supersede <tt>setting value</tt>; +<description>Create the file <tt>/etc/dhclient.conf</tt>, and add an +appropriate setting for each of the ten configuration settings which can be +obtained via DHCP. For each setting, do one of the following: +<br/> +If the setting should <i>not</i> be configured remotely by the DHCP server, +select an appropriate static value, and add the line: +<pre>supersede <tt>setting value</tt>;</pre> If the setting should be configured remotely by the DHCP server, add the lines: -request <tt>setting</tt>; -require <tt>setting</tt>; -For example, suppose the DHCP server should provide only the IP address itself and the subnet mask. Then -the entire file should look like: +<pre>request <tt>setting</tt>; +require <tt>setting</tt>;</pre> +For example, suppose the DHCP server should provide only the IP address itself +and the subnet mask. Then the entire file should look like: <pre>supersede domain-name "example.com"; supersede domain-name-servers 192.168.1.2; supersede nis-domain ""; @@ -214,7 +253,8 @@ supersede ntp-servers "ntp.example.com "; supersede routers 192.168.1.1; supersede time-offset -18000; request subnet-mask; -require subnet-mask;</pre></description> +require subnet-mask;</pre> +</description> <rationale>By default, the DHCP client program, dhclient, requests and applies ten configuration options (in addition to the IP address) from the DHCP server: subnet-mask, broadcast-address, time-offset, routers, domain-name, 
diff --git a/RHEL6/input/services/ftp.xml b/RHEL6/input/services/ftp.xml index da0a476..7741fc9 100644 --- a/RHEL6/input/services/ftp.xml +++ b/RHEL6/input/services/ftp.xml @@ -19,6 +19,9 @@ data available to the public.</description> <description> <service-disable-macro service="vsftpd" /> </description> +<ocil> +<service-disable-macro service="vsftpd" /> +</ocil> <rationale> Running FTP server software provides a network-based avenue of attack, and should be disabled if not needed. @@ -32,10 +35,12 @@ a risk of compromising sensitive information.
<Rule id="uninstall_vsftpd"> <title>Uninstall vsftpd Package</title> -<description>The <tt>vsftpd</tt> package can be -uninstalled with the following command: -<pre># yum erase vsftpd</pre> +<description> +<package-remove-macro service="vsftpd" /> </description> +<ocil> +<package-check-macro service="vsftpd" /> +</ocil> <rationale> Removing the vsftpd package decreases the risk of its accidental activation. diff --git a/RHEL6/input/services/http.xml b/RHEL6/input/services/http.xml index 7cd3782..679d32a 100644 --- a/RHEL6/input/services/http.xml +++ b/RHEL6/input/services/http.xml @@ -27,7 +27,9 @@ and removed from the system. <description> <service-disable-macro service="httpd" /> </description> -<ocil><service-disable-macro service="httpd" /></ocil> +<ocil> +<service-disable-macro service="httpd" /> +</ocil> <rationale> Running web server software provides a network-based avenue of attack, and should be disabled if not needed. @@ -39,10 +41,12 @@ of attack, and should be disabled if not needed.
<Rule id="uninstall_httpd"> <title>Uninstall httpd Package</title> -<description>The <tt>httpd</tt> package can be uninstalled with -the following command: -<pre># yum erase httpd</pre> +<description> +<package-remove-macro service="httpd" /> </description> +<ocil> +<package-check-macro service="httpd" /> +</ocil> <rationale> If there is no need to make the web server software available, removing it provides a safeguard against its activation. diff --git a/RHEL6/input/services/imap.xml b/RHEL6/input/services/imap.xml index c6a0326..a173122 100644 --- a/RHEL6/input/services/imap.xml +++ b/RHEL6/input/services/imap.xml @@ -17,6 +17,9 @@ POP3 server, the dovecot software should be disabled and removed. <description> <service-disable-macro service="dovecot" /> </description> +<ocil> +<service-disable-check-macro service="dovecot" /> +</ocil> <rationale> Running an IMAP or POP3 server provides a network-based avenue of attack, and should be disabled if not needed. @@ -31,6 +34,9 @@ avenue of attack, and should be disabled if not needed. with the following command: <pre># yum erase dovecot</pre> </description> +<ocil> +<package-check-macro package="dovecot" /> +</ocil> <rationale> If there is no need to make the Dovecot software available, removing it provides a safeguard against its activation. diff --git a/RHEL6/input/services/nfs.xml b/RHEL6/input/services/nfs.xml index abbb12d..31e17c3 100644 --- a/RHEL6/input/services/nfs.xml +++ b/RHEL6/input/services/nfs.xml 
@@ -345,11 +345,12 @@ however, there are a few clients that do not send credentials when requesting a the client to only be able to lock world-readable files. To get around this, the <tt>insecure_locks</tt> option can be used so these clients can access the desired export. This poses a security risk by potentially allowing the client access to data for which it does not have authorization. -<br /><br /> -This configuration is not recommended and strongly discouraged. -<br /><br /> -Ensure that no line in <tt>/etc/exports</tt> contains the option <tt>insecure_locks</tt>. +Remove any instances of the +<tt>insecure_locks</tt> option from the file <tt>/etc/exports</tt>. </description> +<ocil> +Check the file <tt>/etc/exports</tt> for any instances of the <tt>insecure_locks</tt>. +</ocil> <rationale>Allowing insecure file locking could allow for sensitive data to be viewed or edited by an unauthorized user. </rationale> diff --git a/RHEL6/input/services/ntp.xml b/RHEL6/input/services/ntp.xml index c87fedf..b3991ba 100644 --- a/RHEL6/input/services/ntp.xml +++ b/RHEL6/input/services/ntp.xml @@ -37,6 +37,7 @@ time data, is available at http://www.ntp.org. <description> <service-enable-macro service="ntpd" /> </description> +<ocil><service-enable-check-macro service="ntpd" /></ocil> <rationale>Enabling the <tt>ntpd</tt> service ensures that the <tt>ntpd</tt> service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be diff --git a/RHEL6/input/services/snmp.xml b/RHEL6/input/services/snmp.xml index 927119b..e224054 100644 --- a/RHEL6/input/services/snmp.xml +++ b/RHEL6/input/services/snmp.xml 
@@ -19,6 +19,9 @@ installed and activated, the software should be disabled and removed. <description> <service-disable-macro service="snmpd" /> </description> +<ocil> +<service-disable-check-macro service="snmpd" /> +</ocil> <rationale> Running SNMP software provides a network-based avenue of attack, and should be disabled if not needed. @@ -29,10 +32,12 @@ should be disabled if not needed.
<Rule id="uninstall_net-snmp"> <title>Uninstall <tt>net-snmp</tt> Package</title> -<description>The <tt>net-snmp</tt> package, which provides the snmpd service, -can be uninstalled with the following command: -<pre># yum erase net-snmpd</pre> +<description>The <tt>net-snmp</tt> package provides the snmpd service. +<package-remove-macro package="net-snmpd" /> </description> +<ocil> +<package-check-macro package="net-snmpd" /> +</ocil> <rationale> If there is no need to run SNMP server software, removing the package provides a safeguard against its diff --git a/RHEL6/input/services/squid.xml b/RHEL6/input/services/squid.xml index 4dbfa30..7aa01cb 100644 --- a/RHEL6/input/services/squid.xml +++ b/RHEL6/input/services/squid.xml @@ -20,6 +20,9 @@ and removed. <description> <service-disable-macro service="squid" /> </description> +<ocil> +<service-disable-check-macro service="squid" /> +</ocil> <rationale> Running proxy server software provides a network-based avenue of attack, and should be removed if not needed. @@ -30,10 +33,12 @@ of attack, and should be removed if not needed.
<Rule id="uninstall_squid"> <title>Uninstall squid Package</title> -<description>The <tt>squid</tt> package can be uninstalled with the -following command: -<pre># yum erase squid</pre> +<description> +<package-remove-macro package="squid" /> </description> +<ocil> +<package-check-macro package="squid" /> +</ocil> <rationale> If there is no need to make the proxy server software available, removing it provides a safeguard against its activation.
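Review bot: in the rewrapped `dhcp_server_deny_decline` description, "prevent the DHCP server from responding the DHCPDECLINE messages" is missing a word; since the hunk is already reflowing this text, change it to "responding to DHCPDECLINE messages". The same hunk also pulls `<pre>deny declines;</pre>` onto the end of the prose line, whereas the `deny bootp;` Rule directly below keeps its `<pre>` on its own line; use one layout for both.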
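Review bot: turning `dhcp_server_minimize_served_info` from a Rule into a Group comments out all seven CCE `<ident>` entries (3724-2, 4243-2, 4389-3, 3913-1, 4169-9, 4318-2, 4319-0), which drops the CCE mapping for this content without the commit message saying so (it only mentions added check text and macros). Either call the Rule-to-Group change out in the message, or split the Group into one Rule per served option so each CCE can stay attached to a Rule. Note also that, as a Group, this content gets no `<ocil>` block, while the point of the commit is to add manual check text.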
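Review bot: the `dhcp_server_configure_logging` rationale still ends without a full stop ("...outlined in the Logging and Auditing section"); since the hunk rewraps that sentence, add the period while touching it.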
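Review bot: the new `disable_dhcp_client` rationale has an ambiguous pronoun in "If the local network is not trusted, then it should not be used" (the network or DHCP?); write "then DHCP should not be used". More importantly, two of the three new sentences explain why DHCP is commonly used and why manual configuration is an unacceptable burden, which argues against the Rule's own title "Disable DHCP Client". Keep the trust argument as the `<rationale>` and move the burden caveat into a `<warning category="general">`, the way the other Rules in dhcp.xml carry their caveats.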
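Review bot: in the `dhcp_client_restrict_options` example file, `supersede ntp-servers "ntp.example.com ";` has a trailing space inside the quoted hostname, which is carried into the configured value. It is an unchanged context line, but the hunk already re-fences and rewraps the surrounding text, so drop the stray space in the same change.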
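Review bot: the `<ocil>` blocks added for vsftpd (ftp.xml) and httpd (http.xml) call `<service-disable-macro>`, the remediation macro, while the `<ocil>` blocks added in the same commit for dovecot, snmpd and squid call `<service-disable-check-macro>`. Unless both names expand to check text, the vsftpd and httpd OCIL will render the disable instructions rather than a check; use `<service-disable-check-macro>` in all five files.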
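Review bot: `<package-remove-macro service="vsftpd" />` / `<package-check-macro service="vsftpd" />` in `uninstall_vsftpd`, and the same pair in `uninstall_httpd`, pass the package name in a `service` attribute, whereas the net-snmp and squid hunks (and the quoted dhcp hunk) pass `package="..."`. Unless the macros accept both attribute names, the vsftpd and httpd expansions get an empty package name; use `package=` throughout. The dhcp uninstall hunk also calls its check `<package-remove-check-macro>` while every other file calls `<package-check-macro>`; settle on one check macro name.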
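Review bot: the dovecot uninstall Rule in imap.xml gains `<package-check-macro package="dovecot" />` but keeps its hand-written `<pre># yum erase dovecot</pre>` description, while the equivalent vsftpd, httpd, net-snmp and squid Rules in this commit switch the description to `<package-remove-macro>`. Convert it as well so the package Rules stay uniform.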
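Review bot: the new nfs.xml OCIL text, "Check the file <tt>/etc/exports</tt> for any instances of the <tt>insecure_locks</tt>.", drops the noun after `insecure_locks` and does not say what result constitutes a finding; suggest "Check the file <tt>/etc/exports</tt> for any instances of the <tt>insecure_locks</tt> option. If any are found, this is a finding." The same hunk deletes "This configuration is not recommended and strongly discouraged" from the description; if that warning is still wanted, fold it into the `<rationale>` rather than dropping it.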
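Review bot: `package="net-snmpd"` in both `<package-remove-macro>` and `<package-check-macro>` of `uninstall_net-snmp` names a package that does not exist; the Rule's own title and description say the package is `net-snmp` and that `snmpd` is the service it provides. The removed `# yum erase net-snmpd` line carried the same error, so correct it to `package="net-snmp"` now rather than baking it into the macros.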
On 9/24/12 9:45 AM, Jeffrey Blank wrote:
Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil
RHEL6/input/services/dhcp.xml  | 128 ++++++++++++++++++++++++++--------------
RHEL6/input/services/ftp.xml   |  11 +++-
RHEL6/input/services/http.xml  |  12 +++-
RHEL6/input/services/imap.xml  |   6 ++
RHEL6/input/services/nfs.xml   |   9 ++-
RHEL6/input/services/ntp.xml   |   1 +
RHEL6/input/services/snmp.xml  |  11 +++-
RHEL6/input/services/squid.xml |  11 +++-
8 files changed, 128 insertions(+), 61 deletions(-)
diff --git a/RHEL6/input/services/dhcp.xml b/RHEL6/input/services/dhcp.xml index 8417bb0..51dbba5 100644 --- a/RHEL6/input/services/dhcp.xml +++ b/RHEL6/input/services/dhcp.xml @@ -39,6 +39,7 @@ and removed. any system that does not need to act as a DHCP server.
<service-disable-macro service="dhcpd" /> </description> +<ocil><service-disable-check-macro service="dhcpd" /></ocil> <rationale> Unmanaged or unintentionally activate DHCP servers may provide faulty information to clients, interfering with the operation of a legitimate site @@ -53,9 +54,9 @@ DHCP server if there is one. <title>Uninstall DHCP Server Package</title> <description>If the system does not need to act as a DHCP server, the dhcp package can be uninstalled. -To do so, run the command: -<pre># yum erase dhcp</pre> +<package-remove-macro package="dhcp" /> </description> +<ocil><package-remove-check-macro package="dhcp" /></ocil> <rationale> Removing the DHCP server ensures that it cannot be easily or accidentally reactivated and disrupt network operation. @@ -69,18 +70,34 @@ accidentally reactivated and disrupt network operation.
<Group id="dhcp_server_configuration"> <title>Disable DHCP Server</title> -<description>If the system must act as a DHCP server, the configuration information it serves should be minimized. Also, support for other protocols and DNS-updating schemes should be explicitly disabled unless needed. The configuration file for dhcpd is called <tt>/etc/dhcpd.conf</tt>. The file begins with a number of global configuration options. The remainder of the file is divided into sections, one for each block of addresses offered by dhcpd, each of which contains configuration options specific to that address block.</description> +<description>If the system must act as a DHCP server, the configuration +information it serves should be minimized. Also, support for other protocols +and DNS-updating schemes should be explicitly disabled unless needed. The +configuration file for dhcpd is called <tt>/etc/dhcpd.conf</tt>. The file +begins with a number of global configuration options. The remainder of the file +is divided into sections, one for each block of addresses offered by dhcpd, +each of which contains configuration options specific to that address +block.</description>
<Rule id="dhcp_server_disable_ddns"> <title>Do Not Use Dynamic DNS</title> -<description>To prevent the DHCP server from receiving DNS information from clients, edit <tt>/etc/dhcpd.conf</tt>, and add -or correct the following global option: -<pre>ddns-update-style none;</pre> +<description>To prevent the DHCP server from receiving DNS information from +clients, edit <tt>/etc/dhcpd.conf</tt>, and add or correct the following global +option: <pre>ddns-update-style none;</pre> </description> -<rationale>The Dynamic DNS protocol is used to remotely update the data served by a DNS server. DHCP servers can use Dynamic DNS to publish information about their clients. This setup carries security risks, and its use is not recommended. -If Dynamic DNS must be used despite the risks it poses, it is critical that Dynamic DNS transactions be protected using TSIG or some other cryptographic authentication mechanism. See dhcpd.conf(5) for more information about protecting the DHCP server from passing along malicious DNS data from its clients. -</rationale> -<warning category="general">The ddns-update-style option controls only whether the DHCP server will attempt to act as a Dynamic DNS client. As long as the DNS server itself is correctly configured to reject DDNS attempts, an incorrect ddns-update-style setting on the client is harmless (but should be fixed as a best practice).</warning> +<rationale>The Dynamic DNS protocol is used to remotely update the data served +by a DNS server. DHCP servers can use Dynamic DNS to publish information about +their clients. This setup carries security risks, and its use is not +recommended. If Dynamic DNS must be used despite the risks it poses, it is +critical that Dynamic DNS transactions be protected using TSIG or some other +cryptographic authentication mechanism. See dhcpd.conf(5) for more information +about protecting the DHCP server from passing along malicious DNS data from its +clients. 
</rationale> +<warning category="general">The ddns-update-style option controls only whether +the DHCP server will attempt to act as a Dynamic DNS client. As long as the DNS +server itself is correctly configured to reject DDNS attempts, an incorrect +ddns-update-style setting on the client is harmless (but should be fixed as a +best practice).</warning> <ident cce="4257-2" /> <!--<oval id="dhcp_server_disable_ddns" /> --> <!--<ref nist="CM-6, CM-7" /> --> @@ -88,12 +105,14 @@ If Dynamic DNS must be used despite the risks it poses, it is critical that Dyna
<Rule id="dhcp_server_deny_decline"> <title>Deny Decline Messages</title> -<description>Edit <tt>/etc/dhcpd.conf</tt> and add or correct the following global option to prevent the DHCP server from responding the DHCPDECLINE messages, if possible: -<pre>deny declines;</pre> -</description> -<rationale>The DHCPDECLINE message can be sent by a DHCP client to indicate that it does not consider the lease -offered by the server to be valid. By issuing many DHCPDECLINE messages, a malicious client can exhaust the -DHCP server’s pool of IP addresses, causing the DHCP server to forget old address allocations.</rationale> +<description>Edit <tt>/etc/dhcpd.conf</tt> and add or correct the following +global option to prevent the DHCP server from responding the DHCPDECLINE +messages, if possible: <pre>deny declines;</pre> </description> +<rationale>The DHCPDECLINE message can be sent by a DHCP client to indicate +that it does not consider the lease offered by the server to be valid. By +issuing many DHCPDECLINE messages, a malicious client can exhaust the DHCP +server’s pool of IP addresses, causing the DHCP server to forget old address +allocations.</rationale> <ident cce="4403-2" /> <!--<oval id="dhcp_server_deny_decline" /> --> <!--<ref nist="CM-6, CM-7" /> --> @@ -101,19 +120,24 @@ DHCP server’s pool of IP addresses, causing the DHCP server to forget old addr
<Rule id="dhcp_server_deny_bootp"> <title>Deny BOOTP Queries</title> -<description>Unless your network needs to support older BOOTP clients, disable support for the bootp protocol by adding or correcting the global option: +<description>Unless your network needs to support older BOOTP clients, disable +support for the bootp protocol by adding or correcting the global option: <pre>deny bootp;</pre> </description> -<rationale>The bootp option tells dhcpd to respond to BOOTP queries. If support for this simpler protocol is not needed, it should be disabled to remove attack vectors against the DHCP server. +<rationale>The bootp option tells dhcpd to respond to BOOTP queries. If support +for this simpler protocol is not needed, it should be disabled to remove attack +vectors against the DHCP server. </rationale> <ident cce="4345-5" /> <!--<oval id="dhcp_server_deny_bootp" /> --> <!--<ref nist="CM-6, CM-7" /> --> </Rule>
-<Rule id="dhcp_server_minimize_served_info"> +<Group id="dhcp_server_minimize_served_info">
<title>Minimize Served Information</title> -<description>Edit /etc/dhcpd.conf. Examine each address range section within the file, and ensure that the following options are not defined unless there is an operational need to provide this information via DHCP: +<description>Edit /etc/dhcpd.conf. Examine each address range section within +the file, and ensure that the following options are not defined unless there is +an operational need to provide this information via DHCP: <pre>option domain-name option domain-name-servers option nis-domain 
@@ -122,30 +146,38 @@ option ntp-servers option routers option time-offset</pre> </description> -<rationale>Because the configuration information provided by the DHCP server could be maliciously provided to clients by a rogue DHCP server, the amount of information provided via DHCP should be minimized. Remove these definitions from the DHCP server configuration to ensure that legitimate clients do not unnecessarily rely on DHCP for this information. +<rationale>Because the configuration information provided by the DHCP server +could be maliciously provided to clients by a rogue DHCP server, the amount of +information provided via DHCP should be minimized. Remove these definitions +from the DHCP server configuration to ensure that legitimate clients do not +unnecessarily rely on DHCP for this information. </rationale> -<warning category="general">By default, the RHEL client installation uses DHCP to request much of the above information from -the DHCP server. In particular, domain-name, domain-name-servers, and routers are configured via DHCP. -These settings are typically necessary for proper network functionality, but are also usually static across machines -at a given site.</warning> -<ident cce="3724-2" /> +<warning category="general">By default, the RHEL client installation uses DHCP +to request much of the above information from the DHCP server. In particular, +domain-name, domain-name-servers, and routers are configured via DHCP. These +settings are typically necessary for proper network functionality, but are also +usually static across machines at a given site.</warning> +<!--<ident cce="3724-2" /> <ident cce="4243-2" /> <ident cce="4389-3" /> <ident cce="3913-1" /> <ident cce="4169-9" /> <ident cce="4318-2" /> -<ident cce="4319-0" /> +<ident cce="4319-0" />--> <!--<oval id="dhcp_server_minimize_served_info" /> --> <!--<ref nist="CM-6, CM-7" /> --> -</Rule> +</Group>
<Rule id="dhcp_server_configure_logging"> <title>Configure Logging</title> -<description>Ensure that the following line exists in <tt>/etc/syslog.conf</tt>: +<description>Ensure that the following line exists in +<tt>/etc/syslog.conf</tt>: <pre>daemon.* /var/log/daemon.log</pre> -Configure logwatch or other log monitoring tools to summarize error conditions reported by the dhcpd -process.</description> -<rationale>By default, dhcpd logs notices to the daemon facility. Sending all daemon messages to a dedicated log file is part of the syslog configuration outlined in the Logging and Auditing section</rationale> +Configure logwatch or other log monitoring tools to summarize error conditions +reported by the dhcpd process.</description> +<rationale>By default, dhcpd logs notices to the daemon facility. Sending all +daemon messages to a dedicated log file is part of the syslog configuration +outlined in the Logging and Auditing section</rationale> <ident cce="3733-3" /> <!--<oval id="dhcp_server_configure_logging" /> --> <!--<ref nist="CM-6, CM-7" /> --> @@ -165,8 +197,9 @@ accountability for network activity. <Rule id="disable_dhcp_client"> <title>Disable DHCP Client</title> <description> -For each interface <i>IFACE</i> on the system (e.g. eth0), -edit <tt>/etc/sysconfig/network-scripts/ifcfg-<i>IFACE</i></tt> and make the following changes: +For each interface <i>IFACE</i> on the system (e.g. eth0), edit +<tt>/etc/sysconfig/network-scripts/ifcfg-<i>IFACE</i></tt> and make the +following changes: <ul> <li> Correct the BOOTPROTO line to read: <pre>BOOTPROTO=static</pre> 
@@ -180,8 +213,10 @@ GATEWAY=192.168.1.1</pre> </ul> </description> <rationale> -DHCP is inherently insecure and should not be used unless it presents an unacceptable burden to the organization. -</rationale> +DHCP relies on trusting the local network. If the local network is not trusted, +then it should not be used. However, the automatic configuration provided by +DHCP is commonly used and the alternative, manual configuration, presents an +unacceptable burden in many circumstances.</rationale> <ident cce="4191-3" /> <oval id="sysconfig_networking_bootproto_ifcfg" /> <ref nist="CM-6, CM-7" /> @@ -198,14 +233,18 @@ dhclient(8) and dhclient.conf(5) man pages. </description>
<Group id="dhcp_client_restrict_options"> <title>Minimize the DHCP-Configured Options</title> -<description>Create the file <tt>/etc/dhclient.conf</tt>, and add an appropriate setting for each of the ten configuration settings which can be obtained via DHCP. For each setting, setting , do one of the following: -If the setting should not be configured remotely by the DHCP server, select an appropriate static value, and add the line: -supersede <tt>setting value</tt>; +<description>Create the file <tt>/etc/dhclient.conf</tt>, and add an +appropriate setting for each of the ten configuration settings which can be +obtained via DHCP. For each setting, do one of the following: +<br/> +If the setting should <i>not</i> be configured remotely by the DHCP server, +select an appropriate static value, and add the line: +<pre>supersede <tt>setting value</tt>;</pre> If the setting should be configured remotely by the DHCP server, add the lines: -request <tt>setting</tt>; -require <tt>setting</tt>; -For example, suppose the DHCP server should provide only the IP address itself and the subnet mask. Then -the entire file should look like: +<pre>request <tt>setting</tt>; +require <tt>setting</tt>;</pre> +For example, suppose the DHCP server should provide only the IP address itself +and the subnet mask. Then the entire file should look like: <pre>supersede domain-name "example.com"; supersede domain-name-servers 192.168.1.2; supersede nis-domain ""; @@ -214,7 +253,8 @@ supersede ntp-servers "ntp.example.com "; supersede routers 192.168.1.1; supersede time-offset -18000; request subnet-mask; -require subnet-mask;</pre></description> +require subnet-mask;</pre> +</description> <rationale>By default, the DHCP client program, dhclient, requests and applies ten configuration options (in addition to the IP address) from the DHCP server: subnet-mask, broadcast-address, time-offset, routers, domain-name, 
diff --git a/RHEL6/input/services/ftp.xml b/RHEL6/input/services/ftp.xml index da0a476..7741fc9 100644 --- a/RHEL6/input/services/ftp.xml +++ b/RHEL6/input/services/ftp.xml @@ -19,6 +19,9 @@ data available to the public.</description> <description> <service-disable-macro service="vsftpd" /> </description> +<ocil> +<service-disable-macro service="vsftpd" /> +</ocil> <rationale> Running FTP server software provides a network-based avenue of attack, and should be disabled if not needed. @@ -32,10 +35,12 @@ a risk of compromising sensitive information.
<Rule id="uninstall_vsftpd"> <title>Uninstall vsftpd Package</title> -<description>The <tt>vsftpd</tt> package can be -uninstalled with the following command: -<pre># yum erase vsftpd</pre> +<description> +<package-remove-macro service="vsftpd" /> </description> +<ocil> +<package-check-macro service="vsftpd" /> +</ocil> <rationale> Removing the vsftpd package decreases the risk of its accidental activation. diff --git a/RHEL6/input/services/http.xml b/RHEL6/input/services/http.xml index 7cd3782..679d32a 100644 --- a/RHEL6/input/services/http.xml +++ b/RHEL6/input/services/http.xml @@ -27,7 +27,9 @@ and removed from the system. <description> <service-disable-macro service="httpd" /> </description> -<ocil><service-disable-macro service="httpd" /></ocil> +<ocil> +<service-disable-macro service="httpd" /> +</ocil> <rationale> Running web server software provides a network-based avenue of attack, and should be disabled if not needed. @@ -39,10 +41,12 @@ of attack, and should be disabled if not needed.
<Rule id="uninstall_httpd"> <title>Uninstall httpd Package</title> -<description>The <tt>httpd</tt> package can be uninstalled with -the following command: -<pre># yum erase httpd</pre> +<description> +<package-remove-macro service="httpd" /> </description> +<ocil> +<package-check-macro service="httpd" /> +</ocil> <rationale> If there is no need to make the web server software available, removing it provides a safeguard against its activation. diff --git a/RHEL6/input/services/imap.xml b/RHEL6/input/services/imap.xml index c6a0326..a173122 100644 --- a/RHEL6/input/services/imap.xml +++ b/RHEL6/input/services/imap.xml @@ -17,6 +17,9 @@ POP3 server, the dovecot software should be disabled and removed. <description> <service-disable-macro service="dovecot" /> </description> +<ocil> +<service-disable-check-macro service="dovecot" /> +</ocil> <rationale> Running an IMAP or POP3 server provides a network-based avenue of attack, and should be disabled if not needed. @@ -31,6 +34,9 @@ avenue of attack, and should be disabled if not needed. with the following command: <pre># yum erase dovecot</pre> </description> +<ocil> +<package-check-macro package="dovecot" /> +</ocil> <rationale> If there is no need to make the Dovecot software available, removing it provides a safeguard against its activation. diff --git a/RHEL6/input/services/nfs.xml b/RHEL6/input/services/nfs.xml index abbb12d..31e17c3 100644 --- a/RHEL6/input/services/nfs.xml +++ b/RHEL6/input/services/nfs.xml 
@@ -345,11 +345,12 @@ however, there are a few clients that do not send credentials when requesting a the client to only be able to lock world-readable files. To get around this, the <tt>insecure_locks</tt> option can be used so these clients can access the desired export. This poses a security risk by potentially allowing the client access to data for which it does not have authorization. -<br /><br /> -This configuration is not recommended and strongly discouraged. -<br /><br /> -Ensure that no line in <tt>/etc/exports</tt> contains the option <tt>insecure_locks</tt>. +Remove any instances of the +<tt>insecure_locks</tt> option from the file <tt>/etc/exports</tt>. </description> +<ocil> +Check the file <tt>/etc/exports</tt> for any instances of the <tt>insecure_locks</tt>. +</ocil> <rationale>Allowing insecure file locking could allow for sensitive data to be viewed or edited by an unauthorized user. </rationale> diff --git a/RHEL6/input/services/ntp.xml b/RHEL6/input/services/ntp.xml index c87fedf..b3991ba 100644 --- a/RHEL6/input/services/ntp.xml +++ b/RHEL6/input/services/ntp.xml @@ -37,6 +37,7 @@ time data, is available at http://www.ntp.org. <description> <service-enable-macro service="ntpd" /> </description> +<ocil><service-enable-check-macro service="ntpd" /></ocil> <rationale>Enabling the <tt>ntpd</tt> service ensures that the <tt>ntpd</tt> service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be diff --git a/RHEL6/input/services/snmp.xml b/RHEL6/input/services/snmp.xml index 927119b..e224054 100644 --- a/RHEL6/input/services/snmp.xml +++ b/RHEL6/input/services/snmp.xml 
@@ -19,6 +19,9 @@ installed and activated, the software should be disabled and removed. <description> <service-disable-macro service="snmpd" /> </description> +<ocil> +<service-disable-check-macro service="snmpd" /> +</ocil> <rationale> Running SNMP software provides a network-based avenue of attack, and should be disabled if not needed. @@ -29,10 +32,12 @@ should be disabled if not needed.
<Rule id="uninstall_net-snmp"> <title>Uninstall <tt>net-snmp</tt> Package</title> -<description>The <tt>net-snmp</tt> package, which provides the snmpd service, -can be uninstalled with the following command: -<pre># yum erase net-snmpd</pre> +<description>The <tt>net-snmp</tt> package provides the snmpd service. +<package-remove-macro package="net-snmpd" /> </description> +<ocil> +<package-check-macro package="net-snmpd" /> +</ocil> <rationale> If there is no need to run SNMP server software, removing the package provides a safeguard against its diff --git a/RHEL6/input/services/squid.xml b/RHEL6/input/services/squid.xml index 4dbfa30..7aa01cb 100644 --- a/RHEL6/input/services/squid.xml +++ b/RHEL6/input/services/squid.xml @@ -20,6 +20,9 @@ and removed. <description> <service-disable-macro service="squid" /> </description> +<ocil> +<service-disable-check-macro service="squid" /> +</ocil> <rationale> Running proxy server software provides a network-based avenue of attack, and should be removed if not needed. @@ -30,10 +33,12 @@ of attack, and should be removed if not needed.
<Rule id="uninstall_squid"> <title>Uninstall squid Package</title> -<description>The <tt>squid</tt> package can be uninstalled with the -following command: -<pre># yum erase squid</pre> +<description> +<package-remove-macro package="squid" /> </description> +<ocil> +<package-check-macro package="squid" /> +</ocil> <rationale> If there is no need to make the proxy server software available, removing it provides a safeguard against its activation.
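Review bot: the attribute name passed to the package macros in the uninstall_httpd rule does not match the rest of the series: the new lines are `<package-remove-macro service="httpd" />` and `<package-check-macro service="httpd" />`, while the dovecot, net-snmp and squid rules pass `package="..."` to the same macros. If the macro bodies read the `package` attribute, the httpd description and manual check will render with an empty package name; change both call sites to `package="httpd"`.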
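Review bot: the package name in the new macro calls of the uninstall_net-snmp rule is wrong: `<package-remove-macro package="net-snmpd" />` and `<package-check-macro package="net-snmpd" />` name a package `net-snmpd`, but the title and the retained description sentence call it `net-snmp` (snmpd is the daemon, net-snmp is the package). The removed `yum erase net-snmpd` carried the same typo, and now that the macro generates both the remediation command and the manual check from this attribute, the check would report the package as absent on every system. Use `package="net-snmp"` in both.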
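Review bot: the new OCIL text in the services/nfs.xml hunk (@@ -345) is missing a word and does not state what a finding looks like: `Check the file <tt>/etc/exports</tt> for any instances of the <tt>insecure_locks</tt>.` should end with `... the <tt>insecure_locks</tt> option.`, and, like the other manual checks in this series, it should say that any export line containing the option is a finding. The description also loses `This configuration is not recommended and strongly discouraged.`; the rationale still covers the risk, so that is acceptable, but the check text should carry the pass/fail condition.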
Ack
Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil --- RHEL6/input/system/accounts/physical.xml | 25 ++- .../accounts/restrictions/password_storage.xml | 40 +++-- .../system/accounts/restrictions/root_logins.xml | 10 +- RHEL6/input/system/auditing.xml | 204 +++++++++++++++++--- RHEL6/input/system/logging.xml | 13 +- RHEL6/input/system/network/ipsec.xml | 8 +- RHEL6/input/system/network/iptables.xml | 5 + RHEL6/input/system/network/ipv6.xml | 12 ++ RHEL6/input/system/network/kernel.xml | 45 +++++ RHEL6/input/system/network/uncommon.xml | 32 ++-- RHEL6/input/system/network/wireless.xml | 4 + RHEL6/input/system/permissions/execution.xml | 6 +- RHEL6/input/system/permissions/files.xml | 145 ++++++++++----- RHEL6/input/system/selinux.xml | 45 ++--- 14 files changed, 453 insertions(+), 141 deletions(-)
diff --git a/RHEL6/input/system/accounts/physical.xml b/RHEL6/input/system/accounts/physical.xml index 26b697c..568fc59 100644 --- a/RHEL6/input/system/accounts/physical.xml +++ b/RHEL6/input/system/accounts/physical.xml @@ -29,8 +29,12 @@ If any correction is needed for the permissions on <tt>/etc/grub.conf</tt>, (whi
<Rule id="user_owner_grub_conf"> <title>Verify /boot/grub/grub.conf User Ownership</title> -<description>The file <tt>/etc/grub.conf</tt> is a symbolic link to <tt>/boot/grub/grub.conf</tt> which -should be owned by the <tt>root</tt> user to prevent destruction or modification of the file.</description> +<description>The file <tt>/etc/grub.conf</tt> is a symbolic link to +<tt>/boot/grub/grub.conf</tt> which should be owned by the <tt>root</tt> user +to prevent destruction or modification of the file. +<fileowner-desc-macro file="/boot/grub/grub.conf" owner="root"/> +</description> +<ocil><fileowner-check-macro file="/boot/grub/grub.conf" owner="root"/></ocil> <rationale> Only root should be able to modify important boot parameters. </rationale> @@ -41,8 +45,12 @@ Only root should be able to modify important boot parameters.
<Rule id="group_owner_grub_conf"> <title>Verify /boot/grub/grub.conf Group Ownership</title> -<description>The file <tt>/etc/grub.conf</tt> is a symbolic link to <tt>/boot/grub/grub.conf</tt> which -should be group-owned by the <tt>root</tt> group to prevent destruction or modification of the file.</description> +<description>The file <tt>/etc/grub.conf</tt> is a symbolic link to +<tt>/boot/grub/grub.conf</tt> which should be group-owned by the <tt>root</tt> +group to prevent destruction or modification of the file. +<filegroupowner-desc-macro file="/boot/grub/grub.conf" owner="root"/> +</description> +<ocil><filegroupowner-check-macro file="/boot/grub/grub.conf" owner="root"/></ocil> <rationale> The <tt>root</tt> group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway. @@ -55,10 +63,13 @@ file should not have any access privileges anyway. <Rule id="permissions_grub_conf"> <title>Verify /boot/grub/grub.conf Permissions</title> <description>File permissions for <tt>/boot/grub/grub.conf</tt> should be set to 600, which -is the default.</description> +is the default. +<fileperms-desc-macro file="/boot/grub/grub.conf" owner="600"/> +</description> +<ocil><fileperms-check-macro file="/boot/grub/grub.conf" owner="-rw-------"/></ocil> <rationale> -This ensures that only the root user should be able to modify important boot parameters contained in -this file. +Proper permissions ensure that only the root user can modify important boot +parameters. </rationale> <ident cce="3923-0" /> <oval id="file_permissions_grub_conf" /> diff --git a/RHEL6/input/system/accounts/restrictions/password_storage.xml b/RHEL6/input/system/accounts/restrictions/password_storage.xml index 29572f2..b030ad4 100644 --- a/RHEL6/input/system/accounts/restrictions/password_storage.xml +++ b/RHEL6/input/system/accounts/restrictions/password_storage.xml 
@@ -20,15 +20,16 @@ should allow administrators to avoid such misconfiguration. <title>Prevent Log In to Accounts With Empty Password</title> <description>If an account is configured for password authentication but does not have an assigned password, it may be possible to log -into the account without authentication. Ensuring that the <tt>nullok</tt> -option is <b>NOT</b> used in the <tt>/etc/pam.d/system-auth-ac</tt> -prevents logins with empty passwords. -<br /><br /> -To verify manually, the following command can be used: -<pre># grep nullok /etc/pam.d/system-auth /etc/pam.d/system-auth-ac</pre> -If this produces any output, fix the problem by removing any instance -of <tt>nullok</tt> in <tt>/etc/pam.d/system-auth-ac</tt>. +into the account without authentication. Remove any instances of the <tt>nullok</tt> +option in <tt>/etc/pam.d/system-auth-ac</tt> to +prevent logins with empty passwords. </description> +<ocil> +To verify that null passwords cannot be used, run the following command: +<pre># grep nullok /etc/pam.d/system-auth /etc/pam.d/system-auth-ac</pre> +If this produces any output, it may be possible to log into accounts +with empty passwords. +</ocil> <rationale> If an account has an empty password, anybody may log in and run commands with the privileges of that account. Accounts with @@ -42,10 +43,19 @@ environments.
<Rule id="no_hashes_outside_shadow"> <title>Verify All Account Password Hashes are Shadowed</title> -<description>To ensure that no password hashes are stored in -<tt>/etc/passwd</tt>, the following command should have no output: -<pre># awk -F: '($2 != "x") {print}' /etc/passwd</pre> +<description> +If any password hashes are stored in <tt>/etc/passwd</tt> (in the second field, +instead of an <tt>x</tt>), the cause of this misconfiguration should be +investigated. The account should have its password reset and the hash should be +properly stored, or the account should be deleted entirely. </description> +<ocil> +To check that no password hashes are stored in +<tt>/etc/passwd</tt>, run the following command: +<pre># awk -F: '($2 != "x") {print}' /etc/passwd</pre> +If it produces any output, then a password hash is +stored in <tt>/etc/passwd</tt>. +</ocil> <rationale> The hashes for all user account passwords should be stored in the file <tt>/etc/shadow</tt> and never in <tt>/etc/passwd</tt>, @@ -62,12 +72,14 @@ which is readable by all users. used to auto-login into FTP servers and reside in the user's home directory. These files may contain unencrypted passwords to remote FTP servers making them susceptible to access by unauthorized -users and should not be used. -<br /><br /> +users and should not be used. Any <tt>.netrc</tt> files should be removed. +</description> +<ocil> To check the system for the existence of any <tt>.netrc</tt> files, run the following command: <pre># find / -name .netrc</pre> -</description> +<!-- needs fixup to limit search to home dirs --> +</ocil> <rationale> Unencrypted passwords for remote FTP servers may be stored in <tt>.netrc</tt> files. DoD policy requires passwords be encrypted in storage and not used diff --git a/RHEL6/input/system/accounts/restrictions/root_logins.xml b/RHEL6/input/system/accounts/restrictions/root_logins.xml index 0ee4e8b..f08b702 100644 --- a/RHEL6/input/system/accounts/restrictions/root_logins.xml 
+++ b/RHEL6/input/system/accounts/restrictions/root_logins.xml @@ -134,12 +134,16 @@ become inaccessible. <Rule id="no_uidzero_except_root"> <title>Verify Only Root Has UID 0</title> <description> -This command will print all password file entries for +If any account other than root has a UID of 0, +this misconfiguration should be investigated and the +accounts other than root should be removed or have their UID changed. +</description> +<ocil> +To list all password file entries for accounts with UID 0: <pre># awk -F: '($3 == "0") {print}' /etc/passwd</pre> This should print only one line, for the user root. -<br /><br /> -</description> +</ocil> <rationale> An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to diff --git a/RHEL6/input/system/auditing.xml b/RHEL6/input/system/auditing.xml index 1649cfc..5cdb2ff 100644 --- a/RHEL6/input/system/auditing.xml +++ b/RHEL6/input/system/auditing.xml @@ -87,6 +87,7 @@ the Linux Auditing System, as it is responsible for writing audit records to disk. <service-enable-macro service="auditd" /> </description> +<ocil><service-enable-check-macro service="auditd" /></ocil> <rationale>Ensuring that the <tt>auditd</tt> service is active ensures that audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist. 
@@ -103,6 +104,10 @@ those which start prior to the audit daemon, add the argument <tt>audit=1</tt> to the kernel line in <tt>/etc/grub.conf</tt>, in the manner below: <pre>kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1</pre> </description> +<ocil> +Inspect the kernel boot arguments (which follow the word <tt>kernel</tt>) in +<tt>/etc/grub.conf</tt> to ensure that they include <tt>audit=1</tt>. +</ocil> <rationale> Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although <tt>auditd</tt> @@ -226,10 +231,15 @@ normally.</i> <description>Determine how many log files <tt>auditd</tt> should retain when it rotates logs. Edit the file <tt>/etc/audit/auditd.conf</tt>. Add or modify the following -line, substituting <i>NUMLOGS</i> with an appropriate value: +line, substituting <i>NUMLOGS</i> with the correct value: <pre>num_logs = <i>NUMLOGS</i></pre> -The default value of 5 is recommended for general-purpose systems. Note that -values less than 2 result in no log rotation.</description> +Set the value to 5 for general-purpose systems. +Note that values less than 2 result in no log rotation.</description> +<ocil> +Inspect <tt>/etc/audit/auditd.conf</tt> and locate the following line to +determine how many logs the system is configured to retain after rotation: +<pre>num_logs = 5</pre> +</ocil> <rationale>The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maxium log file size and the number of logs retained.</rationale> 
@@ -242,11 +252,16 @@ file size and the number of logs retained.</rationale> <description>Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file <tt>/etc/audit/auditd.conf</tt>. Add or modify the following line, substituting -<i>STOREMB</i> with an appropriate value: +the correct value for <i>STOREMB</i>: <pre>max_log_file = <i>STOREMB</i></pre> -The default value of 6 (MB) or even higher is recommended for general-purpose systems. +Set the value to <tt>6</tt> (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data.</description> +<ocil> +Inspect <tt>/etc/audit/auditd.conf</tt> and locate the following line to +determine how much data the system will retain in each audit log file: +<pre>max_log_file = 6</pre> +</ocil> <rationale>The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maxium log file size and the number of logs retained.</rationale> 
@@ -260,13 +275,23 @@ log file size and the number of logs retained.</rationale> is to rotate the log files, discarding the oldest one. To configure the action taken by <tt>auditd</tt>, add or correct the line: <pre>max_log_file_action = <i>ACTION</i></pre> -Valid values for <i>ACTION</i> are described in the <tt>auditd.conf</tt> man page, and include -<tt>ignore</tt>, <tt>syslog</tt>, <tt>suspend</tt>, <tt>rotate</tt>, -and <tt>keep_logs</tt>. -<br/><br/> -The default (case-insensitive) setting, -<tt>rotate</tt>, is recommended for most environments. +Possible values for <i>ACTION</i> are described in the <tt>auditd.conf</tt> man +page. These include: +<ul> +<li><tt>ignore</tt></li> +<li><tt>syslog</tt></li> +<li><tt>suspend</tt></li> +<li><tt>rotate</tt></li> +<li><tt>keep_logs</tt></li> +</ul> +Set the <tt><i>ACTION</i></tt> to <tt>rotate</tt> to ensure log rotation +occurs. This is the default. The setting is case-insensitive. </description> +<ocil> +Inspect <tt>/etc/audit/auditd.conf</tt> and locate the following line to +determine if the system is configured to rotate logs when they reach their +maximum size: <pre>max_log_file_action <tt>rotate</tt></pre> +</ocil> <rationale>Automatically rotating logs (by setting this to <tt>rotate</tt>) minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard 
@@ -293,16 +318,29 @@ installation time. The partition should be larger than the maximum space which <title>Configure auditd space_left Action on Low Disk Space</title> <description>The <tt>auditd</tt> service can be configured to take an action when disk space <i>starts</i> to run low. -Edit the file <tt>/etc/audit/auditd.conf</tt>. Add or modify the following line, +Edit the file <tt>/etc/audit/auditd.conf</tt>. Modify the following line, substituting <i>ACTION</i> appropriately: <pre>space_left_action = <i>ACTION</i></pre> -Valid values for <i>ACTION</i> are described in the <tt>auditd.conf</tt> man page, and include -<tt>ignore</tt>, <tt>syslog</tt>, <tt>email</tt>, <tt>exec</tt>, -<tt>suspend</tt>, <tt>single</tt> and <tt>halt</tt>. -<br/><br/> -Setting this to <tt>email</tt> is recommended over the default -(<tt>suspend</tt>) as it may be more likely to get prompt attention. +Possible values for <i>ACTION</i> are described in the <tt>auditd.conf</tt> man page. +These include: +<ul> +<li><tt>ignore</tt></li> +<li><tt>syslog</tt></li> +<li><tt>email</tt></li> +<li><tt>exec</tt></li> +<li><tt>suspend</tt></li> +<li><tt>single</tt></li> +<li><tt>halt</tt></li> +</ul> +Set this to <tt>email</tt> (instead of the default, +which is <tt>suspend</tt>) as it is more likely to get prompt attention. </description> +<ocil> +Inspect <tt>/etc/audit/auditd.conf</tt> and locate the following line to +determine if the system is configured to email the administrator when +disk space is starting to run low: +<pre>space_left_action email</pre> +</ocil> <rationale>Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.</rationale> <oval id="auditd_data_retention_space_left_action" value="var_auditd_space_left_action"/> 
@@ -317,14 +355,28 @@ when disk space is running low but prior to running out of space completely. Edit the file <tt>/etc/audit/auditd.conf</tt>. Add or modify the following line, substituting <i>ACTION</i> appropriately: <pre>admin_space_left_action = <i>ACTION</i></pre> -Valid values for <i>ACTION</i> include are described in the <tt>auditd.conf</tt> man page, and include -<tt>ignore</tt>, <tt>syslog</tt>, <tt>email</tt>, <tt>exec</tt>, -<tt>suspend</tt>, <tt>single</tt> and <tt>halt</tt>. The default setting is -<tt>suspend</tt>, which may not be noticed by some administrators. -<br/><br/> -Setting this value to <tt>single</tt> will cause the system to switch to -single user mode for corrective action, and is recommended. +Possible values for <i>ACTION</i> are described in the <tt>auditd.conf</tt> man page. +These include: +<ul> +<li><tt>ignore</tt></li> +<li><tt>syslog</tt></li> +<li><tt>email</tt></li> +<li><tt>exec</tt></li> +<li><tt>suspend</tt></li> +<li><tt>single</tt></li> +<li><tt>halt</tt></li> +</ul> +Set this value to <tt>single</tt> to cause the system to switch to single user +mode for corrective action. For certain systems, the need for availability +outweighs the need to log all actions, and a different setting should be +determined. </description> +<ocil> +Inspect <tt>/etc/audit/auditd.conf</tt> and locate the following line to +determine if the system is configured to switch to single user mode +when disk space has run low: +<pre>admin_space_left_action single</pre> +</ocil> <rationale>Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur. 
@@ -342,6 +394,12 @@ in <tt>/etc/audit/auditd.conf</tt> to ensure that administrators are notified via email for those situations: <pre>action_mail_acct = root</pre> </description> +<ocil> +Inspect <tt>/etc/audit/auditd.conf</tt> and locate the following line to +determine if the system is configured to send email to an +account when it needs to notify an administrator: +<pre>action_mail_acct = root</pre> +</ocil> <rationale>Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.</rationale> <oval id="auditd_data_retention_action_mail_acct" value="var_auditd_action_mail_acct" /> @@ -412,6 +470,9 @@ desired, but is not required. See an example of multiple combined syscalls: <pre>-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules</pre> </description> +<ocil> +<audit-syscall-check-macro syscall="fchmod" /> +</ocil> <rationale>Arbitrary changes to the system time can be used to obfuscate nefarious activites in log files as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes @@ -437,6 +498,9 @@ desired, but is not required. See an example of multiple combined syscalls: <pre>-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules</pre> </description> +<ocil> +<audit-syscall-check-macro syscall="fchmod" /> +</ocil> <rationale>Arbitrary changes to the system time can be used to obfuscate nefarious activites in log files as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes 
@@ -460,6 +524,9 @@ See an example of multiple combined syscalls: <pre>-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules</pre> </description> +<ocil> +<audit-syscall-check-macro syscall="fchmod" /> +</ocil> <rationale>Arbitrary changes to the system time can be used to obfuscate nefarious activites in log files as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes @@ -485,6 +552,9 @@ desired, but is not required. See an example of multiple combined syscalls: <pre>-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules</pre> </description> +<ocil> +<audit-syscall-check-macro syscall="fchmod" /> +</ocil> <rationale>Arbitrary changes to the system time can be used to obfuscate nefarious activites in log files as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes @@ -503,6 +573,13 @@ The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used. </description> +<ocil> +To determine if the system is configured to audit attempts to +alter time via the /etc/localtime file, run the following +command: +<pre># auditctl -l | grep "watch=/etc/localtime"</pre> +If the system is configured to audit this activity, it will return a line. +</ocil> <rationale>Arbitrary changes to the system time can be used to obfuscate nefarious activites in log files as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes 
@@ -525,9 +602,16 @@ to capture events that modify account changes: -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes</pre> </description> +<ocil> +To determine if the system is configured to audit account changes, +run the following command: +<pre>auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)'</pre> +If the system is configured to watch for account changes, lines should be returned for +each file specified (and with <tt>perm=wa</tt> for each). +</ocil> <rationale>In addition to auditing new user and group accounts, these watches -will alert the system administrator(s) to any modifications. It is recommended -that any unexpected users, groups, or modifications be investigated for +will alert the system administrator(s) to any modifications. Any +unexpected users, groups, or modifications should be investigated for legitimacy.</rationale> <ident cce="14829-6" /> <oval id="audit_rules_usergroup_modification" /> @@ -545,6 +629,13 @@ ARCH to either b32 or b64 as appropriate for your system: -w /etc/hosts -p wa -k audit_network_modifications -w /etc/sysconfig/network -p wa -k audit_network_modifications</pre> </description> +<ocil> +To determine if the system is configured to audit changes to its network configuration, +run the following command: +<pre>auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)'</pre> +If the system is configured to watch for account changes, a line should be returned for +each file specified (and <tt>perm=wa</tt> should be indicated for each). +</ocil> <rationale>The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.</rationale> 
@@ -560,7 +651,14 @@ Controls</title> <description>Add the following to <tt>/etc/audit/audit.rules</tt>: <pre>-w /etc/selinux/ -p wa -k MAC-policy</pre> </description> -<!-- TODO add info for selinux system calls which load new policy? --> +<ocil> +To determine if the system is configured to audit changes to its SELinux +configuration files, run the following command: +<pre># auditctl -l | grep "dir=selinux"</pre> +If the system is configured to watch for changes to its SELinux +configuration, a line should be returned (including +<tt>perm=wa</tt> indicating permissions that are watched). +</ocil> <rationale>The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.</rationale> @@ -618,6 +716,9 @@ If the system is 64 bit then also add the following: gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and unauthorized users.</rationale> +<ocil> +<audit-syscall-check-macro syscall="fchmod" /> +</ocil> <warning category="general">Note that these rules can be configured in a number of ways while still acheiving the desired effect. Here the system calls have been placed independant of other system calls. Grouping these system @@ -640,6 +741,9 @@ If the system is 64 bit then also add the following: <pre>-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 \ -k perm_mod</pre> </description> +<ocil> +<audit-syscall-check-macro syscall="fchmod" /> +</ocil> <rationale>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and 
@@ -666,6 +770,9 @@ If the system is 64 bit then also add the following: <pre>-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod</pre> </description> +<ocil> +<audit-syscall-check-macro syscall="fchmod" /> +</ocil> <rationale>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and @@ -692,6 +799,9 @@ If the system is 64 bit then also add the following: <pre>-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 \ -k perm_mod</pre> </description> +<ocil> +<audit-syscall-check-macro syscall="fchmodat" /> +</ocil> <rationale>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and @@ -718,6 +828,9 @@ If the system is 64 bit then also add the following: <pre>-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod</pre> </description> +<ocil> +<audit-syscall-check-macro syscall="fchown" /> +</ocil> <rationale>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and 
@@ -744,6 +857,9 @@ If the system is 64 bit then also add the following: <pre>-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 \ -k perm_mod</pre> </description> +<ocil> +<audit-syscall-check-macro syscall="fchownat" /> +</ocil> <rationale>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and @@ -770,6 +886,9 @@ If the system is 64 bit then also add the following: <pre>-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod</pre> </description> +<ocil> +<audit-syscall-check-macro syscall="fremovexattr" /> +</ocil> <rationale>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and @@ -796,6 +915,9 @@ If the system is 64 bit then also add the following: <pre>-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod</pre> </description> +<ocil> +<audit-syscall-check-macro syscall="fsetxattr" /> +</ocil> <rationale>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and 
@@ -822,6 +944,9 @@ If the system is 64 bit then also add the following: <pre>-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod</pre> </description> +<ocil> +<audit-syscall-check-macro syscall="fchmod" /> +</ocil> <rationale>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and @@ -848,6 +973,9 @@ If the system is 64 bit then also add the following: <pre>-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod</pre> </description> +<ocil> +<audit-syscall-check-macro syscall="lremovexattr" /> +</ocil> <rationale>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and @@ -874,6 +1002,9 @@ If the system is 64 bit then also add the following: <pre>-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod</pre> </description> +<ocil> +<audit-syscall-check-macro syscall="lsetxattr" /> +</ocil> <rationale>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and 
@@ -900,6 +1031,9 @@ If the system is 64 bit then also add the following: <pre>-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod</pre> </description> +<ocil> +<audit-syscall-check-macro syscall="removexattr" /> +</ocil> <rationale>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and @@ -926,6 +1060,9 @@ If the system is 64 bit then also add the following: <pre>-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod</pre> </description> +<ocil> +<audit-syscall-check-macro syscall="setxattr" /> +</ocil> <rationale>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and @@ -985,6 +1122,7 @@ appropriate for your system: -a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access</pre> </description> + <rationale>Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.</rationale> <ident cce="14917-9" /> 
@@ -1039,6 +1177,12 @@ appropriate for your system: <pre>-a always,exit -F arch=ARCH -S unlink -S unlinkat -S rename -S renameat \ -F auid>=500 -F auid!=4294967295 -k delete</pre> </description> +<ocil> +<audit-syscall-check-macro syscall="unlink" /> +<audit-syscall-check-macro syscall="unlinkat" /> +<audit-syscall-check-macro syscall="rename" /> +<audit-syscall-check-macro syscall="renameat" /> +</ocil> <rationale>Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting as well as detecting malicious processes that attempt to delete log files to conceal their presence.</rationale> @@ -1071,6 +1215,10 @@ to capture kernel module loading and unloading events: -w /sbin/modprobe -p x -k modules -a always,exit -S init_module -S delete_module -k modules</pre> </description> +<ocil> +<audit-syscall-check-macro syscall="init_module" /> +<audit-syscall-check-macro syscall="delete_module" /> +</ocil> <rationale>The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.</rationale> diff --git a/RHEL6/input/system/logging.xml b/RHEL6/input/system/logging.xml index ea30340..d24b421 100644 --- a/RHEL6/input/system/logging.xml +++ b/RHEL6/input/system/logging.xml 
@@ -20,12 +20,12 @@ monitor logs.</description> <Rule id="package_rsyslog_installed"> <title>Ensure rsyslog is Installed</title> <description> -Rsyslog is installed by default. Ensure that it is installed -by running: -<pre>$ rpm -q rsyslog</pre> -If it is not installed, install it by running: -<pre># yum install rsyslog</pre> +Rsyslog is installed by default. +<package-install-macro service="rsyslog" /> </description> +<ocil> +<package-check-macro package="rsyslog" /> +</ocil> <rationale> The rsyslog package provides the rsyslog daemon, which provides system logging services. @@ -41,6 +41,9 @@ system logging services. <description>The <tt>rsyslog</tt> service provides syslog-style logging by default on RHEL 6. <service-enable-macro service="rsyslog" /> </description> +<ocil> +<service-enable-check-macro service="rsyslog" /> +</ocil> <rationale>The <tt>rsyslog</tt> service must be running in order to provide logging services, which are essential to system administration. </rationale> diff --git a/RHEL6/input/system/network/ipsec.xml b/RHEL6/input/system/network/ipsec.xml index a9bc1a7..a738354 100644 --- a/RHEL6/input/system/network/ipsec.xml +++ b/RHEL6/input/system/network/ipsec.xml @@ -8,10 +8,12 @@ is provided in RHEL 6 with Openswan. <title>Install openswan Package</title> <description>The Openswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over -untrusted networks. The <tt>openswan</tt> package can be installed -with the following command: -<pre># yum install openswan</pre> +untrusted networks. +<package-install-macro package="openswan" /> </description> +<ocil> +<package-check-macro package="openswan" /> +</ocil> <rationale>Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network. diff --git a/RHEL6/input/system/network/iptables.xml b/RHEL6/input/system/network/iptables.xml index 31237b7..9aae35d 100644 
--- a/RHEL6/input/system/network/iptables.xml +++ b/RHEL6/input/system/network/iptables.xml @@ -71,6 +71,7 @@ IPv6 lacks reliable connection-tracking functionality.</description> <description> <service-enable-macro service="ip6tables" /> </description> +<ocil><service-enable-check-macro service="ip6tables" /></ocil> <rationale>The <tt>ip6tables</tt> service provides the system's host-based firewalling capability for IPv6 and ICMPv6. </rationale> @@ -84,6 +85,7 @@ capability for IPv6 and ICMPv6. <description> <service-enable-macro service="iptables" /> </description> +<ocil><service-enable-check-macro service="iptables" /></ocil> <rationale> The <tt>iptables</tt> service provides the system's host-based firewalling capability for IPv4 and ICMP. @@ -133,6 +135,9 @@ add or correct the following line in <tt>/etc/sysconfig/iptables</tt>: <pre>:INPUT DROP [0:0]</pre> </description> +<ocil>Inspect the file <tt>/etc/sysconfig/iptables</tt> to determine +the default policy for the INPUT chain. It should be set to DROP. +</ocil> <rationale>In <tt>iptables</tt> the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to <tt>DROP</tt> implements proper design for a firewall, i.e. diff --git a/RHEL6/input/system/network/ipv6.xml b/RHEL6/input/system/network/ipv6.xml index 7b43edd..b703e1d 100644 --- a/RHEL6/input/system/network/ipv6.xml +++ b/RHEL6/input/system/network/ipv6.xml 
@@ -22,6 +22,18 @@ instruct the IPv6 kernel module not to load it.</description> This permits the IPv6 module to be loaded (and thus satisfy other modules that depend on it), while disabling support for the IPv6 protocol. </description> +<ocil> +If the system is configured to prevent the loading of the +<tt>ipv6</tt> kernel module, it will contain a line +of the form +<pre>options ipv6 disable=1</pre> +inside any file in <tt>/etc/modprobe.d</tt> or the deprecated<tt>/etc/modprobe.conf</tt>. +This permits insertion of the IPv6 kernel module (which other parts of the system +expect to be present), but otherwise keeps it inactive. +Run the following command to search for such lines in all files in <tt>/etc/modprobe.d</tt> +and the deprecated <tt>/etc/modprobe.conf</tt>: +<pre xml:space="preserve">$ grep -r ipv6 /etc/modprobe.conf /etc/modprobe.d</pre> +</ocil> <rationale> Any networking stack, including IPv6, that does not need to be active should be disabled in order to reduce the system's vulnerability diff --git a/RHEL6/input/system/network/kernel.xml b/RHEL6/input/system/network/kernel.xml index 63bb1f5..5485fcd 100644 --- a/RHEL6/input/system/network/kernel.xml +++ b/RHEL6/input/system/network/kernel.xml @@ -16,6 +16,9 @@ of network traffic.</description> <description> <sysctl-desc-macro sysctl="net.ipv4.conf.default.send_redirects" value="0" /> </description> +<ocil> +<sysctl-check-macro sysctl="net.ipv4.conf.default.send_redirects" value="0" /> +</ocil> <rationale>Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for routers.</rationale> 
@@ -29,6 +32,9 @@ only appropriate for routers.</rationale> <description> <sysctl-desc-macro sysctl="net.ipv4.conf.all.send_redirects" value="0" /> </description> +<ocil> +<sysctl-check-macro sysctl="net.ipv4.conf.all.send_redirects" value="0" /> +</ocil> <rationale>Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for routers.</rationale> @@ -42,6 +48,9 @@ only appropriate for routers.</rationale> <description> <sysctl-desc-macro sysctl="net.ipv4.ip_forward" value="0" /> </description> +<ocil> +<sysctl-check-macro sysctl="net.ipv4.ip_forward" value="0" /> +</ocil> <rationale>IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for routers.</rationale> @@ -190,6 +199,9 @@ operator="equals" interactive="0"> <description> <sysctl-desc-macro sysctl="net.ipv4.conf.all.accept_source_route" value="0" /> </description> +<ocil> +<sysctl-check-macro sysctl="net.ipv4.conf.all.accept_source_route" value="0" /> +</ocil> <rationale>Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.</rationale> <ident cce="4236-6" /> @@ -202,6 +214,9 @@ uses. It should be disabled unless it is absolutely required.</rationale> <description> <sysctl-desc-macro sysctl="net.ipv4.conf.all.accept_redirects" value="0" /> </description> +<ocil> +<sysctl-check-macro sysctl="net.ipv4.conf.all.accept_redirects" value="0" /> +</ocil> <rationale>Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required.</rationale> <ident cce="4217-6" /> 
@@ -215,6 +230,9 @@ uses. It should be disabled unless it is absolutely required.</rationale> <description> <sysctl-desc-macro sysctl="net.ipv4.conf.all.secure_redirects" value="0" /> </description> +<ocil> +<sysctl-check-macro sysctl="net.ipv4.conf.all.secure_redirects" value="0" /> +</ocil> <rationale>Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.</rationale> @@ -228,6 +246,9 @@ absolutely required.</rationale> <description> <sysctl-desc-macro sysctl="net.ipv4.conf.all.log_martians" value="1" /> </description> +<ocil> +<sysctl-check-macro sysctl="net.ipv4.conf.all.log_martians" value="1" /> +</ocil> <rationale>The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity @@ -243,6 +264,9 @@ to be detected.</rationale> <description> <sysctl-desc-macro sysctl="net.ipv4.conf.default.accept_source_route" value="0" /> </description> +<ocil> +<sysctl-check-macro sysctl="net.ipv4.conf.default.accept_source_route" value="0" /> +</ocil> <rationale>Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.</rationale> <ident cce="4091-5" /> @@ -256,6 +280,9 @@ uses. It should be disabled unless it is absolutely required.</rationale> <description> <sysctl-desc-macro sysctl="net.ipv4.conf.default.accept_redirects" value="0" /> </description> +<ocil> +<sysctl-check-macro sysctl="net.ipv4.conf.default.accept_redirects" value="0" /> +</ocil> <rationale>This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.</rationale> <ident cce="4186-3" /> 
@@ -269,6 +296,9 @@ uses. It should be disabled unless it is absolutely required.</rationale> <description> <sysctl-desc-macro sysctl="net.ipv4.conf.default.secure_redirects" value="0" /> </description> +<ocil> +<sysctl-check-macro sysctl="net.ipv4.conf.default.secure_redirects" value="0" /> +</ocil> <rationale>Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.</rationale> @@ -283,6 +313,9 @@ absolutely required.</rationale> <description> <sysctl-desc-macro sysctl="net.ipv4.icmp_echo_ignore_broadcasts" value="1" /> </description> +<ocil> +<sysctl-check-macro sysctl="net.ipv4.icmp_echo_ignore_broadcasts" value="1" /> +</ocil> <rationale>Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network. </rationale> @@ -297,6 +330,9 @@ addresses makes the system slightly more difficult to enumerate on the network. <description> <sysctl-desc-macro sysctl="net.ipv4.icmp_ignore_bogus_error_responses" value="1" /> </description> +<ocil> +<sysctl-check-macro sysctl="net.ipv4.icmp_ignore_bogus_error_responses" value="1" /> +</ocil> <rationale>Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.</rationale> <ident cce="4133-5" /> @@ -309,6 +345,9 @@ log size, although some activity would not be logged.</rationale> <description> <sysctl-desc-macro sysctl="net.ipv4.tcp_syncookies" value="1" /> </description> +<ocil> +<sysctl-check-macro sysctl="net.ipv4.tcp_syncookies" value="1" /> +</ocil> <rationale> A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, 
@@ -326,6 +365,9 @@ enables the system to continue servicing valid connection requests. <description> <sysctl-desc-macro sysctl="net.ipv4.conf.all.rp_filter" value="1" /> </description> +<ocil> +<sysctl-check-macro sysctl="net.ipv4.conf.all.rp_filter" value="1" /> +</ocil> <rationale>Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for @@ -341,6 +383,9 @@ networks.</rationale> <description> <sysctl-desc-macro sysctl="net.ipv4.conf.default.rp_filter" value="1" /> </description> +<ocil> +<sysctl-check-macro sysctl="net.ipv4.conf.default.rp_filter" value="1" /> +</ocil> <rationale>Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for diff --git a/RHEL6/input/system/network/uncommon.xml b/RHEL6/input/system/network/uncommon.xml index 75e35d7..84697d5 100644 --- a/RHEL6/input/system/network/uncommon.xml +++ b/RHEL6/input/system/network/uncommon.xml @@ -14,13 +14,15 @@ prior to disabling them.
<Rule id="disable_protocol_dccp" severity="medium"> <title>Disable DCCP Support</title> -<description>To prevent the DCCP kernel module from being loaded, -add the following line to the appropriate <tt>/etc/modprobe.d</tt> configuration file.: -<pre>install dccp /bin/true</pre> +<description> The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. +<module-disable-macro module="dccp" /> </description> +<ocil> +<module-disable-check-macro module="dccp" /> +</ocil> <rationale> Disabling DCCP protects the system against exploitation of any flaws in its implementation. @@ -33,14 +35,16 @@ the system against exploitation of any flaws in its implementation.
<Rule id="disable_protocol_sctp" severity="medium"> <title>Disable SCTP Support</title> -<description>To prevent the SCTP kernel module from being loaded, -add the following line to the appropriate <tt>/etc/modprobe.d</tt> configuration file.: -<pre>install sctp /bin/true</pre> +<description> The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. +<module-disable-macro module="sctp" /> </description> +<ocil> +<module-disable-check-macro module="sctp" /> +</ocil> <rationale> Disabling SCTP protects the system against exploitation of any flaws in its implementation. @@ -53,13 +57,15 @@ the system against exploitation of any flaws in its implementation.
<Rule id="disable_protocol_rds"> <title>Disable RDS Support</title> -<description>To prevent the RDS kernel module from being loaded, -add the following line to the appropriate <tt>/etc/modprobe.d</tt> configuration file.: -<pre>install rds /bin/true</pre> +<description> The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high- bandwidth, low-latency communications between nodes in a cluster. +<module-disable-macro module="rds" /> </description> +<ocil> +<module-disable-check-macro module="rds" /> +</ocil> <rationale> Disabling RDS protects the system against exploitation of any flaws in its implementation. @@ -72,13 +78,15 @@ the system against exploitation of any flaws in its implementation.
<Rule id="disable_protocol_tipc" severity="medium"> <title>Disable TIPC Support</title> -<description>To prevent the TIPC kernel module from being loaded, -add the following line to the appropriate <tt>/etc/modprobe.d</tt> configuration file.: -<pre>install tipc /bin/true</pre> +<description> The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. +<module-disable-macro module="tipc" /> </description> +<ocil> +<module-disable-check-macro module="tipc" /> +</ocil> <rationale> Disabling TIPC protects the system against exploitation of any flaws in its implementation. diff --git a/RHEL6/input/system/network/wireless.xml b/RHEL6/input/system/network/wireless.xml index 689fe69..7686390 100644 --- a/RHEL6/input/system/network/wireless.xml +++ b/RHEL6/input/system/network/wireless.xml @@ -90,6 +90,9 @@ the need to install such a driver first. <description> <service-disable-macro service="bluetooth" /> </description> +<ocil> +<service-disable-check-macro service="bluetooth" /> +</ocil> <rationale>Disabling the <tt>bluetooth</tt> service prevents the system from attempting connections to to Bluetooth devices, which entails some security risk. Nevertheless, variation in this risk decision may be expected due to the @@ -108,6 +111,7 @@ to prevent the loading of the Bluetooth module: <pre>install net-pf-31 /bin/true install bluetooth /bin/true</pre> </description> + <rationale>If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.</rationale> diff --git a/RHEL6/input/system/permissions/execution.xml b/RHEL6/input/system/permissions/execution.xml index c7e4034..6d32805 100644 --- a/RHEL6/input/system/permissions/execution.xml +++ b/RHEL6/input/system/permissions/execution.xml @@ -69,7 +69,8 @@ value of 0 is recommended.</description>
<Rule id="disable_users_coredumps"> <title>Disable Core Dumps for All Users</title> -<description>To disable core dumps for all users, add the following line to <tt>/etc/security/limits.conf</tt>: +<description>To disable core dumps for all users, add the following line to +<tt>/etc/security/limits.conf</tt>: <pre>* hard core 0</pre> </description> <rationale>A core dump includes a memory image taken at the time the operating system @@ -84,6 +85,7 @@ only for developers trying to debug problems.</rationale> <Rule id="disable_setuid_coredumps"> <title>Disable Core Dumps for SUID programs</title> <description><sysctl-desc-macro sysctl="fs.suid_dumpable" value="0" /></description> +<ocil><sysctl-check-macro sysctl="fs.suid_dumpable" value="0" /></ocil> <rationale>The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any @@ -109,6 +111,7 @@ controlled through <tt>sysctl</tt> variables <tt>kernel.exec-shield</tt> and <Rule id="enable_execshield"> <title>Enable ExecShield</title> <description><sysctl-desc-macro sysctl="kernel.exec-shield" value="1" /></description> +<ocil><sysctl-check-macro sysctl="kernel.exec-shield" value="1" /></ocil> <rationale>ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to 
@@ -124,6 +127,7 @@ address range.</rationale> <Rule id="enable_randomize_va_space"> <title>Enable Randomized Layout of Virtual Address Space</title> <description><sysctl-desc-macro sysctl="kernel.randomize_va_space" value="1" /></description> +<ocil><sysctl-check-macro sysctl="kernel.randomize_va_space" value="1" /></ocil> <rationale> Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt at exploitation. ASLR also diff --git a/RHEL6/input/system/permissions/files.xml b/RHEL6/input/system/permissions/files.xml index b82c024..59f0a3a 100644 --- a/RHEL6/input/system/permissions/files.xml +++ b/RHEL6/input/system/permissions/files.xml @@ -19,8 +19,8 @@ passwords, and should never be enabled.</description>
<Rule id="userowner_shadow_file"> <title>Verify User Who Owns <tt>shadow</tt> File</title> -<description>The <tt>/etc/shadow</tt> file should be owned by -root.</description> +<description><fileowner-desc-macro file="/etc/shadow" owner="root"/></description> +<ocil><fileowner-check-macro file="/etc/shadow" owner="root"/></ocil> <rationale>The <tt>/etc/shadow</tt> file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file @@ -33,8 +33,8 @@ which could weaken the system security posture.</rationale>
<Rule id="groupowner_shadow_file"> <title>Verify Group Who Owns <tt>shadow</tt> File</title> -<description>The <tt>/etc/shadow</tt> file should be group-owned by -root.</description> +<description><filegroupowner-desc-macro file="/etc/shadow" group="root"/></description> +<ocil><filegroupowner-check-macro file="/etc/shadow" group="root"/></ocil> <rationale>The <tt>/etc/shadow</tt> file stores password hashes. Protection of this file is critical for system security.</rationale> <ident cce="3988-3" /> @@ -44,8 +44,8 @@ critical for system security.</rationale>
<Rule id="perms_shadow_file"> <title>Verify Permissions on <tt>shadow</tt> File</title> -<description>File permissions for <tt>/etc/shadow</tt> should be set -to 0000.</description> +<description><fileperms-desc-macro file="/etc/shadow" perms="0000"/></description> +<ocil><fileperms-check-macro file="/etc/shadow" perms="----------"/></ocil> <rationale>The <tt>/etc/shadow</tt> file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file @@ -58,8 +58,8 @@ which could weaken the system security posture.</rationale>
<Rule id="userowner_group_file"> <title>Verify User Who Owns <tt>group</tt> File</title> -<description>The <tt>/etc/group</tt> file should be owned by -root.</description> +<description><fileowner-desc-macro file="/etc/group" owner="root"/></description> +<ocil><fileowner-check-macro file="/etc/group" owner="root"/></ocil> <rationale>The <tt>/etc/group</tt> file contains information regarding groups that are configured on the system. Protection of this file is important for system security.</rationale> <ident cce="3276-3" /> @@ -69,8 +69,8 @@ on the system. Protection of this file is important for system security.</ration
<Rule id="groupowner_group_file"> <title>Verify Group Who Owns <tt>group</tt> File</title> -<description>The <tt>/etc/group</tt> file should be group-owned by -root.</description> +<description><filegroupowner-desc-macro file="/etc/group" group="root"/></description> +<ocil><filegroupowner-check-macro file="/etc/group" group="root"/></ocil> <rationale>The <tt>/etc/group</tt> file contains information regarding groups that are configured on the system. Protection of this file is important for system security.</rationale> <ident cce="3883-6" /> @@ -80,8 +80,8 @@ on the system. Protection of this file is important for system security.</ration
<Rule id="perms_group_file"> <title>Verify Permissions on <tt>group</tt> File</title> -<description>File permissions for <tt>/etc/group</tt> should be set -correctly.</description> +<description><fileperms-desc-macro file="/etc/group" perms="644"/></description> +<ocil><fileowner-check-macro file="/etc/group" perms="-rw-r--r--"/></ocil> <rationale>The <tt>/etc/group</tt> file contains information regarding groups that are configured on the system. Protection of this file is important for system security.</rationale> <ident cce="3967-7" /> @@ -91,8 +91,8 @@ on the system. Protection of this file is important for system security.</ration
<Rule id="userowner_gshadow_file"> <title>Verify User Who Owns <tt>gshadow</tt> File</title> -<description>The <tt>/etc/gshadow</tt> file should be group-owned by -root.</description> +<description><fileowner-desc-macro file="/etc/gshadow" owner="root"/></description> +<ocil><fileowner-check-macro file="/etc/gshadow" owner="root"/></ocil> <rationale>The <tt>/etc/gshadow</tt> file contains group password hashes. Protection of this file is critical for system security.</rationale> <ident cce="4210-1" /> @@ -102,8 +102,8 @@ is critical for system security.</rationale>
<Rule id="groupowner_gshadow_file"> <title>Verify Group Who Owns <tt>gshadow</tt> File</title> -<description>The <tt>/etc/gshadow</tt> file should be group-owned by -root.</description> +<description><filegroupowner-desc-macro file="/etc/gshadow" group="root"/></description> +<ocil><filegroupowner-check-macro file="/etc/gshadow" group="root"/></ocil> <rationale>The <tt>/etc/gshadow</tt> file contains group password hashes. Protection of this file is critical for system security.</rationale> <ident cce="4064-2" /> @@ -113,8 +113,8 @@ is critical for system security.</rationale>
<Rule id="perms_gshadow_file"> <title>Verify Permissions on <tt>gshadow</tt> File</title> -<description>File permissions for <tt>/etc/gshadow</tt> should be set -correctly.</description> +<description><fileperms-desc-macro file="/etc/gshadow" perms="0000"/></description> +<ocil><fileperms-check-macro file="/etc/gshadow" perms="----------"/></ocil> <rationale>The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.</rationale> <ident cce="3932-1" /> @@ -124,6 +124,8 @@ is critical for system security.</rationale>
<Rule id="userowner_passwd_file"> <title>Verify User Who Owns <tt>passwd</tt> File</title> +<description><fileowner-desc-macro file="/etc/passwd" owner="root"/></description> +<ocil><fileowner-check-macro file="/etc/passwd" owner="root"/></ocil> <description>The <tt>/etc/passwd</tt> file should be owned by root.</description> <rationale>The <tt>/etc/passwd</tt> contains information about the users that are configured on @@ -135,8 +137,8 @@ the system. Protection of this file is critical for system security.</rationale>
<Rule id="groupowner_passwd_file"> <title>Verify Group Who Owns <tt>passwd</tt> File</title> -<description>The <tt>/etc/passwd</tt> file should be group-owned by -root.</description> +<description><filegroupowner-desc-macro file="/etc/passwd" group="root"/></description> +<ocil><filegroupowner-check-macro file="/etc/passwd" group="root"/></ocil> <rationale>The <tt>/etc/passwd</tt> file contains information about the users that are configured on the system. Protection of this file is critical for system security.</rationale> <ident cce="3495-9" /> @@ -146,8 +148,8 @@ the system. Protection of this file is critical for system security.</rationale>
<Rule id="file_permissions_etc_passwd"> <title>Verify Permissions on <tt>passwd</tt> File</title> -<description>File permissions for <tt>/etc/passwd</tt> should be set -to 0644 or less permissive.</description> +<description><fileperms-desc-macro file="/etc/passwd" perms="0644"/></description> +<ocil><fileperms-check-macro file="/etc/passwd" perms="-rw-r--r--"/></ocil> <rationale>If the <tt>/etc/passwd</tt> file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of acounts on the system and associated information, and protection of this file @@ -184,6 +186,11 @@ Kernel modules, which can be added to the kernel during runtime, are stored in <tt>/lib/modules</tt>. All files in these directories should not be group-writable or world-writable. </description> +<ocil> +To find shared libraries that are group-writable or world-writable, +run the following command for each directory <i>DIR</i> which contains shared libraries: +<pre>$ find <i>DIR</i> -perm /022</pre> +</ocil> <rationale>Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system. @@ -204,6 +211,11 @@ Kernel modules, which can be added to the kernel during runtime, are also stored in <tt>/lib/modules</tt>. All files in these directories should be owned by the <tt>root</tt> user. </description> +<ocil> +To find shared libraries that are not owned by <tt>root</tt>, +run the following command for each directory <i>DIR</i> which contains shared libraries: +<pre>$ find <i>DIR</i> ! -user root</pre> +</ocil> <rationale>Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system. 
@@ -223,6 +235,11 @@ System executables are stored in the following directories by default: /usr/local/sbin</pre> All files in these directories should not be group-writable or world-writable. </description> +<ocil> +To find system executables that are group-writable or world-writable, +run the following command for each directory <i>DIR</i> which contains system executables: +<pre>$ find <i>DIR</i> -perm /022</pre> +</ocil> <rationale>System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted. @@ -241,6 +258,11 @@ System executables are stored in the following directories by default: /usr/local/sbin</pre> All files in these directories should be owned by the <tt>root</tt> user. </description> +<ocil> +To find system executables that are not owned by <tt>root</tt>, +run the following command for each directory <i>DIR</i> which contains system executables: +<pre>$ find <i>DIR</i> ! -user root</pre> +</ocil> <rationale>System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted. @@ -261,7 +283,16 @@ there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly -changing modes.</description> +changing modes. +<br/> +To set the sticky bit on a world-writable directory <i>DIR</i>, run the +following command: +<pre># chmod +t <i>DIR</i></pre> +</description> +<ocil> +To find world-writable directories that lack the sticky bit, run the following command: +<pre># find / -type d -perm -002 ! -perm -1000</pre> +</ocil> <ident cce="3399-3" /> <oval id="dir_perms_world_writable_sticky_bits" /> <ref nist="CM-6"/> 
@@ -281,6 +312,10 @@ documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account.</description> +<ocil> +To find world-writable files, run the following command: +<pre># find / -type f -perm -002</pre> +</ocil> <ident cce="3795-2" /> <ref nist="CM-6"/> </Rule> @@ -293,6 +328,10 @@ unauthorized SGID files is determine if any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SGID files. </description> +<ocil> +To find world-writable files, run the following command: +<pre># find / -type f -perm -002</pre> +</ocil> <rationale>Executable files with the SGID permission run with the privileges of the owner of the file. SGID files of uncertain provenance could allow for unprivileged users to elevate privileges. The presence of these files should be @@ -310,6 +349,10 @@ unauthorized SGID files is determine if any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SUID files. </description> +<ocil> +To find world-writable files, run the following command: +<pre># find / -type f -perm -002</pre> +</ocil> <rationale>Executable files with the SUID permission run with the privileges of the owner of the file. SUID files of uncertain provenance could allow for unprivileged users to elevate privileges. The presence of these files should be @@ -322,16 +365,20 @@ strictly controlled on the system.</rationale>
<Rule id="no_files_unowned_by_user"> <title>Ensure All Files Are Owned by a User</title> -<description>The following command will discover and print any -files on local partitions which do not belong to a valid user and a -valid group. Run it once for each local partition PART: -<pre># find PART -xdev ( -nouser -o -nogroup ) -print</pre> -If this command prints any results, investigate each reported file and -either assign it to an appropriate user and group or remove it. +<description>If any files are not owned by a user, then the +cause of their lack of ownership should be investigated. +Following this, the files should be deleted or assigned to an +appropriate user. </description> +<ocil> +The following command will discover and print any +files on local partitions which do not belong to a valid user. +Run it once for each local partition <i>PART</i>: +<pre># find <i>PART</i> -xdev -nouser -print</pre> +</ocil> <rationale> Unowned files do not directly imply a security problem, but they are generally -a sign that something is wrong with some system process. They may +a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so that they @@ -345,16 +392,20 @@ and the cause should be discovered and addressed.
<Rule id="no_files_unowned_by_group"> <title>Ensure All Files Are Owned by a Group</title> -<description>The following command will discover and print any -files on local partitions which do not belong to a valid user and a -valid group. Run it once for each local partition PART: -<pre># find PART -xdev ( -nouser -o -nogroup ) -print</pre> -If this command prints any results, investigate each reported file and -either assign it to an appropriate user and group or remove it. +<description>If any files are not owned by a group, then the +cause of their lack of group-ownership should be investigated. +Following this, the files should be deleted or assigned to an +appropriate group. </description> +<ocil> +The following command will discover and print any +files on local partitions which do not belong to a valid group. +Run it once for each local partition <i>PART</i>: +<pre># find <i>PART</i> -xdev -nogroup -print</pre> +</ocil> <rationale> Unowned files do not directly imply a security problem, but they are generally -a sign that something is wrong with some system process. They may +a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so that they @@ -368,15 +419,19 @@ and the cause should be discovered and addressed.
<Rule id="world_writable_files_system_ownership"> <title>Ensure All World-Writable Directories Are Owned by a System Account</title> -<description>Locate any directories in local partitions which are -world-writable and ensure that they are owned by root or another -system account. The following command will discover and print these -(assuming only system accounts have a uid lower than 500). Run it -once for each local partition PART: -<pre># find PART -xdev -type d -perm -0002 -uid +500 -print</pre> -If this command produces any output, investigate why the -current owner is not root or another system account. +<description>All directories in local partitions which are +world-writable should be owned by root or another +system account. If any world-writable directories are not +owned by a system account, this should be investigated. +Following this, the files should be deleted or assigned to an +appropriate group. </description> +<ocil> +The following command will discover and print world-writable directories that +are not owned by a system account, given the assumption that only system +accounts have a uid lower than 500. Run it once for each local partition <i>PART</i>: +<pre># find <i>PART</i> -xdev -type d -perm -0002 -uid +500 -print</pre> +</ocil> <rationale> Allowing a user account to own a world-writeable directory is undesirable because it allows the owner of that directory to remove diff --git a/RHEL6/input/system/selinux.xml b/RHEL6/input/system/selinux.xml index 1565d5f..3d68315 100644 --- a/RHEL6/input/system/selinux.xml +++ b/RHEL6/input/system/selinux.xml @@ -84,18 +84,15 @@ and to protect the boot process.
<Rule id="enable_selinux_bootloader"> <title>Ensure SELinux Not Disabled in /etc/grub.conf</title> -<description>SELinux can be disabled at boot time by an argument -in <tt>/etc/grub.conf</tt>. -To ensure that SELinux is not disabled at boot time, ensure that <tt>selinux=0</tt> is not -found in the kernel arguments in that file. +<description>SELinux can be disabled at boot time by an argument in +<tt>/etc/grub.conf</tt>. +Remove any instances of <tt>selinux=0</tt> from the kernel arguments in that +file to prevent SELinux from being being disabled at boot. </description> <ocil> -Run the following command to determine if SELinux has been -disabled at boot time: -<pre># grep selinux=0 /etc/grub.conf</pre> -If it doesn't reurn a value, then it hasn't been disabled. ex: -<pre># grep selinux=0 /etc/grub.conf</pre> -<pre># <---Flashing cursor</pre> +Inspect <tt>/etc/grub.conf</tt> for any instances of <tt>selinux=0</tt> +in the kernel boot arguments. Presences of <tt>selinux=0</tt> indicates +that SELinux is disabled at boot time. </ocil> <rationale> Disabling a major host protection feature such as SELinux at boot time prevents @@ -109,13 +106,15 @@ the chances that it remain off during system operation.
<Rule id="set_selinux_state"> <title>Ensure SELinux State is Enforcing</title> -<description>The SELinux state should be set to <tt>enforcing</tt> during -normal system operation.</description> -<ocil>To ensure the system is configured to boot into enforcing mode, add -or correct the following line in: <tt>/etc/selinux/config</tt> by ensuring the -following text is present: <tt>SELINUX=enforcing</tt> -<pre># grep "SELINUX=enforcing" /etc/selinux/config</pre> -If needed add the text to the file, and save it.</ocil> +<description>The SELinux state should be set to <tt>enforcing</tt> at +system boot time. In the file <tt>/etc/selinux/config</tt>, add or correct the +line <tt>SELINUX=enforcing</tt> to configure the system to boot into enforcing +mode. +</description> +<ocil> +Check the file <tt>/etc/selinux/config</tt> and ensure the following line appears: +<pre>SELINUX=enforcing</pre> +</ocil> <rationale> Setting the SELinux state to enforcing ensures that SELinux is able to confine potentially compromised processes to the security policy, which is designed to 
@@ -135,13 +134,13 @@ To configure the system to use this policy, add or correct the following line in <tt>/etc/selinux/config</tt>: <pre>SELINUXTYPE=targeted</pre> Other policies, such as <tt>mls</tt>, provide additional security labeling -and greater confinement. +and greater confinement but are not compatible with many general-purpose +use cases. </description> -<ocil>To ensure the system is configured to boot into targeted mode, add -or correct the following line in: <tt>/etc/selinux/config</tt> by ensuring the -following text is present: <tt>SELINUX=targeted</tt> -<pre># grep "SELINUX=targeted" /etc/selinux/config</pre> -If needed add the text to the file, and save it.</ocil> +<ocil> +Check the file <tt>/etc/selinux/config</tt> and ensure the following line appears: +<pre>SELINUXTYPE=targeted</pre> +</ocil> <rationale> Setting the SELinux policy to <tt>targeted</tt> or a more specialized policy ensures that the system will confine processes that are likely to be
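Review bot: the new <ocil> for no_files_unowned_by_user (hunk at @@ -326 in permissions/files.xml) no longer says what output means; the removed description ended with "If this command prints any results, investigate each reported file and either assign it to an appropriate user and group or remove it." The check text should close with an equivalent pass/fail sentence, e.g. "If this command produces any output, the listed files are not owned by a valid user."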
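Review bot: same omission in the no_files_unowned_by_group hunk (@@ -345): the <ocil> gives the find command but never states that any output is a finding. The rationale also still opens with "Unowned files", which was written for the user-ownership rule; "Files without a valid group" would read correctly here.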
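Review bot: in world_writable_files_system_ownership (@@ -368) the added sentence "Following this, the files should be deleted or assigned to an appropriate group." is carried over from the group-ownership rule; this rule is about directories owned by a system account, so it should say the directories are to be removed or assigned to root or another system account. Separately, `-uid +500` matches uids greater than 500, so uid 500 itself is never reported even though the stated assumption is that system accounts have a uid "lower than 500"; `-uid +499` matches the assumption as written.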
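Review bot: typos in the added lines of enable_selinux_bootloader (selinux.xml @@ -84): "being being disabled" and "Presences of". The rewritten <ocil> also drops the only command in the check; since the other checks in this series give one, keep `# grep selinux=0 /etc/grub.conf` followed by "If any line is returned, SELinux is disabled at boot time."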
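Review bot: the <ocil> for set_selinux_state (@@ -109) says only "ensure the following line appears", which a commented-out `#SELINUX=enforcing` would satisfy; say the line must be present and uncommented.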
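Review bot: the description change in the targeted-policy hunk (@@ -135) adds "but are not compatible with many general-purpose use cases", a strong claim with nothing in the text to support it; either give the basis or soften it to something like "but require additional configuration and are not appropriate for all systems". The <ocil> correction from `SELINUX=targeted` to `SELINUXTYPE=targeted` is right; as with set_selinux_state, add that the line must be uncommented.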
On 9/24/12 9:45 AM, Jeffrey Blank wrote:
Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil
RHEL6/input/system/accounts/physical.xml | 25 ++- .../accounts/restrictions/password_storage.xml | 40 +++-- .../system/accounts/restrictions/root_logins.xml | 10 +- RHEL6/input/system/auditing.xml | 204 +++++++++++++++++--- RHEL6/input/system/logging.xml | 13 +- RHEL6/input/system/network/ipsec.xml | 8 +- RHEL6/input/system/network/iptables.xml | 5 + RHEL6/input/system/network/ipv6.xml | 12 ++ RHEL6/input/system/network/kernel.xml | 45 +++++ RHEL6/input/system/network/uncommon.xml | 32 ++-- RHEL6/input/system/network/wireless.xml | 4 + RHEL6/input/system/permissions/execution.xml | 6 +- RHEL6/input/system/permissions/files.xml | 145 ++++++++++----- RHEL6/input/system/selinux.xml | 45 ++--- 14 files changed, 453 insertions(+), 141 deletions(-)
diff --git a/RHEL6/input/system/accounts/physical.xml b/RHEL6/input/system/accounts/physical.xml index 26b697c..568fc59 100644 --- a/RHEL6/input/system/accounts/physical.xml +++ b/RHEL6/input/system/accounts/physical.xml @@ -29,8 +29,12 @@ If any correction is needed for the permissions on <tt>/etc/grub.conf</tt>, (whi
<Rule id="user_owner_grub_conf"> <title>Verify /boot/grub/grub.conf User Ownership</title> -<description>The file <tt>/etc/grub.conf</tt> is a symbolic link to <tt>/boot/grub/grub.conf</tt> which -should be owned by the <tt>root</tt> user to prevent destruction or modification of the file.</description> +<description>The file <tt>/etc/grub.conf</tt> is a symbolic link to +<tt>/boot/grub/grub.conf</tt> which should be owned by the <tt>root</tt> user +to prevent destruction or modification of the file. +<fileowner-desc-macro file="/boot/grub/grub.conf" owner="root"/> +</description> +<ocil><fileowner-check-macro file="/boot/grub/grub.conf" owner="root"/></ocil> <rationale> Only root should be able to modify important boot parameters. </rationale> @@ -41,8 +45,12 @@ Only root should be able to modify important boot parameters.
<Rule id="group_owner_grub_conf"> <title>Verify /boot/grub/grub.conf Group Ownership</title> -<description>The file <tt>/etc/grub.conf</tt> is a symbolic link to <tt>/boot/grub/grub.conf</tt> which -should be group-owned by the <tt>root</tt> group to prevent destruction or modification of the file.</description> +<description>The file <tt>/etc/grub.conf</tt> is a symbolic link to +<tt>/boot/grub/grub.conf</tt> which should be group-owned by the <tt>root</tt> +group to prevent destruction or modification of the file. +<filegroupowner-desc-macro file="/boot/grub/grub.conf" owner="root"/> +</description> +<ocil><filegroupowner-check-macro file="/boot/grub/grub.conf" owner="root"/></ocil> <rationale> The <tt>root</tt> group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway. @@ -55,10 +63,13 @@ file should not have any access privileges anyway. <Rule id="permissions_grub_conf"> <title>Verify /boot/grub/grub.conf Permissions</title> <description>File permissions for <tt>/boot/grub/grub.conf</tt> should be set to 600, which -is the default.</description> +is the default. +<fileperms-desc-macro file="/boot/grub/grub.conf" owner="600"/> +</description> +<ocil><fileperms-check-macro file="/boot/grub/grub.conf" owner="-rw-------"/></ocil> <rationale> -This ensures that only the root user should be able to modify important boot parameters contained in -this file. +Proper permissions ensure that only the root user can modify important boot +parameters. </rationale> <ident cce="3923-0" /> <oval id="file_permissions_grub_conf" /> diff --git a/RHEL6/input/system/accounts/restrictions/password_storage.xml b/RHEL6/input/system/accounts/restrictions/password_storage.xml index 29572f2..b030ad4 100644 --- a/RHEL6/input/system/accounts/restrictions/password_storage.xml +++ b/RHEL6/input/system/accounts/restrictions/password_storage.xml 
@@ -20,15 +20,16 @@ should allow administrators to avoid such misconfiguration. <title>Prevent Log In to Accounts With Empty Password</title> <description>If an account is configured for password authentication but does not have an assigned password, it may be possible to log -into the account without authentication. Ensuring that the <tt>nullok</tt> -option is <b>NOT</b> used in the <tt>/etc/pam.d/system-auth-ac</tt> -prevents logins with empty passwords. -<br /><br /> -To verify manually, the following command can be used: -<pre># grep nullok /etc/pam.d/system-auth /etc/pam.d/system-auth-ac</pre> -If this produces any output, fix the problem by removing any instance -of <tt>nullok</tt> in <tt>/etc/pam.d/system-auth-ac</tt>. +into the account without authentication. Remove any instances of the <tt>nullok</tt> +option in <tt>/etc/pam.d/system-auth-ac</tt> to +prevent logins with empty passwords. </description> +<ocil> +To verify that null passwords cannot be used, run the following command: +<pre># grep nullok /etc/pam.d/system-auth /etc/pam.d/system-auth-ac</pre> +If this produces any output, it may be possible to log into accounts +with empty passwords. +</ocil> <rationale> If an account has an empty password, anybody may log in and run commands with the privileges of that account. Accounts with @@ -42,10 +43,19 @@ environments.
<Rule id="no_hashes_outside_shadow"> <title>Verify All Account Password Hashes are Shadowed</title> -<description>To ensure that no password hashes are stored in -<tt>/etc/passwd</tt>, the following command should have no output: -<pre># awk -F: '($2 != "x") {print}' /etc/passwd</pre> +<description> +If any password hashes are stored in <tt>/etc/passwd</tt> (in the second field, +instead of an <tt>x</tt>), the cause of this misconfiguration should be +investigated. The account should have its password reset and the hash should be +properly stored, or the account should be deleted entirely. </description> +<ocil> +To check that no password hashes are stored in +<tt>/etc/passwd</tt>, run the following command: +<pre># awk -F: '($2 != "x") {print}' /etc/passwd</pre> +If it produces any output, then a password hash is +stored in <tt>/etc/passwd</tt>. +</ocil> <rationale> The hashes for all user account passwords should be stored in the file <tt>/etc/shadow</tt> and never in <tt>/etc/passwd</tt>, @@ -62,12 +72,14 @@ which is readable by all users. used to auto-login into FTP servers and reside in the user's home directory. These files may contain unencrypted passwords to remote FTP servers making them susceptible to access by unauthorized -users and should not be used. -<br /><br /> +users and should not be used. Any <tt>.netrc</tt> files should be removed. +</description> +<ocil> To check the system for the existence of any <tt>.netrc</tt> files, run the following command: <pre># find / -name .netrc</pre> -</description> +<!-- needs fixup to limit search to home dirs --> +</ocil> <rationale> Unencrypted passwords for remote FTP servers may be stored in <tt>.netrc</tt> files. DoD policy requires passwords be encrypted in storage and not used diff --git a/RHEL6/input/system/accounts/restrictions/root_logins.xml b/RHEL6/input/system/accounts/restrictions/root_logins.xml index 0ee4e8b..f08b702 100644 --- a/RHEL6/input/system/accounts/restrictions/root_logins.xml 
+++ b/RHEL6/input/system/accounts/restrictions/root_logins.xml @@ -134,12 +134,16 @@ become inaccessible. <Rule id="no_uidzero_except_root"> <title>Verify Only Root Has UID 0</title> <description> -This command will print all password file entries for +If any account other than root has a UID of 0, +this misconfiguration should be investigated and the +accounts other than root should be removed or have their UID changed. +</description> +<ocil> +To list all password file entries for accounts with UID 0: <pre># awk -F: '($3 == "0") {print}' /etc/passwd</pre> This should print only one line, for the user root. -<br /><br /> -</description> +</ocil> <rationale> An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to diff --git a/RHEL6/input/system/auditing.xml b/RHEL6/input/system/auditing.xml index 1649cfc..5cdb2ff 100644 --- a/RHEL6/input/system/auditing.xml +++ b/RHEL6/input/system/auditing.xml @@ -87,6 +87,7 @@ the Linux Auditing System, as it is responsible for writing audit records to disk. <service-enable-macro service="auditd" /> </description> +<ocil><service-enable-check-macro service="auditd" /></ocil> <rationale>Ensuring that the <tt>auditd</tt> service is active ensures that audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist. 
@@ -103,6 +104,10 @@ those which start prior to the audit daemon, add the argument <tt>audit=1</tt> to the kernel line in <tt>/etc/grub.conf</tt>, in the manner below: <pre>kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1</pre> </description> +<ocil> +Inspect the kernel boot arguments (which follow the word <tt>kernel</tt>) in +<tt>/etc/grub.conf</tt> to ensure that they include <tt>audit=1</tt>. +</ocil> <rationale> Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although <tt>auditd</tt> @@ -226,10 +231,15 @@ normally.</i> <description>Determine how many log files <tt>auditd</tt> should retain when it rotates logs. Edit the file <tt>/etc/audit/auditd.conf</tt>. Add or modify the following -line, substituting <i>NUMLOGS</i> with an appropriate value: +line, substituting <i>NUMLOGS</i> with the correct value: <pre>num_logs = <i>NUMLOGS</i></pre> -The default value of 5 is recommended for general-purpose systems. Note that -values less than 2 result in no log rotation.</description> +Set the value to 5 for general-purpose systems. +Note that values less than 2 result in no log rotation.</description> +<ocil> +Inspect <tt>/etc/audit/auditd.conf</tt> and locate the following line to +determine how many logs the system is configured to retain after rotation: +<pre>num_logs = 5</pre> +</ocil> <rationale>The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maxium log file size and the number of logs retained.</rationale> 
@@ -242,11 +252,16 @@ file size and the number of logs retained.</rationale> <description>Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file <tt>/etc/audit/auditd.conf</tt>. Add or modify the following line, substituting -<i>STOREMB</i> with an appropriate value: +the correct value for <i>STOREMB</i>: <pre>max_log_file = <i>STOREMB</i></pre> -The default value of 6 (MB) or even higher is recommended for general-purpose systems. +Set the value to <tt>6</tt> (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data.</description> +<ocil> +Inspect <tt>/etc/audit/auditd.conf</tt> and locate the following line to +determine how much data the system will retain in each audit log file: +<pre>max_log_file = 6</pre> +</ocil> <rationale>The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maxium log file size and the number of logs retained.</rationale> 
@@ -260,13 +275,23 @@ log file size and the number of logs retained.</rationale> is to rotate the log files, discarding the oldest one. To configure the action taken by <tt>auditd</tt>, add or correct the line: <pre>max_log_file_action = <i>ACTION</i></pre> -Valid values for <i>ACTION</i> are described in the <tt>auditd.conf</tt> man page, and include -<tt>ignore</tt>, <tt>syslog</tt>, <tt>suspend</tt>, <tt>rotate</tt>, -and <tt>keep_logs</tt>. -<br/><br/> -The default (case-insensitive) setting, -<tt>rotate</tt>, is recommended for most environments. +Possible values for <i>ACTION</i> are described in the <tt>auditd.conf</tt> man +page. These include: +<ul> +<li><tt>ignore</tt></li> +<li><tt>syslog</tt></li> +<li><tt>suspend</tt></li> +<li><tt>rotate</tt></li> +<li><tt>keep_logs</tt></li> +</ul> +Set the <tt><i>ACTION</i></tt> to <tt>rotate</tt> to ensure log rotation +occurs. This is the default. The setting is case-insensitive. </description> +<ocil> +Inspect <tt>/etc/audit/auditd.conf</tt> and locate the following line to +determine if the system is configured to rotate logs when they reach their +maximum size: <pre>max_log_file_action <tt>rotate</tt></pre> +</ocil> <rationale>Automatically rotating logs (by setting this to <tt>rotate</tt>) minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard 
@@ -293,16 +318,29 @@ installation time. The partition should be larger than the maximum space which <title>Configure auditd space_left Action on Low Disk Space</title> <description>The <tt>auditd</tt> service can be configured to take an action when disk space <i>starts</i> to run low. -Edit the file <tt>/etc/audit/auditd.conf</tt>. Add or modify the following line, +Edit the file <tt>/etc/audit/auditd.conf</tt>. Modify the following line, substituting <i>ACTION</i> appropriately: <pre>space_left_action = <i>ACTION</i></pre> -Valid values for <i>ACTION</i> are described in the <tt>auditd.conf</tt> man page, and include -<tt>ignore</tt>, <tt>syslog</tt>, <tt>email</tt>, <tt>exec</tt>, -<tt>suspend</tt>, <tt>single</tt> and <tt>halt</tt>. -<br/><br/> -Setting this to <tt>email</tt> is recommended over the default -(<tt>suspend</tt>) as it may be more likely to get prompt attention. +Possible values for <i>ACTION</i> are described in the <tt>auditd.conf</tt> man page. +These include: +<ul> +<li><tt>ignore</tt></li> +<li><tt>syslog</tt></li> +<li><tt>email</tt></li> +<li><tt>exec</tt></li> +<li><tt>suspend</tt></li> +<li><tt>single</tt></li> +<li><tt>halt</tt></li> +</ul> +Set this to <tt>email</tt> (instead of the default, +which is <tt>suspend</tt>) as it is more likely to get prompt attention. </description> +<ocil> +Inspect <tt>/etc/audit/auditd.conf</tt> and locate the following line to +determine if the system is configured to email the administrator when +disk space is starting to run low: +<pre>space_left_action email</pre> +</ocil> <rationale>Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.</rationale> <oval id="auditd_data_retention_space_left_action" value="var_auditd_space_left_action"/> 
@@ -317,14 +355,28 @@ when disk space is running low but prior to running out of space completely. Edit the file <tt>/etc/audit/auditd.conf</tt>. Add or modify the following line, substituting <i>ACTION</i> appropriately: <pre>admin_space_left_action = <i>ACTION</i></pre> -Valid values for <i>ACTION</i> include are described in the <tt>auditd.conf</tt> man page, and include -<tt>ignore</tt>, <tt>syslog</tt>, <tt>email</tt>, <tt>exec</tt>, -<tt>suspend</tt>, <tt>single</tt> and <tt>halt</tt>. The default setting is -<tt>suspend</tt>, which may not be noticed by some administrators. -<br/><br/> -Setting this value to <tt>single</tt> will cause the system to switch to -single user mode for corrective action, and is recommended. +Possible values for <i>ACTION</i> are described in the <tt>auditd.conf</tt> man page. +These include: +<ul> +<li><tt>ignore</tt></li> +<li><tt>syslog</tt></li> +<li><tt>email</tt></li> +<li><tt>exec</tt></li> +<li><tt>suspend</tt></li> +<li><tt>single</tt></li> +<li><tt>halt</tt></li> +</ul> +Set this value to <tt>single</tt> to cause the system to switch to single user +mode for corrective action. For certain systems, the need for availability +outweighs the need to log all actions, and a different setting should be +determined. </description> +<ocil> +Inspect <tt>/etc/audit/auditd.conf</tt> and locate the following line to +determine if the system is configured to switch to single user mode +when disk space has run low: +<pre>admin_space_left_action single</pre> +</ocil> <rationale>Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur. 
@@ -342,6 +394,12 @@ in <tt>/etc/audit/auditd.conf</tt> to ensure that administrators are notified via email for those situations: <pre>action_mail_acct = root</pre> </description> +<ocil> +Inspect <tt>/etc/audit/auditd.conf</tt> and locate the following line to +determine if the system is configured to send email to an +account when it needs to notify an administrator: +<pre>action_mail_acct = root</pre> +</ocil> <rationale>Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.</rationale> <oval id="auditd_data_retention_action_mail_acct" value="var_auditd_action_mail_acct" /> @@ -412,6 +470,9 @@ desired, but is not required. See an example of multiple combined syscalls: <pre>-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules</pre> </description> +<ocil> +<audit-syscall-check-macro syscall="fchmod" /> +</ocil> <rationale>Arbitrary changes to the system time can be used to obfuscate nefarious activites in log files as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes @@ -437,6 +498,9 @@ desired, but is not required. See an example of multiple combined syscalls: <pre>-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules</pre> </description> +<ocil> +<audit-syscall-check-macro syscall="fchmod" /> +</ocil> <rationale>Arbitrary changes to the system time can be used to obfuscate nefarious activites in log files as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes 
@@ -460,6 +524,9 @@ See an example of multiple combined syscalls: <pre>-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules</pre> </description> +<ocil> +<audit-syscall-check-macro syscall="fchmod" /> +</ocil> <rationale>Arbitrary changes to the system time can be used to obfuscate nefarious activites in log files as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes @@ -485,6 +552,9 @@ desired, but is not required. See an example of multiple combined syscalls: <pre>-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules</pre> </description> +<ocil> +<audit-syscall-check-macro syscall="fchmod" /> +</ocil> <rationale>Arbitrary changes to the system time can be used to obfuscate nefarious activites in log files as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes @@ -503,6 +573,13 @@ The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used. </description> +<ocil> +To determine if the system is configured to audit attempts to +alter time via the /etc/localtime file, run the following +command: +<pre># auditctl -l | grep "watch=/etc/localtime"</pre> +If the system is configured to audit this activity, it will return a line. +</ocil> <rationale>Arbitrary changes to the system time can be used to obfuscate nefarious activites in log files as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes 
@@ -525,9 +602,16 @@ to capture events that modify account changes: -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes</pre> </description> +<ocil> +To determine if the system is configured to audit account changes, +run the following command: +<pre>auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)'</pre> +If the system is configured to watch for account changes, lines should be returned for +each file specified (and with <tt>perm=wa</tt> for each). +</ocil> <rationale>In addition to auditing new user and group accounts, these watches -will alert the system administrator(s) to any modifications. It is recommended -that any unexpected users, groups, or modifications be investigated for +will alert the system administrator(s) to any modifications. Any +unexpected users, groups, or modifications should be investigated for legitimacy.</rationale> <ident cce="14829-6" /> <oval id="audit_rules_usergroup_modification" /> @@ -545,6 +629,13 @@ ARCH to either b32 or b64 as appropriate for your system: -w /etc/hosts -p wa -k audit_network_modifications -w /etc/sysconfig/network -p wa -k audit_network_modifications</pre> </description> +<ocil> +To determine if the system is configured to audit changes to its network configuration, +run the following command: +<pre>auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)'</pre> +If the system is configured to watch for account changes, a line should be returned for +each file specified (and <tt>perm=wa</tt> should be indicated for each). +</ocil> <rationale>The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.</rationale> 
@@ -560,7 +651,14 @@ Controls</title> <description>Add the following to <tt>/etc/audit/audit.rules</tt>: <pre>-w /etc/selinux/ -p wa -k MAC-policy</pre> </description> -<!-- TODO add info for selinux system calls which load new policy? --> +<ocil> +To determine if the system is configured to audit changes to its SELinux +configuration files, run the following command: +<pre># auditctl -l | grep "dir=selinux"</pre> +If the system is configured to watch for changes to its SELinux +configuration, a line should be returned (including +<tt>perm=wa</tt> indicating permissions that are watched). +</ocil> <rationale>The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.</rationale> @@ -618,6 +716,9 @@ If the system is 64 bit then also add the following: gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and unauthorized users.</rationale> +<ocil> +<audit-syscall-check-macro syscall="fchmod" /> +</ocil> <warning category="general">Note that these rules can be configured in a number of ways while still acheiving the desired effect. Here the system calls have been placed independant of other system calls. Grouping these system @@ -640,6 +741,9 @@ If the system is 64 bit then also add the following: <pre>-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 \ -k perm_mod</pre> </description> +<ocil> +<audit-syscall-check-macro syscall="fchmod" /> +</ocil> <rationale>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and 
@@ -666,6 +770,9 @@ If the system is 64 bit then also add the following: <pre>-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod</pre> </description> +<ocil> +<audit-syscall-check-macro syscall="fchmod" /> +</ocil> <rationale>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and @@ -692,6 +799,9 @@ If the system is 64 bit then also add the following: <pre>-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 \ -k perm_mod</pre> </description> +<ocil> +<audit-syscall-check-macro syscall="fchmodat" /> +</ocil> <rationale>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and @@ -718,6 +828,9 @@ If the system is 64 bit then also add the following: <pre>-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod</pre> </description> +<ocil> +<audit-syscall-check-macro syscall="fchown" /> +</ocil> <rationale>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and 
@@ -744,6 +857,9 @@ If the system is 64 bit then also add the following: <pre>-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 \ -k perm_mod</pre> </description> +<ocil> +<audit-syscall-check-macro syscall="fchownat" /> +</ocil> <rationale>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and @@ -770,6 +886,9 @@ If the system is 64 bit then also add the following: <pre>-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod</pre> </description> +<ocil> +<audit-syscall-check-macro syscall="fremovexattr" /> +</ocil> <rationale>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and @@ -796,6 +915,9 @@ If the system is 64 bit then also add the following: <pre>-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod</pre> </description> +<ocil> +<audit-syscall-check-macro syscall="fsetxattr" /> +</ocil> <rationale>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and 
@@ -822,6 +944,9 @@ If the system is 64 bit then also add the following: <pre>-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod</pre> </description> +<ocil> +<audit-syscall-check-macro syscall="fchmod" /> +</ocil> <rationale>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and @@ -848,6 +973,9 @@ If the system is 64 bit then also add the following: <pre>-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod</pre> </description> +<ocil> +<audit-syscall-check-macro syscall="lremovexattr" /> +</ocil> <rationale>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and @@ -874,6 +1002,9 @@ If the system is 64 bit then also add the following: <pre>-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod</pre> </description> +<ocil> +<audit-syscall-check-macro syscall="lsetxattr" /> +</ocil> <rationale>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and 
@@ -900,6 +1031,9 @@ If the system is 64 bit then also add the following: <pre>-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod</pre> </description> +<ocil> +<audit-syscall-check-macro syscall="removexattr" /> +</ocil> <rationale>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and @@ -926,6 +1060,9 @@ If the system is 64 bit then also add the following: <pre>-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod</pre> </description> +<ocil> +<audit-syscall-check-macro syscall="setxattr" /> +</ocil> <rationale>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and @@ -985,6 +1122,7 @@ appropriate for your system: -a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access</pre> </description> + <rationale>Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.</rationale> <ident cce="14917-9" /> 
@@ -1039,6 +1177,12 @@ appropriate for your system: <pre>-a always,exit -F arch=ARCH -S unlink -S unlinkat -S rename -S renameat \ -F auid>=500 -F auid!=4294967295 -k delete</pre> </description> +<ocil> +<audit-syscall-check-macro syscall="unlink" /> +<audit-syscall-check-macro syscall="unlinkat" /> +<audit-syscall-check-macro syscall="rename" /> +<audit-syscall-check-macro syscall="renameat" /> +</ocil> <rationale>Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting as well as detecting malicious processes that attempt to delete log files to conceal their presence.</rationale> @@ -1071,6 +1215,10 @@ to capture kernel module loading and unloading events: -w /sbin/modprobe -p x -k modules -a always,exit -S init_module -S delete_module -k modules</pre> </description> +<ocil> +<audit-syscall-check-macro syscall="init_module" /> +<audit-syscall-check-macro syscall="delete_module" /> +</ocil> <rationale>The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.</rationale> diff --git a/RHEL6/input/system/logging.xml b/RHEL6/input/system/logging.xml index ea30340..d24b421 100644 --- a/RHEL6/input/system/logging.xml +++ b/RHEL6/input/system/logging.xml 
@@ -20,12 +20,12 @@ monitor logs.</description> <Rule id="package_rsyslog_installed"> <title>Ensure rsyslog is Installed</title> <description> -Rsyslog is installed by default. Ensure that it is installed -by running: -<pre>$ rpm -q rsyslog</pre> -If it is not installed, install it by running: -<pre># yum install rsyslog</pre> +Rsyslog is installed by default. +<package-install-macro service="rsyslog" /> </description> +<ocil> +<package-check-macro package="rsyslog" /> +</ocil> <rationale> The rsyslog package provides the rsyslog daemon, which provides system logging services. @@ -41,6 +41,9 @@ system logging services. <description>The <tt>rsyslog</tt> service provides syslog-style logging by default on RHEL 6. <service-enable-macro service="rsyslog" /> </description> +<ocil> +<service-enable-check-macro service="rsyslog" /> +</ocil> <rationale>The <tt>rsyslog</tt> service must be running in order to provide logging services, which are essential to system administration. </rationale> diff --git a/RHEL6/input/system/network/ipsec.xml b/RHEL6/input/system/network/ipsec.xml index a9bc1a7..a738354 100644 --- a/RHEL6/input/system/network/ipsec.xml +++ b/RHEL6/input/system/network/ipsec.xml @@ -8,10 +8,12 @@ is provided in RHEL 6 with Openswan. <title>Install openswan Package</title> <description>The Openswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over -untrusted networks. The <tt>openswan</tt> package can be installed -with the following command: -<pre># yum install openswan</pre> +untrusted networks. +<package-install-macro package="openswan" /> </description> +<ocil> +<package-check-macro package="openswan" /> +</ocil> <rationale>Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network. diff --git a/RHEL6/input/system/network/iptables.xml b/RHEL6/input/system/network/iptables.xml index 31237b7..9aae35d 100644 
--- a/RHEL6/input/system/network/iptables.xml +++ b/RHEL6/input/system/network/iptables.xml @@ -71,6 +71,7 @@ IPv6 lacks reliable connection-tracking functionality.</description> <description> <service-enable-macro service="ip6tables" /> </description> +<ocil><service-enable-check-macro service="ip6tables" /></ocil> <rationale>The <tt>ip6tables</tt> service provides the system's host-based firewalling capability for IPv6 and ICMPv6. </rationale> @@ -84,6 +85,7 @@ capability for IPv6 and ICMPv6. <description> <service-enable-macro service="iptables" /> </description> +<ocil><service-enable-check-macro service="iptables" /></ocil> <rationale> The <tt>iptables</tt> service provides the system's host-based firewalling capability for IPv4 and ICMP. @@ -133,6 +135,9 @@ add or correct the following line in <tt>/etc/sysconfig/iptables</tt>: <pre>:INPUT DROP [0:0]</pre> </description> +<ocil>Inspect the file <tt>/etc/sysconfig/iptables</tt> to determine +the default policy for the INPUT chain. It should be set to DROP. +</ocil> <rationale>In <tt>iptables</tt> the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to <tt>DROP</tt> implements proper design for a firewall, i.e. diff --git a/RHEL6/input/system/network/ipv6.xml b/RHEL6/input/system/network/ipv6.xml index 7b43edd..b703e1d 100644 --- a/RHEL6/input/system/network/ipv6.xml +++ b/RHEL6/input/system/network/ipv6.xml 
@@ -22,6 +22,18 @@ instruct the IPv6 kernel module not to load it.</description> This permits the IPv6 module to be loaded (and thus satisfy other modules that depend on it), while disabling support for the IPv6 protocol. </description> +<ocil> +If the system is configured to prevent the loading of the +<tt>ipv6</tt> kernel module, it will contain a line +of the form +<pre>options ipv6 disable=1</pre> +inside any file in <tt>/etc/modprobe.d</tt> or the deprecated<tt>/etc/modprobe.conf</tt>. +This permits insertion of the IPv6 kernel module (which other parts of the system +expect to be present), but otherwise keeps it inactive. +Run the following command to search for such lines in all files in <tt>/etc/modprobe.d</tt> +and the deprecated <tt>/etc/modprobe.conf</tt>: +<pre xml:space="preserve">$ grep -r ipv6 /etc/modprobe.conf /etc/modprobe.d</pre> +</ocil> <rationale> Any networking stack, including IPv6, that does not need to be active should be disabled in order to reduce the system's vulnerability diff --git a/RHEL6/input/system/network/kernel.xml b/RHEL6/input/system/network/kernel.xml index 63bb1f5..5485fcd 100644 --- a/RHEL6/input/system/network/kernel.xml +++ b/RHEL6/input/system/network/kernel.xml @@ -16,6 +16,9 @@ of network traffic.</description> <description> <sysctl-desc-macro sysctl="net.ipv4.conf.default.send_redirects" value="0" /> </description> +<ocil> +<sysctl-check-macro sysctl="net.ipv4.conf.default.send_redirects" value="0" /> +</ocil> <rationale>Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for routers.</rationale> 
@@ -29,6 +32,9 @@ only appropriate for routers.</rationale> <description> <sysctl-desc-macro sysctl="net.ipv4.conf.all.send_redirects" value="0" /> </description> +<ocil> +<sysctl-check-macro sysctl="net.ipv4.conf.all.send_redirects" value="0" /> +</ocil> <rationale>Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for routers.</rationale> @@ -42,6 +48,9 @@ only appropriate for routers.</rationale> <description> <sysctl-desc-macro sysctl="net.ipv4.ip_forward" value="0" /> </description> +<ocil> +<sysctl-check-macro sysctl="net.ipv4.ip_forward" value="0" /> +</ocil> <rationale>IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for routers.</rationale> @@ -190,6 +199,9 @@ operator="equals" interactive="0"> <description> <sysctl-desc-macro sysctl="net.ipv4.conf.all.accept_source_route" value="0" /> </description> +<ocil> +<sysctl-check-macro sysctl="net.ipv4.conf.all.accept_source_route" value="0" /> +</ocil> <rationale>Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.</rationale> <ident cce="4236-6" /> @@ -202,6 +214,9 @@ uses. It should be disabled unless it is absolutely required.</rationale> <description> <sysctl-desc-macro sysctl="net.ipv4.conf.all.accept_redirects" value="0" /> </description> +<ocil> +<sysctl-check-macro sysctl="net.ipv4.conf.all.accept_redirects" value="0" /> +</ocil> <rationale>Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required.</rationale> <ident cce="4217-6" /> 
@@ -215,6 +230,9 @@ uses. It should be disabled unless it is absolutely required.</rationale> <description> <sysctl-desc-macro sysctl="net.ipv4.conf.all.secure_redirects" value="0" /> </description> +<ocil> +<sysctl-check-macro sysctl="net.ipv4.conf.all.secure_redirects" value="0" /> +</ocil> <rationale>Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.</rationale> @@ -228,6 +246,9 @@ absolutely required.</rationale> <description> <sysctl-desc-macro sysctl="net.ipv4.conf.all.log_martians" value="1" /> </description> +<ocil> +<sysctl-check-macro sysctl="net.ipv4.conf.all.log_martians" value="1" /> +</ocil> <rationale>The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity @@ -243,6 +264,9 @@ to be detected.</rationale> <description> <sysctl-desc-macro sysctl="net.ipv4.conf.default.accept_source_route" value="0" /> </description> +<ocil> +<sysctl-check-macro sysctl="net.ipv4.conf.default.accept_source_route" value="0" /> +</ocil> <rationale>Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.</rationale> <ident cce="4091-5" /> @@ -256,6 +280,9 @@ uses. It should be disabled unless it is absolutely required.</rationale> <description> <sysctl-desc-macro sysctl="net.ipv4.conf.default.accept_redirects" value="0" /> </description> +<ocil> +<sysctl-check-macro sysctl="net.ipv4.conf.default.accept_redirects" value="0" /> +</ocil> <rationale>This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.</rationale> <ident cce="4186-3" /> 
@@ -269,6 +296,9 @@ uses. It should be disabled unless it is absolutely required.</rationale> <description> <sysctl-desc-macro sysctl="net.ipv4.conf.default.secure_redirects" value="0" /> </description> +<ocil> +<sysctl-check-macro sysctl="net.ipv4.conf.default.secure_redirects" value="0" /> +</ocil> <rationale>Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.</rationale> @@ -283,6 +313,9 @@ absolutely required.</rationale> <description> <sysctl-desc-macro sysctl="net.ipv4.icmp_echo_ignore_broadcasts" value="1" /> </description> +<ocil> +<sysctl-check-macro sysctl="net.ipv4.icmp_echo_ignore_broadcasts" value="1" /> +</ocil> <rationale>Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network. </rationale> @@ -297,6 +330,9 @@ addresses makes the system slightly more difficult to enumerate on the network. <description> <sysctl-desc-macro sysctl="net.ipv4.icmp_ignore_bogus_error_responses" value="1" /> </description> +<ocil> +<sysctl-check-macro sysctl="net.ipv4.icmp_ignore_bogus_error_responses" value="1" /> +</ocil> <rationale>Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.</rationale> <ident cce="4133-5" /> @@ -309,6 +345,9 @@ log size, although some activity would not be logged.</rationale> <description> <sysctl-desc-macro sysctl="net.ipv4.tcp_syncookies" value="1" /> </description> +<ocil> +<sysctl-check-macro sysctl="net.ipv4.tcp_syncookies" value="1" /> +</ocil> <rationale> A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, 
@@ -326,6 +365,9 @@ enables the system to continue servicing valid connection requests. <description> <sysctl-desc-macro sysctl="net.ipv4.conf.all.rp_filter" value="1" /> </description> +<ocil> +<sysctl-check-macro sysctl="net.ipv4.conf.all.rp_filter" value="1" /> +</ocil> <rationale>Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for @@ -341,6 +383,9 @@ networks.</rationale> <description> <sysctl-desc-macro sysctl="net.ipv4.conf.default.rp_filter" value="1" /> </description> +<ocil> +<sysctl-check-macro sysctl="net.ipv4.conf.default.rp_filter" value="1" /> +</ocil> <rationale>Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for diff --git a/RHEL6/input/system/network/uncommon.xml b/RHEL6/input/system/network/uncommon.xml index 75e35d7..84697d5 100644 --- a/RHEL6/input/system/network/uncommon.xml +++ b/RHEL6/input/system/network/uncommon.xml @@ -14,13 +14,15 @@ prior to disabling them.
<Rule id="disable_protocol_dccp" severity="medium"> <title>Disable DCCP Support</title> -<description>To prevent the DCCP kernel module from being loaded, -add the following line to the appropriate <tt>/etc/modprobe.d</tt> configuration file.: -<pre>install dccp /bin/true</pre> +<description> The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. +<module-disable-macro module="dccp" /> </description> +<ocil> +<module-disable-check-macro module="dccp" /> +</ocil> <rationale> Disabling DCCP protects the system against exploitation of any flaws in its implementation. @@ -33,14 +35,16 @@ the system against exploitation of any flaws in its implementation.
<Rule id="disable_protocol_sctp" severity="medium"> <title>Disable SCTP Support</title> -<description>To prevent the SCTP kernel module from being loaded, -add the following line to the appropriate <tt>/etc/modprobe.d</tt> configuration file.: -<pre>install sctp /bin/true</pre> +<description> The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. +<module-disable-macro module="sctp" /> </description> +<ocil> +<module-disable-check-macro module="sctp" /> +</ocil> <rationale> Disabling SCTP protects the system against exploitation of any flaws in its implementation. @@ -53,13 +57,15 @@ the system against exploitation of any flaws in its implementation.
<Rule id="disable_protocol_rds"> <title>Disable RDS Support</title> -<description>To prevent the RDS kernel module from being loaded, -add the following line to the appropriate <tt>/etc/modprobe.d</tt> configuration file.: -<pre>install rds /bin/true</pre> +<description> The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high- bandwidth, low-latency communications between nodes in a cluster. +<module-disable-macro module="rds" /> </description> +<ocil> +<module-disable-check-macro module="rds" /> +</ocil> <rationale> Disabling RDS protects the system against exploitation of any flaws in its implementation. @@ -72,13 +78,15 @@ the system against exploitation of any flaws in its implementation.
<Rule id="disable_protocol_tipc" severity="medium"> <title>Disable TIPC Support</title> -<description>To prevent the TIPC kernel module from being loaded, -add the following line to the appropriate <tt>/etc/modprobe.d</tt> configuration file.: -<pre>install tipc /bin/true</pre> +<description> The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. +<module-disable-macro module="tipc" /> </description> +<ocil> +<module-disable-check-macro module="tipc" /> +</ocil> <rationale> Disabling TIPC protects the system against exploitation of any flaws in its implementation. diff --git a/RHEL6/input/system/network/wireless.xml b/RHEL6/input/system/network/wireless.xml index 689fe69..7686390 100644 --- a/RHEL6/input/system/network/wireless.xml +++ b/RHEL6/input/system/network/wireless.xml @@ -90,6 +90,9 @@ the need to install such a driver first. <description> <service-disable-macro service="bluetooth" /> </description> +<ocil> +<service-disable-check-macro service="bluetooth" /> +</ocil> <rationale>Disabling the <tt>bluetooth</tt> service prevents the system from attempting connections to to Bluetooth devices, which entails some security risk. Nevertheless, variation in this risk decision may be expected due to the @@ -108,6 +111,7 @@ to prevent the loading of the Bluetooth module: <pre>install net-pf-31 /bin/true install bluetooth /bin/true</pre> </description> + <rationale>If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.</rationale> diff --git a/RHEL6/input/system/permissions/execution.xml b/RHEL6/input/system/permissions/execution.xml index c7e4034..6d32805 100644 --- a/RHEL6/input/system/permissions/execution.xml +++ b/RHEL6/input/system/permissions/execution.xml @@ -69,7 +69,8 @@ value of 0 is recommended.</description>
<Rule id="disable_users_coredumps"> <title>Disable Core Dumps for All Users</title> -<description>To disable core dumps for all users, add the following line to <tt>/etc/security/limits.conf</tt>: +<description>To disable core dumps for all users, add the following line to +<tt>/etc/security/limits.conf</tt>: <pre>* hard core 0</pre> </description> <rationale>A core dump includes a memory image taken at the time the operating system @@ -84,6 +85,7 @@ only for developers trying to debug problems.</rationale> <Rule id="disable_setuid_coredumps"> <title>Disable Core Dumps for SUID programs</title> <description><sysctl-desc-macro sysctl="fs.suid_dumpable" value="0" /></description> +<ocil><sysctl-check-macro sysctl="fs.suid_dumpable" value="0" /></ocil> <rationale>The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any @@ -109,6 +111,7 @@ controlled through <tt>sysctl</tt> variables <tt>kernel.exec-shield</tt> and <Rule id="enable_execshield"> <title>Enable ExecShield</title> <description><sysctl-desc-macro sysctl="kernel.exec-shield" value="1" /></description> +<ocil><sysctl-check-macro sysctl="kernel.exec-shield" value="1" /></ocil> <rationale>ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to 
@@ -124,6 +127,7 @@ address range.</rationale> <Rule id="enable_randomize_va_space"> <title>Enable Randomized Layout of Virtual Address Space</title> <description><sysctl-desc-macro sysctl="kernel.randomize_va_space" value="1" /></description> +<ocil><sysctl-check-macro sysctl="kernel.randomize_va_space" value="1" /></ocil> <rationale> Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt at exploitation. ASLR also diff --git a/RHEL6/input/system/permissions/files.xml b/RHEL6/input/system/permissions/files.xml index b82c024..59f0a3a 100644 --- a/RHEL6/input/system/permissions/files.xml +++ b/RHEL6/input/system/permissions/files.xml @@ -19,8 +19,8 @@ passwords, and should never be enabled.</description>
<Rule id="userowner_shadow_file"> <title>Verify User Who Owns <tt>shadow</tt> File</title> -<description>The <tt>/etc/shadow</tt> file should be owned by -root.</description> +<description><fileowner-desc-macro file="/etc/shadow" owner="root"/></description> +<ocil><fileowner-check-macro file="/etc/shadow" owner="root"/></ocil> <rationale>The <tt>/etc/shadow</tt> file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file @@ -33,8 +33,8 @@ which could weaken the system security posture.</rationale>
<Rule id="groupowner_shadow_file"> <title>Verify Group Who Owns <tt>shadow</tt> File</title> -<description>The <tt>/etc/shadow</tt> file should be group-owned by -root.</description> +<description><filegroupowner-desc-macro file="/etc/shadow" group="root"/></description> +<ocil><filegroupowner-check-macro file="/etc/shadow" group="root"/></ocil> <rationale>The <tt>/etc/shadow</tt> file stores password hashes. Protection of this file is critical for system security.</rationale> <ident cce="3988-3" /> @@ -44,8 +44,8 @@ critical for system security.</rationale>
<Rule id="perms_shadow_file"> <title>Verify Permissions on <tt>shadow</tt> File</title> -<description>File permissions for <tt>/etc/shadow</tt> should be set -to 0000.</description> +<description><fileperms-desc-macro file="/etc/shadow" perms="0000"/></description> +<ocil><fileperms-check-macro file="/etc/shadow" perms="----------"/></ocil> <rationale>The <tt>/etc/shadow</tt> file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file @@ -58,8 +58,8 @@ which could weaken the system security posture.</rationale>
<Rule id="userowner_group_file"> <title>Verify User Who Owns <tt>group</tt> File</title> -<description>The <tt>/etc/group</tt> file should be owned by -root.</description> +<description><fileowner-desc-macro file="/etc/group" owner="root"/></description> +<ocil><fileowner-check-macro file="/etc/group" owner="root"/></ocil> <rationale>The <tt>/etc/group</tt> file contains information regarding groups that are configured on the system. Protection of this file is important for system security.</rationale> <ident cce="3276-3" /> @@ -69,8 +69,8 @@ on the system. Protection of this file is important for system security.</ration
<Rule id="groupowner_group_file"> <title>Verify Group Who Owns <tt>group</tt> File</title> -<description>The <tt>/etc/group</tt> file should be group-owned by -root.</description> +<description><filegroupowner-desc-macro file="/etc/group" group="root"/></description> +<ocil><filegroupowner-check-macro file="/etc/group" group="root"/></ocil> <rationale>The <tt>/etc/group</tt> file contains information regarding groups that are configured on the system. Protection of this file is important for system security.</rationale> <ident cce="3883-6" /> @@ -80,8 +80,8 @@ on the system. Protection of this file is important for system security.</ration
<Rule id="perms_group_file"> <title>Verify Permissions on <tt>group</tt> File</title> -<description>File permissions for <tt>/etc/group</tt> should be set -correctly.</description> +<description><fileperms-desc-macro file="/etc/group" perms="644"/></description> +<ocil><fileowner-check-macro file="/etc/group" perms="-rw-r--r--"/></ocil> <rationale>The <tt>/etc/group</tt> file contains information regarding groups that are configured on the system. Protection of this file is important for system security.</rationale> <ident cce="3967-7" /> @@ -91,8 +91,8 @@ on the system. Protection of this file is important for system security.</ration
<Rule id="userowner_gshadow_file"> <title>Verify User Who Owns <tt>gshadow</tt> File</title> -<description>The <tt>/etc/gshadow</tt> file should be group-owned by -root.</description> +<description><fileowner-desc-macro file="/etc/gshadow" owner="root"/></description> +<ocil><fileowner-check-macro file="/etc/gshadow" owner="root"/></ocil> <rationale>The <tt>/etc/gshadow</tt> file contains group password hashes. Protection of this file is critical for system security.</rationale> <ident cce="4210-1" /> @@ -102,8 +102,8 @@ is critical for system security.</rationale>
<Rule id="groupowner_gshadow_file"> <title>Verify Group Who Owns <tt>gshadow</tt> File</title> -<description>The <tt>/etc/gshadow</tt> file should be group-owned by -root.</description> +<description><filegroupowner-desc-macro file="/etc/gshadow" group="root"/></description> +<ocil><filegroupowner-check-macro file="/etc/gshadow" group="root"/></ocil> <rationale>The <tt>/etc/gshadow</tt> file contains group password hashes. Protection of this file is critical for system security.</rationale> <ident cce="4064-2" /> @@ -113,8 +113,8 @@ is critical for system security.</rationale>
<Rule id="perms_gshadow_file"> <title>Verify Permissions on <tt>gshadow</tt> File</title> -<description>File permissions for <tt>/etc/gshadow</tt> should be set -correctly.</description> +<description><fileperms-desc-macro file="/etc/gshadow" perms="0000"/></description> +<ocil><fileperms-check-macro file="/etc/gshadow" perms="----------"/></ocil> <rationale>The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.</rationale> <ident cce="3932-1" /> @@ -124,6 +124,8 @@ is critical for system security.</rationale>
<Rule id="userowner_passwd_file"> <title>Verify User Who Owns <tt>passwd</tt> File</title> +<description><fileowner-desc-macro file="/etc/passwd" owner="root"/></description> +<ocil><fileowner-check-macro file="/etc/passwd" owner="root"/></ocil> <description>The <tt>/etc/passwd</tt> file should be owned by root.</description> <rationale>The <tt>/etc/passwd</tt> contains information about the users that are configured on @@ -135,8 +137,8 @@ the system. Protection of this file is critical for system security.</rationale>
<Rule id="groupowner_passwd_file"> <title>Verify Group Who Owns <tt>passwd</tt> File</title> -<description>The <tt>/etc/passwd</tt> file should be group-owned by -root.</description> +<description><filegroupowner-desc-macro file="/etc/passwd" group="root"/></description> +<ocil><filegroupowner-check-macro file="/etc/passwd" group="root"/></ocil> <rationale>The <tt>/etc/passwd</tt> file contains information about the users that are configured on the system. Protection of this file is critical for system security.</rationale> <ident cce="3495-9" /> @@ -146,8 +148,8 @@ the system. Protection of this file is critical for system security.</rationale>
<Rule id="file_permissions_etc_passwd"> <title>Verify Permissions on <tt>passwd</tt> File</title> -<description>File permissions for <tt>/etc/passwd</tt> should be set -to 0644 or less permissive.</description> +<description><fileperms-desc-macro file="/etc/passwd" perms="0644"/></description> +<ocil><fileperms-check-macro file="/etc/passwd" perms="-rw-r--r--"/></ocil> <rationale>If the <tt>/etc/passwd</tt> file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of acounts on the system and associated information, and protection of this file @@ -184,6 +186,11 @@ Kernel modules, which can be added to the kernel during runtime, are stored in <tt>/lib/modules</tt>. All files in these directories should not be group-writable or world-writable. </description> +<ocil> +To find shared libraries that are group-writable or world-writable, +run the following command for each directory <i>DIR</i> which contains shared libraries: +<pre>$ find <i>DIR</i> -perm /022</pre> +</ocil> <rationale>Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system. @@ -204,6 +211,11 @@ Kernel modules, which can be added to the kernel during runtime, are also stored in <tt>/lib/modules</tt>. All files in these directories should be owned by the <tt>root</tt> user. </description> +<ocil> +To find shared libraries that are not owned by <tt>root</tt>, +run the following command for each directory <i>DIR</i> which contains shared libraries: +<pre>$ find <i>DIR</i> \! -user root</pre> +</ocil> <rationale>Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system. 
@@ -223,6 +235,11 @@ System executables are stored in the following directories by default: /usr/local/sbin</pre> All files in these directories should not be group-writable or world-writable. </description> +<ocil> +To find system executables that are group-writable or world-writable, +run the following command for each directory <i>DIR</i> which contains system executables: +<pre>$ find <i>DIR</i> -perm /022</pre> +</ocil> <rationale>System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted. @@ -241,6 +258,11 @@ System executables are stored in the following directories by default: /usr/local/sbin</pre> All files in these directories should be owned by the <tt>root</tt> user. </description> +<ocil> +To find system executables that are not owned by <tt>root</tt>, +run the following command for each directory <i>DIR</i> which contains system executables: +<pre>$ find <i>DIR</i> \! -user root</pre> +</ocil> <rationale>System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted. @@ -261,7 +283,16 @@ there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly -changing modes.</description> +changing modes. +<br/> +To set the sticky bit on a world-writable directory <i>DIR</i>, run the +following command: +<pre># chmod +t <i>DIR</i></pre> +</description> +<ocil> +To find world-writable directories that lack the sticky bit, run the following command: +<pre># find / -type d -perm -002 ! -perm -1000</pre> +</ocil> <ident cce="3399-3" /> <oval id="dir_perms_world_writable_sticky_bits" /> <ref nist="CM-6"/> 
@@ -281,6 +312,10 @@ documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account.</description> +<ocil> +To find world-writable files, run the following command: +<pre># find / -type f -perm -002</pre> +</ocil> <ident cce="3795-2" /> <ref nist="CM-6"/> </Rule> @@ -293,6 +328,10 @@ unauthorized SGID files is determine if any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SGID files. </description> +<ocil> +To find world-writable files, run the following command: +<pre># find / -type f -perm -002</pre> +</ocil> <rationale>Executable files with the SGID permission run with the privileges of the owner of the file. SGID files of uncertain provenance could allow for unprivileged users to elevate privileges. The presence of these files should be @@ -310,6 +349,10 @@ unauthorized SGID files is determine if any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SUID files. </description> +<ocil> +To find world-writable files, run the following command: +<pre># find / -type f -perm -002</pre> +</ocil> <rationale>Executable files with the SUID permission run with the privileges of the owner of the file. SUID files of uncertain provenance could allow for unprivileged users to elevate privileges. The presence of these files should be @@ -322,16 +365,20 @@ strictly controlled on the system.</rationale>
<Rule id="no_files_unowned_by_user"> <title>Ensure All Files Are Owned by a User</title> -<description>The following command will discover and print any -files on local partitions which do not belong to a valid user and a -valid group. Run it once for each local partition PART: -<pre># find PART -xdev \( -nouser -o -nogroup \) -print</pre> -If this command prints any results, investigate each reported file and -either assign it to an appropriate user and group or remove it. +<description>If any files are not owned by a user, then the +cause of their lack of ownership should be investigated. +Following this, the files should be deleted or assigned to an +appropriate user. </description> +<ocil> +The following command will discover and print any +files on local partitions which do not belong to a valid user. +Run it once for each local partition <i>PART</i>: +<pre># find <i>PART</i> -xdev -nouser -print</pre> +</ocil> <rationale> Unowned files do not directly imply a security problem, but they are generally -a sign that something is wrong with some system process. They may +a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so that they @@ -345,16 +392,20 @@ and the cause should be discovered and addressed.
<Rule id="no_files_unowned_by_group"> <title>Ensure All Files Are Owned by a Group</title> -<description>The following command will discover and print any -files on local partitions which do not belong to a valid user and a -valid group. Run it once for each local partition PART: -<pre># find PART -xdev \( -nouser -o -nogroup \) -print</pre> -If this command prints any results, investigate each reported file and -either assign it to an appropriate user and group or remove it. +<description>If any files are not owned by a group, then the +cause of their lack of group-ownership should be investigated. +Following this, the files should be deleted or assigned to an +appropriate group. </description> +<ocil> +The following command will discover and print any +files on local partitions which do not belong to a valid group. +Run it once for each local partition <i>PART</i>: +<pre># find <i>PART</i> -xdev -nogroup -print</pre> +</ocil> <rationale> Unowned files do not directly imply a security problem, but they are generally -a sign that something is wrong with some system process. They may +a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so that they @@ -368,15 +419,19 @@ and the cause should be discovered and addressed.
<Rule id="world_writable_files_system_ownership"> <title>Ensure All World-Writable Directories Are Owned by a System Account</title> -<description>Locate any directories in local partitions which are -world-writable and ensure that they are owned by root or another -system account. The following command will discover and print these -(assuming only system accounts have a uid lower than 500). Run it -once for each local partition PART: -<pre># find PART -xdev -type d -perm -0002 -uid +500 -print</pre> -If this command produces any output, investigate why the -current owner is not root or another system account. +<description>All directories in local partitions which are +world-writable should be owned by root or another +system account. If any world-writable directories are not +owned by a system account, this should be investigated. +Following this, the files should be deleted or assigned to an +appropriate group. </description> +<ocil> +The following command will discover and print world-writable directories that +are not owned by a system account, given the assumption that only system +accounts have a uid lower than 500. Run it once for each local partition <i>PART</i>: +<pre># find <i>PART</i> -xdev -type d -perm -0002 -uid +500 -print</pre> +</ocil> <rationale> Allowing a user account to own a world-writeable directory is undesirable because it allows the owner of that directory to remove diff --git a/RHEL6/input/system/selinux.xml b/RHEL6/input/system/selinux.xml index 1565d5f..3d68315 100644 --- a/RHEL6/input/system/selinux.xml +++ b/RHEL6/input/system/selinux.xml @@ -84,18 +84,15 @@ and to protect the boot process.
<Rule id="enable_selinux_bootloader"> <title>Ensure SELinux Not Disabled in /etc/grub.conf</title> -<description>SELinux can be disabled at boot time by an argument -in <tt>/etc/grub.conf</tt>. -To ensure that SELinux is not disabled at boot time, ensure that <tt>selinux=0</tt> is not -found in the kernel arguments in that file. +<description>SELinux can be disabled at boot time by an argument in +<tt>/etc/grub.conf</tt>. +Remove any instances of <tt>selinux=0</tt> from the kernel arguments in that +file to prevent SELinux from being being disabled at boot. </description> <ocil> -Run the following command to determine if SELinux has been -disabled at boot time: -<pre># grep selinux=0 /etc/grub.conf</pre> -If it doesn't reurn a value, then it hasn't been disabled. ex: -<pre># grep selinux=0 /etc/grub.conf</pre> -<pre># <---Flashing cursor</pre> +Inspect <tt>/etc/grub.conf</tt> for any instances of <tt>selinux=0</tt> +in the kernel boot arguments. Presences of <tt>selinux=0</tt> indicates +that SELinux is disabled at boot time. </ocil> <rationale> Disabling a major host protection feature such as SELinux at boot time prevents @@ -109,13 +106,15 @@ the chances that it remain off during system operation.
<Rule id="set_selinux_state"> <title>Ensure SELinux State is Enforcing</title> -<description>The SELinux state should be set to <tt>enforcing</tt> during -normal system operation.</description> -<ocil>To ensure the system is configured to boot into enforcing mode, add -or correct the following line in: <tt>/etc/selinux/config</tt> by ensuring the -following text is present: <tt>SELINUX=enforcing</tt> -<pre># grep "SELINUX=enforcing" /etc/selinux/config</pre> -If needed add the text to the file, and save it.</ocil> +<description>The SELinux state should be set to <tt>enforcing</tt> at +system boot time. In the file <tt>/etc/selinux/config</tt>, add or correct the +line <tt>SELINUX=enforcing</tt> to configure the system to boot into enforcing +mode. +</description> +<ocil> +Check the file <tt>/etc/selinux/config</tt> and ensure the following line appears: +<pre>SELINUX=enforcing</pre> +</ocil> <rationale> Setting the SELinux state to enforcing ensures that SELinux is able to confine potentially compromised processes to the security policy, which is designed to 
@@ -135,13 +134,13 @@ To configure the system to use this policy, add or correct the following line in <tt>/etc/selinux/config</tt>: <pre>SELINUXTYPE=targeted</pre> Other policies, such as <tt>mls</tt>, provide additional security labeling -and greater confinement. +and greater confinement but are not compatible with many general-purpose +use cases. </description> -<ocil>To ensure the system is configured to boot into targeted mode, add -or correct the following line in: <tt>/etc/selinux/config</tt> by ensuring the -following text is present: <tt>SELINUX=targeted</tt> -<pre># grep "SELINUX=targeted" /etc/selinux/config</pre> -If needed add the text to the file, and save it.</ocil> +<ocil> +Check the file <tt>/etc/selinux/config</tt> and ensure the following line appears: +<pre>SELINUXTYPE=targeted</pre> +</ocil> <rationale> Setting the SELinux policy to <tt>targeted</tt> or a more specialized policy ensures that the system will confine processes that are likely to be
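Review bot: the `<ocil>` block added in hunk `@@ -293,6 +328,10 @@` (the SGID rule) is a copy of the world-writable-files check, not an SGID check: "To find world-writable files ... `# find / -type f -perm -002`" does not locate SGID executables at all, so a manual checker following it would never see the files the rule is about. The description says the way to find unauthorized SGID files is to compare against RPM-packaged files, so the OCIL should search for the SGID bit instead, e.g. `# find / -type f -perm -2000`, and ideally mention cross-checking the results against `rpm -qf` as the description implies.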
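Review bot: the same copy-paste problem is in hunk `@@ -310,6 +349,10 @@` (the SUID rule): its new `<ocil>` again reads "To find world-writable files" with `# find / -type f -perm -002`, which has nothing to do with SUID. Replace it with a search for the SUID bit, e.g. `# find / -type f -perm -4000`, and keep the wording ("To find SUID files ...") consistent with the rule's title and description.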
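Review bot: in hunk `@@ -368,15 +419,19 @@` (world_writable_files_system_ownership) the new description ends with "the files should be deleted or assigned to an appropriate group", which looks carried over from the unowned-by-group rule: this rule is about world-writable directories and their owning user, so it should say the directories should be deleted or assigned to root or another system account. The OCIL text in the same hunk is fine, though note that the rule now states the uid-500 assumption only in the check text, so a checker reading just the description gets no hint about it.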
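Review bot: hunk `@@ -261,7 +283,16 @@` (sticky bit on world-writable directories) and hunk `@@ -281,6 +312,10 @@` (world-writable files) run `find /` without `-xdev`, whereas the other checks in this file (`# find <i>PART</i> -xdev ...`) are written per local partition; without `-xdev` the check descends into mounted network and pseudo filesystems such as /proc, which is slow and produces results that are not under this system's control. Consider using the same "run once for each local partition PART" phrasing with `-xdev` here for consistency.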
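Review bot: the new text in hunk `@@ -84,18 +84,15 @@` (selinux.xml, enable_selinux_bootloader) has two typos on the added lines: "being being disabled" and "Presences of <tt>selinux=0</tt> indicates". Also, the rewrite drops the concrete check command that the old OCIL had; since the remaining text only says "Inspect /etc/grub.conf", it would help the manual checker to keep a one-line `# grep selinux=0 /etc/grub.conf` in the `<ocil>` (without the "flashing cursor" example output), matching the `<pre>` style used in the other OCIL blocks of this patch.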
I didn't know you'd be working on any of this, so this will conflict with my patches & content, but ack since you pushed your patches out first.
Likely need to have a status call on content on who is working on what. It's clear we both spent several hours working on the same content, which was a gross duplication of effort.
scap-security-guide@lists.fedorahosted.org