CCE ID | Rule Title | Description | Rationale | Variable Setting | NIST 800-53 Mapping |
CCE-26435-8 | Ensure /tmp Located On Separate Partition |
The /tmp directory is a world-writable directory used
for temporary file storage. Ensure it has its own partition or
logical volume at installation time, or migrate it using LVM.
|
The /tmp partition is used as temporary storage by many programs.
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it.
|
SC-32 |
|
CCE-26639-5 | Ensure /var Located On Separate Partition | The /var directory is used by daemons and other system
services to store frequently-changing data. Ensure that /var has its own partition
or logical volume at installation time, or migrate it using LVM.
|
Ensuring that /var is mounted on its own partition enables the
setting of more restrictive mount options. This helps protect
system services such as daemons or other programs which use it.
It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages.
|
SC-32 |
|
CCE-26215-4 | Ensure /var/log Located On Separate Partition |
System logs are stored in the /var/log directory.
Ensure that it has its own partition or logical
volume at installation time, or migrate it using LVM.
|
Placing /var/log in its own partition
enables better separation between log files
and other files in /var/ .
|
AU-9 SC-32 |
|
CCE-26436-6 | Ensure /var/log/audit Located On Separate Partition |
Audit logs are stored in the /var/log/audit directory. Ensure that it
has its own partition or logical volume at installation time, or migrate it
later using LVM. Make absolutely certain that it is large enough to store all
audit logs that will be created by the auditing daemon.
|
Placing /var/log/audit in its own partition
enables better separation between audit files
and other files, and helps ensure that
auditing cannot be halted due to the partition running out
of space.
|
AU-4 AU-9 SC-32 |
|
CCE-26557-9 | Ensure /home Located On Separate Partition |
If user home directories will be stored locally, create a separate partition
for /home at installation time (or migrate it later using LVM). If
/home will be mounted from another system such as an NFS server, then
creating a separate partition is not necessary at installation time, and the
mountpoint can instead be configured later.
|
Ensuring that /home is mounted on its own partition enables the
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage.
|
SC-32 |
|
CCE-26506-6 | Ensure Red Hat GPG Key Installed |
To ensure the system can cryptographically verify base software
packages come from Red Hat (and to connect to the Red Hat Network to
receive them), the Red Hat GPG key must properly be installed.
To install the Red Hat GPG key, run:
$ sudo rhn_registerIf the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in /media/cdrom , use the following command as the root user to import
it into the keyring:
$ sudo rpm --import /media/cdrom/RPM-GPG-KEY |
The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat. | SI-7 MA-1(b) |
|
CCE-26846-6 | Disable Red Hat Network Service (rhnsd) | The Red Hat Network service automatically queries Red Hat Network
servers to determine whether there are any actions that should be executed,
such as package updates. This only occurs if the system was registered to an
RHN server or satellite and managed as such.
The rhnsd service can be disabled with the following command:
$ sudo chkconfig rhnsd off |
Although systems management and patching is extremely important to
system security, management by a system outside the enterprise enclave is not
desirable for some environments. However, if the system is being managed by RHN or
RHN Satellite Server the rhnsd daemon can remain on. |
CM-7 |
|
CCE-27635-2 | Ensure Software Patches Installed | If the system is joined to the Red Hat Network, a Red Hat Satellite Server,
or a yum server, run the following command to install updates:
$ sudo yum updateIf the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the Red Hat Network and installed using rpm .
|
Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. | SI-2 MA-1(b) |
|
CCE-26709-6 | Ensure gpgcheck Enabled In Main Yum Configuration | The gpgcheck option controls whether
RPM packages' signatures are always checked prior to installation.
To configure yum to check package signatures before installing
them, ensure the following line appears in /etc/yum.conf in
the [main] section:
gpgcheck=1 |
Ensuring the validity of packages' cryptographic signatures prior to installation ensures the authenticity of the software and protects against malicious tampering. | SI-7 MA-1(b) |
|
CCE-26647-8 | Ensure gpgcheck Enabled For All Yum Package Repositories | To ensure signature checking is not disabled for
any repos, remove any lines from files in /etc/yum.repos.d of the form:
gpgcheck=0 |
Ensuring all packages' cryptographic signatures are valid prior to installation ensures the authenticity of the software and protects against malicious tampering. | SI-7 MA-1(b) |
|
CCE-27024-9 | Install AIDE |
Install the AIDE package with the command:
$ sudo yum install aide |
The AIDE package must be installed if it is to be available for integrity checking. | CM-3(d) CM-3(e) CM-6(d) SC-28 SI-7 |
|
CCE-26956-3 | Ensure SELinux Not Disabled in /etc/grub.conf | SELinux can be disabled at boot time by an argument in
/etc/grub.conf .
Remove any instances of selinux=0 from the kernel arguments in that
file to prevent SELinux from being disabled at boot.
|
Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation. | AC-3 AC-3(3) AC-6 AU-9 |
|
CCE-27270-8 | Remove Rsh Trust Files | The files /etc/hosts.equiv and ~/.rhosts (in
each user's home directory) list remote hosts and users that are trusted by the
local system when using the rshd daemon.
To remove these files, run the following command to delete them from any
location:
$ sudo rm /etc/hosts.equiv $ rm ~/.rhosts |
Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system. | CM-7 |
|
CCE-26969-6 | Ensure SELinux State is Enforcing | The SELinux state should be set to at
system boot time. In the file /etc/selinux/config , add or correct the
following line to configure the system to boot into enforcing mode:
SELINUX= |
Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges. | AC-3 AC-3(3) AC-4 AC-6 AU-9 |
|
CCE-26875-5 | Configure SELinux Policy | The SELinux targeted policy is appropriate for
general-purpose desktops and servers, as well as systems in many other roles.
To configure the system to use this policy, add or correct the following line
in /etc/selinux/config :
SELINUXTYPE=Other policies, such as mls , provide additional security labeling
and greater confinement but are not compatible with many general-purpose
use cases.
|
Setting the SELinux policy to targeted or a more specialized policy
ensures the system will confine processes that are likely to be
targeted for exploitation, such as network or system services.
Note: During the development or debugging of SELinux modules, it is common to
temporarily place non-production systems in permissive mode. In such
temporary cases, SELinux policies should be developed, and once work
is completed, the system should be reconfigured to
.
|
AC-3 AC-3(3) AC-4 AC-6 AU-9 |
|
CCE-26774-0 | Ensure No Device Files are Unknown to SELinux | Device files, which are used for communication with important
system resources, should be labeled with proper SELinux types. If any device
files carry the SELinux type device_t , report the bug so that policy can be corrected. Supply information about what the device is and what programs use it.
|
If a device file carries the SELinux type device_t , then SELinux
cannot properly restrict access to the device file.
|
AC-6 AU-9 CM-7 |
|
CCE-26855-7 | Restrict Virtual Console Root Logins |
To restrict root logins through the (deprecated) virtual console devices,
ensure lines of this form do not appear in /etc/securetty :
vc/1 vc/2 vc/3 vc/4 |
Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account. | AC-6(2) |
|
CCE-27047-0 | Restrict Serial Port Root Logins | To restrict root logins on serial ports,
ensure lines of this form do not appear in /etc/securetty :
ttyS0 ttyS1 |
Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account. | AC-6(2) |
|
CCE-26966-2 | Ensure that System Accounts Do Not Run a Shell Upon Login |
Some accounts are not associated with a human
user of the system, and exist to perform some administrative
function. Should an attacker be able to log into these accounts,
they should not be granted access to a shell.
The login shell for each local account is stored in the last field of each line in /etc/passwd . System accounts are those user accounts with a user ID less than
500. The user ID is stored in the third field.
If any system account SYSACCT (other than root) has a login shell,
disable it with the command:
$ sudo usermod -s /sbin/nologin SYSACCT |
Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts. | AC-2 |
|
CCE-27038-9 | Prevent Log In to Accounts With Empty Password | If an account is configured for password authentication
but does not have an assigned password, it may be possible to log
onto the account without authentication. Remove any instances of the nullok
option in /etc/pam.d/system-auth to
prevent logins with empty passwords.
|
If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. | IA-5(b) IA-5(c) IA-5(1)(a) |
|
CCE-26476-2 | Verify All Account Password Hashes are Shadowed |
If any password hashes are stored in /etc/passwd (in the second field,
instead of an x ), the cause of this misconfiguration should be
investigated. The account should have its password reset and the hash should be
properly stored, or the account should be deleted entirely.
|
The hashes for all user account passwords should be stored in
the file /etc/shadow and never in /etc/passwd ,
which is readable by all users.
|
IA-5(h) |
|
CCE-26971-2 | Verify Only Root Has UID 0 | If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed. | An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner. | AC-6 IA-2(1) |
|
CCE-26947-2 | Verify User Who Owns shadow File |
To properly set the owner of /etc/shadow , run the command:
$ sudo chown root /etc/shadow |
The /etc/shadow file contains the list of local
system accounts and stores password hashes. Protection of this file is
critical for system security. Failure to give ownership of this file
to root provides the designated owner with access to sensitive information
which could weaken the system security posture. |
AC-6 |
|
CCE-26967-0 | Verify Group Who Owns shadow File |
To properly set the group owner of /etc/shadow , run the command:
$ sudo chgrp root /etc/shadow |
The /etc/shadow file stores password hashes. Protection of this file is
critical for system security. |
AC-6 |
|
CCE-26992-8 | Verify Permissions on shadow File |
To properly set the permissions of /etc/shadow , run the command:
$ sudo chmod 0000 /etc/shadow |
The /etc/shadow file contains the list of local
system accounts and stores password hashes. Protection of this file is
critical for system security. Failure to give ownership of this file
to root provides the designated owner with access to sensitive information
which could weaken the system security posture. |
AC-6 |
|
CCE-27026-4 | Verify User Who Owns gshadow File |
To properly set the owner of /etc/gshadow , run the command:
$ sudo chown root /etc/gshadow |
The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. |
AC-6 |
|
CCE-26975-3 | Verify Group Who Owns gshadow File |
To properly set the group owner of /etc/gshadow , run the command:
$ sudo chgrp root /etc/gshadow |
The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. |
AC-6 |
|
CCE-26951-4 | Verify Permissions on gshadow File |
To properly set the permissions of /etc/gshadow , run the command:
$ sudo chmod 0000 /etc/gshadow |
The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. |
AC-6 |
|
CCE-26953-0 | Verify User Who Owns passwd File |
To properly set the owner of /etc/passwd , run the command:
$ sudo chown root /etc/passwd |
The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. |
AC-6 |
|
CCE-26856-5 | Verify Group Who Owns passwd File |
To properly set the group owner of /etc/passwd , run the command:
$ sudo chgrp root /etc/passwd |
The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. |
AC-6 |
|
CCE-26868-0 | Verify Permissions on passwd File |
To properly set the permissions of /etc/passwd , run the command:
$ sudo chmod 0644 /etc/passwd |
If the /etc/passwd file is writable by a group-owner or the
world the risk of its compromise is increased. The file contains the list of
accounts on the system and associated information, and protection of this file
is critical for system security. |
AC-6 |
|
CCE-26822-7 | Verify User Who Owns group File |
To properly set the owner of /etc/group , run the command:
$ sudo chown root /etc/group |
The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. |
AC-6 |
|
CCE-26930-8 | Verify Group Who Owns group File |
To properly set the group owner of /etc/group , run the command:
$ sudo chgrp root /etc/group |
The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. |
AC-6 |
|
CCE-26954-8 | Verify Permissions on group File |
To properly set the permissions of /etc/group , run the command:
$ sudo chmod 644 /etc/group |
The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. |
AC-6 |
|
CCE-27381-3 | Verify that Shared Library Files Have Restrictive Permissions | System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib /lib64 /usr/lib /usr/lib64Kernel modules, which can be added to the kernel during runtime, are stored in /lib/modules . All files in these directories
should not be group-writable or world-writable. If any file in these
directories is found to be group-writable or world-writable, correct
its permission with the following command:
$ sudo chmod go-w FILE |
Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system. | AC-6 |
|
CCE-27424-1 | Verify that Shared Library Files Have Root Ownership | System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib /lib64 /usr/lib /usr/lib64Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules . All files in these directories should be
owned by the root user. If the directory, or any file in these
directories, is found to be owned by a user other than root correct its
ownership with the following command:
$ sudo chown root FILE |
Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system. | AC-6 |
|
CCE-27289-8 | Verify that System Executables Have Restrictive Permissions |
System executables are stored in the following directories by default:
/bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbinAll files in these directories should not be group-writable or world-writable. If any file FILE in these directories is found to be group-writable or world-writable, correct its permission with the following command: $ sudo chmod go-w FILE |
System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted. | AC-6 |
|
CCE-27623-8 | Verify that System Executables Have Root Ownership |
System executables are stored in the following directories by default:
/bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbinAll files in these directories should be owned by the root user.
If any file FILE in these directories is found
to be owned by a user other than root, correct its ownership with the
following command:
$ sudo chown root FILE |
System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted. | AC-6 |
|
CCE-27243-5 | System Audit Logs Must Have Mode 0640 or Less Permissive |
If log_group in /etc/audit/auditd.conf is set to a group other than the root
group account, change the mode of the audit log files with the following command:
$ sudo chmod 0640 audit_file Otherwise, change the mode of the audit log files with the following command: $ sudo chmod 0600 audit_file |
If users can write to audit logs, audit trails can be modified or destroyed. | AC-6 AU-1(b) AU-9 IR-5 |
|
CCE-27002-5 | Set Password Minimum Length in login.defs | To specify password length requirements for new accounts,
edit the file /etc/login.defs and add or correct the following
lines:
PASS_MIN_LEN The DoD requirement is 14 .
The FISMA requirement is 12 .
If a program consults /etc/login.defs and also another PAM module
(such as pam_cracklib ) during a password change operation,
then the most restrictive must be satisfied. See PAM section
for more information about enforcing password quality requirements.
|
Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result. | IA-5(f) IA-5(1)(a) |
|
CCE-27013-2 | Set Password Minimum Age | To specify password minimum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line:
PASS_MIN_DAYSA value of 1 day is considered for sufficient for many environments. The DoD requirement is 1. |
Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement. | IA-5(f) IA-5(1)(d) |
|
CCE-26985-2 | Set Password Maximum Age | To specify password maximum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line:
PASS_MAX_DAYSA value of 180 days is sufficient for many environments. The DoD requirement is 60. |
Setting the password maximum age ensures users are required to periodically change their passwords. This could possibly decrease the utility of a stolen password. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise. | IA-5(f) IA-5(g) IA-5(1)(d) |
|
CCE-26988-6 | Set Password Warning Age | To specify how many days prior to password
expiration that a warning will be issued to users,
edit the file /etc/login.defs and add or correct
the following line:
PASS_WARN_AGEThe DoD requirement is 7. |
Setting the password warning age enables users to make the change at a practical time. | AC-2(2) IA-5(f) |
|
CCE-27123-9 | Set Password Retry Prompts Permitted Per-Session | To configure the number of retry prompts that are permitted per-session:
Edit the pam_cracklib.so statement in /etc/pam.d/system-auth to
show retry= , or a lower value if site policy is more restrictive.
The DoD requirement is a maximum of 3 prompts per session. |
Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module. | IA-5(c) |
|
CCE-26374-9 | Set Password Strength Minimum Digit Characters | The pam_cracklib module's dcredit parameter controls requirements for
usage of digits in a password. When set to a negative number, any password will be required to
contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional
length credit for each digit.
Add dcredit=-1 after pam_cracklib.so to require use of a digit in passwords.
|
Requiring digits makes password guessing attacks more difficult by ensuring a larger search space. | IA-5(b) IA-5(c) 194 |
|
CCE-26601-5 | Set Password Strength Minimum Uppercase Characters | The pam_cracklib module's ucredit= parameter controls requirements for
usage of uppercase letters in a password. When set to a negative number, any password will be required to
contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional
length credit for each uppercase character.
Add ucredit=-1 after pam_cracklib.so to require use of an upper case character in passwords.
|
Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space. | IA-5(b) IA-5(c) IA-5(1)(a) |
|
CCE-26409-3 | Set Password Strength Minimum Special Characters | The pam_cracklib module's ocredit= parameter controls requirements for
usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to
contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional
length credit for each special character.
Add ocredit= after pam_cracklib.so to require use of a special character in passwords.
|
Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space. | IA-5(b) IA-5(c) IA-5(1)(a) |
|
CCE-26631-2 | Set Password Strength Minimum Lowercase Characters | The pam_cracklib module's lcredit= parameter controls requirements for
usage of lowercase letters in a password. When set to a negative number, any password will be required to
contain that many lowercase characters. When set to a positive number, pam_cracklib will grant +1 additional
length credit for each lowercase character.
Add lcredit=-1 after pam_cracklib.so to require use of a lowercase character in passwords.
|
Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space. | IA-5(b) IA-5(c) IA-5(1)(a) |
|
CCE-26615-5 | Set Password Strength Minimum Different Characters | The pam_cracklib module's difok parameter controls requirements for
usage of different characters during a password change.
Add difok= after pam_cracklib.so to require differing
characters when changing passwords. The DoD requirement is 4 .
|
Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however. | IA-5(b) IA-5(c) IA-5(1)(b) |
|
CCE-26844-1 | Set Deny For Failed Password Attempts |
To configure the system to lock out accounts after a number of incorrect login
attempts using pam_faillock.so , modify the content of both
/etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:
|
Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. | AC-7(a) |
|
CCE-26303-8 | Set Password Hashing Algorithm in /etc/pam.d/system-auth |
In /etc/pam.d/system-auth , the password section of
the file controls which PAM modules execute during a password change.
Set the pam_unix.so module in the
password section to include the argument sha512 , as shown below:
password sufficient pam_unix.so sha512 other arguments...This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default. |
Using a stronger hashing algorithm makes password cracking attacks more difficult. | IA-5(b) IA-5(c) IA-5(1)(c) IA-7 |
|
CCE-27228-6 | Set Password Hashing Algorithm in /etc/login.defs |
In /etc/login.defs , add or correct the following line to ensure
the system will use SHA-512 as the hashing algorithm:
ENCRYPT_METHOD SHA512 |
Using a stronger hashing algorithm makes password cracking attacks more difficult. | IA-5(b) IA-5(c) IA-5(1)(c) IA-7 |
|
CCE-27229-4 | Set Password Hashing Algorithm in /etc/libuser.conf |
In /etc/libuser.conf , add or correct the following line in its
[defaults] section to ensure the system will use the SHA-512
algorithm for password hashing:
crypt_style = sha512 |
Using a stronger hashing algorithm makes password cracking attacks more difficult. | IA-5(b) IA-5(c) IA-5(1)(c) IA-7 |
|
CCE-26995-1 | Verify /etc/grub.conf User Ownership | The file /etc/grub.conf should
be owned by the root user to prevent destruction
or modification of the file.
To properly set the owner of /etc/grub.conf , run the command:
$ sudo chown root /etc/grub.conf |
Only root should be able to modify important boot parameters. | AC-6(7) |
|
CCE-27022-3 | Verify /etc/grub.conf Group Ownership | The file /etc/grub.conf should
be group-owned by the root group to prevent
destruction or modification of the file.
To properly set the group owner of /etc/grub.conf , run the command:
$ sudo chgrp root /etc/grub.conf |
The root group is a highly-privileged group. Furthermore, the group-owner of this
file should not have any access privileges anyway.
|
AC-6(7) |
|
CCE-26949-8 | Verify /boot/grub/grub.conf Permissions | File permissions for /boot/grub/grub.conf should be set to 600, which
is the default.
To properly set the permissions of /boot/grub/grub.conf , run the command:
$ sudo chmod 600 /boot/grub/grub.conf |
Proper permissions ensure that only the root user can modify important boot parameters. | AC-6(7) |
|
CCE-26911-8 | Set Boot Loader Password | The grub boot loader should have password protection
enabled to protect boot-time settings.
To do so, select a password and then generate a hash from it by running the following command:
$ grub-crypt --sha-512When prompted to enter a password, insert the following line into /etc/grub.conf
immediately after the header comments. (Use the output from grub-crypt as the
value of password-hash):
password --encrypted password-hashNOTE: To meet FISMA Moderate, the bootloader password MUST differ from the root password. |
Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. | IA-2(1) IA-5(e) AC-3 |
|
CCE-27040-5 | Require Authentication for Single User Mode | Single-user mode is intended as a system recovery
method, providing a single user root access to the system by
providing a boot option at startup. By default, no authentication
is performed if single-user mode is selected.
To require entry of the root password even if the system is started in single-user mode, add or correct the following line in the file /etc/sysconfig/init :
SINGLE=/sbin/sulogin |
This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password. | IA-2(1) AC-3 |
|
CCE-27043-9 | Disable Interactive Boot |
To disable the ability for users to perform interactive startups, perform both
of the following:
PROMPT option of the /etc/sysconfig/init file and
the confirm kernel boot argument of the /etc/grub.conf file
allow the console user to perform an interactive system startup, in which it is
possible to select the set of services which are started on boot.
|
Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security. | SC-2 AC-3 |
|
CCE-26940-7 | Install the screen Package |
To enable console screen locking, install the screen package:
$ sudo yum install screenInstruct users to begin new terminal sessions with the following command: $ screenThe console can now be locked with the following key combination: ctrl+a x |
Installing screen ensures a console locking capability is available
for users who may need to suspend console logins.
|
||
CCE-26974-6 | Modify the System Login Banner |
To configure the system login banner:
Edit /etc/issue . Replace the default text with a message
compliant with the local site policy or a legal disclaimer.
The DoD required text is either:
You are accessing a U.S. Government (USG) Information System (IS) that is
provided for USG-authorized use only. By using this IS (which includes any
device attached to this IS), you consent to the following conditions:
OR: Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.
OR: I've read & consent to terms in IS user agreem't.
|
An appropriate warning message reinforces policy awareness during the login process and facilitates possible legal action against attackers. | AC-8(a) AC-8(b) AC-8(c) |
|
CCE-26999-3 | Enable Randomized Layout of Virtual Address Space |
To set the runtime status of the kernel.randomize_va_space kernel parameter,
run the following command:
$ sudo sysctl -w kernel.randomize_va_space=2If this is not the system's default value, add the following line to /etc/sysctl.conf :
kernel.randomize_va_space = 2 |
Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques. | SC-30(2) |
|
CCE-27007-4 | Enable ExecShield |
To set the runtime status of the kernel.exec-shield kernel parameter,
run the following command:
$ sudo sysctl -w kernel.exec-shield=1If this is not the system's default value, add the following line to /etc/sysctl.conf :
kernel.exec-shield = 1 |
ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range. | SC-39 |
|
CCE-27001-7 | Disable Kernel Parameter for Sending ICMP Redirects by Default |
To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter,
run the following command:
$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.conf.default.send_redirects = 0 |
Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers. | AC-4 CM-7 SC-5 SC-7 |
|
CCE-27004-1 | Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces |
To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter,
run the following command:
$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.conf.all.send_redirects = 0 |
Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers. | CM-7 SC-5(1) |
|
CCE-26866-4 | Disable Kernel Parameter for IP Forwarding |
To set the runtime status of the net.ipv4.ip_forward kernel parameter,
run the following command:
$ sudo sysctl -w net.ipv4.ip_forward=0If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.ip_forward = 0 |
IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers. | CM-7 SC-5 |
|
CCE-27037-1 | Configure Kernel Parameter for Accepting Source-Routed Packets for All Interfaces |
To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter,
run the following command:
$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.conf.all.accept_source_route = 0 |
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required. | CM-7 SC-5 |
|
CCE-27027-2 | Configure Kernel Parameter for Accepting ICMP Redirects for All Interfaces |
To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter,
run the following command:
$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.conf.all.accept_redirects = 0 |
Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required. | CM-7 SC-5 |
|
CCE-26854-0 | Configure Kernel Parameter for Accepting Secure Redirects for All Interfaces |
To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter,
run the following command:
$ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.conf.all.secure_redirects = 0 |
Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required. | AC-4 CM-7 SC-5 |
|
CCE-27066-0 | Configure Kernel Parameter to Log Martian Packets |
To set the runtime status of the net.ipv4.conf.all.log_martians kernel parameter,
run the following command:
$ sudo sysctl -w net.ipv4.conf.all.log_martians=1If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.conf.all.log_martians = 1 |
The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. | AC-3(10) CM-7 SC-5(3) |
|
CCE-26983-7 | Configure Kernel Parameter for Accepting Source-Routed Packets By Default |
To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter,
run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.conf.default.accept_source_route = 0 |
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required. | AC-4 CM-7 SC-5 SC-7 |
|
CCE-26831-8 | Configure Kernel Parameter for Accepting Secure Redirects By Default |
To set the runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter,
run the following command:
$ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.conf.default.secure_redirects = 0 |
Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required. | AC-4 CM-7 SC-5 SC-7 |
|
CCE-27015-7 | Configure Kernel Parameter for Accepting ICMP Redirects By Default |
To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter,
run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.conf.default.accept_redirects = 0 |
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required. | AC-4 CM-7 SC-5 SC-7 |
|
CCE-26883-9 | Configure Kernel Parameter to Ignore ICMP Broadcast Echo Requests |
To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter,
run the following command:
$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.icmp_echo_ignore_broadcasts = 1 |
Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network. | CM-7 SC-5 |
|
CCE-26993-6 | Configure Kernel Parameter to Ignore Bogus ICMP Error Responses |
To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter,
run the following command:
$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.icmp_ignore_bogus_error_responses = 1 |
Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged. | CM-7 SC-5 |
|
CCE-27053-8 | Configure Kernel Parameter to Use TCP Syncookies |
To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter,
run the following command:
$ sudo sysctl -w net.ipv4.tcp_syncookies=1If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.tcp_syncookies = 1 |
A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests. | AC-4 SC-5(2) SC-5(3) |
|
CCE-26979-5 | Configure Kernel Parameter to Use Reverse Path Filtering for All Interfaces |
To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter,
run the following command:
$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.conf.all.rp_filter = 1 |
Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. | AC-4 SC-5 SC-7 |
|
CCE-26915-9 | Configure Kernel Parameter to Use Reverse Path Filtering by Default |
To set the runtime status of the net.ipv4.conf.default.rp_filter kernel parameter,
run the following command:
$ sudo sysctl -w net.ipv4.conf.default.rp_filter=1If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.conf.default.rp_filter = 1 |
Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. | AC-4 SC-5 SC-7 |
|
CCE-27153-6 | Disable IPv6 Networking Support Automatic Loading | To prevent the IPv6 kernel module (ipv6 ) from binding to the
IPv6 networking stack, add the following line to
/etc/modprobe.d/disabled.conf (or another file in
/etc/modprobe.d ):
options ipv6 disable=1This permits the IPv6 module to be loaded (and thus satisfy other modules that depend on it), while disabling support for the IPv6 protocol. |
Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the vulnerability to exploitation. | CM-7 |
|
CCE-27166-8 | Configure Accepting IPv6 Redirects |
To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter,
run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv6.conf.default.accept_redirects = 0 |
An illicit ICMP redirect message could result in a man-in-the-middle attack. | CM-7 |
|
CCE-27006-6 | Verify ip6tables Enabled if Using IPv6 |
The ip6tables service can be enabled with the following command:
$ sudo chkconfig --level 2345 ip6tables on |
The ip6tables service provides the system's host-based firewalling
capability for IPv6 and ICMPv6.
|
AC-4 CA-3(c) CM-7 |
|
CCE-27018-1 | Verify iptables Enabled |
The iptables service can be enabled with the following command:
$ sudo chkconfig --level 2345 iptables on |
The iptables service provides the system's host-based firewalling
capability for IPv4 and ICMP.
|
AC-4 CA-3(c) CM-7 |
|
CCE-26444-0 | Set Default iptables Policy for Incoming Packets | To set the default policy to DROP (instead of ACCEPT) for
the built-in INPUT chain which processes incoming packets,
add or correct the following line in
/etc/sysconfig/iptables :
:INPUT DROP [0:0] |
In iptables the default policy is applied only after all
the applicable rules in the table are examined for a match. Setting the
default policy to DROP implements proper design for a firewall, i.e.
any packets which are not explicitly permitted should not be
accepted. |
CM-7 |
|
CCE-27317-7 | Set Default ip6tables Policy for Incoming Packets | To set the default policy to DROP (instead of ACCEPT) for
the built-in INPUT chain which processes incoming packets,
add or correct the following line in
/etc/sysconfig/ip6tables :
:INPUT DROP [0:0]If changes were required, reload the ip6tables rules: $ sudo service ip6tables reload |
In ip6tables , the default policy is applied only after all
the applicable rules in the table are examined for a match. Setting the
default policy to DROP implements proper design for a firewall, i.e.
any packets which are not explicitly permitted should not be
accepted. |
CM-7 |
|
CCE-26448-1 | Disable DCCP Support |
The Datagram Congestion Control Protocol (DCCP) is a
relatively new transport layer protocol, designed to support
streaming media and telephony.
To configure the system to prevent the dccp
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d :
install dccp /bin/true |
Disabling DCCP protects the system against exploitation of any flaws in its implementation. | CM-7 |
|
CCE-26410-1 | Disable SCTP Support |
The Stream Control Transmission Protocol (SCTP) is a
transport layer protocol, designed to support the idea of
message-oriented communication, with several streams of messages
within one connection.
To configure the system to prevent the sctp
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d :
install sctp /bin/true |
Disabling SCTP protects the system against exploitation of any flaws in its implementation. | CM-7 |
|
CCE-26239-4 | Disable RDS Support |
The Reliable Datagram Sockets (RDS) protocol is a transport
layer protocol designed to provide reliable high- bandwidth,
low-latency communications between nodes in a cluster.
To configure the system to prevent the rds
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d :
install rds /bin/true |
Disabling RDS protects the system against exploitation of any flaws in its implementation. | CM-7 |
|
CCE-26696-5 | Disable TIPC Support |
The Transparent Inter-Process Communication (TIPC) protocol
is designed to provide communications between nodes in a
cluster.
To configure the system to prevent the tipc
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d :
install tipc /bin/true |
Disabling TIPC protects the system against exploitation of any flaws in its implementation. | CM-7 |
|
CCE-26809-4 | Ensure rsyslog is Installed |
Rsyslog is installed by default.
The rsyslog package can be installed with the following command:
$ sudo yum install rsyslog |
The rsyslog package provides the rsyslog daemon, which provides system logging services. | AU-9(2) |
|
CCE-26807-8 | Enable rsyslog Service | The rsyslog service provides syslog-style logging by default on Red Hat Enterprise Linux 6.
The rsyslog service can be enabled with the following command:
$ sudo chkconfig --level 2345 rsyslog on |
The rsyslog service must be running in order to provide
logging services, which are essential to system administration.
|
AU-12 |
|
CCE-26812-8 | Ensure Log Files Are Owned By Appropriate User | The owner of all log files written by
rsyslog should be root.
These log files are determined by the second part of each Rule line in
/etc/rsyslog.conf and typically all appear in /var/log .
For each log file LOGFILE referenced in /etc/rsyslog.conf ,
run the following command to inspect the file's owner:
$ ls -l LOGFILEIf the owner is not root , run the following command to
correct this:
$ sudo chown root LOGFILE |
The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access. | AC-6 SI-11 |
|
CCE-26821-9 | Ensure Log Files Are Owned By Appropriate Group | The group-owner of all log files written by
rsyslog should be root.
These log files are determined by the second part of each Rule line in
/etc/rsyslog.conf and typically all appear in /var/log .
For each log file LOGFILE referenced in /etc/rsyslog.conf ,
run the following command to inspect the file's group owner:
$ ls -l LOGFILEIf the owner is not root , run the following command to
correct this:
$ sudo chgrp root LOGFILE |
The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access. | AC-6 SI-11 |
|
CCE-27190-8 | Ensure System Log Files Have Correct Permissions | The file permissions for all log files written by
rsyslog should be set to 600, or more restrictive.
These log files are determined by the second part of each Rule line in
/etc/rsyslog.conf and typically all appear in /var/log .
For each log file LOGFILE referenced in /etc/rsyslog.conf ,
run the following command to inspect the file's permissions:
$ ls -l LOGFILEIf the permissions are not 600 or more restrictive, run the following command to correct this: $ sudo chmod 0600 LOGFILE |
Log files can contain valuable information regarding system configuration. If the system log files are not protected unauthorized users could change the logged data, eliminating their forensic value. | SI-11 |
|
CCE-26801-1 | Ensure Logs Sent To Remote Host |
To configure rsyslog to send logs to a remote log server,
open /etc/rsyslog.conf and read and understand the last section of the file,
which describes the multiple directives necessary to activate remote
logging.
Along with these other directives, the system can be configured
to forward its logs to a particular log server by
adding or correcting one of the following lines,
substituting loghost.example.com appropriately.
The choice of protocol depends on the environment of the system;
although TCP and RELP provide more reliable message delivery,
they may not be supported in all environments.
To use UDP for log message delivery: *.* @loghost.example.com To use TCP for log message delivery: *.* @@loghost.example.com To use RELP for log message delivery: *.* :omrelp:loghost.example.com |
A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise. | AU-3(2) AU-9 |
|
CCE-27014-0 | Ensure Logrotate Runs Periodically | The logrotate utility allows for the automatic rotation of
log files. The frequency of rotation is specified in /etc/logrotate.conf ,
which triggers a cron task. To configure logrotate to run daily, add or correct
the following line in /etc/logrotate.conf :
# rotate log files frequency daily |
Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full. | AU-9 |
|
CCE-27058-7 | Enable auditd Service | The auditd service is an essential userspace component of
the Linux Auditing System, as it is responsible for writing audit records to
disk.
The auditd service can be enabled with the following command:
$ sudo chkconfig --level 2345 auditd on |
Ensuring the auditd service is active ensures
audit records generated by the kernel can be written to disk, or that appropriate
actions will be taken if other obstacles exist.
|
AC-17(1) AU-1(b) AU-10 AU-12(a) AU-12(c) IR-5 |
|
CCE-26785-6 | Enable Auditing for Processes Which Start Prior to the Audit Daemon | To ensure all processes can be audited, even
those which start prior to the audit daemon, add the argument
audit=1 to the kernel line in /etc/grub.conf , in the manner below:
kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1 |
Each process on the system carries an "auditable" flag which
indicates whether its activities can be audited. Although auditd
takes care of enabling this for all processes which launch after it
does, adding the kernel argument ensures it is set for every
process during boot.
|
AC-17(1) AU-14(1) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-10 IR-5 |
|
CCE-27522-2 | Configure auditd Number of Logs Retained | Determine how many log files
auditd should retain when it rotates logs.
Edit the file /etc/audit/auditd.conf . Add or modify the following
line, substituting NUMLOGS with the correct value of :
num_logs = NUMLOGSSet the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation. |
The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained. | AU-1(b) AU-11 IR-5 |
|
CCE-27550-3 | Configure auditd Max Log File Size | Determine the amount of audit data (in megabytes)
which should be retained in each log file. Edit the file
/etc/audit/auditd.conf . Add or modify the following line, substituting
the correct value of for STOREMB:
max_log_file = STOREMBSet the value to 6 (MB) or higher for general-purpose systems.
Larger values, of course,
support retention of even more audit data. |
The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained. | AU-1(b) AU-11 IR-5 |
|
CCE-27237-7 | Configure auditd max_log_file_action Upon Reaching Maximum Log Size | The default action to take when the logs reach their maximum size
is to rotate the log files, discarding the oldest one. To configure the action taken
by auditd , add or correct the line in /etc/audit/auditd.conf :
max_log_file_action = ACTIONPossible values for ACTION are described in the auditd.conf man
page. These include:
ACTION to rotate to ensure log rotation
occurs. This is the default. The setting is case-insensitive.
|
Automatically rotating logs (by setting this to rotate )
minimizes the chances of the system unexpectedly running out of disk space by
being overwhelmed with log data. However, for systems that must never discard
log data, or which use external processes to transfer it and reclaim space,
keep_logs can be employed. |
AU-1(b) AU-4 AU-11 IR-5 |
|
CCE-27239-3 | Configure auditd admin_space_left Action on Low Disk Space | The auditd service can be configured to take an action
when disk space is running low but prior to running out of space completely.
Edit the file /etc/audit/auditd.conf . Add or modify the following line,
substituting ACTION appropriately:
admin_space_left_action = ACTIONSet this value to single to cause the system to switch to single-user
mode for corrective action. Acceptable values also include suspend and
halt . For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. Details regarding all possible values for ACTION are described in the
auditd.conf man page.
|
Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur. | AU-1(b) AU-4 AU-5(b) IR-5 |
|
CCE-26242-8 | Record attempts to alter time through adjtimex | On a 32-bit system, add the following to /etc/audit/audit.rules :
# audit_time_rules -a always,exit -F arch=b32 -S adjtimex -k audit_time_rulesOn a 64-bit system, add the following to /etc/audit/audit.rules :
# audit_time_rules -a always,exit -F arch=b64 -S adjtimex -k audit_time_rulesThe -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules |
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. | AC-3(10) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 |
|
CCE-27203-9 | Record attempts to alter time through settimeofday | On a 32-bit system, add the following to /etc/audit/audit.rules :
# audit_time_rules -a always,exit -F arch=b32 -S settimeofday -k audit_time_rulesOn a 64-bit system, add the following to /etc/audit/audit.rules :
# audit_time_rules -a always,exit -F arch=b64 -S settimeofday -k audit_time_rulesThe -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules |
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. | AC-3(10) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 |
|
CCE-27169-2 | Record Attempts to Alter Time Through stime | Add the following line to /etc/audit/audit.rules for both
32-bit and 64-bit systems:
# audit_time_rules -a always,exit -F arch=b32 -S stime -k audit_time_rulesSince the 64-bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64-bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32-bit and 64-bit systems). The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules |
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. | AC-3(10) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 |
|
CCE-27170-0 | Record Attempts to Alter Time Through clock_settime | On a 32-bit system, add the following to /etc/audit/audit.rules :
# time-change -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-changeOn a 64-bit system, add the following to /etc/audit/audit.rules :
# time-change -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-changeThe -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules |
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. | AC-3(10) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 |
|
CCE-27172-6 | Record Attempts to Alter the localtime File | Add the following to /etc/audit/audit.rules :
-w /etc/localtime -p wa -k audit_time_rulesThe -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used. |
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. | AC-3(10) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 |
|
CCE-26664-3 | Record Events that Modify User/Group Information | Add the following to /etc/audit/audit.rules , in order
to capture events that modify account changes:
# audit_rules_usergroup_modification -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification |
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. | AC-2(4) AC-3(10) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 |
|
CCE-26648-6 | Record Events that Modify the System's Network Environment | Add the following to /etc/audit/audit.rules , setting
ARCH to either b32 or b64 as appropriate for your system:
# audit_rules_networkconfig_modification -a always,exit -F arch=ARCH -S sethostname -S setdomainname -k audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification |
The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited. | AC-3(10) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 |
|
CCE-26657-7 | Record Events that Modify the System's Mandatory Access Controls | Add the following to /etc/audit/audit.rules :
-w /etc/selinux/ -p wa -k MAC-policy |
The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited. | AC-3(10) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 |
|
CCE-26280-8 | Record Events that Modify the System's Discretionary Access Controls - chmod | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules :
-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_modIf the system is 64 bit then also add the following: -a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | AC-3(10) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 |
|
CCE-27173-4 | Record Events that Modify the System's Discretionary Access Controls - chown | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules :
-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_modIf the system is 64 bit then also add the following: -a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | AC-3(10) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 |
|
CCE-27174-2 | Record Events that Modify the System's Discretionary Access Controls - fchmod | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules :
-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_modIf the system is 64 bit then also add the following: -a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | AC-3(10) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 |
|
CCE-27175-9 | Record Events that Modify the System's Discretionary Access Controls - fchmodat | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules :
-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_modIf the system is 64 bit then also add the following: -a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | AC-3(10) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 |
|
CCE-27177-5 | Record Events that Modify the System's Discretionary Access Controls - fchown | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules :
-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_modIf the system is 64 bit then also add the following: -a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | AC-3(10) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 |
|
CCE-27178-3 | Record Events that Modify the System's Discretionary Access Controls - fchownat | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules :
-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_modIf the system is 64 bit then also add the following: -a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | AC-3(10) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 |
|
CCE-27179-1 | Record Events that Modify the System's Discretionary Access Controls - fremovexattr | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules :
-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_modIf the system is 64 bit then also add the following: -a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | AC-3(10) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 |
|
CCE-27180-9 | Record Events that Modify the System's Discretionary Access Controls - fsetxattr | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules :
-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_modIf the system is 64 bit then also add the following: -a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | AC-3(10) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 |
|
CCE-27181-7 | Record Events that Modify the System's Discretionary Access Controls - lchown | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules :
-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_modIf the system is 64 bit then also add the following: -a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | AC-3(10) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 |
|
CCE-27182-5 | Record Events that Modify the System's Discretionary Access Controls - lremovexattr | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules :
-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_modIf the system is 64 bit then also add the following: -a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | AC-3(10) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 |
|
CCE-27183-3 | Record Events that Modify the System's Discretionary Access Controls - lsetxattr | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules :
-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_modIf the system is 64 bit then also add the following: -a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | AC-3(10) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 |
|
CCE-27184-1 | Record Events that Modify the System's Discretionary Access Controls - removexattr | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules :
-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_modIf the system is 64 bit then also add the following: -a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | AC-3(10) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 |
|
CCE-27185-8 | Record Events that Modify the System's Discretionary Access Controls - setxattr | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules :
-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_modIf the system is 64 bit then also add the following: -a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | AC-3(10) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 |
|
CCE-26712-0 | Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) | At a minimum the audit system should collect
unauthorized file accesses for all users and root. Add the following
to /etc/audit/audit.rules :
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k accessIf the system is 64 bit then also add the following: -a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access |
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. | AC-3(10) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 |
|
CCE-26457-2 | Ensure auditd Collects Information on the Use of Privileged Commands | At a minimum the audit system should collect the
execution of privileged commands for all users and root.
To find the relevant setuid / setgid programs, run the following command
for each local partition PART:
$ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/nullThen, for each setuid / setgid program on the system, add a line of the following form to /etc/audit/audit.rules , where
SETUID_PROG_PATH is the full path to each setuid / setgid program
in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged |
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. | AC-3(10)) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AC-6(9) AU-12(a) AU-12(c) IR-5 |
|
CCE-26573-6 | Ensure auditd Collects Information on Exporting to Media (successful) | At a minimum the audit system should collect media
exportation events for all users and root. Add the following to
/etc/audit/audit.rules , setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export |
The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss. | AC-3(10) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 |
|
CCE-26651-0 | Ensure auditd Collects File Deletion Events by User | At a minimum the audit system should collect file
deletion events for all users and root. Add the following to
/etc/audit/audit.rules , setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete |
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. | AC-3(10) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 |
|
CCE-26662-7 | Ensure auditd Collects System Administrator Actions | At a minimum the audit system should collect
administrator actions for all users and root. Add the following to
/etc/audit/audit.rules :
-w /etc/sudoers -p wa -k actions |
The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes. | AC-2(7)(b) AC-3(10) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 |
|
CCE-26611-4 | Ensure auditd Collects Information on Kernel Module Loading and Unloading | Add the following to /etc/audit/audit.rules in order
to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules |
The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. | AC-3(10) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 |
|
CCE-27046-2 | Disable xinetd Service |
The xinetd service can be disabled with the following command:
$ sudo chkconfig xinetd off |
The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself. | CM-7 |
|
CCE-27005-8 | Uninstall xinetd Package | The xinetd package can be uninstalled with the following command:
$ sudo yum erase xinetd |
Removing the xinetd package decreases the risk of the
xinetd service's accidental (or intentional) activation.
|
CM-7 |
|
CCE-27073-6 | Uninstall telnet-server Package | The telnet-server package can be uninstalled with
the following command:
$ sudo yum erase telnet-server |
Removing the telnet-server package decreases the risk of the
telnet service's accidental (or intentional) activation.
|
CM-7 |
|
CCE-26836-7 | Disable telnet Service |
The telnet service can be disabled with the following command:
$ sudo chkconfig telnet off |
The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks. | CM-7 IA-5(1)(c) |
|
CCE-27062-9 | Uninstall rsh-server Package | The rsh-server package can be uninstalled with
the following command:
$ sudo yum erase rsh-server |
The rsh-server package provides several obsolete and insecure
network services. Removing it
decreases the risk of those services' accidental (or intentional)
activation.
|
CM-7 |
|
CCE-26994-4 | Disable rsh Service | The rsh service, which is available with
the rsh-server package and runs as a service through xinetd,
should be disabled.
The rsh service can be disabled with the following command:
$ sudo chkconfig rsh off |
The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. | CM-7 IA-5(1)(c) |
|
CCE-27208-8 | Disable rexec Service | The rexec service, which is available with
the rsh-server package and runs as a service through xinetd,
should be disabled.
The rexec service can be disabled with the following command:
$ sudo chkconfig rexec off |
The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. | CM-7 |
|
CCE-26865-6 | Disable rlogin Service | The rlogin service, which is available with
the rsh-server package and runs as a service through xinetd,
should be disabled.
The rlogin service can be disabled with the following command:
$ sudo chkconfig rlogin off |
The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. | CM-7 IA-5(1)(c) |
|
CCE-27079-3 | Uninstall ypserv Package | The ypserv package can be uninstalled with
the following command:
$ sudo yum erase ypserv |
Removing the ypserv package decreases the risk of the
accidental (or intentional) activation of NIS or NIS+ services.
|
CM-7 |
|
CCE-26894-6 | Disable ypbind Service | The ypbind service, which allows the system to act as a client in
a NIS or NIS+ domain, should be disabled.
The ypbind service can be disabled with the following command:
$ sudo chkconfig ypbind off |
Disabling the ypbind service ensures the system is not acting
as a client in a NIS or NIS+ domain.
|
CM-7 |
|
CCE-26946-4 | Uninstall tftp-server Package |
The tftp-server package can be removed with the following command:
$ sudo yum erase tftp-server |
Removing the tftp-server package decreases the risk of the
accidental (or intentional) activation of tftp services.
|
CM-7 |
|
CCE-27055-3 | Disable tftp Service | The tftp service should be disabled.
The tftp service can be disabled with the following command:
$ sudo chkconfig tftp off |
Disabling the tftp service ensures the system is not acting
as a TFTP server, which does not provide encryption or authentication.
|
CM-7 |
|
CCE-27070-2 | Enable cron Service | The crond service is used to execute commands at
preconfigured times. It is required by almost all systems to perform necessary
maintenance tasks, such as notifying root of system activity.
The crond service can be enabled with the following command:
$ sudo chkconfig --level 2345 crond on |
Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential. | CM-7 |
|
CCE-27072-8 | Allow Only SSH Protocol 2 | Only SSH protocol version 2 connections should be
permitted. The default setting in
/etc/ssh/sshd_config is correct, and can be
verified by ensuring that the following
line appears:
Protocol 2 |
SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used. | AC-3(10) IA-5(1)(c) |
|
CCE-26919-1 | Set SSH Idle Timeout Interval | SSH allows administrators to set an idle timeout
interval.
After this interval has passed, the idle user will be
automatically logged out.
To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as
follows:
ClientAliveIntervalThe timeout interval is given in seconds. To have a timeout of 15 minutes, set interval to 900. If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle. |
Causing idle users to be automatically logged out guards against compromises one system leading trivially to compromises on another. | AC-2(5) SA-8 |
|
CCE-26282-4 | Set SSH Client Alive Count | To ensure the SSH idle timeout occurs precisely when the ClientAliveCountMax is set,
edit /etc/ssh/sshd_config as
follows:
ClientAliveCountMax 0 |
This ensures a user login will be terminated as soon as the ClientAliveCountMax
is reached.
|
AC-2(5) SA-8 |
|
CCE-27124-7 | Disable SSH Support for .rhosts Files | SSH can emulate the behavior of the obsolete rsh
command in allowing users to enable insecure access to their
accounts via .rhosts files.
To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config :
IgnoreRhosts yes |
SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. | AC-3 |
|
CCE-27091-8 | Disable Host-Based Authentication | SSH's cryptographic host-based authentication is
more secure than .rhosts authentication. However, it is
not recommended that hosts unilaterally trust one another, even
within an organization.
To disable host-based authentication, add or correct the following line in /etc/ssh/sshd_config :
HostbasedAuthentication no |
SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. | AC-3 |
|
CCE-27100-7 | Disable SSH Root Login | The root user should never be allowed to login to a
system directly over a network.
To disable root login via SSH, add or correct the following line
in /etc/ssh/sshd_config :
PermitRootLogin no |
Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on root's password. | AC-3 AC-6(2) IA-2(1) |
|
CCE-26887-0 | Disable SSH Access via Empty Passwords | To explicitly disallow remote login from accounts with
empty passwords, add or correct the following line in
/etc/ssh/sshd_config :
PermitEmptyPasswords noAny accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords. |
Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. | AC-3 |
|
CCE-27112-2 | Enable SSH Warning Banner |
To enable the warning banner and ensure it is consistent
across the system, add or correct the following line in /etc/ssh/sshd_config :
Banner /etc/issueAnother section contains information on how to create an appropriate system-wide warning banner. |
The warning message reinforces policy awareness during the login process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution. | AC-8(a) |
|
CCE-27201-3 | Do Not Allow SSH Environment Options | To ensure users are not able to present
environment options to the SSH daemon, add or correct the following line
in /etc/ssh/sshd_config :
PermitUserEnvironment no |
SSH environment options potentially allow users to bypass access restriction in some configurations. | ||
CCE-26555-3 | Use Only Approved Ciphers | Limit the ciphers to those algorithms which are FIPS-approved.
Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.
The following line in /etc/ssh/sshd_config
demonstrates use of FIPS-approved ciphers:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbcThe man page sshd_config(5) contains a list of supported ciphers.
|
Approved algorithms should impart some level of confidence in their implementation. These are also required for compliance. | AC-3 AC-17(2) SI-7 IA-5(1)(c) IA-7 |
|
CCE-27087-6 | Disable Avahi Server Software |
The avahi-daemon service can be disabled with the following command:
$ sudo chkconfig avahi-daemon off |
Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted. | CM-7 |
|
CCE-27093-4 | Enable the NTP Daemon |
The ntpd service can be enabled with the following command:
$ sudo chkconfig --level 2345 ntpd on |
Enabling the ntpd service ensures that the ntpd
service will be running and that the system will synchronize its time to
any servers specified. This is important whether the system is configured to be
a client (and synchronize only its own clock) or it is also acting as an NTP
server to other systems. Synchronizing time is essential for authentication
services such as Kerberos, but it is also important for maintaining accurate
logs and auditing possible security breaches.
The NTP daemon offers all of the functionality of ntpdate , which is now
deprecated. Additional information on this is available at
http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate |
AU-8(1) |
|
CCE-27098-3 | Specify a Remote NTP Server | To specify a remote NTP server for time synchronization, edit
the file /etc/ntp.conf . Add or correct the following lines,
substituting the IP or hostname of a remote NTP server for ntpserver:
server ntpserverThis instructs the NTP software to contact that remote server to obtain time data. |
Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events. | AU-8(1) |
|
CCE-26780-7 | Disable Postfix Network Listening |
Edit the file /etc/postfix/main.cf to ensure that only the following
inet_interfaces line appears:
inet_interfaces = localhost |
This ensures postfix accepts mail messages
(such as cron job reports) from the local system only,
and not from the network, which protects it from network attack.
|
CM-7 |
|
CCE-26690-8 | Configure LDAP Client to Use TLS For All Transactions | Configure LDAP to enforce TLS use. First, edit the file
/etc/pam_ldap.conf , and add or correct the following lines:
ssl start_tlsThen review the LDAP server and ensure TLS has been configured. |
The ssl directive specifies whether to use ssl or not. If not specified it will default to no. It should be set to start_tls rather than doing LDAP over SSL. | CM-7 |
|
CCE-27189-0 | Configure Certificate Directives for LDAP Use of TLS | Ensure a copy of a trusted CA certificate has been placed in
the file /etc/pki/tls/CA/cacert.pem . Configure LDAP to enforce TLS
use and to trust certificates signed by that CA. First, edit the file
/etc/pam_ldap.conf , and add or correct either of the following lines:
tls_cacertdir /etc/pki/tls/CAor tls_cacertfile /etc/pki/tls/CA/cacert.pemThen review the LDAP server and ensure TLS has been configured. |
The tls_cacertdir or tls_cacertfile directives are required when tls_checkpeer is configured (which is the default for openldap versions 2.1 and up). These directives define the path to the trust certificates signed by the site CA. | CM-7 |
|
CCE-26858-1 | Uninstall openldap-servers Package | The openldap-servers package should be removed if not in use.
Is this machine the OpenLDAP server? If not, remove the package.
$ sudo yum erase openldap-serversThe openldap-servers RPM is not installed by default on Red Hat Enterprise Linux 6 machines. It is needed only by the OpenLDAP server, not by the clients which use LDAP for authentication. If the system is not intended for use as an LDAP Server it should be removed. |
Unnecessary packages should not be installed to decrease the attack surface of the system. While this software is clearly essential on an LDAP server, it is not necessary on typical desktop or workstation systems. | CM-7 |
|
CCE-26828-4 | Set GNOME Login Inactivity Timeout |
Run the following command to set the idle time-out value for
inactivity in the GNOME desktop to minutes:
$ sudo gconftool-2 \ --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type int \ --set /desktop/gnome/session/idle_delay |
Setting the idle delay controls when the screensaver will start, and can be combined with screen locking to prevent access from passersby. | AC-11(a) |
|
CCE-26600-7 | GNOME Desktop Screensaver Mandatory Use |
Run the following command to activate the screensaver
in the GNOME desktop after a period of inactivity:
$ sudo gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/gnome-screensaver/idle_activation_enabled true |
Enabling idle activation of the screensaver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require the login session does not have administrator rights and the display station is located in a controlled-access area. | AC-11(a) |
|
CCE-26235-2 | Enable Screen Lock Activation After Idle Period |
Run the following command to activate locking of the screensaver
in the GNOME desktop when it is activated:
$ sudo gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/gnome-screensaver/lock_enabled true |
Enabling the activation of the screen lock after an idle period ensures password entry will be required in order to access the system, preventing access by passersby. | AC-11(a) |
|
CCE-26638-7 | Implement Blank Screensaver |
Run the following command to set the screensaver mode
in the GNOME desktop to a blank screen:
$ sudo gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type string \ --set /apps/gnome-screensaver/mode blank-only |
Setting the screensaver mode to blank-only conceals the contents of the display from passersby. | AC-11(b) |
|
CCE-27247-6 | Disable Automatic Bug Reporting Tool (abrtd) | The Automatic Bug Reporting Tool (abrtd ) daemon collects
and reports crash data when an application crash is detected. Using a variety
of plugins, abrtd can email crash reports to system administrators, log crash
reports to files, or forward crash reports to a centralized issue tracking
system such as RHTSupport.
The abrtd service can be disabled with the following command:
$ sudo chkconfig abrtd off |
Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the local machine, as well as sensitive information from within a process's address space or registers. | CM-7 |
|
CCE-27249-2 | Disable At Service (atd) | The at and batch commands can be used to
schedule tasks that are meant to be executed only once. This allows delayed
execution in a manner similar to cron, except that it is not
recurring. The daemon atd keeps track of tasks scheduled via
at and batch , and executes them at the specified time.
The atd service can be disabled with the following command:
$ sudo chkconfig atd off |
The atd service could be used by an unsophisticated insider to carry
out activities outside of a normal login session, which could complicate
accountability. Furthermore, the need to schedule tasks with at or
batch is not common.
|
CM-7 |
|
CCE-26976-1 | Disable the Automounter | The autofs daemon mounts and unmounts filesystems, such as user
home directories shared via NFS, on demand. In addition, autofs can be used to handle
removable media, and the default configuration provides the cdrom device as /misc/cd .
However, this method of providing access to removable media is not common, so autofs
can almost always be disabled if NFS is not in use. Even if NFS is required, it may be
possible to configure filesystem mounts statically by editing /etc/fstab
rather than relying on the automounter.
The autofs service can be disabled with the following command:
$ sudo chkconfig autofs off |
Disabling the automounter permits the administrator to
statically control filesystem mounting through /etc/fstab .
|
AC-19(a) AC-19(d) AC-19(e) |
|
CCE-27256-7 | Disable ntpdate Service (ntpdate) | The ntpdate service sets the local hardware clock by polling NTP servers
when the system boots. It synchronizes to the NTP servers listed in
/etc/ntp/step-tickers or /etc/ntp.conf
and then sets the local hardware clock to the newly synchronized
system time.
The ntpdate service can be disabled with the following command:
$ sudo chkconfig ntpdate off |
The ntpdate service may only be suitable for systems which
are rebooted frequently enough that clock drift does not cause problems between
reboots. In any event, the functionality of the ntpdate service is now
available in the ntpd program and should be considered deprecated. |
CM-7 |
|
CCE-27257-5 | Disable Odd Job Daemon (oddjobd) | The oddjobd service exists to provide an interface and
access control mechanism through which
specified privileged tasks can run tasks for unprivileged client
applications. Communication with oddjobd through the system message bus.
The oddjobd service can be disabled with the following command:
$ sudo chkconfig oddjobd off |
The oddjobd service may provide necessary functionality in
some environments, and can be disabled if it is not needed. Execution of
tasks by privileged programs, on behalf of unprivileged ones, has traditionally
been a source of privilege escalation security issues. |
CM-7 |
|
CCE-26928-2 | Disable Apache Qpid (qpidd) | The qpidd service provides high speed, secure,
guaranteed delivery services. It is an implementation of the Advanced Message
Queuing Protocol. By default the qpidd service will bind to port 5672 and
listen for connection attempts.
The qpidd service can be disabled with the following command:
$ sudo chkconfig qpidd off |
The qpidd service is automatically installed when the "base"
package selection is selected during installation. The qpidd service listens
for network connections, which increases the attack surface of the system. If
the system is not intended to receive AMQP traffic, then the qpidd
service is not needed and should be disabled or removed. |
CM-7 |
|
CCE-27261-7 | Disable Network Router Discovery Daemon (rdisc) | The rdisc service implements the client side of the ICMP
Internet Router Discovery Protocol (IRDP), which allows discovery of routers on
the local subnet. If a router is discovered then the local routing table is
updated with a corresponding default route. By default this daemon is disabled.
The rdisc service can be disabled with the following command:
$ sudo chkconfig rdisc off |
General-purpose systems typically have their network and routing information configured statically by a system administrator. Workstations or some special-purpose systems often use DHCP (instead of IRDP) to retrieve dynamic network configuration information. | AC-4 CM-7 |
|
CCE-27090-0 | Mount Remote Filesystems with nodev |
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
any NFS mounts.
|
Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users. | CM-7 MP-2 |
|
CCE-26972-0 | Mount Remote Filesystems with nosuid |
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
any NFS mounts.
|
NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem. | ||
CCE-27196-5 | Add noexec Option to Removable Media Partitions | The noexec mount option prevents the direct
execution of binaries on the mounted filesystem.
Preventing the direct execution of binaries from removable media (such as a USB
key) provides a defense against malicious software that may be present on such
untrusted media.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
any removable media partitions.
|
Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise. | AC-19(a) AC-19(d) AC-19(e) CM-7 MP-2 |
|
CCE-26328-5 | Require Client SMB Packet Signing, if using smbclient |
To require samba clients running smbclient to use
packet signing, add the following to the [global] section
of the Samba configuration file, /etc/samba/smb.conf :
client signing = mandatoryRequiring samba clients such as smbclient to use packet
signing ensures they can
only communicate with servers that support packet signing.
|
Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit. | ||
CCE-26792-2 | Require Client SMB Packet Signing, if using mount.cifs | Require packet signing of clients who mount Samba
shares using the mount.cifs program (e.g., those who specify shares
in /etc/fstab ). To do so, ensure signing options (either
sec=krb5i or sec=ntlmv2i ) are used.
See the mount.cifs(8) man page for more information. A Samba
client should only communicate with servers who can support SMB
packet signing.
|
Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit. | ||
CCE-26741-9 | Limit Password Reuse | Do not allow users to reuse recent passwords. This can be
accomplished by using the remember option for the pam_unix
or pam_pwhistory PAM modules. In the file
/etc/pam.d/system-auth , append remember=
to the line which refers to the pam_unix.so or
pam_pwhistory.so module, as shown below:
|
Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. | IA-5(f) IA-5(1)(e) |