Introduction

Test Result

Result ID Profile Start time End time Benchmark Benchmark version
xccdf_org.open-scap_testresult_usgcb-rhel6-server usgcb-rhel6-server 2014-10-23 11:44 2014-10-23 11:47 embedded 0.9

Target info

Targets

  • localhost.localdomain

Addresses

  • 127.0.0.1
  • 192.168.122.100
  • 0:0:0:0:0:0:0:1
  • fe80:0:0:0:5054:ff:fefd:7609

Applicable platforms

  • cpe:/o:redhat:enterprise_linux:6

Score

system score max % bar
urn:xccdf:scoring:default 60.90 100.00 60.90%

Results overview

Rule Results Summary

pass fixed fail error not selected not checked not applicable informational unknown total
90 61 55 11 176 4 0 0 2 399
Title Result
Ensure /tmp Located On Separate Partition pass
Ensure /var Located On Separate Partition pass
Ensure /var/log Located On Separate Partition pass
Ensure /var/log/audit Located On Separate Partition pass
Ensure /home Located On Separate Partition pass
Ensure Red Hat GPG Key Installed pass
Ensure gpgcheck Enabled In Main Yum Configuration pass
Ensure gpgcheck Enabled For All Yum Package Repositories pass
Ensure Software Patches Installed notchecked
Install AIDE pass
Verify and Correct File Permissions with RPM fail
Verify File Hashes with RPM pass
Add nodev Option to Non-Root Local Partitions fail
Add nodev Option to Removable Media Partitions fail
Add noexec Option to Removable Media Partitions fail
Add nosuid Option to Removable Media Partitions fail
Add nodev Option to /tmp fail
Add noexec Option to /tmp fail
Add nosuid Option to /tmp fail
Add nodev Option to /dev/shm fail
Add noexec Option to /dev/shm fail
Add nosuid Option to /dev/shm fail
Bind Mount /var/tmp To /tmp fail
Disable the Automounter error
Disable Mounting of cramfs fixed
Disable Mounting of freevxfs fixed
Disable Mounting of jffs2 fixed
Disable Mounting of hfs fixed
Disable Mounting of hfsplus fixed
Disable Mounting of squashfs fixed
Disable Mounting of udf fixed
Verify User Who Owns shadow File pass
Verify Group Who Owns shadow File pass
Verify Permissions on shadow File pass
Verify User Who Owns group File pass
Verify Group Who Owns group File pass
Verify Permissions on group File pass
Verify User Who Owns gshadow File pass
Verify Group Who Owns gshadow File pass
Verify Permissions on gshadow File pass
Verify User Who Owns passwd File pass
Verify Group Who Owns passwd File pass
Verify Permissions on passwd File pass
Verify that All World-Writable Directories Have Sticky Bits Set pass
Ensure No World-Writable Files Exist pass
Ensure All SGID Executables Are Authorized pass
Ensure All SUID Executables Are Authorized pass
Ensure All Files Are Owned by a User pass
Ensure All Files Are Owned by a Group pass
Ensure All World-Writable Directories Are Owned by a System Account pass
Set Daemon Umask fixed
Disable Core Dumps for All Users fixed
Disable Core Dumps for SUID programs fixed
Enable ExecShield fixed
Enable Randomized Layout of Virtual Address Space fixed
Install PAE Kernel on Supported 32-bit x86 Systems notchecked
Ensure SELinux Not Disabled in /etc/grub.conf pass
Ensure SELinux State is Enforcing pass
Configure SELinux Policy pass
Ensure No Daemons are Unconfined by SELinux notchecked
Ensure No Device Files are Unlabeled by SELinux pass
Restrict Virtual Console Root Logins fixed
Restrict Serial Port Root Logins pass
Verify Only Root Has UID 0 pass
Prevent Log In to Accounts With Empty Password fixed
Verify All Account Password Hashes are Shadowed pass
Set Password Minimum Length in login.defs fixed
Set Password Maximum Age fixed
Set Password Warning Age fixed
Set Account Expiration Following Inactivity fixed
Set Password Retry Prompts Permitted Per-Session pass
Set Password Strength Minimum Digit Characters fixed
Set Password Strength Minimum Uppercase Characters fixed
Set Password Strength Minimum Special Characters fixed
Set Password Strength Minimum Lowercase Characters fixed
Set Password Strength Minimum Different Characters fixed
Set Deny For Failed Password Attempts fixed
Limit Password Reuse fixed
Set Password Hashing Algorithm in /etc/pam.d/system-auth pass
Set Password Hashing Algorithm in /etc/login.defs pass
Ensure that Root's Path Does Not Include Relative Paths or Null Directories pass
Ensure that Root's Path Does Not Include World or Group-Writable Directories fail
Ensure that User Home Directories are not Group-Writable or World-Readable fail
Ensure the Default Bash Umask is Set Correctly fixed
Ensure the Default C Shell Umask is Set Correctly fixed
Ensure the Default Umask is Set Correctly in /etc/profile fixed
Ensure the Default Umask is Set Correctly in login.defs pass
Verify /etc/grub.conf User Ownership pass
Verify /etc/grub.conf Group Ownership pass
Verify /boot/grub/grub.conf Permissions pass
Set Boot Loader Password pass
Disable Interactive Boot fixed
Set GNOME Login Inactivity Timeout fail
GNOME Desktop Screensaver Mandatory Use fail
Enable Screen Lock Activation After Idle Period fail
Implement Blank Screensaver fail
Modify the System Login Banner fixed
Enable GUI Warning Banner fail
Disable Zeroconf Networking fixed
Disable Kernel Parameter for Sending ICMP Redirects by Default fixed
Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces fixed
Disable Kernel Parameter for IP Forwarding pass
Disable Kernel Parameter for Accepting ICMP Redirects for All Interfaces fixed
Disable Kernel Parameter for Accepting Secure Redirects for All Interfaces fixed
Enable Kernel Parameter to Log Martian Packets fixed
Disable Kernel Parameter for Accepting Source-Routed Packets By Default fixed
Disable Kernel Parameter for Accepting ICMP Redirects By Default fixed
Disable Kernel Parameter for Accepting Secure Redirects By Default fixed
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests fixed
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses fixed
Enable Kernel Parameter to Use TCP Syncookies fixed
Enable Kernel Parameter to Use Reverse Path Filtering for All Interfaces fixed
Enable Kernel Parameter to Use Reverse Path Filtering by Default fixed
Disable WiFi or Bluetooth in BIOS notchecked
Deactivate Wireless Network Interfaces pass
Disable Bluetooth Service error
Disable Bluetooth Kernel Modules fail
Disable IPv6 Networking Support Automatic Loading fail
Disable Support for RPC IPv6 fail
Disable Accepting IPv6 Router Advertisements fixed
Disable Accepting IPv6 Redirects fixed
Verify ip6tables Enabled if Using IPv6 pass
Verify iptables Enabled pass
Set Default iptables Policy for Incoming Packets fixed
Set Default iptables Policy for Forwarded Packets fixed
Disable DCCP Support fixed
Disable SCTP Support fixed
Disable RDS Support fixed
Disable TIPC Support fixed
Ensure rsyslog is Installed pass
Enable rsyslog Service pass
Ensure Log Files Are Owned By Appropriate User pass
Ensure Log Files Are Owned By Appropriate Group unknown
Ensure System Log Files Have Correct Permissions unknown
Ensure Logs Sent To Remote Host fail
Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server pass
Ensure Logrotate Runs Periodically pass
Enable auditd Service pass
Enable Auditing for Processes Which Start Prior to the Audit Daemon fixed
Record attempts to alter time through adjtimex fail
Record attempts to alter time through settimeofday fail
Record Attempts to Alter Time Through stime pass
Record Attempts to Alter Time Through clock_settime fail
Record Attempts to Alter the localtime File fail
Record Events that Modify User/Group Information fail
Record Events that Modify the System's Network Environment fail
Record Events that Modify the System's Mandatory Access Controls fail
Record Events that Modify the System's Discretionary Access Controls - chmod fail
Record Events that Modify the System's Discretionary Access Controls - chown fail
Record Events that Modify the System's Discretionary Access Controls - fchmod fail
Record Events that Modify the System's Discretionary Access Controls - fchmodat fail
Record Events that Modify the System's Discretionary Access Controls - fchown fail
Record Events that Modify the System's Discretionary Access Controls - fchownat fail
Record Events that Modify the System's Discretionary Access Controls - fremovexattr fail
Record Events that Modify the System's Discretionary Access Controls - fsetxattr fail
Record Events that Modify the System's Discretionary Access Controls - lchown fail
Record Events that Modify the System's Discretionary Access Controls - lremovexattr fail
Record Events that Modify the System's Discretionary Access Controls - lsetxattr fail
Record Events that Modify the System's Discretionary Access Controls - removexattr fail
Record Events that Modify the System's Discretionary Access Controls - setxattr fail
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) fail
Ensure auditd Collects Information on the Use of Privileged Commands fail
Ensure auditd Collects Information on Exporting to Media (successful) fail
Ensure auditd Collects File Deletion Events by User fail
Ensure auditd Collects System Administrator Actions fail
Ensure auditd Collects Information on Kernel Module Loading and Unloading fail
Make the auditd Configuration Immutable fail
Disable xinetd Service fail
Uninstall xinetd Package fixed
Disable telnet Service pass
Uninstall telnet-server Package pass
Uninstall rsh-server Package pass
Uninstall ypserv Package pass
Disable ypbind Service pass
Disable tftp Service pass
Uninstall tftp-server Package pass
Disable KDump Kernel Crash Analyzer (kdump) error
Disable Portreserve (portreserve) error
Disable Red Hat Network Service (rhnsd) error
Enable cron Service pass
Disable At Service (atd) error
Allow Only SSH Protocol 2 pass
Set SSH Idle Timeout Interval fixed
Set SSH Client Alive Count fixed
Disable SSH Support for .rhosts Files pass
Disable Host-Based Authentication pass
Disable SSH Root Login fixed
Disable SSH Access via Empty Passwords fixed
Enable SSH Warning Banner fixed
Do Not Allow SSH Environment Options fixed
Use Only Approved Ciphers fixed
Disable Avahi Server Software pass
Disable DHCP Service pass
Uninstall DHCP Server Package pass
Enable the NTP Daemon error
Specify a Remote NTP Server pass
Uninstall Sendmail Package pass
Disable Postfix Network Listening pass
Configure LDAP Client to Use TLS For All Transactions pass
Configure Certificate Directives for LDAP Use of TLS pass
Uninstall openldap-servers Package pass
Disable Network File System Lock Service (nfslock) error
Disable Secure RPC Client Service (rpcgssd) error
Disable RPC ID Mapping Service (rpcidmapd) error
Disable Network File Systems (netfs) error
Disable Secure RPC Server Service (rpcsvcgssd) pass
Mount Remote Filesystems with nodev pass
Mount Remote Filesystems with nosuid pass
Disable DNS Server pass
Uninstall bind Package pass
Disable vsftpd Service pass
Uninstall vsftpd Package pass
Disable httpd Service pass
Uninstall httpd Package fail
Disable Dovecot Service pass
Uninstall dovecot Package fail
Disable Samba pass
Require Client SMB Packet Signing, if using smbclient fail
Require Client SMB Packet Signing, if using mount.cifs pass
Disable Squid pass
Uninstall squid Package pass
Disable snmpd Service pass
Uninstall net-snmp Package fail

Results details

Result for Ensure /tmp Located On Separate Partition

Result: pass

Rule ID: partition_for_tmp

Time: 2014-10-23 11:44

Severity: low

The /tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.

The /tmp partition is used as temporary storage by many programs. Placing /tmp in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.

Security identifiers

  • CCE-26435-8

Result for Ensure /var Located On Separate Partition

Result: pass

Rule ID: partition_for_var

Time: 2014-10-23 11:44

Severity: low

The /var directory is used by daemons and other system services to store frequently-changing data. Ensure that /var has its own partition or logical volume at installation time, or migrate it using LVM.

Ensuring that /var is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the /var directory to contain world-writable directories installed by other software packages.

Security identifiers

  • CCE-26639-5

Result for Ensure /var/log Located On Separate Partition

Result: pass

Rule ID: partition_for_var_log

Time: 2014-10-23 11:44

Severity: low

System logs are stored in the /var/log directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM.

Placing /var/log in its own partition enables better separation between log files and other files in /var/.

Security identifiers

  • CCE-26215-4

Result for Ensure /var/log/audit Located On Separate Partition

Result: pass

Rule ID: partition_for_var_log_audit

Time: 2014-10-23 11:44

Severity: low

Audit logs are stored in the /var/log/audit directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.

Placing /var/log/audit in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.

Security identifiers

  • CCE-26436-6

Result for Ensure /home Located On Separate Partition

Result: pass

Rule ID: partition_for_home

Time: 2014-10-23 11:44

Severity: low

If user home directories will be stored locally, create a separate partition for /home at installation time (or migrate it later using LVM). If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.

Ensuring that /home is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.

Security identifiers

  • CCE-26557-9

Result for Ensure Red Hat GPG Key Installed

Result: pass

Rule ID: ensure_redhat_gpgkey_installed

Time: 2014-10-23 11:44

Severity: high

To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must properly be installed. To install the Red Hat GPG key, run:

$ sudo rhn_register
If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in /media/cdrom, use the following command as the root user to import it into the keyring:
$ sudo rpm --import /media/cdrom/RPM-GPG-KEY

The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat.

Security identifiers

  • CCE-26506-6

Result for Ensure gpgcheck Enabled In Main Yum Configuration

Result: pass

Rule ID: ensure_gpgcheck_globally_activated

Time: 2014-10-23 11:44

Severity: high

The gpgcheck option controls whether RPM packages' signatures are always checked prior to installation. To configure yum to check package signatures before installing them, ensure the following line appears in /etc/yum.conf in the [main] section:

gpgcheck=1

Ensuring the validity of packages' cryptographic signatures prior to installation ensures the authenticity of the software and protects against malicious tampering.

Security identifiers

  • CCE-26709-6

Result for Ensure gpgcheck Enabled For All Yum Package Repositories

Result: pass

Rule ID: ensure_gpgcheck_never_disabled

Time: 2014-10-23 11:44

Severity: high

To ensure signature checking is not disabled for any repos, remove any lines from files in /etc/yum.repos.d of the form:

gpgcheck=0

Ensuring all packages' cryptographic signatures are valid prior to installation ensures the authenticity of the software and protects against malicious tampering.

Security identifiers

  • CCE-26647-8

Result for Ensure Software Patches Installed

Result: notchecked

Rule ID: security_patches_up_to_date

Time: 2014-10-23 11:44

Severity: high

If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates:

$ sudo yum update
If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the Red Hat Network and installed using rpm.

Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities.

Security identifiers

  • CCE-27635-2

Result for Install AIDE

Result: pass

Rule ID: package_aide_installed

Time: 2014-10-23 11:44

Severity: medium

Install the AIDE package with the command:

$ sudo yum install aide

The AIDE package must be installed if it is to be available for integrity checking.

Security identifiers

  • CCE-27024-9

Remediation script

                yum -y install aide

              

Result for Verify and Correct File Permissions with RPM

Result: fail

Rule ID: rpm_verify_permissions

Time: 2014-10-23 11:46

Severity: low

The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. After locating a file with incorrect permissions, run the following command to determine which package owns it:

$ rpm -qf FILENAME
Next, run the following command to reset its permissions to the correct values:
$ sudo rpm --setperms PACKAGENAME

Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.

Security identifiers

  • CCE-26731-0

Result for Verify File Hashes with RPM

Result: pass

Rule ID: rpm_verify_hashes

Time: 2014-10-23 11:46

Severity: low

The RPM package management system can check the hashes of installed software packages, including many that are important to system security. Run the following command to list which files on the system have hashes that differ from what is expected by the RPM database:

$ rpm -Va | grep '^..5'
A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file was not expected to change, investigate the cause of the change using audit logs or other means. The package can then be reinstalled to restore the file. Run the following command to determine which package owns the file:
$ rpm -qf FILENAME
The package can be reinstalled from a yum repository using the command:
$ sudo yum reinstall PACKAGENAME
Alternatively, the package can be reinstalled from trusted media using the command:
$ sudo rpm -Uvh PACKAGENAME

The hashes of important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.

Security identifiers

  • CCE-27223-7

Result for Add nodev Option to Non-Root Local Partitions

Result: fail

Rule ID: mountopt_nodev_on_nonroot_partitions

Time: 2014-10-23 11:46

Severity: low

The nodev mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any non-root local partitions.

The nodev mount option prevents files from being interpreted as character or block devices. The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails, for which it is not advised to set nodev on these filesystems.

Security identifiers

  • CCE-27045-4

Result for Add nodev Option to Removable Media Partitions

Result: fail

Rule ID: mountopt_nodev_on_removable_partitions

Time: 2014-10-23 11:46

Severity: low

The nodev mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions.

The only legitimate location for device files is the /dev directory located on the root partition. An exception to this is chroot jails, and it is not advised to set nodev on partitions which contain their root filesystems.

Security identifiers

  • CCE-26860-7

Result for Add noexec Option to Removable Media Partitions

Result: fail

Rule ID: mount_option_noexec_removable_partitions

Time: 2014-10-23 11:46

Severity: low

The noexec mount option prevents the direct execution of binaries on the mounted filesystem. Preventing the direct execution of binaries from removable media (such as a USB key) provides a defense against malicious software that may be present on such untrusted media. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions.

Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise.

Security identifiers

  • CCE-27196-5

Result for Add nosuid Option to Removable Media Partitions

Result: fail

Rule ID: mountopt_nosuid_on_removable_partitions

Time: 2014-10-23 11:46

Severity: low

The nosuid mount option prevents set-user-identifier (SUID) and set-group-identifier (SGID) permissions from taking effect. These permissions allow users to execute binaries with the same permissions as the owner and group of the file respectively. Users should not be allowed to introduce SUID and SGID files into the system via partitions mounted from removeable media. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions.

The presence of SUID and SGID executables should be tightly controlled. Allowing users to introduce SUID or SGID binaries from partitions mounted off of removable media would allow them to introduce their own highly-privileged programs.

Security identifiers

  • CCE-27056-1

Result for Add nodev Option to /tmp

Result: fail

Rule ID: mount_option_tmp_nodev

Time: 2014-10-23 11:46

Severity: low

The nodev mount option can be used to prevent device files from being created in /tmp. Legitimate character and block devices should not exist within temporary directories like /tmp. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.

The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.

Security identifiers

  • CCE-26499-4

Result for Add noexec Option to /tmp

Result: fail

Rule ID: mount_option_tmp_noexec

Time: 2014-10-23 11:46

Severity: low

The noexec mount option can be used to prevent binaries from being executed out of /tmp. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.

Allowing users to execute binaries from world-writable directories such as /tmp should never be necessary in normal operation and can expose the system to potential compromise.

Security identifiers

  • CCE-26720-3

Result for Add nosuid Option to /tmp

Result: fail

Rule ID: mount_option_tmp_nosuid

Time: 2014-10-23 11:46

Severity: low

The nosuid mount option can be used to prevent execution of setuid programs in /tmp. The SUID and SGID permissions should not be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.

The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.

Security identifiers

  • CCE-26762-5

Result for Add nodev Option to /dev/shm

Result: fail

Rule ID: mount_option_dev_shm_nodev

Time: 2014-10-23 11:46

Severity: low

The nodev mount option can be used to prevent creation of device files in /dev/shm. Legitimate character and block devices should not exist within temporary directories like /dev/shm. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.

The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.

Security identifiers

  • CCE-26778-1

Result for Add noexec Option to /dev/shm

Result: fail

Rule ID: mount_option_dev_shm_noexec

Time: 2014-10-23 11:46

Severity: low

The noexec mount option can be used to prevent binaries from being executed out of /dev/shm. It can be dangerous to allow the execution of binaries from world-writable temporary storage directories such as /dev/shm. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.

Allowing users to execute binaries from world-writable directories such as /dev/shm can expose the system to potential compromise.

Security identifiers

  • CCE-26622-1

Result for Add nosuid Option to /dev/shm

Result: fail

Rule ID: mount_option_dev_shm_nosuid

Time: 2014-10-23 11:46

Severity: low

The nosuid mount option can be used to prevent execution of setuid programs in /dev/shm. The SUID and SGID permissions should not be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.

The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.

Security identifiers

  • CCE-26486-1

Result for Bind Mount /var/tmp To /tmp

Result: fail

Rule ID: mount_option_var_tmp_bind_var

Time: 2014-10-23 11:46

Severity: low

The /var/tmp directory is a world-writable directory. Bind-mount it to /tmp in order to consolidate temporary storage into one location protected by the same techniques as /tmp. To do so, edit /etc/fstab and add the following line:

/tmp     /var/tmp     none     rw,nodev,noexec,nosuid,bind     0 0
See the mount(8) man page for further explanation of bind mounting.

Having multiple locations for temporary storage is not required. Unless absolutely necessary to meet requirements, the storage location /var/tmp should be bind mounted to /tmp and thus share the same protections.

Security identifiers

  • CCE-26582-7

Result for Disable the Automounter

Result: error

Rule ID: service_autofs_disabled

Time: 2014-10-23 11:47

Severity: low

The autofs daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as /misc/cd. However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it may be possible to configure filesystem mounts statically by editing /etc/fstab rather than relying on the automounter.

The autofs service can be disabled with the following command:

# chkconfig autofs off

Disabling the automounter permits the administrator to statically control filesystem mounting through /etc/fstab.

Security identifiers

  • CCE-26976-1

Remediation script

                #
# Disable autofs for all run levels
#
chkconfig --level 0123456 autofs off

#
# Stop autofs if currently running
#
service autofs stop

              

Result for Disable Mounting of cramfs

Result: fixed

Rule ID: kernel_module_cramfs_disabled

Time: 2014-10-23 11:47

Severity: low

To configure the system to prevent the cramfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install cramfs /bin/false
This effectively prevents usage of this uncommon filesystem.

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

Security identifiers

  • CCE-26340-0

Remediation script

                echo "install cramfs /bin/false" > /etc/modprobe.d/cramfs.conf

              

Result for Disable Mounting of freevxfs

Result: fixed

Rule ID: kernel_module_freevxfs_disabled

Time: 2014-10-23 11:47

Severity: low

To configure the system to prevent the freevxfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install freevxfs /bin/false
This effectively prevents usage of this uncommon filesystem.

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

Security identifiers

  • CCE-26544-7

Remediation script

                echo "install freevxfs /bin/false" > /etc/modprobe.d/freevxfs.conf

              

Result for Disable Mounting of jffs2

Result: fixed

Rule ID: kernel_module_jffs2_disabled

Time: 2014-10-23 11:47

Severity: low

To configure the system to prevent the jffs2 kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install jffs2 /bin/false
This effectively prevents usage of this uncommon filesystem.

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

Security identifiers

  • CCE-26670-0

Remediation script

                echo "install jffs2 /bin/false" > /etc/modprobe.d/jffs2.conf

              

Result for Disable Mounting of hfs

Result: fixed

Rule ID: kernel_module_hfs_disabled

Time: 2014-10-23 11:47

Severity: low

To configure the system to prevent the hfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install hfs /bin/false
This effectively prevents usage of this uncommon filesystem.

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

Security identifiers

  • CCE-26800-3

Remediation script

                echo "install hfs /bin/false" > /etc/modprobe.d/hfs.conf

              

Result for Disable Mounting of hfsplus

Result: fixed

Rule ID: kernel_module_hfsplus_disabled

Time: 2014-10-23 11:47

Severity: low

To configure the system to prevent the hfsplus kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install hfsplus /bin/false
This effectively prevents usage of this uncommon filesystem.

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

Security identifiers

  • CCE-26361-6

Remediation script

                echo "install hfsplus /bin/false" > /etc/modprobe.d/hfsplus.conf

              

Result for Disable Mounting of squashfs

Result: fixed

Rule ID: kernel_module_squashfs_disabled

Time: 2014-10-23 11:47

Severity: low

To configure the system to prevent the squashfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install squashfs /bin/false
This effectively prevents usage of this uncommon filesystem.

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

Security identifiers

  • CCE-26404-4

Remediation script

                echo "install squashfs /bin/false" > /etc/modprobe.d/squashfs.conf

              

Result for Disable Mounting of udf

Result: fixed

Rule ID: kernel_module_udf_disabled

Time: 2014-10-23 11:47

Severity: low

To configure the system to prevent the udf kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install udf /bin/false
This effectively prevents usage of this uncommon filesystem.

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

Security identifiers

  • CCE-26677-5

Remediation script

                echo "install udf /bin/false" > /etc/modprobe.d/udf.conf

              

Result for Verify User Who Owns shadow File

Result: pass

Rule ID: userowner_shadow_file

Time: 2014-10-23 11:46

Severity: medium

To properly set the owner of /etc/shadow, run the command:

# chown root /etc/shadow 

The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.

Security identifiers

  • CCE-26947-2

Remediation script

                chown root /etc/shadow

              

Result for Verify Group Who Owns shadow File

Result: pass

Rule ID: groupowner_shadow_file

Time: 2014-10-23 11:46

Severity: medium

To properly set the group owner of /etc/shadow, run the command:

# chgrp root /etc/shadow 

The /etc/shadow file stores password hashes. Protection of this file is critical for system security.

Security identifiers

  • CCE-26967-0

Remediation script

                chgrp root /etc/shadow

              

Result for Verify Permissions on shadow File

Result: pass

Rule ID: file_permissions_etc_shadow

Time: 2014-10-23 11:46

Severity: medium

To properly set the permissions of /etc/shadow, run the command:

# chmod 0000 /etc/shadow

The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.

Security identifiers

  • CCE-26992-8

Remediation script

                chmod 0000 /etc/shadow

              

Result for Verify User Who Owns group File

Result: pass

Rule ID: file_owner_etc_group

Time: 2014-10-23 11:46

Severity: medium

To properly set the owner of /etc/group, run the command:

# chown root /etc/group 

The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

Security identifiers

  • CCE-26822-7

Remediation script

                chown root /etc/group

              

Result for Verify Group Who Owns group File

Result: pass

Rule ID: file_groupowner_etc_group

Time: 2014-10-23 11:46

Severity: medium

To properly set the group owner of /etc/group, run the command:

# chgrp root /etc/group 

The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

Security identifiers

  • CCE-26930-8

Remediation script

                chgrp root /etc/group

              

Result for Verify Permissions on group File

Result: pass

Rule ID: file_permissions_etc_group

Time: 2014-10-23 11:46

Severity: medium

To properly set the permissions of /etc/group, run the command:

# chmod 644 /etc/group

The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

Security identifiers

  • CCE-26954-8

Remediation script

                chmod 644 /etc/group

              

Result for Verify User Who Owns gshadow File

Result: pass

Rule ID: file_owner_etc_gshadow

Time: 2014-10-23 11:46

Severity: medium

To properly set the owner of /etc/gshadow, run the command:

# chown root /etc/gshadow 

The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.

Security identifiers

  • CCE-27026-4

Remediation script

                chown root /etc/gshadow

              

Result for Verify Group Who Owns gshadow File

Result: pass

Rule ID: file_groupowner_etc_gshadow

Time: 2014-10-23 11:46

Severity: medium

To properly set the group owner of /etc/gshadow, run the command:

# chgrp root /etc/gshadow 

The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.

Security identifiers

  • CCE-26975-3

Remediation script

                chgrp root /etc/gshadow

              

Result for Verify Permissions on gshadow File

Result: pass

Rule ID: file_permissions_etc_gshadow

Time: 2014-10-23 11:46

Severity: medium

To properly set the permissions of /etc/gshadow, run the command:

# chmod 0000 /etc/gshadow

The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.

Security identifiers

  • CCE-26951-4

Remediation script

                chmod 0000 /etc/gshadow

              

Result for Verify User Who Owns passwd File

Result: pass

Rule ID: file_owner_etc_passwd

Time: 2014-10-23 11:46

Severity: medium

To properly set the owner of /etc/passwd, run the command:

# chown root /etc/passwd 

The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security.

Security identifiers

  • CCE-26953-0

Remediation script

                chown root /etc/passwd

              

Result for Verify Group Who Owns passwd File

Result: pass

Rule ID: file_groupowner_etc_passwd

Time: 2014-10-23 11:46

Severity: medium

To properly set the group owner of /etc/passwd, run the command:

# chgrp root /etc/passwd 

The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security.

Security identifiers

  • CCE-26856-5

Remediation script

                chgrp root /etc/passwd

              

Result for Verify Permissions on passwd File

Result: pass

Rule ID: file_permissions_etc_passwd

Time: 2014-10-23 11:46

Severity: medium

To properly set the permissions of /etc/passwd, run the command:

# chmod 0644 /etc/passwd

If the /etc/passwd file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.

Security identifiers

  • CCE-26868-0

Remediation script

                chmod 0644 /etc/passwd

              

Result for Verify that All World-Writable Directories Have Sticky Bits Set

Result: pass

Rule ID: sticky_world_writable_dirs

Time: 2014-10-23 11:46

Severity: low

When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes.
To set the sticky bit on a world-writable directory DIR, run the following command:

$ sudo chmod +t DIR

Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure.

The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, by users for temporary file storage (such as /tmp), and for directories requiring global read/write access.

Security identifiers

  • CCE-26840-9

Remediation script

                df --local -P | awk {'if (NR!=1) print $6'} \
| xargs -I '{}' find '{}' -xdev -type d \
\( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \
| xargs chmod a+t

              

Result for Ensure No World-Writable Files Exist

Result: pass

Rule ID: world_writeable_files

Time: 2014-10-23 11:46

Severity: medium

It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account.

Data in world-writable files can be modified by any user on the system. In almost all circumstances, files can be configured using a combination of user and group permissions to support whatever legitimate access is needed without the risk caused by world-writable files.

Security identifiers

  • CCE-26910-0

Result for Ensure All SGID Executables Are Authorized

Result: pass

Rule ID: no_unpackaged_sgid_files

Time: 2014-10-23 11:46

Severity: low

The SGID (set group id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SGID files is determine if any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SGID files.

Executable files with the SGID permission run with the privileges of the owner of the file. SGID files of uncertain provenance could allow for unprivileged users to elevate privileges. The presence of these files should be strictly controlled on the system.

Security identifiers

  • CCE-26769-0

Result for Ensure All SUID Executables Are Authorized

Result: pass

Rule ID: no_unpackaged_suid_files

Time: 2014-10-23 11:47

Severity: low

The SUID (set user id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SGID files is determine if any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SUID files.

Executable files with the SUID permission run with the privileges of the owner of the file. SUID files of uncertain provenance could allow for unprivileged users to elevate privileges. The presence of these files should be strictly controlled on the system.

Security identifiers

  • CCE-26497-8

Result for Ensure All Files Are Owned by a User

Result: pass

Rule ID: no_files_unowned_by_user

Time: 2014-10-23 11:47

Severity: low

If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user.

Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed.

Security identifiers

  • CCE-27032-2

Result for Ensure All Files Are Owned by a Group

Result: pass

Rule ID: no_files_unowned_by_group

Time: 2014-10-23 11:47

Severity: low

If any files are not owned by a group, then the cause of their lack of group-ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate group.

Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed.

Security identifiers

  • CCE-26872-2

Result for Ensure All World-Writable Directories Are Owned by a System Account

Result: pass

Rule ID: world_writable_files_system_ownership

Time: 2014-10-23 11:47

Severity: low

All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group.

Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.

Security identifiers

  • CCE-26642-9

Result for Set Daemon Umask

Result: fixed

Rule ID: umask_for_daemons

Time: 2014-10-23 11:47

Severity: low

The file /etc/init.d/functions includes initialization parameters for most or all daemons started at boot time. The default umask of 022 prevents creation of group- or world-writable files. To set the default umask for daemons, edit the following line, inserting 022 or 027 for umask appropriately:

umask 027
Setting the umask to too restrictive a setting can cause serious errors at runtime. Many daemons on the system already individually restrict themselves to a umask of 077 in their own init scripts.

The umask influences the permissions assigned to files created by a process at run time. An unnecessarily permissive umask could result in files being created with insecure permissions.

Security identifiers

  • CCE-27031-4

Remediation script

                var_umask_for_daemons="027"
grep -q ^umask /etc/init.d/functions && \
  sed -i "s/umask.*/umask $var_umask_for_daemons/g" /etc/init.d/functions
if ! [ $? -eq 0 ]; then
    echo "umask $var_umask_for_daemons" >> /etc/init.d/functions
fi

              

Result for Disable Core Dumps for All Users

Result: fixed

Rule ID: disable_users_coredumps

Time: 2014-10-23 11:47

Severity: low

To disable core dumps for all users, add the following line to /etc/security/limits.conf:

*     hard   core    0

A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.

Security identifiers

  • CCE-27033-0

Remediation script

                echo "*     hard   core    0" >> /etc/security/limits.conf

              

Result for Disable Core Dumps for SUID programs

Result: fixed

Rule ID: sysctl_fs_suid_dumpable

Time: 2014-10-23 11:47

Severity: low

To set the runtime status of the fs.suid_dumpable kernel parameter, run the following command:

# sysctl -w fs.suid_dumpable=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
fs.suid_dumpable = 0

The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data.

Security identifiers

  • CCE-27044-7

Remediation script

                #
# Set runtime for fs.suid_dumpable
#
/sbin/sysctl -q -n -w fs.suid_dumpable=0

#
# If fs.suid_dumpable present in /etc/sysctl.conf, change value to "0"
#	else, add "fs.suid_dumpable = 0" to /etc/sysctl.conf
#
if grep --silent ^fs.suid_dumpable /etc/sysctl.conf ; then
	sed -i 's/^fs.suid_dumpable.*/fs.suid_dumpable = 0/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set fs.suid_dumpable to 0 per security requirements" >> /etc/sysctl.conf
	echo "fs.suid_dumpable = 0" >> /etc/sysctl.conf
fi

              

Result for Enable ExecShield

Result: fixed

Rule ID: sysctl_kernel_exec_shield

Time: 2014-10-23 11:47

Severity: medium

To set the runtime status of the kernel.exec-shield kernel parameter, run the following command:

# sysctl -w kernel.exec-shield=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
kernel.exec-shield = 1

ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range.

Security identifiers

  • CCE-27007-4

Remediation script

                #
# Set runtime for kernel.exec-shield
#
/sbin/sysctl -q -n -w kernel.exec-shield=1

#
# If kernel.exec-shield present in /etc/sysctl.conf, change value to "1"
#	else, add "kernel.exec-shield = 1" to /etc/sysctl.conf
#
if grep --silent ^kernel.exec-shield /etc/sysctl.conf ; then
	sed -i 's/^kernel.exec-shield.*/kernel.exec-shield = 1/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set kernel.exec-shield to 1 per security requirements" >> /etc/sysctl.conf
	echo "kernel.exec-shield = 1" >> /etc/sysctl.conf
fi

              

Result for Enable Randomized Layout of Virtual Address Space

Result: fixed

Rule ID: sysctl_kernel_randomize_va_space

Time: 2014-10-23 11:47

Severity: medium

To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:

# sysctl -w kernel.randomize_va_space=2
If this is not the system's default value, add the following line to /etc/sysctl.conf:
kernel.randomize_va_space = 2

Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.

Security identifiers

  • CCE-26999-3

Remediation script

                #
# Set runtime for kernel.randomize_va_space
#
/sbin/sysctl -q -n -w kernel.randomize_va_space=2

#
# If kernel.randomize_va_space present in /etc/sysctl.conf, change value to "2"
#	else, add "kernel.randomize_va_space = 2" to /etc/sysctl.conf
#
if grep --silent ^kernel.randomize_va_space /etc/sysctl.conf ; then
	sed -i 's/^kernel.randomize_va_space.*/kernel.randomize_va_space = 2/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set kernel.randomize_va_space to 2 per security requirements" >> /etc/sysctl.conf
	echo "kernel.randomize_va_space = 2" >> /etc/sysctl.conf
fi

              

Result for Install PAE Kernel on Supported 32-bit x86 Systems

Result: notchecked

Rule ID: install_PAE_kernel_on_x86-32

Time: 2014-10-23 11:47

Severity: low

Systems that are using the 64-bit x86 kernel package do not need to install the kernel-PAE package because the 64-bit x86 kernel already includes this support. However, if the system is 32-bit and also supports the PAE and NX features as determined in the previous section, the kernel-PAE package should be installed to enable XD or NX support:

$ sudo yum install kernel-PAE
The installation process should also have configured the bootloader to load the new kernel at boot. Verify this at reboot and modify /etc/grub.conf if necessary.

The kernel-PAE package should not be installed on older systems that do not support the XD or NX bit, as this may prevent them from booting.

On 32-bit systems that support the XD or NX bit, the vendor-supplied PAE kernel is required to enable either Execute Disable (XD) or No Execute (NX) support.

Security identifiers

  • CCE-27010-8

Result for Ensure SELinux Not Disabled in /etc/grub.conf

Result: pass

Rule ID: enable_selinux_bootloader

Time: 2014-10-23 11:47

Severity: medium

SELinux can be disabled at boot time by an argument in /etc/grub.conf. Remove any instances of selinux=0 from the kernel arguments in that file to prevent SELinux from being disabled at boot.

Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation.

Security identifiers

  • CCE-26956-3

Remediation script

                sed -i "s/selinux=0//gI" /etc/grub.conf
sed -i "s/enforcing=0//gI" /etc/grub.conf

              

Result for Ensure SELinux State is Enforcing

Result: pass

Rule ID: selinux_state

Time: 2014-10-23 11:47

Severity: medium

The SELinux state should be set to enforcing at system boot time. In the file /etc/selinux/config, add or correct the following line to configure the system to boot into enforcing mode:

SELINUX=enforcing

Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.

Security identifiers

  • CCE-26969-6

Remediation script

                var_selinux_state="enforcing"
grep -q ^SELINUX= /etc/selinux/config && \
  sed -i "s/SELINUX=.*/SELINUX=$var_selinux_state/g" /etc/selinux/config
if ! [ $? -eq 0 ]; then
    echo "SELINUX=$var_selinux_state" >> /etc/selinux/config
fi

              

Result for Configure SELinux Policy

Result: pass

Rule ID: selinux_policytype

Time: 2014-10-23 11:47

Severity: low

The SELinux targeted policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in /etc/selinux/config:

SELINUXTYPE=targeted
Other policies, such as mls, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.

Setting the SELinux policy to targeted or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services.

Security identifiers

  • CCE-26875-5

Remediation script

                var_selinux_policy_name="targeted"
grep -q ^SELINUXTYPE /etc/selinux/config && \
  sed -i "s/SELINUXTYPE=.*/SELINUXTYPE=$var_selinux_policy_name/g" /etc/selinux/config
if ! [ $? -eq 0 ]; then
    echo "SELINUXTYPE=$var_selinux_policy_name" >> /etc/selinux/config
fi

              

Result for Ensure No Daemons are Unconfined by SELinux

Result: notchecked

Rule ID: selinux_confinement_of_daemons

Time: 2014-10-23 11:47

Severity: medium

Daemons for which the SELinux policy does not contain rules will inherit the context of the parent process. Because daemons are launched during startup and descend from the init process, they inherit the initrc_t context.

To check for unconfined daemons, run the following command:

$ sudo ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
It should produce no output in a well-configured system.

Daemons which run with the initrc_t context may cause AVC denials, or allow privileges that the daemon does not require.

Security identifiers

  • CCE-27111-4

Result for Ensure No Device Files are Unlabeled by SELinux

Result: pass

Rule ID: selinux_all_devicefiles_labeled

Time: 2014-10-23 11:47

Severity: low

Device files, which are used for communication with important system resources, should be labeled with proper SELinux types. If any device files carry the SELinux type unlabeled_t, investigate the cause and correct the file's context.

If a device file carries the SELinux type unlabeled_t, then SELinux cannot properly restrict access to the device file.

Security identifiers

  • CCE-26774-0

Result for Restrict Virtual Console Root Logins

Result: fixed

Rule ID: securetty_root_login_console_only

Time: 2014-10-23 11:47

Severity: medium

To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in /etc/securetty:

vc/1
vc/2
vc/3
vc/4

Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account.

Security identifiers

  • CCE-26855-7

Remediation script

                sed -i '/^vc\//d' /etc/securetty

              

Result for Restrict Serial Port Root Logins

Result: pass

Rule ID: restrict_serial_port_logins

Time: 2014-10-23 11:47

Severity: low

To restrict root logins on serial ports, ensure lines of this form do not appear in /etc/securetty:

ttyS0
ttyS1

Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account.

Security identifiers

  • CCE-27047-0

Result for Verify Only Root Has UID 0

Result: pass

Rule ID: accounts_no_uid_except_zero

Time: 2014-10-23 11:47

Severity: medium

If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.

An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.

Security identifiers

  • CCE-26971-2

Remediation script

                awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd | xargs passwd -l

              

Result for Prevent Log In to Accounts With Empty Password

Result: fixed

Rule ID: no_empty_passwords

Time: 2014-10-23 11:47

Severity: high

If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.

If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.

Security identifiers

  • CCE-27038-9

Remediation script

                sed --follow-symlinks -i 's/\<nullok\>//g' /etc/pam.d/system-auth

              

Result for Verify All Account Password Hashes are Shadowed

Result: pass

Rule ID: accounts_password_all_shadowed

Time: 2014-10-23 11:47

Severity: medium

If any password hashes are stored in /etc/passwd (in the second field, instead of an x), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely.

The hashes for all user account passwords should be stored in the file /etc/shadow and never in /etc/passwd, which is readable by all users.

Security identifiers

  • CCE-26476-2

Result for Set Password Minimum Length in login.defs

Result: fixed

Rule ID: accounts_password_minlen_login_defs

Time: 2014-10-23 11:47

Severity: medium

To specify password length requirements for new accounts, edit the file /etc/login.defs and add or correct the following lines:

PASS_MIN_LEN 12


The DoD requirement is 14. The FISMA requirement is 12. If a program consults /etc/login.defs and also another PAM module (such as pam_cracklib) during a password change operation, then the most restrictive must be satisfied. See PAM section for more information about enforcing password quality requirements.

Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result.

Security identifiers

  • CCE-27002-5

Remediation script

                var_accounts_password_minlen_login_defs="12"
grep -q ^PASS_MIN_LEN /etc/login.defs && \
  sed -i "s/PASS_MIN_LEN.*/PASS_MIN_LEN     $var_accounts_password_minlen_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
    echo "PASS_MIN_LEN      $var_accounts_password_minlen_login_defs" >> /etc/login.defs
fi

              

Result for Set Password Maximum Age

Result: fixed

Rule ID: accounts_maximum_age_login_defs

Time: 2014-10-23 11:47

Severity: medium

To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line:

PASS_MAX_DAYS 60
A value of 180 days is sufficient for many environments. The DoD requirement is 60.

Setting the password maximum age ensures users are required to periodically change their passwords. This could possibly decrease the utility of a stolen password. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.

Security identifiers

  • CCE-26985-2

Remediation script

                var_accounts_maximum_age_login_defs="60"
grep -q ^PASS_MAX_DAYS /etc/login.defs && \
  sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS     $var_accounts_maximum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
    echo "PASS_MAX_DAYS      $var_accounts_maximum_age_login_defs" >> /etc/login.defs
fi

              

Result for Set Password Warning Age

Result: fixed

Rule ID: accounts_password_warn_age_login_defs

Time: 2014-10-23 11:47

Severity: low

To specify how many days prior to password expiration that a warning will be issued to users, edit the file /etc/login.defs and add or correct the following line:

PASS_WARN_AGE 14
The DoD requirement is 7.

Setting the password warning age enables users to make the change at a practical time.

Security identifiers

  • CCE-26988-6

Remediation script

                var_accounts_password_warn_age_login_defs="14"
grep -q ^PASS_WARN_AGE /etc/login.defs && \
  sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE     $var_accounts_password_warn_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
    echo "PASS_WARN_AGE      $var_accounts_password_warn_age_login_defs" >> /etc/login.defs
fi

              

Result for Set Account Expiration Following Inactivity

Result: fixed

Rule ID: account_disable_post_pw_expiration

Time: 2014-10-23 11:47

Severity: low

To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in /etc/default/useradd, substituting NUM_DAYS appropriately:

INACTIVE=NUM_DAYS
A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the useradd man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.

Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.

Security identifiers

  • CCE-27283-1

Remediation script

                var_account_disable_post_pw_expiration="30"
grep -q ^INACTIVE /etc/default/useradd && \
  sed -i "s/INACTIVE.*/INACTIVE=$var_account_disable_post_pw_expiration/g" /etc/default/useradd
if ! [ $? -eq 0 ]; then
    echo "INACTIVE=$var_account_disable_post_pw_expiration" >> /etc/default/useradd
fi

              

Result for Set Password Retry Prompts Permitted Per-Session

Result: pass

Rule ID: accounts_password_pam_retry

Time: 2014-10-23 11:47

Severity: low

To configure the number of retry prompts that are permitted per-session:

Edit the pam_cracklib.so statement in /etc/pam.d/system-auth to show retry=3, or a lower value if site policy is more restrictive.

The DoD requirement is a maximum of 3 prompts per session.

Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module.

Security identifiers

  • CCE-27123-9

Result for Set Password Strength Minimum Digit Characters

Result: fixed

Rule ID: accounts_password_pam_dcredit

Time: 2014-10-23 11:47

Severity: low

The pam_cracklib module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional length credit for each digit. Add dcredit=-1 after pam_cracklib.so to require use of a digit in passwords.

Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.

Security identifiers

  • CCE-26374-9

Remediation script

                var_password_pam_dcredit="-1"
if grep -q "dcredit=" /etc/pam.d/system-auth; then
	sed -i --follow-symlink "s/\(dcredit *= *\).*/\1$var_password_pam_dcredit/" /etc/pam.d/system-auth
else
	sed -i --follow-symlink "/pam_cracklib.so/ s/$/ dcredit=$var_password_pam_dcredit/" /etc/pam.d/system-auth
fi

              

Result for Set Password Strength Minimum Uppercase Characters

Result: fixed

Rule ID: accounts_password_pam_ucredit

Time: 2014-10-23 11:47

Severity: low

The pam_cracklib module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each uppercase character. Add ucredit=-1 after pam_cracklib.so to require use of an upper case character in passwords.

Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space.

Security identifiers

  • CCE-26601-5

Remediation script

                var_password_pam_ucredit="-1"
if grep -q "ucredit=" /etc/pam.d/system-auth; then   
	sed -i --follow-symlink "s/\(ucredit *= *\).*/\1$var_password_pam_ucredit/" /etc/pam.d/system-auth
else
	sed -i --follow-symlink "/pam_cracklib.so/ s/$/ ucredit=$var_password_pam_ucredit/" /etc/pam.d/system-auth
fi

              

Result for Set Password Strength Minimum Special Characters

Result: fixed

Rule ID: accounts_password_pam_ocredit

Time: 2014-10-23 11:47

Severity: low

The pam_cracklib module's ocredit= parameter controls requirements for usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each special character. Add ocredit=-1 after pam_cracklib.so to require use of a special character in passwords.

Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.

Security identifiers

  • CCE-26409-3

Remediation script

                var_password_pam_ocredit="-1"
if grep -q "ocredit=" /etc/pam.d/system-auth; then   
	sed -i --follow-symlink "s/\(ocredit *= *\).*/\1$var_password_pam_ocredit/" /etc/pam.d/system-auth
else
	sed -i --follow-symlink "/pam_cracklib.so/ s/$/ ocredit=$var_password_pam_ocredit/" /etc/pam.d/system-auth
fi

              

Result for Set Password Strength Minimum Lowercase Characters

Result: fixed

Rule ID: accounts_password_pam_lcredit

Time: 2014-10-23 11:47

Severity: low

The pam_cracklib module's lcredit= parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each lowercase character. Add lcredit=-1 after pam_cracklib.so to require use of a lowercase character in passwords.

Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.

Security identifiers

  • CCE-26631-2

Remediation script

                var_password_pam_lcredit="-1"
if grep -q "lcredit=" /etc/pam.d/system-auth; then   
	sed -i --follow-symlink "s/\(lcredit *= *\).*/\1$var_password_pam_lcredit/" /etc/pam.d/system-auth
else
	sed -i --follow-symlink "/pam_cracklib.so/ s/$/ lcredit=$var_password_pam_lcredit/" /etc/pam.d/system-auth
fi

              

Result for Set Password Strength Minimum Different Characters

Result: fixed

Rule ID: accounts_password_pam_difok

Time: 2014-10-23 11:47

Severity: low

The pam_cracklib module's difok parameter controls requirements for usage of different characters during a password change. Add difok=3 after pam_cracklib.so to require differing characters when changing passwords. The DoD requirement is 4.

Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however.

Security identifiers

  • CCE-26615-5

Remediation script

                var_password_pam_difok="3"
if grep -q "difok=" /etc/pam.d/system-auth; then   
	sed -i --follow-symlink "s/\(difok *= *\).*/\1$var_password_pam_difok/" /etc/pam.d/system-auth
else
	sed -i --follow-symlink "/pam_cracklib.so/ s/$/ difok=$var_password_pam_difok/" /etc/pam.d/system-auth
fi

              

Result for Set Deny For Failed Password Attempts

Result: fixed

Rule ID: accounts_passwords_pam_faillock_deny

Time: 2014-10-23 11:47

Severity: medium

To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

  • add the following line immediately before the pam_unix.so statement in the AUTH section:

    auth required pam_faillock.so preauth silent deny=5 unlock_time=604800 fail_interval=900

  • add the following line immediately after the pam_unix.so statement in the AUTH section:

    auth [default=die] pam_faillock.so authfail deny=5 unlock_time=604800 fail_interval=900

  • add the following line immediately before the pam_unix.so statement in the ACCOUNT section:

    account required pam_faillock.so

Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks.

Security identifiers

  • CCE-26844-1

Remediation script

                var_accounts_passwords_pam_faillock_deny="5"
AUTH_FILES[0]="/etc/pam.d/system-auth"
AUTH_FILES[1]="/etc/pam.d/password-auth"

for pamFile in "${AUTH_FILES[@]}"
do
	
	# pam_faillock.so already present?
	if grep -q "^auth.*pam_faillock.so.*" $pamFile; then

		# pam_faillock.so present, deny directive present?
		if grep -q "^auth.*[default=die].*pam_faillock.so.*authfail.*deny=" $pamFile; then

			# both pam_faillock.so & deny present, just correct deny directive value
			sed -i --follow-symlink "s/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\(deny *= *\).*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile
			sed -i --follow-symlink "s/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\(deny *= *\).*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile

		# pam_faillock.so present, but deny directive not yet
		else

			# append correct deny value to appropriate places
			sed -i --follow-symlink "/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile
			sed -i --follow-symlink "/^auth.*[default=die].*pam_faillock.so.*authfail.*/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile
		fi

	# pam_faillock.so not present yet
	else

		# insert pam_faillock.so preauth & authfail rows with proper value of the 'deny' option
		sed -i --follow-symlink "/^auth.*sufficient.*pam_unix.so.*/i auth        required      pam_faillock.so preauth silent deny=$var_accounts_passwords_pam_faillock_deny" $pamFile
		sed -i --follow-symlink "/^auth.*sufficient.*pam_unix.so.*/a auth        [default=die] pam_faillock.so authfail deny=$var_accounts_passwords_pam_faillock_deny" $pamFile
		sed -i --follow-symlink "/^account.*required.*pam_unix.so/i account     required      pam_faillock.so" $pamFile
	fi
done

              

Result for Limit Password Reuse

Result: fixed

Rule ID: accounts_password_pam_unix_remember

Time: 2014-10-23 11:47

Severity: medium

Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix PAM module. In the file /etc/pam.d/system-auth, append remember=24 to the line which refers to the pam_unix.so module, as shown:

password sufficient pam_unix.so existing_options remember=24
The DoD STIG requirement is 5 passwords.

Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.

Security identifiers

  • CCE-26741-9

Remediation script

                var_password_pam_unix_remember="24"
if grep -q "remember=" /etc/pam.d/system-auth; then   
	sed -i --follow-symlink "s/\(remember *= *\).*/\1$var_password_pam_unix_remember/" /etc/pam.d/system-auth
else
	sed -i --follow-symlink "/^password[[:space:]]\+sufficient[[:space:]]\+pam_unix.so/ s/$/ remember=$var_password_pam_unix_remember/" /etc/pam.d/system-auth
fi

              

Result for Set Password Hashing Algorithm in /etc/pam.d/system-auth

Result: pass

Rule ID: set_password_hashing_algorithm_systemauth

Time: 2014-10-23 11:47

Severity: medium

In /etc/pam.d/system-auth, the password section of the file controls which PAM modules execute during a password change. Set the pam_unix.so module in the password section to include the argument sha512, as shown below:

password    sufficient    pam_unix.so sha512 other arguments...
This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.

Using a stronger hashing algorithm makes password cracking attacks more difficult.

Security identifiers

  • CCE-26303-8

Remediation script

                if ! grep -q "^password.*sufficient.*pam_unix.so.*sha512" /etc/pam.d/system-auth; then   
	sed -i --follow-symlink "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" /etc/pam.d/system-auth
fi

              

Result for Set Password Hashing Algorithm in /etc/login.defs

Result: pass

Rule ID: set_password_hashing_algorithm_logindefs

Time: 2014-10-23 11:47

Severity: medium

In /etc/login.defs, add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm:

ENCRYPT_METHOD SHA512

Using a stronger hashing algorithm makes password cracking attacks more difficult.

Security identifiers

  • CCE-27228-6

Remediation script

                if grep --silent ^ENCRYPT_METHOD /etc/login.defs ; then
	sed -i 's/^ENCRYPT_METHOD.*/ENCRYPT_METHOD SHA512/g' /etc/login.defs
else
	echo "" >> /etc/login.defs
	echo "ENCRYPT_METHOD SHA512" >> /etc/login.defs
fi

              

Result for Ensure that Root's Path Does Not Include Relative Paths or Null Directories

Result: pass

Rule ID: root_path_no_dot

Time: 2014-10-23 11:47

Severity: low

Ensure that none of the directories in root's path is equal to a single . character, or that it contains any instances that lead to relative path traversal, such as .. or beginning a path without the slash (/) character. Also ensure that there are no "empty" elements in the path, such as in these examples:

PATH=:/bin
PATH=/bin:
PATH=/bin::/sbin
These empty elements have the same effect as a single . character.

Including these entries increases the risk that root could execute code from an untrusted location.

Security identifiers

  • CCE-26826-8

Result for Ensure that Root's Path Does Not Include World or Group-Writable Directories

Result: fail

Rule ID: root_path_no_groupother_writable

Time: 2014-10-23 11:47

Severity: low

For each element in root's path, run:

$ sudo ls -ld DIR
and ensure that write permissions are disabled for group and other.

Such entries increase the risk that root could execute code provided by unprivileged users, and potentially malicious code.

Security identifiers

  • CCE-26768-2

Result for Ensure that User Home Directories are not Group-Writable or World-Readable

Result: fail

Rule ID: homedir_perms_no_groupwrite_worldread

Time: 2014-10-23 11:47

Severity: low

For each human user of the system, view the permissions of the user's home directory:

$ sudo ls -ld /home/USER
Ensure that the directory is not group-writable and that it is not world-readable. If necessary, repair the permissions:
$ sudo chmod g-w /home/USER
$ sudo chmod o-rwx /home/USER

This action may involve modifying user home directories. Notify your user community, and solicit input if appropriate, before making this type of change.

User home directories contain many configuration files which affect the behavior of a user's account. No user should ever have write permission to another user's home directory. Group shared directories can be configured in sub-directories or elsewhere in the filesystem if they are needed. Typically, user home directories should not be world-readable, as it would disclose file names to other users. If a subset of users need read access to one another's home directories, this can be provided using groups or ACLs.

Security identifiers

  • CCE-26981-1

Result for Ensure the Default Bash Umask is Set Correctly

Result: fixed

Rule ID: accounts_umask_bashrc

Time: 2014-10-23 11:47

Severity: low

To ensure the default umask for users of the Bash shell is set properly, add or correct the umask setting in /etc/bashrc to read as follows:

umask 077

The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.

Security identifiers

  • CCE-26917-5

Remediation script

                var_accounts_user_umask="077"
grep -q umask /etc/bashrc && \
  sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/bashrc
if ! [ $? -eq 0 ]; then
    echo "umask $var_accounts_user_umask" >> /etc/bashrc
fi

              

Result for Ensure the Default C Shell Umask is Set Correctly

Result: fixed

Rule ID: accounts_umask_cshrc

Time: 2014-10-23 11:47

Severity: low

To ensure the default umask for users of the C shell is set properly, add or correct the umask setting in /etc/csh.cshrc to read as follows:

umask 077

The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.

Security identifiers

  • CCE-27034-8

Remediation script

                var_accounts_user_umask="077"
grep -q umask /etc/csh.cshrc && \
  sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/csh.cshrc
if ! [ $? -eq 0 ]; then
    echo "umask $var_accounts_user_umask" >> /etc/csh.cshrc
fi

              

Result for Ensure the Default Umask is Set Correctly in /etc/profile

Result: fixed

Rule ID: accounts_umask_etc_profile

Time: 2014-10-23 11:47

Severity: low

To ensure the default umask controlled by /etc/profile is set properly, add or correct the umask setting in /etc/profile to read as follows:

umask 077

The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.

Security identifiers

  • CCE-26669-2

Remediation script

                var_accounts_user_umask="077"
grep -q umask /etc/profile && \
  sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/profile
if ! [ $? -eq 0 ]; then
    echo "umask $var_accounts_user_umask" >> /etc/profile
fi

              

Result for Ensure the Default Umask is Set Correctly in login.defs

Result: pass

Rule ID: accounts_umask_login_defs

Time: 2014-10-23 11:47

Severity: low

To ensure the default umask controlled by /etc/login.defs is set properly, add or correct the UMASK setting in /etc/login.defs to read as follows:

UMASK 077

The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and written to by unauthorized users.

Security identifiers

  • CCE-26371-5

Remediation script

                var_accounts_user_umask="077"
grep -q UMASK /etc/login.defs && \
  sed -i "s/UMASK.*/UMASK $var_accounts_user_umask/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
    echo "UMASK $var_accounts_user_umask" >> /etc/login.defs
fi

              

Result for Verify /etc/grub.conf User Ownership

Result: pass

Rule ID: user_owner_grub_conf

Time: 2014-10-23 11:47

Severity: medium

The file /etc/grub.conf should be owned by the root user to prevent destruction or modification of the file. To properly set the owner of /etc/grub.conf, run the command:

# chown root /etc/grub.conf 

Only root should be able to modify important boot parameters.

Security identifiers

  • CCE-26995-1

Result for Verify /etc/grub.conf Group Ownership

Result: pass

Rule ID: group_owner_grub_conf

Time: 2014-10-23 11:47

Severity: medium

The file /etc/grub.conf should be group-owned by the root group to prevent destruction or modification of the file. To properly set the group owner of /etc/grub.conf, run the command:

# chgrp root /etc/grub.conf 

The root group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.

Security identifiers

  • CCE-27022-3

Result for Verify /boot/grub/grub.conf Permissions

Result: pass

Rule ID: permissions_grub_conf

Time: 2014-10-23 11:47

Severity: medium

File permissions for /boot/grub/grub.conf should be set to 600, which is the default. To properly set the permissions of /boot/grub/grub.conf, run the command:

# chmod 600 /boot/grub/grub.conf

Proper permissions ensure that only the root user can modify important boot parameters.

Security identifiers

  • CCE-26949-8

Result for Set Boot Loader Password

Result: pass

Rule ID: bootloader_password

Time: 2014-10-23 11:47

Severity: medium

The grub boot loader should have password protection enabled to protect boot-time settings. To do so, select a password and then generate a hash from it by running the following command:

$ grub-crypt --sha-512
When prompted to enter a password, insert the following line into /etc/grub.conf immediately after the header comments. (Use the output from grub-crypt as the value of password-hash):
password --encrypted password-hash
NOTE: To meet FISMA Moderate, the bootloader password MUST differ from the root password.

Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.

Security identifiers

  • CCE-26911-8

Result for Disable Interactive Boot

Result: fixed

Rule ID: disable_interactive_boot

Time: 2014-10-23 11:47

Severity: medium

To disable the ability for users to perform interactive startups, edit the file /etc/sysconfig/init. Add or correct the line:

PROMPT=no
The PROMPT option allows the console user to perform an interactive system startup, in which it is possible to select the set of services which are started on boot.

Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security.

Security identifiers

  • CCE-27043-9

Remediation script

                grep -q ^PROMPT /etc/sysconfig/init && \
  sed -i "s/PROMPT.*/PROMPT=no/g" /etc/sysconfig/init
if ! [ $? -eq 0 ]; then
    echo "PROMPT=no" >> /etc/sysconfig/init
fi

              

Result for Set GNOME Login Inactivity Timeout

Result: fail

Rule ID: set_screensaver_inactivity_timeout

Time: 2014-10-23 11:47

Severity: medium

Run the following command to set the idle time-out value for inactivity in the GNOME desktop to 15 minutes:

$ sudo gconftool-2 \
  --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type int \
  --set /desktop/gnome/session/idle_delay 15

Setting the idle delay controls when the screensaver will start, and can be combined with screen locking to prevent access from passersby.

Security identifiers

  • CCE-26828-4

Result for GNOME Desktop Screensaver Mandatory Use

Result: fail

Rule ID: enable_screensaver_after_idle

Time: 2014-10-23 11:47

Severity: medium

Run the following command to activate the screensaver in the GNOME desktop after a period of inactivity:

$ sudo gconftool-2 --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type bool \
  --set /apps/gnome-screensaver/idle_activation_enabled true

Enabling idle activation of the screensaver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require the login session does not have administrator rights and the display station is located in a controlled-access area.

Security identifiers

  • CCE-26600-7

Result for Enable Screen Lock Activation After Idle Period

Result: fail

Rule ID: enable_screensaver_password_lock

Time: 2014-10-23 11:47

Severity: medium

Run the following command to activate locking of the screensaver in the GNOME desktop when it is activated:

$ sudo gconftool-2 --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type bool \
  --set /apps/gnome-screensaver/lock_enabled true

Enabling the activation of the screen lock after an idle period ensures password entry will be required in order to access the system, preventing access by passersby.

Security identifiers

  • CCE-26235-2

Result for Implement Blank Screensaver

Result: fail

Rule ID: set_blank_screensaver

Time: 2014-10-23 11:47

Severity: low

Run the following command to set the screensaver mode in the GNOME desktop to a blank screen:

$ sudo gconftool-2 --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type string \
  --set /apps/gnome-screensaver/mode blank-only

Setting the screensaver mode to blank-only conceals the contents of the display from passersby.

Security identifiers

  • CCE-26638-7

Result for Modify the System Login Banner

Result: fixed

Rule ID: set_system_login_banner

Time: 2014-10-23 11:47

Severity: medium

To configure the system login banner:

Edit /etc/issue. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.


OR:

I've read & consent to terms in IS user agreem't.

An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.

Security identifiers

  • CCE-26974-6

Remediation script

                login_banner_text="
-- WARNING --[\s\n]*This system is for the use of authorized users only. Individuals[\s\n]*using this computer system without authority or in excess of their[\s\n]*authority are subject to having all their activities on this system[\s\n]*monitored and recorded by system personnel. Anyone using this[\s\n]*system expressly consents to such monitoring and is advised that[\s\n]*if such monitoring reveals possible evidence of criminal activity[\s\n]*system personal may provide the evidence of such monitoring to law[\s\n]*enforcement officials."
# There was a regular-expression matching various banners, needs to be expanded
expanded=$(echo "$login_banner_text" | sed 's/\[\\s\\n\][*+]/ /g;s/\\//g;')

cat <<EOF >/etc/issue
$expanded
EOF

              

Result for Enable GUI Warning Banner

Result: fail

Rule ID: enable_gdm_login_banner

Time: 2014-10-23 11:47

Severity: medium

To enable displaying a login warning banner in the GNOME Display Manager's login screen, run the following command:

$ sudo gconftool-2 --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type bool \
  --set /apps/gdm/simple-greeter/banner_message_enable true
To display a banner, this setting must be enabled and then banner text must also be set.

An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.

Security identifiers

  • CCE-27195-7

Result for Disable Zeroconf Networking

Result: fixed

Rule ID: network_disable_zeroconf

Time: 2014-10-23 11:47

Severity: low

Zeroconf networking allows the system to assign itself an IP address and engage in IP communication without a statically-assigned address or even a DHCP server. Automatic address assignment via Zeroconf (or DHCP) is not recommended. To disable Zeroconf automatic route assignment in the 169.254.0.0 subnet, add or correct the following line in /etc/sysconfig/network:

NOZEROCONF=yes

Zeroconf addresses are in the network 169.254.0.0. The networking scripts add entries to the system's routing table for these addresses. Zeroconf address assignment commonly occurs when the system is configured to use DHCP but fails to receive an address assignment from the DHCP server.

Security identifiers

  • CCE-27151-0

Remediation script

                echo "NOZEROCONF=yes" >> /etc/sysconfig/network

              

Result for Disable Kernel Parameter for Sending ICMP Redirects by Default

Result: fixed

Rule ID: sysctl_net_ipv4_conf_default_send_redirects

Time: 2014-10-23 11:47

Severity: medium

To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.default.send_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.default.send_redirects = 0

Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers.

Security identifiers

  • CCE-27001-7

Remediation script

                #
# Set runtime for net.ipv4.conf.default.send_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.default.send_redirects=0

#
# If net.ipv4.conf.default.send_redirects present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.conf.default.send_redirects = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.default.send_redirects /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.default.send_redirects.*/net.ipv4.conf.default.send_redirects = 0/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv4.conf.default.send_redirects to 0 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.conf
fi

              

Result for Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces

Result: fixed

Rule ID: sysctl_net_ipv4_conf_all_send_redirects

Time: 2014-10-23 11:47

Severity: medium

To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.all.send_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.all.send_redirects = 0

Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers.

Security identifiers

  • CCE-27004-1

Remediation script

                #
# Set runtime for net.ipv4.conf.all.send_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.all.send_redirects=0

#
# If net.ipv4.conf.all.send_redirects present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.conf.all.send_redirects = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.all.send_redirects /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.all.send_redirects.*/net.ipv4.conf.all.send_redirects = 0/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv4.conf.all.send_redirects to 0 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf
fi

              

Result for Disable Kernel Parameter for IP Forwarding

Result: pass

Rule ID: sysctl_ipv4_ip_forward

Time: 2014-10-23 11:47

Severity: medium

To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command:

# sysctl -w net.ipv4.ip_forward=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.ip_forward = 0

IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.

Security identifiers

  • CCE-26866-4

Result for Disable Kernel Parameter for Accepting ICMP Redirects for All Interfaces

Result: fixed

Rule ID: sysctl_net_ipv4_conf_all_accept_redirects

Time: 2014-10-23 11:47

Severity: medium

To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.all.accept_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.all.accept_redirects = 0

Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required.

Security identifiers

  • CCE-27027-2

Remediation script

                #
# Set runtime for net.ipv4.conf.all.accept_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_redirects=0

#
# If net.ipv4.conf.all.accept_redirects present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.conf.all.accept_redirects = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.all.accept_redirects /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.all.accept_redirects.*/net.ipv4.conf.all.accept_redirects = 0/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv4.conf.all.accept_redirects to 0 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
fi

              

Result for Disable Kernel Parameter for Accepting Secure Redirects for All Interfaces

Result: fixed

Rule ID: sysctl_net_ipv4_conf_all_secure_redirects

Time: 2014-10-23 11:47

Severity: medium

To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.all.secure_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.all.secure_redirects = 0

Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

Security identifiers

  • CCE-26854-0

Remediation script

                #
# Set runtime for net.ipv4.conf.all.secure_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.all.secure_redirects=0

#
# If net.ipv4.conf.all.secure_redirects present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.conf.all.secure_redirects = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.all.secure_redirects /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.all.secure_redirects.*/net.ipv4.conf.all.secure_redirects = 0/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv4.conf.all.secure_redirects to 0 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.conf
fi

              

Result for Enable Kernel Parameter to Log Martian Packets

Result: fixed

Rule ID: sysctl_net_ipv4_conf_all_log_martians

Time: 2014-10-23 11:47

Severity: low

To set the runtime status of the net.ipv4.conf.all.log_martians kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.all.log_martians=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.all.log_martians = 1

The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.

Security identifiers

  • CCE-27066-0

Remediation script

                #
# Set runtime for net.ipv4.conf.all.log_martians
#
/sbin/sysctl -q -n -w net.ipv4.conf.all.log_martians=1

#
# If net.ipv4.conf.all.log_martians present in /etc/sysctl.conf, change value to "1"
#	else, add "net.ipv4.conf.all.log_martians = 1" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.all.log_martians /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.all.log_martians.*/net.ipv4.conf.all.log_martians = 1/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv4.conf.all.log_martians to 1 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.conf.all.log_martians = 1" >> /etc/sysctl.conf
fi

              

Result for Disable Kernel Parameter for Accepting Source-Routed Packets By Default

Result: fixed

Rule ID: sysctl_net_ipv4_conf_default_accept_source_route

Time: 2014-10-23 11:47

Severity: medium

To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.default.accept_source_route=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.default.accept_source_route = 0

Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Security identifiers

  • CCE-26983-7

Remediation script

                #
# Set runtime for net.ipv4.conf.default.accept_source_route
#
/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_source_route=0

#
# If net.ipv4.conf.default.accept_source_route present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.conf.default.accept_source_route = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.default.accept_source_route /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.default.accept_source_route.*/net.ipv4.conf.default.accept_source_route = 0/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv4.conf.default.accept_source_route to 0 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
fi

              

Result for Disable Kernel Parameter for Accepting ICMP Redirects By Default

Result: fixed

Rule ID: sysctl_net_ipv4_conf_default_accept_redirects

Time: 2014-10-23 11:47

Severity: low

To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.default.accept_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.default.accept_redirects = 0

This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Security identifiers

  • CCE-27015-7

Remediation script

                #
# Set runtime for net.ipv4.conf.default.accept_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_redirects=0

#
# If net.ipv4.conf.default.accept_redirects present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.conf.default.accept_redirects = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.default.accept_redirects /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.default.accept_redirects.*/net.ipv4.conf.default.accept_redirects = 0/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv4.conf.default.accept_redirects to 0 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.conf
fi

              

Result for Disable Kernel Parameter for Accepting Secure Redirects By Default

Result: fixed

Rule ID: sysctl_net_ipv4_conf_default_secure_redirects

Time: 2014-10-23 11:47

Severity: medium

To set the runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.default.secure_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.default.secure_redirects = 0

Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

Security identifiers

  • CCE-26831-8

Remediation script

                #
# Set runtime for net.ipv4.conf.default.secure_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.default.secure_redirects=0

#
# If net.ipv4.conf.default.secure_redirects present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.conf.default.secure_redirects = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.default.secure_redirects /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.default.secure_redirects.*/net.ipv4.conf.default.secure_redirects = 0/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv4.conf.default.secure_redirects to 0 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.conf
fi

              

Result for Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests

Result: fixed

Rule ID: sysctl_net_ipv4_icmp_echo_ignore_broadcasts

Time: 2014-10-23 11:47

Severity: low

To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command:

# sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.icmp_echo_ignore_broadcasts = 1

Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.

Security identifiers

  • CCE-26883-9

Remediation script

                #
# Set runtime for net.ipv4.icmp_echo_ignore_broadcasts
#
/sbin/sysctl -q -n -w net.ipv4.icmp_echo_ignore_broadcasts=1

#
# If net.ipv4.icmp_echo_ignore_broadcasts present in /etc/sysctl.conf, change value to "1"
#	else, add "net.ipv4.icmp_echo_ignore_broadcasts = 1" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.icmp_echo_ignore_broadcasts.*/net.ipv4.icmp_echo_ignore_broadcasts = 1/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv4.icmp_echo_ignore_broadcasts to 1 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" >> /etc/sysctl.conf
fi

              

Result for Enable Kernel Parameter to Ignore Bogus ICMP Error Responses

Result: fixed

Rule ID: sysctl_net_ipv4_icmp_ignore_bogus_error_responses

Time: 2014-10-23 11:47

Severity: low

To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command:

# sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.icmp_ignore_bogus_error_responses = 1

Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.

Security identifiers

  • CCE-26993-6

Remediation script

                #
# Set runtime for net.ipv4.icmp_ignore_bogus_error_responses
#
/sbin/sysctl -q -n -w net.ipv4.icmp_ignore_bogus_error_responses=1

#
# If net.ipv4.icmp_ignore_bogus_error_responses present in /etc/sysctl.conf, change value to "1"
#	else, add "net.ipv4.icmp_ignore_bogus_error_responses = 1" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.icmp_ignore_bogus_error_responses /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.icmp_ignore_bogus_error_responses.*/net.ipv4.icmp_ignore_bogus_error_responses = 1/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv4.icmp_ignore_bogus_error_responses to 1 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.conf
fi

              

Result for Enable Kernel Parameter to Use TCP Syncookies

Result: fixed

Rule ID: sysctl_net_ipv4_tcp_syncookies

Time: 2014-10-23 11:47

Severity: medium

To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command:

# sysctl -w net.ipv4.tcp_syncookies=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.tcp_syncookies = 1

A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.

Security identifiers

  • CCE-27053-8

Remediation script

                #
# Set runtime for net.ipv4.tcp_syncookies
#
/sbin/sysctl -q -n -w net.ipv4.tcp_syncookies=1

#
# If net.ipv4.tcp_syncookies present in /etc/sysctl.conf, change value to "1"
#	else, add "net.ipv4.tcp_syncookies = 1" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.tcp_syncookies /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.tcp_syncookies.*/net.ipv4.tcp_syncookies = 1/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv4.tcp_syncookies to 1 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
fi

              

Result for Enable Kernel Parameter to Use Reverse Path Filtering for All Interfaces

Result: fixed

Rule ID: sysctl_net_ipv4_conf_all_rp_filter

Time: 2014-10-23 11:47

Severity: medium

To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.all.rp_filter=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.all.rp_filter = 1

Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.

Security identifiers

  • CCE-26979-5

Remediation script

                #
# Set runtime for net.ipv4.conf.all.rp_filter
#
/sbin/sysctl -q -n -w net.ipv4.conf.all.rp_filter=1

#
# If net.ipv4.conf.all.rp_filter present in /etc/sysctl.conf, change value to "1"
#	else, add "net.ipv4.conf.all.rp_filter = 1" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.all.rp_filter /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.all.rp_filter.*/net.ipv4.conf.all.rp_filter = 1/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv4.conf.all.rp_filter to 1 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf
fi

              

Result for Enable Kernel Parameter to Use Reverse Path Filtering by Default

Result: fixed

Rule ID: sysctl_net_ipv4_conf_default_rp_filter

Time: 2014-10-23 11:47

Severity: medium

To set the runtime status of the net.ipv4.conf.default.rp_filter kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.default.rp_filter=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.default.rp_filter = 1

Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.

Security identifiers

  • CCE-26915-9

Remediation script

                #
# Set runtime for net.ipv4.conf.default.rp_filter
#
/sbin/sysctl -q -n -w net.ipv4.conf.default.rp_filter=1

#
# If net.ipv4.conf.default.rp_filter present in /etc/sysctl.conf, change value to "1"
#	else, add "net.ipv4.conf.default.rp_filter = 1" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.default.rp_filter /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.default.rp_filter.*/net.ipv4.conf.default.rp_filter = 1/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv4.conf.default.rp_filter to 1 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.conf
fi

              

Result for Disable WiFi or Bluetooth in BIOS

Result: notchecked

Rule ID: wireless_disable_in_bios

Time: 2014-10-23 11:47

Severity: low

Some systems that include built-in wireless support offer the ability to disable the device through the BIOS. This is system-specific; consult your hardware manual or explore the BIOS setup during boot.

Disabling wireless support in the BIOS prevents easy activation of the wireless interface, generally requiring administrators to reboot the system first.

Security identifiers

  • CCE-26878-9

Result for Deactivate Wireless Network Interfaces

Result: pass

Rule ID: deactivate_wireless_interfaces

Time: 2014-10-23 11:47

Severity: low

Deactivating wireless network interfaces should prevent normal usage of the wireless capability.

First, identify the interfaces available with the command:

$ ifconfig -a
Additionally, the following command may be used to determine whether wireless support is included for a particular interface, though this may not always be a clear indicator:
$ iwconfig
After identifying any wireless interfaces (which may have names like wlan0, ath0, wifi0, em1 or eth0), deactivate the interface with the command:
$ sudo ifdown interface
These changes will only last until the next reboot. To disable the interface for future boots, remove the appropriate interface file from /etc/sysconfig/network-scripts:
$ sudo rm /etc/sysconfig/network-scripts/ifcfg-interface

Wireless networking allows attackers within physical proximity to launch network-based attacks against systems, including those against local LAN protocols which were not designed with security in mind.

Security identifiers

  • CCE-27057-9

Result for Disable Bluetooth Service

Result: error

Rule ID: service_bluetooth_disabled

Time: 2014-10-23 11:47

Severity: medium

The bluetooth service can be disabled with the following command:

# chkconfig bluetooth off
$ sudo service bluetooth stop

Disabling the bluetooth service prevents the system from attempting connections to Bluetooth devices, which entails some security risk. Nevertheless, variation in this risk decision may be expected due to the utility of Bluetooth connectivity and its limited range.

Security identifiers

  • CCE-27081-9

Remediation script

                #
# Disable bluetooth for all run levels
#
chkconfig --level 0123456 bluetooth off

#
# Stop bluetooth if currently running
#
service bluetooth stop

              

Result for Disable Bluetooth Kernel Modules

Result: fail

Rule ID: kernel_module_bluetooth_disabled

Time: 2014-10-23 11:47

Severity: medium

The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate /etc/modprobe.d configuration file to prevent the loading of the Bluetooth module:

install net-pf-31 /bin/false
install bluetooth /bin/false

If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.

Security identifiers

  • CCE-26763-3

Result for Disable IPv6 Networking Support Automatic Loading

Result: fail

Rule ID: kernel_module_ipv6_option_disabled

Time: 2014-10-23 11:47

Severity: medium

To prevent the IPv6 kernel module (ipv6) from loading the IPv6 networking stack, add the following line to /etc/modprobe.d/disabled.conf (or another file in /etc/modprobe.d):

options ipv6 disable=1
This permits the IPv6 module to be loaded (and thus satisfy other modules that depend on it), while disabling support for the IPv6 protocol.

Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the vulnerability to exploitation.

Security identifiers

  • CCE-27153-6

Result for Disable Support for RPC IPv6

Result: fail

Rule ID: network_ipv6_disable_rpc

Time: 2014-10-23 11:47

Severity: low

RPC services for NFSv4 try to load transport modules for udp6 and tcp6 by default, even if IPv6 has been disabled in /etc/modprobe.d. To prevent RPC services such as rpc.mountd from attempting to start IPv6 network listeners, remove or comment out the following two lines in /etc/netconfig:

udp6       tpi_clts      v     inet6    udp     -       -
tcp6       tpi_cots_ord  v     inet6    tcp     -       -

Security identifiers

  • CCE-27232-8

Result for Disable Accepting IPv6 Router Advertisements

Result: fixed

Rule ID: sysctl_net_ipv6_conf_default_accept_ra

Time: 2014-10-23 11:47

Severity: low

To set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter, run the following command:

# sysctl -w net.ipv6.conf.default.accept_ra=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv6.conf.default.accept_ra = 0

An illicit router advertisement message could result in a man-in-the-middle attack.

Security identifiers

  • CCE-27164-3

Remediation script

                #
# Set runtime for net.ipv6.conf.default.accept_ra
#
/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra=0

#
# If net.ipv6.conf.default.accept_ra present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv6.conf.default.accept_ra = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv6.conf.default.accept_ra /etc/sysctl.conf ; then
	sed -i 's/^net.ipv6.conf.default.accept_ra.*/net.ipv6.conf.default.accept_ra = 0/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv6.conf.default.accept_ra to 0 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv6.conf.default.accept_ra = 0" >> /etc/sysctl.conf
fi

              

Result for Disable Accepting IPv6 Redirects

Result: fixed

Rule ID: sysctl_net_ipv6_conf_default_accept_redirects

Time: 2014-10-23 11:47

Severity: medium

To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command:

# sysctl -w net.ipv6.conf.default.accept_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv6.conf.default.accept_redirects = 0

An illicit ICMP redirect message could result in a man-in-the-middle attack.

Security identifiers

  • CCE-27166-8

Remediation script

                #
# Set runtime for net.ipv6.conf.default.accept_redirects
#
/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_redirects=0

#
# If net.ipv6.conf.default.accept_redirects present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv6.conf.default.accept_redirects = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv6.conf.default.accept_redirects /etc/sysctl.conf ; then
	sed -i 's/^net.ipv6.conf.default.accept_redirects.*/net.ipv6.conf.default.accept_redirects = 0/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv6.conf.default.accept_redirects to 0 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv6.conf.default.accept_redirects = 0" >> /etc/sysctl.conf
fi

              

Result for Verify ip6tables Enabled if Using IPv6

Result: pass

Rule ID: service_ip6tables_enabled

Time: 2014-10-23 11:47

Severity: medium

The ip6tables service can be enabled with the following command:

# chkconfig --level 2345 ip6tables on

The ip6tables service provides the system's host-based firewalling capability for IPv6 and ICMPv6.

Security identifiers

  • CCE-27006-6

Remediation script

                #
# Enable ip6tables for all run levels
#
chkconfig --level 0123456 ip6tables on

#
# Start ip6tables if not currently running
#
service ip6tables start

              

Result for Verify iptables Enabled

Result: pass

Rule ID: service_iptables_enabled

Time: 2014-10-23 11:47

Severity: medium

The iptables service can be enabled with the following command:

# chkconfig --level 2345 iptables on

The iptables service provides the system's host-based firewalling capability for IPv4 and ICMP.

Security identifiers

  • CCE-27018-1

Remediation script

                #
# Enable iptables for all run levels
#
chkconfig --level 0123456 iptables on

#
# Start iptables if not currently running
#
service iptables start

              

Result for Set Default iptables Policy for Incoming Packets

Result: fixed

Rule ID: set_iptables_default_rule

Time: 2014-10-23 11:47

Severity: medium

To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in /etc/sysconfig/iptables:

:INPUT DROP [0:0]

In iptables the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to DROP implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.

Security identifiers

  • CCE-26444-0

Remediation script

                sed -i 's/^:INPUT ACCEPT.*/:INPUT DROP [0:0]/g' /etc/sysconfig/iptables

              

Result for Set Default iptables Policy for Forwarded Packets

Result: fixed

Rule ID: set_iptables_default_rule_forward

Time: 2014-10-23 11:47

Severity: medium

To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interface to another, add or correct the following line in /etc/sysconfig/iptables:

:FORWARD DROP [0:0]

In iptables, the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to DROP implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.

Security identifiers

  • CCE-27186-6

Remediation script

                sed -i 's/^:FORWARD ACCEPT.*/:FORWARD DROP [0:0]/g' /etc/sysconfig/iptables

              

Result for Disable DCCP Support

Result: fixed

Rule ID: kernel_module_dccp_disabled

Time: 2014-10-23 11:47

Severity: medium

The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the dccp kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install dccp /bin/false

Disabling DCCP protects the system against exploitation of any flaws in its implementation.

Security identifiers

  • CCE-26448-1

Remediation script

                echo "install dccp /bin/false" > /etc/modprobe.d/dccp.conf

              

Result for Disable SCTP Support

Result: fixed

Rule ID: kernel_module_sctp_disabled

Time: 2014-10-23 11:47

Severity: medium

The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the sctp kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install sctp /bin/false

Disabling SCTP protects the system against exploitation of any flaws in its implementation.

Security identifiers

  • CCE-26410-1

Remediation script

                echo "install sctp /bin/false" > /etc/modprobe.d/sctp.conf

              

Result for Disable RDS Support

Result: fixed

Rule ID: kernel_module_rds_disabled

Time: 2014-10-23 11:47

Severity: low

The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high- bandwidth, low-latency communications between nodes in a cluster. To configure the system to prevent the rds kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install rds /bin/false

Disabling RDS protects the system against exploitation of any flaws in its implementation.

Security identifiers

  • CCE-26239-4

Remediation script

                echo "install rds /bin/false" > /etc/modprobe.d/rds.conf

              

Result for Disable TIPC Support

Result: fixed

Rule ID: kernel_module_tipc_disabled

Time: 2014-10-23 11:47

Severity: medium

The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the tipc kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install tipc /bin/false

Disabling TIPC protects the system against exploitation of any flaws in its implementation.

Security identifiers

  • CCE-26696-5

Remediation script

                echo "install tipc /bin/false" > /etc/modprobe.d/tipc.conf

              

Result for Ensure rsyslog is Installed

Result: pass

Rule ID: package_rsyslog_installed

Time: 2014-10-23 11:47

Severity: medium

Rsyslog is installed by default. The rsyslog package can be installed with the following command:

# yum install rsyslog

The rsyslog package provides the rsyslog daemon, which provides system logging services.

Security identifiers

  • CCE-26809-4

Remediation script

                yum -y install rsyslog

              

Result for Enable rsyslog Service

Result: pass

Rule ID: service_rsyslog_enabled

Time: 2014-10-23 11:47

Severity: medium

The rsyslog service provides syslog-style logging by default on RHEL 6. The rsyslog service can be enabled with the following command:

# chkconfig --level 2345 rsyslog on

The rsyslog service must be running in order to provide logging services, which are essential to system administration.

Security identifiers

  • CCE-26807-8

Remediation script

                #
# Enable rsyslog for all run levels
#
chkconfig --level 0123456 rsyslog on

#
# Start rsyslog if not currently running
#
service rsyslog start

              

Result for Ensure Log Files Are Owned By Appropriate User

Result: pass

Rule ID: userowner_rsyslog_files

Time: 2014-10-23 11:47

Severity: medium

The owner of all log files written by rsyslog should be root. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's owner:

$ ls -l LOGFILE
If the owner is not root, run the following command to correct this:
$ sudo chown root LOGFILE

The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.

Security identifiers

  • CCE-26812-8

Result for Ensure Log Files Are Owned By Appropriate Group

Result: unknown

Rule ID: groupowner_rsyslog_files

Time: 2014-10-23 11:47

Severity: medium

The group-owner of all log files written by rsyslog should be root. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's group owner:

$ ls -l LOGFILE
If the owner is not root, run the following command to correct this:
$ sudo chgrp root LOGFILE

The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.

Security identifiers

  • CCE-26821-9

Result for Ensure System Log Files Have Correct Permissions

Result: unknown

Rule ID: rsyslog_file_permissions

Time: 2014-10-23 11:47

Severity: medium

The file permissions for all log files written by rsyslog should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's permissions:

$ ls -l LOGFILE
If the permissions are not 600 or more restrictive, run the following command to correct this:
$ sudo chmod 0600 LOGFILE

Log files can contain valuable information regarding system configuration. If the system log files are not protected unauthorized users could change the logged data, eliminating their forensic value.

Security identifiers

  • CCE-27190-8

Result for Ensure Logs Sent To Remote Host

Result: fail

Rule ID: rsyslog_send_messages_to_logserver

Time: 2014-10-23 11:47

Severity: low

To configure rsyslog to send logs to a remote log server, open /etc/rsyslog.conf and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting loghost.example.com appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.
To use UDP for log message delivery:

*.* @loghost.example.com

To use TCP for log message delivery:
*.* @@loghost.example.com

To use RELP for log message delivery:
*.* :omrelp:loghost.example.com

A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.

Security identifiers

  • CCE-26801-1

Result for Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server

Result: pass

Rule ID: rsyslog_accept_remote_messages_none

Time: 2014-10-23 11:47

Severity: low

The rsyslog daemon should not accept remote messages unless the system acts as a log server. To ensure that it is not listening on the network, ensure the following lines are not found in /etc/rsyslog.conf:

$ModLoad imtcp
$InputTCPServerRun port
$ModLoad imudp
$UDPServerRun port
$ModLoad imrelp
$InputRELPServerRun port

Any process which receives messages from the network incurs some risk of receiving malicious messages. This risk can be eliminated for rsyslog by configuring it not to listen on the network.

Security identifiers

  • CCE-26803-7

Result for Ensure Logrotate Runs Periodically

Result: pass

Rule ID: ensure_logrotate_activated

Time: 2014-10-23 11:47

Severity: low

The logrotate utility allows for the automatic rotation of log files. The frequency of rotation is specified in /etc/logrotate.conf, which triggers a cron task. To configure logrotate to run daily, add or correct the following line in /etc/logrotate.conf:

# rotate log files frequency
daily

Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.

Security identifiers

  • CCE-27014-0

Result for Enable auditd Service

Result: pass

Rule ID: service_auditd_enabled

Time: 2014-10-23 11:47

Severity: medium

The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd service can be enabled with the following command:

# chkconfig --level 2345 auditd on

Ensuring the auditd service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.

Security identifiers

  • CCE-27058-7

Remediation script

                #
# Enable auditd for all run levels
#
chkconfig --level 0123456 auditd on

#
# Start auditd if not currently running
#
service auditd start

              

Result for Enable Auditing for Processes Which Start Prior to the Audit Daemon

Result: fixed

Rule ID: bootloader_audit_argument

Time: 2014-10-23 11:47

Severity: medium

To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to the kernel line in /etc/grub.conf, in the manner below:

kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1

Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.

Security identifiers

  • CCE-26785-6

Remediation script

                /sbin/grubby --update-kernel=ALL --args="audit=1"

              

Result for Record attempts to alter time through adjtimex

Result: fail

Rule ID: audit_rules_time_adjtimex

Time: 2014-10-23 11:47

Severity: low

On a 32-bit system, add the following to /etc/audit/audit.rules:

# audit_time_rules
-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules
On a 64-bit system, add the following to /etc/audit/audit.rules:
# audit_time_rules
-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime 
-k audit_time_rules

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Security identifiers

  • CCE-26242-8

Result for Record attempts to alter time through settimeofday

Result: fail

Rule ID: audit_rules_time_settimeofday

Time: 2014-10-23 11:47

Severity: low

On a 32-bit system, add the following to /etc/audit/audit.rules:

# audit_time_rules
-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules
On a 64-bit system, add the following to /etc/audit/audit.rules:
# audit_time_rules
-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime 
-k audit_time_rules

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Security identifiers

  • CCE-27203-9

Result for Record Attempts to Alter Time Through stime

Result: pass

Rule ID: audit_rules_time_stime

Time: 2014-10-23 11:47

Severity: low

On a 32-bit system, add the following to /etc/audit/audit.rules:

# audit_time_rules
-a always,exit -F arch=b32 -S stime -k audit_time_rules
On a 64-bit system, the "-S stime" is not necessary. The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime 
-k audit_time_rules

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Security identifiers

  • CCE-27169-2

Result for Record Attempts to Alter Time Through clock_settime

Result: fail

Rule ID: audit_rules_time_clock_settime

Time: 2014-10-23 11:47

Severity: low

On a 32-bit system, add the following to /etc/audit/audit.rules:

# audit_time_rules
-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules
On a 64-bit system, add the following to /etc/audit/audit.rules:
# audit_time_rules
-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime 
-k audit_time_rules

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Security identifiers

  • CCE-27170-0

Result for Record Attempts to Alter the localtime File

Result: fail

Rule ID: audit_rules_time_watch_localtime

Time: 2014-10-23 11:47

Severity: low

Add the following to /etc/audit/audit.rules:

-w /etc/localtime -p wa -k audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Security identifiers

  • CCE-27172-6

Result for Record Events that Modify User/Group Information

Result: fail

Rule ID: audit_account_changes

Time: 2014-10-23 11:47

Severity: low

Add the following to /etc/audit/audit.rules, in order to capture events that modify account changes:

# audit_account_changes
-w /etc/group -p wa -k audit_account_changes
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/shadow -p wa -k audit_account_changes
-w /etc/security/opasswd -p wa -k audit_account_changes

In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

Security identifiers

  • CCE-26664-3

Result for Record Events that Modify the System's Network Environment

Result: fail

Rule ID: audit_network_modifications

Time: 2014-10-23 11:47

Severity: low

Add the following to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate for your system:

# audit_network_modifications
-a always,exit -F arch=ARCH -S sethostname -S setdomainname -k audit_network_modifications
-w /etc/issue -p wa -k audit_network_modifications
-w /etc/issue.net -p wa -k audit_network_modifications
-w /etc/hosts -p wa -k audit_network_modifications
-w /etc/sysconfig/network -p wa -k audit_network_modifications

The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.

Security identifiers

  • CCE-26648-6

Result for Record Events that Modify the System's Mandatory Access Controls

Result: fail

Rule ID: audit_mac_changes

Time: 2014-10-23 11:47

Severity: low

Add the following to /etc/audit/audit.rules:

-w /etc/selinux/ -p wa -k MAC-policy

The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.

Security identifiers

  • CCE-26657-7

Result for Record Events that Modify the System's Discretionary Access Controls - chmod

Result: fail

Rule ID: audit_rules_dac_modification_chmod

Time: 2014-10-23 11:47

Severity: low

At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S chmod  -F auid>=500 -F auid!=4294967295 -k perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-26280-8

Result for Record Events that Modify the System's Discretionary Access Controls - chown

Result: fail

Rule ID: audit_rules_dac_modification_chown

Time: 2014-10-23 11:47

Severity: low

At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-27173-4

Result for Record Events that Modify the System's Discretionary Access Controls - fchmod

Result: fail

Rule ID: audit_rules_dac_modification_fchmod

Time: 2014-10-23 11:47

Severity: low

At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-27174-2

Result for Record Events that Modify the System's Discretionary Access Controls - fchmodat

Result: fail

Rule ID: audit_rules_dac_modification_fchmodat

Time: 2014-10-23 11:47

Severity: low

At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-27175-9

Result for Record Events that Modify the System's Discretionary Access Controls - fchown

Result: fail

Rule ID: audit_rules_dac_modification_fchown

Time: 2014-10-23 11:47

Severity: low

At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-27177-5

Result for Record Events that Modify the System's Discretionary Access Controls - fchownat

Result: fail

Rule ID: audit_rules_dac_modification_fchownat

Time: 2014-10-23 11:47

Severity: low

At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-27178-3

Result for Record Events that Modify the System's Discretionary Access Controls - fremovexattr

Result: fail

Rule ID: audit_rules_dac_modification_fremovexattr

Time: 2014-10-23 11:47

Severity: low

At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-27179-1

Result for Record Events that Modify the System's Discretionary Access Controls - fsetxattr

Result: fail

Rule ID: audit_rules_dac_modification_fsetxattr

Time: 2014-10-23 11:47

Severity: low

At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-27180-9

Result for Record Events that Modify the System's Discretionary Access Controls - lchown

Result: fail

Rule ID: audit_rules_dac_modification_lchown

Time: 2014-10-23 11:47

Severity: low

At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-27181-7

Result for Record Events that Modify the System's Discretionary Access Controls - lremovexattr

Result: fail

Rule ID: audit_rules_dac_modification_lremovexattr

Time: 2014-10-23 11:47

Severity: low

At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-27182-5

Result for Record Events that Modify the System's Discretionary Access Controls - lsetxattr

Result: fail

Rule ID: audit_rules_dac_modification_lsetxattr

Time: 2014-10-23 11:47

Severity: low

At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-27183-3

Result for Record Events that Modify the System's Discretionary Access Controls - removexattr

Result: fail

Rule ID: audit_rules_dac_modification_removexattr

Time: 2014-10-23 11:47

Severity: low

At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-27184-1

Result for Record Events that Modify the System's Discretionary Access Controls - setxattr

Result: fail

Rule ID: audit_rules_dac_modification_setxattr

Time: 2014-10-23 11:47

Severity: low

At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-27185-8

Result for Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)

Result: fail

Rule ID: audit_rules_unsuccessful_file_modification

Time: 2014-10-23 11:47

Severity: low

At a minimum the audit system should collect unauthorized file accesses for all users and root. Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Security identifiers

  • CCE-26712-0

Result for Ensure auditd Collects Information on the Use of Privileged Commands

Result: fail

Rule ID: audit_rules_privileged_commands

Time: 2014-10-23 11:47

Severity: low

At a minimum the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs:

$ sudo find / -xdev -type f -perm -4000 -o -perm -2000 2>/dev/null
Then, for each setuid / setgid program on the system, add a line of the following form to /etc/audit/audit.rules, where SETUID_PROG_PATH is the full path to each setuid / setgid program in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Security identifiers

  • CCE-26457-2

Result for Ensure auditd Collects Information on Exporting to Media (successful)

Result: fail

Rule ID: audit_media_exports

Time: 2014-10-23 11:47

Severity: low

At a minimum the audit system should collect media exportation events for all users and root. Add the following to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export

The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.

Security identifiers

  • CCE-26573-6

Result for Ensure auditd Collects File Deletion Events by User

Result: fail

Rule ID: audit_rules_file_deletion_events

Time: 2014-10-23 11:47

Severity: low

At a minimum the audit system should collect file deletion events for all users and root. Add the following to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete

Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.

Security identifiers

  • CCE-26651-0

Result for Ensure auditd Collects System Administrator Actions

Result: fail

Rule ID: audit_sysadmin_actions

Time: 2014-10-23 11:47

Severity: low

At a minimum the audit system should collect administrator actions for all users and root. Add the following to /etc/audit/audit.rules:

-w /etc/sudoers -p wa -k actions

The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes.

Security identifiers

  • CCE-26662-7

Result for Ensure auditd Collects Information on Kernel Module Loading and Unloading

Result: fail

Rule ID: audit_rules_kernel_module_loading

Time: 2014-10-23 11:47

Severity: low

Add the following to /etc/audit/audit.rules in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:

-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=ARCH -S init_module -S delete_module -k modules

The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

Security identifiers

  • CCE-26611-4

Result for Make the auditd Configuration Immutable

Result: fail

Rule ID: audit_config_immutable

Time: 2014-10-23 11:47

Severity: low

Add the following to /etc/audit/audit.rules in order to make the configuration immutable:

-e 2
With this setting, a reboot will be required to change any audit rules.

Making the audit configuration immutable prevents accidental as well as malicious modification of the audit rules, although it may be problematic if legitimate changes are needed during system operation

Security identifiers

  • CCE-26612-2

Result for Disable xinetd Service

Result: fail

Rule ID: disable_xinetd

Time: 2014-10-23 11:47

Severity: medium

The xinetd service can be disabled with the following command:

# chkconfig xinetd off

The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself.

Security identifiers

  • CCE-27046-2

Result for Uninstall xinetd Package

Result: fixed

Rule ID: uninstall_xinetd

Time: 2014-10-23 11:47

Severity: low

The xinetd package can be uninstalled with the following command:

$ sudo yum erase xinetd

Removing the xinetd package decreases the risk of the xinetd service's accidental (or intentional) activation.

Security identifiers

  • CCE-27005-8

Remediation script

                if rpm -qa | grep -q xinetd; then
	yum -y remove xinetd
fi

              

Result for Disable telnet Service

Result: pass

Rule ID: disable_telnet_service

Time: 2014-10-23 11:47

Severity: high

The telnet service can be disabled with the following command:

# chkconfig telnet off

The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks.

Security identifiers

  • CCE-26836-7

Result for Uninstall telnet-server Package

Result: pass

Rule ID: uninstall_telnet_server

Time: 2014-10-23 11:47

Severity: high

The telnet-server package can be uninstalled with the following command:

$ sudo yum erase telnet-server

Removing the telnet-server package decreases the risk of the telnet service's accidental (or intentional) activation.

Security identifiers

  • CCE-27073-6

Remediation script

                if rpm -qa | grep -q telnet-server; then
	yum -y remove telnet-server
fi

              

Result for Uninstall rsh-server Package

Result: pass

Rule ID: uninstall_rsh-server

Time: 2014-10-23 11:47

Severity: high

The rsh-server package can be uninstalled with the following command:

$ sudo yum erase rsh-server

The rsh-server package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation.

Security identifiers

  • CCE-27062-9

Result for Uninstall ypserv Package

Result: pass

Rule ID: uninstall_ypserv

Time: 2014-10-23 11:47

Severity: medium

The ypserv package can be uninstalled with the following command:

$ sudo yum erase ypserv

Removing the ypserv package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.

Security identifiers

  • CCE-27079-3

Remediation script

                if rpm -qa | grep -q ypserv; then
	yum -y remove ypserv
fi

              

Result for Disable ypbind Service

Result: pass

Rule ID: disable_ypbind

Time: 2014-10-23 11:47

Severity: medium

The ypbind service, which allows the system to act as a client in a NIS or NIS+ domain, should be disabled. The ypbind service can be disabled with the following command:

# chkconfig ypbind off

Disabling the ypbind service ensures the system is not acting as a client in a NIS or NIS+ domain.

Security identifiers

  • CCE-26894-6

Result for Disable tftp Service

Result: pass

Rule ID: disable_tftp

Time: 2014-10-23 11:47

Severity: medium

The tftp service should be disabled. The tftp service can be disabled with the following command:

# chkconfig tftp off

Disabling the tftp service ensures the system is not acting as a TFTP server, which does not provide encryption or authentication.

Security identifiers

  • CCE-27055-3

Result for Uninstall tftp-server Package

Result: pass

Rule ID: uninstall_tftp-server

Time: 2014-10-23 11:47

Severity: medium

The tftp-server package can be removed with the following command:

# yum erase tftp-server

Removing the tftp-server package decreases the risk of the accidental (or intentional) activation of tftp services.

Security identifiers

  • CCE-26946-4

Result for Disable KDump Kernel Crash Analyzer (kdump)

Result: error

Rule ID: service_kdump_disabled

Time: 2014-10-23 11:47

Severity: low

The kdump service provides a kernel crash dump analyzer. It uses the kexec system call to boot a secondary kernel ("capture" kernel) following a system crash, which can load information from the crashed kernel for analysis. The kdump service can be disabled with the following command:

# chkconfig kdump off

Unless the system is used for kernel development or testing, there is little need to run the kdump service.

Security identifiers

  • CCE-26850-8

Remediation script

                #
# Disable kdump for all run levels
#
chkconfig --level 0123456 kdump off

#
# Stop kdump if currently running
#
service kdump stop

              

Result for Disable Portreserve (portreserve)

Result: error

Rule ID: service_portreserve_disabled

Time: 2014-10-23 11:47

Severity: low

The portreserve service is a TCP port reservation utility that can be used to prevent portmap from binding to well known TCP ports that are required for other services. The portreserve service can be disabled with the following command:

# chkconfig portreserve off

The portreserve service provides helpful functionality by preventing conflicting usage of ports in the reserved port range, but it can be disabled if not needed.

Security identifiers

  • CCE-27258-3

Remediation script

                #
# Disable portreserve for all run levels
#
chkconfig --level 0123456 portreserve off

#
# Stop portreserve if currently running
#
service portreserve stop

              

Result for Disable Red Hat Network Service (rhnsd)

Result: error

Rule ID: service_rhnsd_disabled

Time: 2014-10-23 11:47

Severity: low

The Red Hat Network service automatically queries Red Hat Network servers to determine whether there are any actions that should be executed, such as package updates. This only occurs if the system was registered to an RHN server or satellite and managed as such. The rhnsd service can be disabled with the following command:

# chkconfig rhnsd off

Although systems management and patching is extremely important to system security, management by a system outside the enterprise enclave is not desirable for some environments. However, if the system is being managed by RHN or RHN Satellite Server the rhnsd daemon can remain on.

Security identifiers

  • CCE-26846-6

Remediation script

                #
# Disable rhnsd for all run levels
#
chkconfig --level 0123456 rhnsd off

#
# Stop rhnsd if currently running
#
service rhnsd stop

              

Result for Enable cron Service

Result: pass

Rule ID: service_crond_enabled

Time: 2014-10-23 11:47

Severity: medium

The crond service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The crond service can be enabled with the following command:

# chkconfig --level 2345 crond on

Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.

Security identifiers

  • CCE-27070-2

Remediation script

                #
# Enable crond for all run levels
#
chkconfig --level 0123456 crond on

#
# Start crond if not currently running
#
service crond start

              

Result for Disable At Service (atd)

Result: error

Rule ID: service_atd_disabled

Time: 2014-10-23 11:47

Severity: low

The at and batch commands can be used to schedule tasks that are meant to be executed only once. This allows delayed execution in a manner similar to cron, except that it is not recurring. The daemon atd keeps track of tasks scheduled via at and batch, and executes them at the specified time. The atd service can be disabled with the following command:

# chkconfig atd off

The atd service could be used by an unsophisticated insider to carry out activities outside of a normal login session, which could complicate accountability. Furthermore, the need to schedule tasks with at or batch is not common.

Security identifiers

  • CCE-27249-2

Remediation script

                #
# Disable atd for all run levels
#
chkconfig --level 0123456 atd off

#
# Stop atd if currently running
#
service atd stop

              

Result for Allow Only SSH Protocol 2

Result: pass

Rule ID: sshd_allow_only_protocol2

Time: 2014-10-23 11:47

Severity: high

Only SSH protocol version 2 connections should be permitted. The default setting in /etc/ssh/sshd_config is correct, and can be verified by ensuring that the following line appears:

Protocol 2

SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used.

Security identifiers

  • CCE-27072-8

Remediation script

                grep -qi ^Protocol /etc/ssh/sshd_config && \
  sed -i "s/Protocol.*/Protocol 2/gI" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
    echo "Protocol 2" >> /etc/ssh/sshd_config
fi

              

Result for Set SSH Idle Timeout Interval

Result: fixed

Rule ID: sshd_set_idle_timeout

Time: 2014-10-23 11:47

Severity: low

SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out.

To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as follows:

ClientAliveInterval 300
The timeout interval is given in seconds. To have a timeout of 15 minutes, set interval to 900.

If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.

Causing idle users to be automatically logged out guards against compromises one system leading trivially to compromises on another.

Security identifiers

  • CCE-26919-1

Remediation script

                sshd_idle_timeout_value="300"
grep -q ^ClientAliveInterval /etc/ssh/sshd_config && \
  sed -i "s/ClientAliveInterval.*/ClientAliveInterval $sshd_idle_timeout_value/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
    echo "ClientAliveInterval $sshd_idle_timeout_value" >> /etc/ssh/sshd_config
fi

              

Result for Set SSH Client Alive Count

Result: fixed

Rule ID: sshd_set_keepalive

Time: 2014-10-23 11:47

Severity: low

To ensure the SSH idle timeout occurs precisely when the ClientAliveCountMax is set, edit /etc/ssh/sshd_config as follows:

ClientAliveCountMax 0

This ensures a user login will be terminated as soon as the ClientAliveCountMax is reached.

Security identifiers

  • CCE-26282-4

Remediation script

                grep -q ^ClientAliveCountMax /etc/ssh/sshd_config && \
  sed -i "s/ClientAliveCountMax.*/ClientAliveCountMax 0/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
    echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config
fi

              

Result for Disable SSH Support for .rhosts Files

Result: pass

Rule ID: sshd_disable_rhosts

Time: 2014-10-23 11:47

Severity: medium

SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via .rhosts files.

To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:

IgnoreRhosts yes

SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.

Security identifiers

  • CCE-27124-7

Remediation script

                grep -q ^IgnoreRhosts /etc/ssh/sshd_config && \
  sed -i "s/IgnoreRhosts.*/IgnoreRhosts yes/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
    echo "IgnoreRhosts yes" >> /etc/ssh/sshd_config
fi

              

Result for Disable Host-Based Authentication

Result: pass

Rule ID: disable_host_auth

Time: 2014-10-23 11:47

Severity: medium

SSH's cryptographic host-based authentication is more secure than .rhosts authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization.

To disable host-based authentication, add or correct the following line in /etc/ssh/sshd_config:

HostbasedAuthentication no

SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.

Security identifiers

  • CCE-27091-8

Remediation script

                grep -q ^HostbasedAuthentication /etc/ssh/sshd_config && \
  sed -i "s/HostbasedAuthentication.*/HostbasedAuthentication no/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
    echo "HostbasedAuthentication no" >> /etc/ssh/sshd_config
fi

              

Result for Disable SSH Root Login

Result: fixed

Rule ID: sshd_disable_root_login

Time: 2014-10-23 11:47

Severity: medium

The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in /etc/ssh/sshd_config:

PermitRootLogin no

Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on root's password.

Security identifiers

  • CCE-27100-7

Remediation script

                
SSHD_CONFIG='/etc/ssh/sshd_config'

# Obtain line number of first uncommented case-insensitive occurrence of Match
# block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG
FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG)

# Obtain line number of first uncommented case-insensitive occurence of
# PermitRootLogin directive (possibly prefixed with whitespace) present in
# $SSHD_CONFIG
FIRST_PERMIT_ROOT_LOGIN=$(sed -n '/^[[:space:]]*PermitRootLogin[^\n]*/I{=;q}' $SSHD_CONFIG)

# Case: Match block directive not present in $SSHD_CONFIG
if [ -z "$FIRST_MATCH_BLOCK" ]
then

    # Case: PermitRootLogin directive not present in $SSHD_CONFIG yet
    if [ -z "$FIRST_PERMIT_ROOT_LOGIN" ]
    then
        # Append 'PermitRootLogin no' at the end of $SSHD_CONFIG
        echo -e "\nPermitRootLogin no" >> $SSHD_CONFIG

    # Case: PermitRootLogin directive present in $SSHD_CONFIG already
    else
        # Replace first uncommented case-insensitive occurrence
        # of PermitRootLogin directive
        sed -i "$FIRST_PERMIT_ROOT_LOGIN s/^[[:space:]]*PermitRootLogin.*$/PermitRootLogin no/I" $SSHD_CONFIG
    fi

# Case: Match block directive present in $SSHD_CONFIG
else

    # Case: PermitRootLogin directive not present in $SSHD_CONFIG yet
    if [ -z "$FIRST_PERMIT_ROOT_LOGIN" ]
    then
        # Prepend 'PermitRootLogin no' before first uncommented
        # case-insensitive occurrence of Match block directive
        sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitRootLogin no\n\1/I" $SSHD_CONFIG

    # Case: PermitRootLogin directive present in $SSHD_CONFIG and placed
    #       before first Match block directive
    elif [ "$FIRST_PERMIT_ROOT_LOGIN" -lt "$FIRST_MATCH_BLOCK" ]
    then
        # Replace first uncommented case-insensitive occurrence
        # of PermitRootLogin directive
        sed -i "$FIRST_PERMIT_ROOT_LOGIN s/^[[:space:]]*PermitRootLogin.*$/PermitRootLogin no/I" $SSHD_CONFIG

    # Case: PermitRootLogin directive present in $SSHD_CONFIG and placed
    # after first Match block directive
    else
         # Prepend 'PermitRootLogin no' before first uncommented
         # case-insensitive occurrence of Match block directive
         sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitRootLogin no\n\1/I" $SSHD_CONFIG
    fi
fi

              

Result for Disable SSH Access via Empty Passwords

Result: fixed

Rule ID: sshd_disable_empty_passwords

Time: 2014-10-23 11:47

Severity: high

To explicitly disallow remote login from accounts with empty passwords, add or correct the following line in /etc/ssh/sshd_config:

PermitEmptyPasswords no
Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.

Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.

Security identifiers

  • CCE-26887-0

Remediation script

                grep -q ^PermitEmptyPasswords /etc/ssh/sshd_config && \
  sed -i "s/PermitEmptyPasswords.*/PermitEmptyPasswords no/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
    echo "PermitEmptyPasswords no" >> /etc/ssh/sshd_config
fi

              

Result for Enable SSH Warning Banner

Result: fixed

Rule ID: sshd_enable_warning_banner

Time: 2014-10-23 11:47

Severity: medium

To enable the warning banner and ensure it is consistent across the system, add or correct the following line in /etc/ssh/sshd_config:

Banner /etc/issue
Another section contains information on how to create an appropriate system-wide warning banner.

The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.

Security identifiers

  • CCE-27112-2

Remediation script

                grep -q ^Banner /etc/ssh/sshd_config && \
  sed -i "s/Banner.*/Banner \/etc\/issue/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
    echo "Banner /etc/issue" >> /etc/ssh/sshd_config
fi

              

Result for Do Not Allow SSH Environment Options

Result: fixed

Rule ID: sshd_do_not_permit_user_env

Time: 2014-10-23 11:47

Severity: low

To ensure users are not able to present environment options to the SSH daemon, add or correct the following line in /etc/ssh/sshd_config:

PermitUserEnvironment no

SSH environment options potentially allow users to bypass access restriction in some configurations.

Security identifiers

  • CCE-27201-3

Remediation script

                grep -q ^PermitUserEnvironment /etc/ssh/sshd_config && \
  sed -i "s/PermitUserEnvironment.*/PermitUserEnvironment no/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
    echo "PermitUserEnvironment no" >> /etc/ssh/sshd_config
fi

              

Result for Use Only Approved Ciphers

Result: fixed

Rule ID: sshd_use_approved_ciphers

Time: 2014-10-23 11:47

Severity: medium

Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved ciphers:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
The man page sshd_config(5) contains a list of supported ciphers.

Approved algorithms should impart some level of confidence in their implementation. These are also required for compliance.

Security identifiers

  • CCE-26555-3

Remediation script

                grep -q ^Ciphers /etc/ssh/sshd_config && \
  sed -i "s/Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
    echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc" >> /etc/ssh/sshd_config
fi

              

Result for Disable Avahi Server Software

Result: pass

Rule ID: disable_avahi

Time: 2014-10-23 11:47

Severity: low

The avahi-daemon service can be disabled with the following command:

# chkconfig avahi-daemon off

Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted.

Security identifiers

  • CCE-27087-6

Result for Disable DHCP Service

Result: pass

Rule ID: disable_dhcp_server

Time: 2014-10-23 11:47

Severity: medium

The dhcpd service should be disabled on any system that does not need to act as a DHCP server. The dhcpd service can be disabled with the following command:

# chkconfig dhcpd off

Unmanaged or unintentionally activated DHCP servers may provide faulty information to clients, interfering with the operation of a legitimate site DHCP server if there is one.

Security identifiers

  • CCE-27074-4

Result for Uninstall DHCP Server Package

Result: pass

Rule ID: uninstall_dhcp_server

Time: 2014-10-23 11:47

Severity: medium

If the system does not need to act as a DHCP server, the dhcp package can be uninstalled. The dhcp package can be removed with the following command:

# yum erase dhcp

Removing the DHCP server ensures that it cannot be easily or accidentally reactivated and disrupt network operation.

Security identifiers

  • CCE-27120-5

Result for Enable the NTP Daemon

Result: error

Rule ID: service_ntpd_enabled

Time: 2014-10-23 11:47

Severity: medium

The ntpd service can be enabled with the following command:

# chkconfig --level 2345 ntpd on

Enabling the ntpd service ensures that the ntpd service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches.

The NTP daemon offers all of the functionality of ntpdate, which is now deprecated. Additional information on this is available at http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate

Security identifiers

  • CCE-27093-4

Remediation script

                #
# Enable ntpd for all run levels
#
chkconfig --level 0123456 ntpd on

#
# Start ntpd if not currently running
#
service ntpd start

              

Result for Specify a Remote NTP Server

Result: pass

Rule ID: ntpd_specify_remote_server

Time: 2014-10-23 11:47

Severity: medium

To specify a remote NTP server for time synchronization, edit the file /etc/ntp.conf. Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver:

server ntpserver
This instructs the NTP software to contact that remote server to obtain time data.

Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events.

Security identifiers

  • CCE-27098-3

Result for Uninstall Sendmail Package

Result: pass

Rule ID: package_sendmail_removed

Time: 2014-10-23 11:47

Severity: medium

Sendmail is not the default mail transfer agent and is not installed by default. The sendmail package can be removed with the following command:

# yum erase sendmail

The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead.

Security identifiers

  • CCE-27515-6

Result for Disable Postfix Network Listening

Result: pass

Rule ID: postfix_network_listening

Time: 2014-10-23 11:47

Severity: medium

Edit the file /etc/postfix/main.cf to ensure that only the following inet_interfaces line appears:

inet_interfaces = localhost

This ensures postfix accepts mail messages (such as cron job reports) from the local system only, and not from the network, which protects it from network attack.

Security identifiers

  • CCE-26780-7

Result for Configure LDAP Client to Use TLS For All Transactions

Result: pass

Rule ID: ldap_client_start_tls

Time: 2014-10-23 11:47

Severity: medium

Configure LDAP to enforce TLS use. First, edit the file /etc/pam_ldap.conf, and add or correct the following lines:

ssl start_tls
Then review the LDAP server and ensure TLS has been configured.

The ssl directive specifies whether to use ssl or not. If not specified it will default to no. It should be set to start_tls rather than doing LDAP over SSL.

Security identifiers

  • CCE-26690-8

Result for Configure Certificate Directives for LDAP Use of TLS

Result: pass

Rule ID: ldap_client_tls_cacertpath

Time: 2014-10-23 11:47

Severity: medium

Ensure a copy of a trusted CA certificate has been placed in the file /etc/pki/tls/CA/cacert.pem. Configure LDAP to enforce TLS use and to trust certificates signed by that CA. First, edit the file /etc/pam_ldap.conf, and add or correct either of the following lines:

tls_cacertdir /etc/pki/tls/CA
or
tls_cacertfile /etc/pki/tls/CA/cacert.pem
Then review the LDAP server and ensure TLS has been configured.

The tls_cacertdir or tls_cacertfile directives are required when tls_checkpeer is configured (which is the default for openldap versions 2.1 and up). These directives define the path to the trust certificates signed by the site CA.

Security identifiers

  • CCE-27189-0

Result for Uninstall openldap-servers Package

Result: pass

Rule ID: package_openldap-servers_removed

Time: 2014-10-23 11:47

Severity: low

The openldap-servers package should be removed if not in use. Is this machine the OpenLDAP server? If not, remove the package.

$ sudo yum erase openldap-servers
The openldap-servers RPM is not installed by default on RHEL 6 machines. It is needed only by the OpenLDAP server, not by the clients which use LDAP for authentication. If the system is not intended for use as an LDAP Server it should be removed.

Unnecessary packages should not be installed to decrease the attack surface of the system. While this software is clearly essential on an LDAP server, it is not necessary on typical desktop or workstation systems.

Security identifiers

  • CCE-26858-1

Result for Disable Network File System Lock Service (nfslock)

Result: error

Rule ID: service_nfslock_disabled

Time: 2014-10-23 11:47

Severity: low

The Network File System Lock (nfslock) service starts the required remote procedure call (RPC) processes which allow clients to lock files on the server. If the local machine is not configured to mount NFS filesystems then this service should be disabled. The nfslock service can be disabled with the following command:

# chkconfig nfslock off

Security identifiers

  • CCE-27104-9

Remediation script

                #
# Disable nfslock for all run levels
#
chkconfig --level 0123456 nfslock off

#
# Stop nfslock if currently running
#
service nfslock stop

              

Result for Disable Secure RPC Client Service (rpcgssd)

Result: error

Rule ID: service_rpcgssd_disabled

Time: 2014-10-23 11:47

Severity: low

The rpcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC (most often Kerberos and NFS). The rpcgssd service is the client-side of RPCSEC GSS. If the system does not require secure RPC then this service should be disabled. The rpcgssd service can be disabled with the following command:

# chkconfig rpcgssd off

Security identifiers

  • CCE-26864-9

Remediation script

                #
# Disable rpcgssd for all run levels
#
chkconfig --level 0123456 rpcgssd off

#
# Stop rpcgssd if currently running
#
service rpcgssd stop

              

Result for Disable RPC ID Mapping Service (rpcidmapd)

Result: error

Rule ID: service_rpcidmapd_disabled

Time: 2014-10-23 11:47

Severity: low

The rpcidmapd service is used to map user names and groups to UID and GID numbers on NFSv4 mounts. If NFS is not in use on the local system then this service should be disabled. The rpcidmapd service can be disabled with the following command:

# chkconfig rpcidmapd off

Security identifiers

  • CCE-26870-6

Remediation script

                #
# Disable rpcidmapd for all run levels
#
chkconfig --level 0123456 rpcidmapd off

#
# Stop rpcidmapd if currently running
#
service rpcidmapd stop

              

Result for Disable Network File Systems (netfs)

Result: error

Rule ID: service_netfs_disabled

Time: 2014-10-23 11:47

Severity: low

The netfs script manages the boot-time mounting of several types of networked filesystems, of which NFS and Samba are the most common. If these filesystem types are not in use, the script can be disabled, protecting the system somewhat against accidental or malicious changes to /etc/fstab and against flaws in the netfs script itself. The netfs service can be disabled with the following command:

# chkconfig netfs off

Security identifiers

  • CCE-27137-9

Remediation script

                #
# Disable netfs for all run levels
#
chkconfig --level 0123456 netfs off

#
# Stop netfs if currently running
#
service netfs stop

              

Result for Disable Secure RPC Server Service (rpcsvcgssd)

Result: pass

Rule ID: service_rpcsvcgssd_disabled

Time: 2014-10-23 11:47

Severity: low

The rpcsvcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC (most often Kerberos and NFS). The rpcsvcgssd service is the server-side of RPCSEC GSS. If the system does not require secure RPC then this service should be disabled. The rpcsvcgssd service can be disabled with the following command:

# chkconfig rpcsvcgssd off

Unnecessary services should be disabled to decrease the attack surface of the system.

Security identifiers

  • CCE-27122-1

Remediation script

                #
# Disable rpcsvcgssd for all run levels
#
chkconfig --level 0123456 rpcsvcgssd off

#
# Stop rpcsvcgssd if currently running
#
service rpcsvcgssd stop

              

Result for Mount Remote Filesystems with nodev

Result: pass

Rule ID: use_nodev_option_on_nfs_mounts

Time: 2014-10-23 11:47

Severity: medium

Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.

Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users.

Security identifiers

  • CCE-27090-0

Result for Mount Remote Filesystems with nosuid

Result: pass

Rule ID: use_nosuid_option_on_nfs_mounts

Time: 2014-10-23 11:47

Severity: medium

Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.

NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem.

Security identifiers

  • CCE-26972-0

Result for Disable DNS Server

Result: pass

Rule ID: disable_dns_server

Time: 2014-10-23 11:47

Severity: low

The named service can be disabled with the following command:

# chkconfig named off

All network services involve some risk of compromise due to implementation flaws and should be disabled if possible.

Security identifiers

  • CCE-26873-0

Result for Uninstall bind Package

Result: pass

Rule ID: uninstall_bind

Time: 2014-10-23 11:47

Severity: low

To remove the bind package, which contains the named service, run the following command:

$ sudo yum erase bind

If there is no need to make DNS server software available, removing it provides a safeguard against its activation.

Security identifiers

  • CCE-27030-6

Result for Disable vsftpd Service

Result: pass

Rule ID: disable_vsftpd

Time: 2014-10-23 11:47

Severity: low

The vsftpd service can be disabled with the following command:

# chkconfig vsftpd off

Running FTP server software provides a network-based avenue of attack, and should be disabled if not needed. Furthermore, the FTP protocol is unencrypted and creates a risk of compromising sensitive information.

Security identifiers

  • CCE-26948-0

Remediation script

                if service vsftpd status >/dev/null; then
	service vsftpd stop
fi

              

Result for Uninstall vsftpd Package

Result: pass

Rule ID: uninstall_vsftpd

Time: 2014-10-23 11:47

Severity: low

The vsftpd package can be removed with the following command:

# yum erase vsftpd

Removing the vsftpd package decreases the risk of its accidental activation.

Security identifiers

  • CCE-26687-4

Result for Disable httpd Service

Result: pass

Rule ID: disable_httpd

Time: 2014-10-23 11:47

Severity: low

The httpd service can be disabled with the following command:

# chkconfig httpd off

Running web server software provides a network-based avenue of attack, and should be disabled if not needed.

Security identifiers

  • CCE-27075-1

Result for Uninstall httpd Package

Result: fail

Rule ID: uninstall_httpd

Time: 2014-10-23 11:47

Severity: low

The httpd package can be removed with the following command:

# yum erase httpd

If there is no need to make the web server software available, removing it provides a safeguard against its activation.

Security identifiers

  • CCE-27133-8

Result for Disable Dovecot Service

Result: pass

Rule ID: disable_dovecot

Time: 2014-10-23 11:47

Severity: low

The dovecot service can be disabled with the following command:

# chkconfig dovecot off

Running an IMAP or POP3 server provides a network-based avenue of attack, and should be disabled if not needed.

Security identifiers

  • CCE-26922-5

Result for Uninstall dovecot Package

Result: fail

Rule ID: uninstall_dovecot

Time: 2014-10-23 11:47

Severity: low

The dovecot package can be uninstalled with the following command:

$ sudo yum erase dovecot

If there is no need to make the Dovecot software available, removing it provides a safeguard against its activation.

Security identifiers

  • CCE-27039-7

Result for Disable Samba

Result: pass

Rule ID: disable_smb_server

Time: 2014-10-23 11:47

Severity: low

The smb service can be disabled with the following command:

# chkconfig smb off

Running a Samba server provides a network-based avenue of attack, and should be disabled if not needed.

Security identifiers

  • CCE-27143-7

Result for Require Client SMB Packet Signing, if using smbclient

Result: fail

Rule ID: require_smb_client_signing

Time: 2014-10-23 11:47

Severity: low

To require samba clients running smbclient to use packet signing, add the following to the [global] section of the Samba configuration file, /etc/samba/smb.conf:

client signing = mandatory
Requiring samba clients such as smbclient to use packet signing ensures they can only communicate with servers that support packet signing.

Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.

Security identifiers

  • CCE-26328-5

Result for Require Client SMB Packet Signing, if using mount.cifs

Result: pass

Rule ID: require_smb_client_signing_mount.cifs

Time: 2014-10-23 11:47

Severity: low

Require packet signing of clients who mount Samba shares using the mount.cifs program (e.g., those who specify shares in /etc/fstab). To do so, ensure signing options (either sec=krb5i or sec=ntlmv2i) are used.

See the mount.cifs(8) man page for more information. A Samba client should only communicate with servers who can support SMB packet signing.

Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.

Security identifiers

  • CCE-26792-2

Result for Disable Squid

Result: pass

Rule ID: disable_squid

Time: 2014-10-23 11:47

Severity: low

The squid service can be disabled with the following command:

# chkconfig squid off

Running proxy server software provides a network-based avenue of attack, and should be removed if not needed.

Security identifiers

  • CCE-27146-0

Result for Uninstall squid Package

Result: pass

Rule ID: uninstall_squid

Time: 2014-10-23 11:47

Severity: low

The squid package can be removed with the following command:

# yum erase squid

If there is no need to make the proxy server software available, removing it provides a safeguard against its activation.

Security identifiers

  • CCE-26977-9

Result for Disable snmpd Service

Result: pass

Rule ID: disable_snmpd

Time: 2014-10-23 11:47

Severity: low

The snmpd service can be disabled with the following command:

# chkconfig snmpd off

Running SNMP software provides a network-based avenue of attack, and should be disabled if not needed.

Security identifiers

  • CCE-26906-8

Result for Uninstall net-snmp Package

Result: fail

Rule ID: uninstall_net-snmp

Time: 2014-10-23 11:47

Severity: low

The net-snmp package provides the snmpd service. The net-snmpd package can be removed with the following command:

# yum erase net-snmpd

If there is no need to run SNMP server software, removing the package provides a safeguard against its activation.

Security identifiers

  • CCE-26332-7