Introduction

Test Result

Result ID Profile Start time End time Benchmark Benchmark version
xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_pci-dss xccdf_org.ssgproject.content_profile_pci-dss 2015-11-03 08:02 2015-11-03 08:05 embedded 0.1.26

Target info

Targets

  • localhost.localdomain

Addresses

  • 127.0.0.1
  • 192.168.100.203
  • 0:0:0:0:0:0:0:1
  • fe80:0:0:0:5054:ff:fec4:56df

Applicable platforms

  • cpe:/o:redhat:enterprise_linux:6

Score

system score max % bar
urn:xccdf:scoring:default 42.46 100.00 42.46%

Results overview

Rule Results Summary

pass fixed fail error not selected not checked not applicable informational unknown total
32 49 8 1 312 2 0 0 2 406
Title Result
Ensure Red Hat GPG Key Installed pass
Ensure gpgcheck Enabled In Main Yum Configuration pass
Ensure gpgcheck Enabled For All Yum Package Repositories pass
Ensure Software Patches Installed notchecked
Install AIDE fixed
Disable Prelinking fixed
Build and Test AIDE Database fail
Configure Periodic Execution of AIDE fixed
Verify and Correct File Permissions with RPM fail
Verify File Hashes with RPM pass
Install Intrusion Detection Software notchecked
Verify User Who Owns shadow File pass
Verify Group Who Owns shadow File pass
Verify Permissions on shadow File pass
Verify User Who Owns group File pass
Verify Group Who Owns group File pass
Verify Permissions on group File pass
Verify User Who Owns passwd File pass
Verify Group Who Owns passwd File pass
Verify Permissions on passwd File pass
Prevent Log In to Accounts With Empty Password fixed
Verify All Account Password Hashes are Shadowed pass
All GIDs referenced in /etc/passwd must be defined in /etc/group pass
Set Password Maximum Age fixed
Set Account Expiration Following Inactivity fixed
Ensure All Accounts on the System Have Unique Names pass
Set Last Login/Access Notification fixed
Set Password Strength Minimum Digit Characters fixed
Set Password Minimum Length fail
Set Password Strength Minimum Uppercase Characters fixed
Set Password Strength Minimum Lowercase Characters fixed
Set Deny For Failed Password Attempts fixed
Set Lockout Time For Failed Password Attempts fixed
Limit Password Reuse fixed
Set Password Hashing Algorithm in /etc/pam.d/system-auth pass
Set Password Hashing Algorithm in /etc/login.defs pass
Set Password Hashing Algorithm in /etc/libuser.conf pass
Verify /etc/grub.conf User Ownership pass
Verify /etc/grub.conf Group Ownership pass
Set GNOME Login Inactivity Timeout fixed
GNOME Desktop Screensaver Mandatory Use fixed
Enable Screen Lock Activation After Idle Period fixed
Implement Blank Screensaver fixed
Enable Smart Card Login fail
Install openswan Package fixed
Ensure Log Files Are Owned By Appropriate User pass
Ensure Log Files Are Owned By Appropriate Group unknown
Ensure System Log Files Have Correct Permissions unknown
Ensure Logrotate Runs Periodically pass
Enable auditd Service pass
Enable Auditing for Processes Which Start Prior to the Audit Daemon fixed
Configure auditd Number of Logs Retained pass
Configure auditd Max Log File Size pass
Configure auditd max_log_file_action Upon Reaching Maximum Log Size pass
Configure auditd space_left Action on Low Disk Space fixed
Configure auditd admin_space_left Action on Low Disk Space fixed
Configure auditd mail_acct Action on Low Disk Space pass
Configure auditd to use audispd's syslog plugin fail
Record attempts to alter time through adjtimex fixed
Record attempts to alter time through settimeofday fail
Record Attempts to Alter Time Through stime fail
Record Attempts to Alter Time Through clock_settime fixed
Record Attempts to Alter the localtime File fixed
Record Events that Modify User/Group Information fixed
Record Events that Modify the System's Network Environment fixed
System Audit Logs Must Have Mode 0640 or Less Permissive pass
System Audit Logs Must Be Owned By Root pass
Record Events that Modify the System's Mandatory Access Controls fixed
Record Events that Modify the System's Discretionary Access Controls - chmod fixed
Record Events that Modify the System's Discretionary Access Controls - chown fixed
Record Events that Modify the System's Discretionary Access Controls - fchmod fixed
Record Events that Modify the System's Discretionary Access Controls - fchmodat fixed
Record Events that Modify the System's Discretionary Access Controls - fchown fixed
Record Events that Modify the System's Discretionary Access Controls - fchownat fixed
Record Events that Modify the System's Discretionary Access Controls - fremovexattr fixed
Record Events that Modify the System's Discretionary Access Controls - fsetxattr fixed
Record Events that Modify the System's Discretionary Access Controls - lchown fixed
Record Events that Modify the System's Discretionary Access Controls - lremovexattr fixed
Record Events that Modify the System's Discretionary Access Controls - lsetxattr fixed
Record Events that Modify the System's Discretionary Access Controls - removexattr fixed
Record Events that Modify the System's Discretionary Access Controls - setxattr fixed
Record Attempts to Alter Login and Logout Events fail
Record Attempts to Alter Process and Session Initiation Information fixed
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) fixed
Ensure auditd Collects Information on the Use of Privileged Commands error
Ensure auditd Collects Information on Exporting to Media (successful) fixed
Ensure auditd Collects File Deletion Events by User fixed
Ensure auditd Collects System Administrator Actions fixed
Ensure auditd Collects Information on Kernel Module Loading and Unloading fixed
Make the auditd Configuration Immutable fixed
Set SSH Idle Timeout Interval fixed
Enable the NTP Daemon fixed
Specify a Remote NTP Server pass
Specify Additional Remote NTP Servers pass

Results details

Result for Ensure Red Hat GPG Key Installed

Result: pass

Rule ID: xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed

Time: 2015-11-03 08:02

Severity: high

To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must properly be installed. To install the Red Hat GPG key, run:

$ sudo rhn_register
If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in /media/cdrom, use the following command as the root user to import it into the keyring:
$ sudo rpm --import /media/cdrom/RPM-GPG-KEY

The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat.

Security identifiers

  • CCE-26506-6
  • DISA FSO RHEL-06-000008

Remediation script

                # The two fingerprints below are retrieved from https://access.redhat.com/security/team/key
readonly REDHAT_RELEASE_2_FINGERPRINT="567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51"
readonly REDHAT_AUXILIARY_FINGERPRINT="43A6 E49C 4A38 F4BE 9ABF 2A53 4568 9C88 2FA6 58E0"
# Location of the key we would like to import (once it's integrity verified)
readonly REDHAT_RELEASE_KEY="/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"

RPM_GPG_DIR_PERMS=$(stat -c %a "$(dirname "$REDHAT_RELEASE_KEY")")

# Verify /etc/pki/rpm-gpg directory permissions are safe
if [ "${RPM_GPG_DIR_PERMS}" -le "755" ]
then
  # If they are safe, try to obtain fingerprints from the key file
  # (to ensure there won't be e.g. CRC error)
  IFS=$'\n' GPG_OUT=($(gpg --with-fingerprint "${REDHAT_RELEASE_KEY}"))
  GPG_RESULT=$?
  # No CRC error, safe to proceed
  if [ "${GPG_RESULT}" -eq "0" ]
  then
    for ITEM in "${GPG_OUT[@]}"
    do
      # Filter just hexadecimal fingerprints from gpg's output from
      # processing of a key file
      RESULT=$(echo ${ITEM} | sed -n "s/[[:space:]]*Key fingerprint = \(.*\)/\1/p" | tr -s '[:space:]')
      # If fingerprint matches Red Hat's release 2 or auxiliary key import the key
      if [[ ${RESULT} ]] && ([[ ${RESULT} = "${REDHAT_RELEASE_2_FINGERPRINT}" ]] || \
                             [[ ${RESULT} = "${REDHAT_AUXILIARY_FINGERPRINT}" ]])
      then
        rpm --import "${REDHAT_RELEASE_KEY}"
      fi
    done
  fi
fi

              

Result for Ensure gpgcheck Enabled In Main Yum Configuration

Result: pass

Rule ID: xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated

Time: 2015-11-03 08:02

Severity: medium

The gpgcheck option controls whether RPM packages' signatures are always checked prior to installation. To configure yum to check package signatures before installing them, ensure the following line appears in /etc/yum.conf in the [main] section:

gpgcheck=1

Ensuring the validity of packages' cryptographic signatures prior to installation ensures the authenticity of the software and protects against malicious tampering.

Security identifiers

  • CCE-26709-6
  • DISA FSO RHEL-06-000013

Result for Ensure gpgcheck Enabled For All Yum Package Repositories

Result: pass

Rule ID: xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled

Time: 2015-11-03 08:02

Severity: low

To ensure signature checking is not disabled for any repos, remove any lines from files in /etc/yum.repos.d of the form:

gpgcheck=0

Ensuring all packages' cryptographic signatures are valid prior to installation ensures the authenticity of the software and protects against malicious tampering.

Security identifiers

  • CCE-26647-8
  • DISA FSO RHEL-06-000015

Result for Ensure Software Patches Installed

Result: notchecked

Rule ID: xccdf_org.ssgproject.content_rule_security_patches_up_to_date

Time: 2015-11-03 08:02

Severity: medium

If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates:

$ sudo yum update
If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the Red Hat Network and installed using rpm.

Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities.

Security identifiers

  • CCE-27635-2
  • DISA FSO RHEL-06-000011

Result for Install AIDE

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_package_aide_installed

Time: 2015-11-03 08:03

Severity: medium

Install the AIDE package with the command:

$ sudo yum install aide

The AIDE package must be installed if it is to be available for integrity checking.

Security identifiers

  • CCE-27024-9
  • DISA FSO RHEL-06-000016

Remediation script

                yum -y install aide

              

Result for Disable Prelinking

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_disable_prelink

Time: 2015-11-03 08:04

Severity: low

The prelinking feature changes binaries in an attempt to decrease their startup time. In order to disable it, change or add the following line inside the file /etc/sysconfig/prelink:

PRELINKING=no
Next, run the following command to return binaries to a normal, non-prelinked state:
$ sudo /usr/sbin/prelink -ua

The prelinking feature can interfere with the operation of AIDE, because it changes binaries.

Security identifiers

  • CCE-27221-1

Remediation script

                #
# Disable prelinking altogether
#
if grep -q ^PRELINKING /etc/sysconfig/prelink
then
  sed -i 's/PRELINKING.*/PRELINKING=no/g' /etc/sysconfig/prelink
else
  echo -e "\n# Set PRELINKING=no per security requirements" >> /etc/sysconfig/prelink
  echo "PRELINKING=no" >> /etc/sysconfig/prelink
fi

#
# Undo previous prelink changes to binaries
#
/usr/sbin/prelink -ua

              

Result for Build and Test AIDE Database

Result: fail

Rule ID: xccdf_org.ssgproject.content_rule_aide_build_database

Time: 2015-11-03 08:02

Severity: medium

Run the following command to generate a new database:

$ sudo /usr/sbin/aide --init
By default, the database will be written to the file /var/lib/aide/aide.db.new.gz. Storing the database, the configuration file /etc/aide.conf, and the binary /usr/sbin/aide (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows:
$ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
To initiate a manual check, run the following command:
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate.

For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.

Security identifiers

  • CCE-27135-3
  • DISA FSO RHEL-06-000018

Result for Configure Periodic Execution of AIDE

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking

Time: 2015-11-03 08:04

Severity: medium

To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:

05 4 * * * root /usr/sbin/aide --check
AIDE can be executed periodically through other means; this is merely one example.

By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files.

Security identifiers

  • CCE-27222-9
  • DISA FSO RHEL-06-000306

Remediation script

                echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab

              

Result for Verify and Correct File Permissions with RPM

Result: fail

Rule ID: xccdf_org.ssgproject.content_rule_rpm_verify_permissions

Time: 2015-11-03 08:03

Severity: low

The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. After locating a file with incorrect permissions, run the following command to determine which package owns it:

$ rpm -qf FILENAME
Next, run the following command to reset its permissions to the correct values:
$ sudo rpm --setperms PACKAGENAME

Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.

Security identifiers

  • CCE-26731-0
  • DISA FSO RHEL-06-000518

group ownership of all files matches local rpm database

nameepochversionreleasearchfilepathextended namesize differsmode differsmd5 differsdevice differslink mismatchownership differsgroup differsmtime differscapabilities differconfiguration filedocumentation fileghost filelicense filereadme file
gdm12.30.464.el6x86_64/var/log/gdmgdm-1:2.30.4-64.el6.x86_64passfailnot performedpasspasspassfailpasspassfalsefalsefalsefalsefalse

mode of all files matches local rpm database

nameepochversionreleasearchfilepathextended namesize differsmode differsmd5 differsdevice differslink mismatchownership differsgroup differsmtime differscapabilities differconfiguration filedocumentation fileghost filelicense filereadme file
gdm12.30.464.el6x86_64/var/log/gdmgdm-1:2.30.4-64.el6.x86_64passfailnot performedpasspasspassfailpasspassfalsefalsefalsefalsefalse
gdm12.30.464.el6x86_64/var/run/gdmgdm-1:2.30.4-64.el6.x86_64passfailnot performedpasspasspasspasspasspassfalsefalsefalsefalsefalse
rhn-client-tools(none)1.0.0.132.el6noarch/etc/sysconfig/rhn/up2daterhn-client-tools-0:1.0.0.1-32.el6.noarchfailfailnot performedpasspasspasspassfailpasstruefalsefalsefalsefalse

Result for Verify File Hashes with RPM

Result: pass

Rule ID: xccdf_org.ssgproject.content_rule_rpm_verify_hashes

Time: 2015-11-03 08:03

Severity: low

The RPM package management system can check the hashes of installed software packages, including many that are important to system security. Run the following command to list which files on the system have hashes that differ from what is expected by the RPM database:

$ rpm -Va | grep '^..5'
A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file was not expected to change, investigate the cause of the change using audit logs or other means. The package can then be reinstalled to restore the file. Run the following command to determine which package owns the file:
$ rpm -qf FILENAME
The package can be reinstalled from a yum repository using the command:
$ sudo yum reinstall PACKAGENAME
Alternatively, the package can be reinstalled from trusted media using the command:
$ sudo rpm -Uvh PACKAGENAME

The hashes of important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.

Security identifiers

  • CCE-27223-7
  • DISA FSO RHEL-06-000519

Result for Install Intrusion Detection Software

Result: notchecked

Rule ID: xccdf_org.ssgproject.content_rule_install_hids

Time: 2015-11-03 08:03

Severity: medium

The base Red Hat platform already includes a sophisticated auditing system that can detect intruder activity, as well as SELinux, which provides host-based intrusion prevention capabilities by confining privileged programs and user sessions which may become compromised.
In DoD environments, supplemental intrusion detection tools, such as, the McAfee Host-based Security System, are available to integrate with existing infrastructure. When these supplemental tools interfere with the proper functioning of SELinux, SELinux takes precedence.

Host-based intrusion detection tools provide a system-level defense when an intruder gains access to a system or network.

Security identifiers

  • CCE-27409-2
  • DISA FSO RHEL-06-000285

Result for Verify User Who Owns shadow File

Result: pass

Rule ID: xccdf_org.ssgproject.content_rule_userowner_shadow_file

Time: 2015-11-03 08:03

Severity: medium

To properly set the owner of /etc/shadow, run the command:

$ sudo chown root /etc/shadow 

The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.

Security identifiers

  • CCE-26947-2
  • DISA FSO RHEL-06-000033

Remediation script

                chown root /etc/shadow

              

Result for Verify Group Who Owns shadow File

Result: pass

Rule ID: xccdf_org.ssgproject.content_rule_groupowner_shadow_file

Time: 2015-11-03 08:03

Severity: medium

To properly set the group owner of /etc/shadow, run the command:

$ sudo chgrp root /etc/shadow 

The /etc/shadow file stores password hashes. Protection of this file is critical for system security.

Security identifiers

  • CCE-26967-0
  • DISA FSO RHEL-06-000034

Remediation script

                chgrp root /etc/shadow

              

Result for Verify Permissions on shadow File

Result: pass

Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow

Time: 2015-11-03 08:03

Severity: medium

To properly set the permissions of /etc/shadow, run the command:

$ sudo chmod 0000 /etc/shadow

The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.

Security identifiers

  • CCE-26992-8
  • DISA FSO RHEL-06-000035

Remediation script

                chmod 0000 /etc/shadow

              

Result for Verify User Who Owns group File

Result: pass

Rule ID: xccdf_org.ssgproject.content_rule_file_owner_etc_group

Time: 2015-11-03 08:03

Severity: medium

To properly set the owner of /etc/group, run the command:

$ sudo chown root /etc/group 

The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

Security identifiers

  • CCE-26822-7
  • DISA FSO RHEL-06-000042

Remediation script

                chown root /etc/group

              

Result for Verify Group Who Owns group File

Result: pass

Rule ID: xccdf_org.ssgproject.content_rule_file_groupowner_etc_group

Time: 2015-11-03 08:03

Severity: medium

To properly set the group owner of /etc/group, run the command:

$ sudo chgrp root /etc/group 

The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

Security identifiers

  • CCE-26930-8
  • DISA FSO RHEL-06-000043

Remediation script

                chgrp root /etc/group

              

Result for Verify Permissions on group File

Result: pass

Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_etc_group

Time: 2015-11-03 08:03

Severity: medium

To properly set the permissions of /etc/group, run the command:

$ sudo chmod 644 /etc/group

The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

Security identifiers

  • CCE-26954-8
  • DISA FSO RHEL-06-000044

Remediation script

                chmod 644 /etc/group

              

Result for Verify User Who Owns passwd File

Result: pass

Rule ID: xccdf_org.ssgproject.content_rule_file_owner_etc_passwd

Time: 2015-11-03 08:03

Severity: medium

To properly set the owner of /etc/passwd, run the command:

$ sudo chown root /etc/passwd 

The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security.

Security identifiers

  • CCE-26953-0
  • DISA FSO RHEL-06-000039

Remediation script

                chown root /etc/passwd

              

Result for Verify Group Who Owns passwd File

Result: pass

Rule ID: xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd

Time: 2015-11-03 08:03

Severity: medium

To properly set the group owner of /etc/passwd, run the command:

$ sudo chgrp root /etc/passwd 

The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security.

Security identifiers

  • CCE-26856-5
  • DISA FSO RHEL-06-000040

Remediation script

                chgrp root /etc/passwd

              

Result for Verify Permissions on passwd File

Result: pass

Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd

Time: 2015-11-03 08:03

Severity: medium

To properly set the permissions of /etc/passwd, run the command:

$ sudo chmod 0644 /etc/passwd

If the /etc/passwd file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.

Security identifiers

  • CCE-26868-0
  • DISA FSO RHEL-06-000041

Remediation script

                chmod 0644 /etc/passwd

              

Result for Prevent Log In to Accounts With Empty Password

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_no_empty_passwords

Time: 2015-11-03 08:04

Severity: high

If an account is configured for password authentication but does not have an assigned password, it may be possible to log onto the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.

If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.

Security identifiers

  • CCE-27038-9
  • DISA FSO RHEL-06-000030

Remediation script

                sed --follow-symlinks -i 's/\<nullok\>//g' /etc/pam.d/system-auth

              

Result for Verify All Account Password Hashes are Shadowed

Result: pass

Rule ID: xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed

Time: 2015-11-03 08:03

Severity: medium

If any password hashes are stored in /etc/passwd (in the second field, instead of an x), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely.

The hashes for all user account passwords should be stored in the file /etc/shadow and never in /etc/passwd, which is readable by all users.

Security identifiers

  • CCE-26476-2
  • DISA FSO RHEL-06-000031

Result for All GIDs referenced in /etc/passwd must be defined in /etc/group

Result: pass

Rule ID: xccdf_org.ssgproject.content_rule_gid_passwd_group_same

Time: 2015-11-03 08:03

Severity: low

Add a group to the system for each GID referenced without a corresponding group.

Inconsistency in GIDs between /etc/passwd and /etc/group could lead to a user having unintended rights.

Security identifiers

  • CCE-27379-7
  • DISA FSO RHEL-06-000294

Result for Set Password Maximum Age

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs

Time: 2015-11-03 08:04

Severity: medium

To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line:

PASS_MAX_DAYS 
A value of 180 days is sufficient for many environments. The DoD requirement is 60.

Setting the password maximum age ensures users are required to periodically change their passwords. This could possibly decrease the utility of a stolen password. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.

Security identifiers

  • CCE-26985-2
  • DISA FSO RHEL-06-000053

Remediation script

                var_accounts_maximum_age_login_defs="90"
grep -q ^PASS_MAX_DAYS /etc/login.defs && \
  sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS     $var_accounts_maximum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
    echo "PASS_MAX_DAYS      $var_accounts_maximum_age_login_defs" >> /etc/login.defs
fi

              

Result for Set Account Expiration Following Inactivity

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration

Time: 2015-11-03 08:04

Severity: low

To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in /etc/default/useradd, substituting NUM_DAYS appropriately:

INACTIVE=UNDEFINED_SUB
A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the useradd man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.

Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.

Security identifiers

  • CCE-27283-1
  • DISA FSO RHEL-06-000334

Remediation script

                var_account_disable_post_pw_expiration="90"
grep -q ^INACTIVE /etc/default/useradd && \
  sed -i "s/INACTIVE.*/INACTIVE=$var_account_disable_post_pw_expiration/g" /etc/default/useradd
if ! [ $? -eq 0 ]; then
    echo "INACTIVE=$var_account_disable_post_pw_expiration" >> /etc/default/useradd
fi

              

Result for Ensure All Accounts on the System Have Unique Names

Result: pass

Rule ID: xccdf_org.ssgproject.content_rule_account_unique_name

Time: 2015-11-03 08:03

Severity: low

Change usernames, or delete accounts, so each has a unique name.

Unique usernames allow for accountability on the system.

Security identifiers

  • CCE-27609-7
  • DISA FSO RHEL-06-000296

Result for Set Last Login/Access Notification

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_display_login_attempts

Time: 2015-11-03 08:04

Severity: low

To configure the system to notify users of last login/access using pam_lastlog, add the following line immediately after session required pam_limits.so:

session       required     pam_lastlog.so showfailed

Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.

Security identifiers

  • CCE-27291-4
  • DISA FSO RHEL-06-000372

Remediation script

                sed -i --follow-symlinks '/pam_limits.so/a session\t    required\t  pam_lastlog.so showfailed' /etc/pam.d/system-auth

              

Result for Set Password Strength Minimum Digit Characters

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit

Time: 2015-11-03 08:04

Severity: low

The pam_cracklib module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional length credit for each digit. Add dcredit=-1 after pam_cracklib.so to require use of a digit in passwords.

Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.

Security identifiers

  • CCE-26374-9
  • DISA FSO RHEL-06-000056

Remediation script

                var_password_pam_dcredit="-1"
if grep -q "dcredit=" /etc/pam.d/system-auth; then
	sed -i --follow-symlink "s/\(dcredit *= *\).*/\1$var_password_pam_dcredit/" /etc/pam.d/system-auth
else
	sed -i --follow-symlink "/pam_cracklib.so/ s/$/ dcredit=$var_password_pam_dcredit/" /etc/pam.d/system-auth
fi

              

Result for Set Password Minimum Length

Result: fail

Rule ID: xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen

Time: 2015-11-03 08:03

Severity: low

The pam_cracklib module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements.

Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.

Security identifiers

  • CCE-26615-5

Result for Set Password Strength Minimum Uppercase Characters

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit

Time: 2015-11-03 08:04

Severity: low

The pam_cracklib module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each uppercase character. Add ucredit=-1 after pam_cracklib.so to require use of an upper case character in passwords.

Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space.

Security identifiers

  • CCE-26601-5
  • DISA FSO RHEL-06-000057

Remediation script

                var_password_pam_ucredit="-1"
if grep -q "ucredit=" /etc/pam.d/system-auth; then   
	sed -i --follow-symlink "s/\(ucredit *= *\).*/\1$var_password_pam_ucredit/" /etc/pam.d/system-auth
else
	sed -i --follow-symlink "/pam_cracklib.so/ s/$/ ucredit=$var_password_pam_ucredit/" /etc/pam.d/system-auth
fi

              

Result for Set Password Strength Minimum Lowercase Characters

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit

Time: 2015-11-03 08:04

Severity: low

The pam_cracklib module's lcredit= parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each lowercase character. Add lcredit=-1 after pam_cracklib.so to require use of a lowercase character in passwords.

Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.

Security identifiers

  • CCE-26631-2
  • DISA FSO RHEL-06-000059

Remediation script

                var_password_pam_lcredit="-1"
if grep -q "lcredit=" /etc/pam.d/system-auth; then   
	sed -i --follow-symlink "s/\(lcredit *= *\).*/\1$var_password_pam_lcredit/" /etc/pam.d/system-auth
else
	sed -i --follow-symlink "/pam_cracklib.so/ s/$/ lcredit=$var_password_pam_lcredit/" /etc/pam.d/system-auth
fi

              

Result for Set Deny For Failed Password Attempts

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny

Time: 2015-11-03 08:04

Severity: medium

To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

  • Add the following line immediately before the pam_unix.so statement in the AUTH section:

    auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=

  • Add the following line immediately after the pam_unix.so statement in the AUTH section:

    auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=

  • Add the following line immediately before the pam_unix.so statement in the ACCOUNT section:

    account required pam_faillock.so

Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks.

Security identifiers

  • CCE-26844-1
  • DISA FSO RHEL-06-000061

Remediation script

                var_accounts_passwords_pam_faillock_deny="6"
AUTH_FILES[0]="/etc/pam.d/system-auth"
AUTH_FILES[1]="/etc/pam.d/password-auth"

for pamFile in "${AUTH_FILES[@]}"
do
	
	# pam_faillock.so already present?
	if grep -q "^auth.*pam_faillock.so.*" $pamFile; then

		# pam_faillock.so present, deny directive present?
		if grep -q "^auth.*[default=die].*pam_faillock.so.*authfail.*deny=" $pamFile; then

			# both pam_faillock.so & deny present, just correct deny directive value
			sed -i --follow-symlink "s/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\(deny *= *\).*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile
			sed -i --follow-symlink "s/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\(deny *= *\).*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile

		# pam_faillock.so present, but deny directive not yet
		else

			# append correct deny value to appropriate places
			sed -i --follow-symlink "/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile
			sed -i --follow-symlink "/^auth.*[default=die].*pam_faillock.so.*authfail.*/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile
		fi

	# pam_faillock.so not present yet
	else

		# insert pam_faillock.so preauth & authfail rows with proper value of the 'deny' option
		sed -i --follow-symlink "/^auth.*sufficient.*pam_unix.so.*/i auth        required      pam_faillock.so preauth silent deny=$var_accounts_passwords_pam_faillock_deny" $pamFile
		sed -i --follow-symlink "/^auth.*sufficient.*pam_unix.so.*/a auth        [default=die] pam_faillock.so authfail deny=$var_accounts_passwords_pam_faillock_deny" $pamFile
		sed -i --follow-symlink "/^account.*required.*pam_unix.so/i account     required      pam_faillock.so" $pamFile
	fi
done

              

Result for Set Lockout Time For Failed Password Attempts

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time

Time: 2015-11-03 08:04

Severity: medium

To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

  • Add the following line immediately before the pam_unix.so statement in the AUTH section:

    auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=

  • Add the following line immediately after the pam_unix.so statement in the AUTH section:

    auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=

  • Add the following line immediately before the pam_unix.so statement in the ACCOUNT section:

    account required pam_faillock.so

Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations.

Security identifiers

  • CCE-27110-6
  • DISA FSO RHEL-06-000356

Remediation script

                var_accounts_passwords_pam_faillock_unlock_time="1800"
AUTH_FILES[0]="/etc/pam.d/system-auth"
AUTH_FILES[1]="/etc/pam.d/password-auth"

for pamFile in "${AUTH_FILES[@]}"
do
	
	# pam_faillock.so already present?
	if grep -q "^auth.*pam_faillock.so.*" $pamFile; then

		# pam_faillock.so present, unlock_time directive present?
		if grep -q "^auth.*[default=die].*pam_faillock.so.*authfail.*unlock_time=" $pamFile; then

			# both pam_faillock.so & unlock_time present, just correct unlock_time directive value
			sed -i --follow-symlink "s/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\(unlock_time *= *\).*/\1\2$var_accounts_passwords_pam_faillock_unlock_time/" $pamFile
			sed -i --follow-symlink "s/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\(unlock_time *= *\).*/\1\2$var_accounts_passwords_pam_faillock_unlock_time/" $pamFile

		# pam_faillock.so present, but unlock_time directive not yet
		else

			# append correct unlock_time value to appropriate places
			sed -i --follow-symlink "/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ unlock_time=$var_accounts_passwords_pam_faillock_unlock_time/" $pamFile
			sed -i --follow-symlink "/^auth.*[default=die].*pam_faillock.so.*authfail.*/ s/$/ unlock_time=$var_accounts_passwords_pam_faillock_unlock_time/" $pamFile
		fi

	# pam_faillock.so not present yet
	else

		# insert pam_faillock.so preauth & authfail rows with proper value of the 'unlock_time' option
		sed -i --follow-symlink "/^auth.*sufficient.*pam_unix.so.*/i auth        required      pam_faillock.so preauth silent unlock_time=$var_accounts_passwords_pam_faillock_unlock_time" $pamFile
		sed -i --follow-symlink "/^auth.*sufficient.*pam_unix.so.*/a auth        [default=die] pam_faillock.so authfail unlock_time=$var_accounts_passwords_pam_faillock_unlock_time" $pamFile
		sed -i --follow-symlink "/^account.*required.*pam_unix.so/i account     required      pam_faillock.so" $pamFile
	fi
done

              

Result for Limit Password Reuse

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember

Time: 2015-11-03 08:04

Severity: medium

Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below:

  • for the pam_unix.so case:

    password sufficient pam_unix.so existing_options remember=

  • for the pam_pwhistory.so case:

    password requisite pam_pwhistory.so existing_options remember=

The DoD STIG requirement is 5 passwords.

Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.

Security identifiers

  • CCE-26741-9
  • DISA FSO RHEL-06-000274

Remediation script

                var_password_pam_unix_remember="4"
if grep -q "remember=" /etc/pam.d/system-auth; then   
	sed -i --follow-symlink "s/\(remember *= *\).*/\1$var_password_pam_unix_remember/" /etc/pam.d/system-auth
else
	sed -i --follow-symlink "/^password[[:space:]]\+sufficient[[:space:]]\+pam_unix.so/ s/$/ remember=$var_password_pam_unix_remember/" /etc/pam.d/system-auth
fi

              

Result for Set Password Hashing Algorithm in /etc/pam.d/system-auth

Result: pass

Rule ID: xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth

Time: 2015-11-03 08:03

Severity: medium

In /etc/pam.d/system-auth, the password section of the file controls which PAM modules execute during a password change. Set the pam_unix.so module in the password section to include the argument sha512, as shown below:

password    sufficient    pam_unix.so sha512 other arguments...
This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.

Using a stronger hashing algorithm makes password cracking attacks more difficult.

Security identifiers

  • CCE-26303-8
  • DISA FSO RHEL-06-000062

Remediation script

                if ! grep -q "^password.*sufficient.*pam_unix.so.*sha512" /etc/pam.d/system-auth; then   
	sed -i --follow-symlink "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" /etc/pam.d/system-auth
fi

              

Result for Set Password Hashing Algorithm in /etc/login.defs

Result: pass

Rule ID: xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs

Time: 2015-11-03 08:03

Severity: medium

In /etc/login.defs, add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm:

ENCRYPT_METHOD SHA512

Using a stronger hashing algorithm makes password cracking attacks more difficult.

Security identifiers

  • CCE-27228-6
  • DISA FSO RHEL-06-000063

Remediation script

                if grep --silent ^ENCRYPT_METHOD /etc/login.defs ; then
	sed -i 's/^ENCRYPT_METHOD.*/ENCRYPT_METHOD SHA512/g' /etc/login.defs
else
	echo "" >> /etc/login.defs
	echo "ENCRYPT_METHOD SHA512" >> /etc/login.defs
fi

              

Result for Set Password Hashing Algorithm in /etc/libuser.conf

Result: pass

Rule ID: xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf

Time: 2015-11-03 08:03

Severity: medium

In /etc/libuser.conf, add or correct the following line in its [defaults] section to ensure the system will use the SHA-512 algorithm for password hashing:

crypt_style = sha512

Using a stronger hashing algorithm makes password cracking attacks more difficult.

Security identifiers

  • CCE-27229-4
  • DISA FSO RHEL-06-000064

Result for Verify /etc/grub.conf User Ownership

Result: pass

Rule ID: xccdf_org.ssgproject.content_rule_file_user_owner_grub_conf

Time: 2015-11-03 08:03

Severity: medium

The file /etc/grub.conf should be owned by the root user to prevent destruction or modification of the file. To properly set the owner of /etc/grub.conf, run the command:

$ sudo chown root /etc/grub.conf 

Only root should be able to modify important boot parameters.

Security identifiers

  • CCE-26995-1
  • DISA FSO RHEL-06-000065

Remediation script

                chown root /etc/grub.conf

              

Result for Verify /etc/grub.conf Group Ownership

Result: pass

Rule ID: xccdf_org.ssgproject.content_rule_file_group_owner_grub_conf

Time: 2015-11-03 08:03

Severity: medium

The file /etc/grub.conf should be group-owned by the root group to prevent destruction or modification of the file. To properly set the group owner of /etc/grub.conf, run the command:

$ sudo chgrp root /etc/grub.conf 

The root group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.

Security identifiers

  • CCE-27022-3
  • DISA FSO RHEL-06-000066

Remediation script

                chgrp root /etc/grub.conf

              

Result for Set GNOME Login Inactivity Timeout

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_gconf_gnome_screensaver_idle_delay

Time: 2015-11-03 08:04

Severity: medium

Run the following command to set the idle time-out value for inactivity in the GNOME desktop to 15 minutes:

$ sudo gconftool-2 \
  --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type int \
  --set /desktop/gnome/session/idle_delay 

Setting the idle delay controls when the screensaver will start, and can be combined with screen locking to prevent access from passersby.

Security identifiers

  • CCE-26828-4
  • DISA FSO RHEL-06-000257

Remediation script

                inactivity_timeout_value="15"
# Install GConf2 package if not installed
if ! rpm -q GConf2; then
  yum -y install GConf2
fi

# Set the idle time-out value for inactivity in the GNOME desktop to meet the
# requirement
gconftool-2 --direct \
            --config-source "xml:readwrite:/etc/gconf/gconf.xml.mandatory" \
            --type int \
            --set /desktop/gnome/session/idle_delay ${inactivity_timeout_value}

              

Result for GNOME Desktop Screensaver Mandatory Use

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_gconf_gnome_screensaver_idle_activation_enabled

Time: 2015-11-03 08:04

Severity: medium

Run the following command to activate the screensaver in the GNOME desktop after a period of inactivity:

$ sudo gconftool-2 --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type bool \
  --set /apps/gnome-screensaver/idle_activation_enabled true

Enabling idle activation of the screensaver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require the login session does not have administrator rights and the display station is located in a controlled-access area.

Security identifiers

  • CCE-26600-7
  • DISA FSO RHEL-06-000258

Remediation script

                # Install GConf2 package if not installed
if ! rpm -q GConf2; then
  yum -y install GConf2
fi

# Set the screensaver activation in the GNOME desktop after a period of inactivity
gconftool-2 --direct \
            --config-source "xml:readwrite:/etc/gconf/gconf.xml.mandatory" \
            --type bool \
            --set /apps/gnome-screensaver/idle_activation_enabled true

              

Result for Enable Screen Lock Activation After Idle Period

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_gconf_gnome_screensaver_lock_enabled

Time: 2015-11-03 08:04

Severity: medium

Run the following command to activate locking of the screensaver in the GNOME desktop when it is activated:

$ sudo gconftool-2 --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type bool \
  --set /apps/gnome-screensaver/lock_enabled true

Enabling the activation of the screen lock after an idle period ensures password entry will be required in order to access the system, preventing access by passersby.

Security identifiers

  • CCE-26235-2
  • DISA FSO RHEL-06-000259

Remediation script

                # Install GConf2 package if not installed
if ! rpm -q GConf2; then
  yum -y install GConf2
fi

# Set the screensaver locking activation in the GNOME desktop when the
# screensaver is activated
gconftool-2 --direct \
            --config-source "xml:readwrite:/etc/gconf/gconf.xml.mandatory" \
            --type bool \
            --set /apps/gnome-screensaver/lock_enabled true

              

Result for Implement Blank Screensaver

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_gconf_gnome_screensaver_mode_blank

Time: 2015-11-03 08:04

Severity: low

Run the following command to set the screensaver mode in the GNOME desktop to a blank screen:

$ sudo gconftool-2 --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type string \
  --set /apps/gnome-screensaver/mode blank-only

Setting the screensaver mode to blank-only conceals the contents of the display from passersby.

Security identifiers

  • CCE-26638-7
  • DISA FSO RHEL-06-000260

Remediation script

                # Install GConf2 package if not installed
if ! rpm -q GConf2; then
  yum -y install GConf2
fi

# Set the screensaver mode in the GNOME desktop to a blank screen
gconftool-2 --direct \
            --config-source "xml:readwrite:/etc/gconf/gconf.xml.mandatory" \
            --type string \
            --set /apps/gnome-screensaver/mode blank-only

              

Result for Enable Smart Card Login

Result: fail

Rule ID: xccdf_org.ssgproject.content_rule_smartcard_auth

Time: 2015-11-03 08:03

Severity: medium

To enable smart card authentication, consult the documentation at:

  • https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/enabling-smart-card-login.html

For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at:

  • https://access.redhat.com/solutions/82273

Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials.

Security identifiers

  • CCE-27440-7
  • DISA FSO RHEL-06-000349

Result for Install openswan Package

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_package_openswan_installed

Time: 2015-11-03 08:04

Severity: low

The Openswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. The openswan package can be installed with the following command:

$ sudo yum install openswan

Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network.

Security identifiers

  • CCE-27626-1
  • DISA FSO RHEL-06-000321

Remediation script

                yum -y install openswan

              

Result for Ensure Log Files Are Owned By Appropriate User

Result: pass

Rule ID: xccdf_org.ssgproject.content_rule_rsyslog_files_ownership

Time: 2015-11-03 08:03

Severity: medium

The owner of all log files written by rsyslog should be root. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's owner:

$ ls -l LOGFILE
If the owner is not root, run the following command to correct this:
$ sudo chown root LOGFILE

The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.

Security identifiers

  • CCE-26812-8
  • DISA FSO RHEL-06-000133

Result for Ensure Log Files Are Owned By Appropriate Group

Result: unknown

Rule ID: xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership

Time: 2015-11-03 08:03

Severity: medium

The group-owner of all log files written by rsyslog should be root. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's group owner:

$ ls -l LOGFILE
If the owner is not root, run the following command to correct this:
$ sudo chgrp root LOGFILE

The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.

Security identifiers

  • CCE-26821-9
  • DISA FSO RHEL-06-000134

Result for Ensure System Log Files Have Correct Permissions

Result: unknown

Rule ID: xccdf_org.ssgproject.content_rule_rsyslog_files_permissions

Time: 2015-11-03 08:03

Severity: medium

The file permissions for all log files written by rsyslog should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's permissions:

$ ls -l LOGFILE
If the permissions are not 600 or more restrictive, run the following command to correct this:
$ sudo chmod 0600 LOGFILE

Log files can contain valuable information regarding system configuration. If the system log files are not protected unauthorized users could change the logged data, eliminating their forensic value.

Security identifiers

  • CCE-27190-8
  • DISA FSO RHEL-06-000135

Result for Ensure Logrotate Runs Periodically

Result: pass

Rule ID: xccdf_org.ssgproject.content_rule_ensure_logrotate_activated

Time: 2015-11-03 08:03

Severity: low

The logrotate utility allows for the automatic rotation of log files. The frequency of rotation is specified in /etc/logrotate.conf, which triggers a cron task. To configure logrotate to run daily, add or correct the following line in /etc/logrotate.conf:

# rotate log files frequency
daily

Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.

Security identifiers

  • CCE-27014-0
  • DISA FSO RHEL-06-000138

Result for Enable auditd Service

Result: pass

Rule ID: xccdf_org.ssgproject.content_rule_service_auditd_enabled

Time: 2015-11-03 08:03

Severity: medium

The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd service can be enabled with the following command:

$ sudo chkconfig --level 2345 auditd on

Ensuring the auditd service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.

Security identifiers

  • CCE-27058-7
  • DISA FSO RHEL-06-000145

Remediation script

                . /usr/share/scap-security-guide/remediation_functions

service_command enable auditd

              

Result for Enable Auditing for Processes Which Start Prior to the Audit Daemon

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_bootloader_audit_argument

Time: 2015-11-03 08:04

Severity: low

To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to the kernel line in /etc/grub.conf, in the manner below:

kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1

Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.

Security identifiers

  • CCE-26785-6
  • DISA FSO RHEL-06-000525

Remediation script

                /sbin/grubby --update-kernel=ALL --args="audit=1"

              

Result for Configure auditd Number of Logs Retained

Result: pass

Rule ID: xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs

Time: 2015-11-03 08:03

Severity: medium

Determine how many log files auditd should retain when it rotates logs. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting NUMLOGS with the correct value of 5:

num_logs = NUMLOGS
Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation.

The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.

Security identifiers

  • CCE-27522-2
  • DISA FSO RHEL-06-000159

Result for Configure auditd Max Log File Size

Result: pass

Rule ID: xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file

Time: 2015-11-03 08:03

Severity: medium

Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting the correct value of 6 for STOREMB:

max_log_file = STOREMB
Set the value to 6 (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data.

The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.

Security identifiers

  • CCE-27550-3
  • DISA FSO RHEL-06-000160

Result for Configure auditd max_log_file_action Upon Reaching Maximum Log Size

Result: pass

Rule ID: xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action

Time: 2015-11-03 08:03

Severity: medium

The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by auditd, add or correct the line in /etc/audit/auditd.conf:

max_log_file_action = ACTION
Possible values for ACTION are described in the auditd.conf man page. These include:

  • ignore

  • syslog

  • suspend

  • rotate

  • keep_logs

Set the ACTION to rotate to ensure log rotation occurs. This is the default. The setting is case-insensitive.

Automatically rotating logs (by setting this to rotate) minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, keep_logs can be employed.

Security identifiers

  • CCE-27237-7
  • DISA FSO RHEL-06-000161

Result for Configure auditd space_left Action on Low Disk Space

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action

Time: 2015-11-03 08:04

Severity: medium

The auditd service can be configured to take an action when disk space starts to run low. Edit the file /etc/audit/auditd.conf. Modify the following line, substituting ACTION appropriately:

space_left_action = ACTION
Possible values for ACTION are described in the auditd.conf man page. These include:

  • ignore

  • syslog

  • email

  • exec

  • suspend

  • single

  • halt

Set this to email (instead of the default, which is suspend) as it is more likely to get prompt attention. Acceptable values also include suspend, single, and halt.

Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.

Security identifiers

  • CCE-27238-5
  • DISA FSO RHEL-06-000005

Remediation script

                var_auditd_space_left_action="email"
#
# If space_left_action present in /etc/audit/auditd.conf, change value
# to var_auditd_space_left_action, else
# add "space_left_action = $var_auditd_space_left_action" to /etc/audit/auditd.conf
#

if grep --silent ^space_left_action /etc/audit/auditd.conf ; then
        sed -i 's/^space_left_action.*/space_left_action = '"$var_auditd_space_left_action"'/g' /etc/audit/auditd.conf
else
        echo -e "\n# Set space_left_action to $var_auditd_space_left_action per security requirements" >> /etc/audit/auditd.conf
        echo "space_left_action = $var_auditd_space_left_action" >> /etc/audit/auditd.conf
fi

              

Result for Configure auditd admin_space_left Action on Low Disk Space

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action

Time: 2015-11-03 08:04

Severity: medium

The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:

admin_space_left_action = ACTION
Set this value to single to cause the system to switch to single-user mode for corrective action. Acceptable values also include suspend and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.

Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur.

Security identifiers

  • CCE-27239-3

Remediation script

                var_auditd_admin_space_left_action="single"
grep -q ^admin_space_left_action /etc/audit/auditd.conf && \
  sed -i "s/admin_space_left_action.*/admin_space_left_action = $var_auditd_admin_space_left_action/g" /etc/audit/auditd.conf
if ! [ $? -eq 0 ]; then
    echo "admin_space_left_action = $var_auditd_admin_space_left_action" >> /etc/audit/auditd.conf
fi

              

Result for Configure auditd mail_acct Action on Low Disk Space

Result: pass

Rule ID: xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct

Time: 2015-11-03 08:03

Severity: medium

The auditd service can be configured to send email to a designated account in certain situations. Add or correct the following line in /etc/audit/auditd.conf to ensure that administrators are notified via email for those situations:

action_mail_acct = 

Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.

Security identifiers

  • CCE-27241-9
  • DISA FSO RHEL-06-000313

Result for Configure auditd to use audispd's syslog plugin

Result: fail

Rule ID: xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated

Time: 2015-11-03 08:03

Severity: low

To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in /etc/audisp/plugins.d/syslog.conf to yes. Restart the auditd service:

$ sudo service auditd restart

The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server

Security identifiers

  • CCE-26933-2
  • DISA FSO RHEL-06-000509

Result for Record attempts to alter time through adjtimex

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex

Time: 2015-11-03 08:04

Severity: low

On a 32-bit system, add the following to /etc/audit/audit.rules:

# audit_time_rules
-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules
On a 64-bit system, add the following to /etc/audit/audit.rules:
# audit_time_rules
-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime 
-k audit_time_rules

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Security identifiers

  • CCE-26242-8
  • DISA FSO RHEL-06-000165

Remediation script

                
# audit.rules file to operate at
AUDIT_RULES_FILE="/etc/audit/audit.rules"

# General form / skeleton of an audit rule to search for
BASE_SEARCH_RULE='-a always,exit .* -k audit_time_rules'

# System calls group to search for
SYSCALL_GROUP="time"

# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && ARCHS=("b32") || ARCHS=("b32" "b64")

# Perform the remediation depending on the system's architecture:
# * on 32 bit system, operate just at '-F arch=b32' audit rules
# * on 64 bit system, operate at both '-F arch=b32' & '-F arch=b64' audit rules
for ARCH in ${ARCHS[@]}
do

  # Create expected audit rule form for particular system call & architecture
  if [ ${ARCH} = "b32" ]
  then
    # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output)
    # so append it to the list of time group system calls to be audited
    EXPECTED_RULE="-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k audit_time_rules"
  else
    # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output)
    # therefore don't add it to the list of time group system calls to be audited
    EXPECTED_RULE="-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules"
  fi

  # Indicator that we want to append $EXPECTED_RULE for key & arch into
  # audit.rules by default
  APPEND_EXPECTED_RULE=0

  # From all the existing /etc/audit.rule definitions select those, which:
  # * follow the common audit rule form ($BASE_SEARCH_RULE above)
  # * meet the hardware architecture requirement, and
  # * are current $SYSCALL_GROUP specific
  IFS=$'\n' EXISTING_KEY_ARCH_RULES=($(sed -e "/${BASE_SEARCH_RULE}/!d" -e "/${ARCH}/!d" -e "/${SYSCALL_GROUP}/!d"  ${AUDIT_RULES_FILE}))

  # Process found rules case by case
  for RULE in ${EXISTING_KEY_ARCH_RULES[@]}
  do
    # Found rule is for same arch & syscall group, but differs slightly (in count of -S arguments)
    if [ ${RULE} != ${EXPECTED_RULE} ]
    then
      # If so, isolate just '-S syscall' substring of that rule
      RULE_SYSCALLS=$(echo ${RULE} | grep -o -P '(-S \w+ )+')

        # Check if list of '-S syscall' arguments of that rule is a subset
        # '-S syscall' list from the expected form ($EXPECTED_RULE)
        if [ $(echo ${EXPECTED_RULE} | grep -- ${RULE_SYSCALLS}) ]
        then
          # If so, this audit rule is covered when we append expected rule
          # later & therefore the rule can be deleted.
          #
          # Thus delete the rule from both - the audit.rules file and
          # our $EXISTING_KEY_ARCH_RULES array
          sed -i -e "/${RULE}/d" ${AUDIT_RULES_FILE}
          EXISTING_KEY_ARCH_RULES=(${EXISTING_KEY_ARCH_RULES[@]//${RULE}/})
        else
          # Rule isn't covered by $EXPECTED_RULE - in other words it besides
          # adjtimex, settimeofday, or stime -S arguments contains also -S argument
          # for other time group system call (-S clock_adjtime for example).
          # Example: '-S adjtimex -S clock_adjtime'
          #
          # Therefore:
          # * delete the original rule for arch & key from audit.rules
          #   (original '-S adjtimex -S clock_adjtime' rule would be deleted)
          # * delete $SYSCALL_GROUP -S arguments from the rule,
          #   but keep those not from this $SYSCALL_GROUP
          #   (original '-S adjtimex -S clock_adjtime' would become '-S clock_adjtime')
          # * append the modified (filtered) rule again into audit.rules
          #   if the same rule not already present
          #   (new rule for same arch & key with '-S clock_adjtime' would be appended
          #    if not present yet)
          sed -i -e "/${RULE}/d" ${AUDIT_RULES_FILE}

          if [ ${ARCH} = "b32" ]
          then
            # On 32-bit arch drop ' -S (adjtimex|settimeofday|stime)' from the rule's
            # system call list
            NEW_SYSCALLS_FOR_RULE=$(echo ${RULE_SYSCALLS} | sed -r -e "s/[\s]*-S (adjtimex|settimeofday|stime)//g")
          else
            # On 64-bit arch drop ' -S (adjtimex|settimeofday)' from the rule's
            # system call list ('stime' call isn't known, see "$ ausyscall .." examples above)
            NEW_SYSCALLS_FOR_RULE=$(echo ${RULE_SYSCALLS} | sed -r -e "s/[\s]*-S (adjtimex|settimeofday)//g")
          fi
          # Update the list of system calls for new rule to contain those from new syscalls list
          UPDATED_RULE=$(echo ${RULE} | sed "s/${RULE_SYSCALLS}/${NEW_SYSCALLS_FOR_RULE}/g")
          # Squeeze repeated whitespace characters in rule definition (if any) into one
          UPDATED_RULE=$(echo ${UPDATED_RULE} | tr -s '[:space:]')
          # Insert updated rule into /etc/audit/audit.rules only in case it's not
          # present yet to prevent duplicate same rules
          if [ ! $(grep -- ${UPDATED_RULE} ${AUDIT_RULES_FILE}) ]
          then
            echo ${UPDATED_RULE} >> ${AUDIT_RULES_FILE}
          fi
        fi

    else
      # /etc/audit/audit.rules already contains the expected rule form for this
      # architecture & key => don't insert it second time
      APPEND_EXPECTED_RULE=1
    fi
  done

  # We deleted all rules that were subset of the expected one for this arch & key.
  # Also isolated rules containing system calls not from this system calls group.
  # Now append the expected rule if it's not present in audit.rules yet
  if [[ ${APPEND_EXPECTED_RULE} -eq "0" ]]
  then
    echo ${EXPECTED_RULE} >> ${AUDIT_RULES_FILE}
  fi
done

              

Result for Record attempts to alter time through settimeofday

Result: fail

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday

Time: 2015-11-03 08:03

Severity: low

On a 32-bit system, add the following to /etc/audit/audit.rules:

# audit_time_rules
-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules
On a 64-bit system, add the following to /etc/audit/audit.rules:
# audit_time_rules
-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime 
-k audit_time_rules

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Security identifiers

  • CCE-27203-9
  • DISA FSO RHEL-06-000167

Result for Record Attempts to Alter Time Through stime

Result: fail

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_time_stime

Time: 2015-11-03 08:03

Severity: low

On a 32-bit system, add the following to /etc/audit/audit.rules:

# audit_time_rules
-a always,exit -F arch=b32 -S stime -k audit_time_rules
On a 64-bit system, the "-S stime" is not necessary. The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime 
-k audit_time_rules

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Security identifiers

  • CCE-27169-2
  • DISA FSO RHEL-06-000169

Result for Record Attempts to Alter Time Through clock_settime

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime

Time: 2015-11-03 08:04

Severity: low

On a 32-bit system, add the following to /etc/audit/audit.rules:

# audit_time_rules
-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules
On a 64-bit system, add the following to /etc/audit/audit.rules:
# audit_time_rules
-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime 
-k audit_time_rules

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Security identifiers

  • CCE-27170-0
  • DISA FSO RHEL-06-000171

Remediation script

                
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in ${RULE_ARCHS[@]}
do
	PATTERN="-a always,exit -F arch=$ARCH -S .* -k audit_time_rules"
	GROUP="clock_settime"
	FULL_RULE="-a always,exit -F arch=$ARCH -S clock_settime -k audit_time_rules"
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

              

Result for Record Attempts to Alter the localtime File

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime

Time: 2015-11-03 08:04

Severity: low

Add the following to /etc/audit/audit.rules:

-w /etc/localtime -p wa -k audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Security identifiers

  • CCE-27172-6
  • DISA FSO RHEL-06-000173

Remediation script

                
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation
fix_audit_watch_rule "auditctl" "/etc/localtime" "wa" "audit_time_rules"

              

Result for Record Events that Modify User/Group Information

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification

Time: 2015-11-03 08:04

Severity: low

Add the following to /etc/audit/audit.rules, in order to capture events that modify account changes:

# audit_rules_usergroup_modification
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

Security identifiers

  • CCE-26664-3
  • DISA FSO RHEL-06-000174

Remediation script

                
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation
fix_audit_watch_rule "auditctl" "/etc/group" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "auditctl" "/etc/passwd" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "auditctl" "/etc/gshadow" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "auditctl" "/etc/shadow" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "auditctl" "/etc/security/opasswd" "wa" "audit_rules_usergroup_modification"

              

Result for Record Events that Modify the System's Network Environment

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification

Time: 2015-11-03 08:04

Severity: low

Add the following to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate for your system:

# audit_rules_networkconfig_modification
-a always,exit -F arch=ARCH -S sethostname -S setdomainname -k audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification

The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.

Security identifiers

  • CCE-26648-6
  • DISA FSO RHEL-06-000182

Remediation script

                
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S .* -k *"
	# Use escaped BRE regex to specify rule group
	GROUP="set\(host\|domain\)name"
	FULL_RULE="-a always,exit -F arch=$ARCH -S sethostname -S setdomainname -k audit_rules_networkconfig_modification"
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

# Then perform the remediations for the watch rules
fix_audit_watch_rule "auditctl" "/etc/issue" "wa" "audit_rules_networkconfig_modification"
fix_audit_watch_rule "auditctl" "/etc/issue.net" "wa" "audit_rules_networkconfig_modification"
fix_audit_watch_rule "auditctl" "/etc/hosts" "wa" "audit_rules_networkconfig_modification"
fix_audit_watch_rule "auditctl" "/etc/sysconfig/network" "wa" "audit_rules_networkconfig_modification"

              

Result for System Audit Logs Must Have Mode 0640 or Less Permissive

Result: pass

Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit

Time: 2015-11-03 08:03

Severity: low

Change the mode of the audit log files with the following command:

$ sudo chmod 0640 audit_file

If users can write to audit logs, audit trails can be modified or destroyed.

Security identifiers

  • CCE-27243-5
  • DISA FSO RHEL-06-000383

Remediation script

                chmod -R 640 /var/log/audit/*
chmod 640 /etc/audit/audit.rules

              

Result for System Audit Logs Must Be Owned By Root

Result: pass

Rule ID: xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit

Time: 2015-11-03 08:03

Severity: low

To properly set the owner of /var/log, run the command:

$ sudo chown root /var/log 

Failure to give ownership of the audit log files to root allows the designated owner, and unauthorized users, potential access to sensitive information.

Security identifiers

  • CCE-27244-3
  • DISA FSO RHEL-06-000384

Result for Record Events that Modify the System's Mandatory Access Controls

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_mac_modification

Time: 2015-11-03 08:04

Severity: low

Add the following to /etc/audit/audit.rules:

-w /etc/selinux/ -p wa -k MAC-policy

The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.

Security identifiers

  • CCE-26657-7
  • DISA FSO RHEL-06-000183

Remediation script

                
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation
fix_audit_watch_rule "auditctl" "/etc/selinux/" "wa" "MAC-policy"

              

Result for Record Events that Modify the System's Discretionary Access Controls - chmod

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod

Time: 2015-11-03 08:04

Severity: low

At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S chmod  -F auid>=500 -F auid!=4294967295 -k perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-26280-8
  • DISA FSO RHEL-06-000184

Remediation script

                
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=500 -F auid!=4294967295 -k *"
	GROUP="chmod"
	FULL_RULE="-a always,exit -F arch=$ARCH -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod"
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

              

Result for Record Events that Modify the System's Discretionary Access Controls - chown

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown

Time: 2015-11-03 08:04

Severity: low

At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-27173-4
  • DISA FSO RHEL-06-000185

Remediation script

                
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in ${RULE_ARCHS[@]}
do
	PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=500 -F auid!=4294967295 -k *"
	GROUP="chown"
	FULL_RULE="-a always,exit -F arch=$ARCH -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod"
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

              

Result for Record Events that Modify the System's Discretionary Access Controls - fchmod

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod

Time: 2015-11-03 08:04

Severity: low

At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-27174-2
  • DISA FSO RHEL-06-000186

Remediation script

                
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=500 -F auid!=4294967295 -k *"
	GROUP="chmod"
	FULL_RULE="-a always,exit -F arch=$ARCH -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod"
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

              

Result for Record Events that Modify the System's Discretionary Access Controls - fchmodat

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat

Time: 2015-11-03 08:04

Severity: low

At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-27175-9
  • DISA FSO RHEL-06-000187

Remediation script

                
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=500 -F auid!=4294967295 -k *"
	GROUP="chmod"
	FULL_RULE="-a always,exit -F arch=$ARCH -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod"
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

              

Result for Record Events that Modify the System's Discretionary Access Controls - fchown

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown

Time: 2015-11-03 08:04

Severity: low

At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-27177-5
  • DISA FSO RHEL-06-000188

Remediation script

                
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in ${RULE_ARCHS[@]}
do
	PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=500 -F auid!=4294967295 -k *"
	GROUP="chown"
	FULL_RULE="-a always,exit -F arch=$ARCH -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod"
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

              

Result for Record Events that Modify the System's Discretionary Access Controls - fchownat

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat

Time: 2015-11-03 08:04

Severity: low

At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-27178-3
  • DISA FSO RHEL-06-000189

Remediation script

                
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in ${RULE_ARCHS[@]}
do
	PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=500 -F auid!=4294967295 -k *"
	GROUP="chown"
	FULL_RULE="-a always,exit -F arch=$ARCH -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod"
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

              

Result for Record Events that Modify the System's Discretionary Access Controls - fremovexattr

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr

Time: 2015-11-03 08:04

Severity: low

At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-27179-1
  • DISA FSO RHEL-06-000190

Remediation script

                
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit .* -F auid>=500 -F auid!=4294967295 -k *"
	GROUP="xattr"
	FULL_RULE="-a always,exit -F arch=${ARCH} -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod"
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

              

Result for Record Events that Modify the System's Discretionary Access Controls - fsetxattr

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr

Time: 2015-11-03 08:04

Severity: low

At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-27180-9
  • DISA FSO RHEL-06-000191

Remediation script

                
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit .* -F auid>=500 -F auid!=4294967295 -k *"
	GROUP="xattr"
	FULL_RULE="-a always,exit -F arch=${ARCH} -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod"
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

              

Result for Record Events that Modify the System's Discretionary Access Controls - lchown

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown

Time: 2015-11-03 08:04

Severity: low

At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-27181-7
  • DISA FSO RHEL-06-000192

Remediation script

                
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in ${RULE_ARCHS[@]}
do
	PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=500 -F auid!=4294967295 -k *"
	GROUP="chown"
	FULL_RULE="-a always,exit -F arch=$ARCH -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod"
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

              

Result for Record Events that Modify the System's Discretionary Access Controls - lremovexattr

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr

Time: 2015-11-03 08:04

Severity: low

At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-27182-5
  • DISA FSO RHEL-06-000193

Remediation script

                
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit .* -F auid>=500 -F auid!=4294967295 -k *"
	GROUP="xattr"
	FULL_RULE="-a always,exit -F arch=${ARCH} -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod"
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

              

Result for Record Events that Modify the System's Discretionary Access Controls - lsetxattr

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr

Time: 2015-11-03 08:04

Severity: low

At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-27183-3
  • DISA FSO RHEL-06-000194

Remediation script

                
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit .* -F auid>=500 -F auid!=4294967295 -k *"
	GROUP="xattr"
	FULL_RULE="-a always,exit -F arch=${ARCH} -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod"
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

              

Result for Record Events that Modify the System's Discretionary Access Controls - removexattr

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr

Time: 2015-11-03 08:04

Severity: low

At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-27184-1
  • DISA FSO RHEL-06-000195

Remediation script

                
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit .* -F auid>=500 -F auid!=4294967295 -k *"
	GROUP="xattr"
	FULL_RULE="-a always,exit -F arch=${ARCH} -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod"
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

              

Result for Record Events that Modify the System's Discretionary Access Controls - setxattr

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr

Time: 2015-11-03 08:04

Severity: low

At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-27185-8
  • DISA FSO RHEL-06-000196

Remediation script

                
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit .* -F auid>=500 -F auid!=4294967295 -k *"
	GROUP="xattr"
	FULL_RULE="-a always,exit -F arch=${ARCH} -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod"
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

              

Result for Record Attempts to Alter Login and Logout Events

Result: fail

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_login_events

Time: 2015-11-03 08:03

Severity: low

The audit system already collects login info for all users and root. To watch for attempted manual edits of files involved in storing login events, add the following to /etc/audit/audit.rules:

-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins

Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.

Security identifiers

  • CCE-26691-6

Result for Record Attempts to Alter Process and Session Initiation Information

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_session_events

Time: 2015-11-03 08:04

Severity: low

The audit system already collects process information for all users and root. To watch for attempted manual edits of files involved in storing such process information, add the following to /etc/audit/audit.rules:

-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session

Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.

Security identifiers

  • CCE-26610-6

Remediation script

                
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation
fix_audit_watch_rule "auditctl" "/var/run/utmp" "wa" "session"
fix_audit_watch_rule "auditctl" "/var/log/btmp" "wa" "session"
fix_audit_watch_rule "auditctl" "/var/log/wtmp" "wa" "session"

              

Result for Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification

Time: 2015-11-03 08:04

Severity: low

At a minimum the audit system should collect unauthorized file accesses for all users and root. Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
If the system is 64 bit then also add the following:

-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Security identifiers

  • CCE-26712-0
  • DISA FSO RHEL-06-000197

Remediation script

                
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do

	# First fix the -EACCES requirement
	PATTERN="-a always,exit -F arch=$ARCH -S .* -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k *"
	# Use escaped BRE regex to specify rule group
	GROUP="\(creat\|open\|truncate\)"
	FULL_RULE="-a always,exit -F arch=$ARCH -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access"
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

	# Then fix the -EPERM requirement
	PATTERN="-a always,exit -F arch=$ARCH -S .* -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k *"
	# No need to change content of $GROUP variable - it's the same as for -EACCES case above
	FULL_RULE="-a always,exit -F arch=$ARCH -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access"
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

done

              

Result for Ensure auditd Collects Information on the Use of Privileged Commands

Result: error

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands

Time: 2015-11-03 08:05

Severity: low

At a minimum the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition PART:

$ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null
Then, for each setuid / setgid program on the system, add a line of the following form to /etc/audit/audit.rules, where SETUID_PROG_PATH is the full path to each setuid / setgid program in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Security identifiers

  • CCE-26457-2
  • DISA FSO RHEL-06-000198

Remediation script


# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation
perform_audit_rules_privileged_commands_remediation "auditctl" "500"

Result for Ensure auditd Collects Information on Exporting to Media (successful)

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_media_export

Time: 2015-11-03 08:05

Severity: low

At a minimum the audit system should collect media exportation events for all users and root. Add the following to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export

The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.

Security identifiers

  • CCE-26573-6
  • DISA FSO RHEL-06-000199

Remediation script

                
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=500 -F auid!=4294967295 -k *"
	GROUP="mount"
	FULL_RULE="-a always,exit -F arch=$ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export"
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

              

Result for Ensure auditd Collects File Deletion Events by User

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events

Time: 2015-11-03 08:05

Severity: low

At a minimum the audit system should collect file deletion events for all users and root. Add the following to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete

Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.

Security identifiers

  • CCE-26651-0
  • DISA FSO RHEL-06-000200

Remediation script

                
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in ${RULE_ARCHS[@]}
do
	PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=500 -F auid!=4294967295 -k delete"
	# Use escaped BRE regex to specify rule group
	GROUP="\(rmdir\|unlink\|rename\)"
	FULL_RULE="-a always,exit -F arch=$ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete"
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

              

Result for Ensure auditd Collects System Administrator Actions

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions

Time: 2015-11-03 08:05

Severity: low

At a minimum the audit system should collect administrator actions for all users and root. Add the following to /etc/audit/audit.rules:

-w /etc/sudoers -p wa -k actions

The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes.

Security identifiers

  • CCE-26662-7
  • DISA FSO RHEL-06-000201

Remediation script

                
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation
fix_audit_watch_rule "auditctl" "/etc/sudoers" "wa" "actions"

              

Result for Ensure auditd Collects Information on Kernel Module Loading and Unloading

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading

Time: 2015-11-03 08:05

Severity: low

Add the following to /etc/audit/audit.rules in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:

-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=ARCH -S init_module -S delete_module -k modules

The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

Security identifiers

  • CCE-26611-4
  • DISA FSO RHEL-06-000202

Remediation script

                
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
# Note: 32-bit kernel modules can't be loaded / unloaded on 64-bit kernel =>
#       it's not required on a 64-bit system to check also for the presence
#       of 32-bit's equivalent of the corresponding rule. Therefore for
#       each system it's enought to check presence of system's native rule form.
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S .* -k *"
	# Use escaped BRE regex to specify rule group
	GROUP="\(init\|delete\)_module"
	FULL_RULE="-a always,exit -F arch=$ARCH -S init_module -S delete_module -k modules"
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

# Then perform the remediations for the watch rules
fix_audit_watch_rule "auditctl" "/sbin/insmod" "x" "modules"
fix_audit_watch_rule "auditctl" "/sbin/rmmod" "x" "modules"
fix_audit_watch_rule "auditctl" "/sbin/modprobe" "x" "modules"

              

Result for Make the auditd Configuration Immutable

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_immutable

Time: 2015-11-03 08:05

Severity: low

Add the following to /etc/audit/audit.rules in order to make the configuration immutable:

-e 2
With this setting, a reboot will be required to change any audit rules.

Making the audit configuration immutable prevents accidental as well as malicious modification of the audit rules, although it may be problematic if legitimate changes are needed during system operation

Security identifiers

  • CCE-26612-2

Remediation script

                
readonly AUDIT_RULES='/etc/audit/audit.rules'

# If '-e .*' setting present in audit.rules already, delete it since the
# auditctl(8) manual page instructs it should be the last rule in configuration
sed -i '/-e[[:space:]]\+.*/d' $AUDIT_RULES

# Append '-e 2' requirement at the end of audit.rules
echo '' >> $AUDIT_RULES
echo '# Set the audit.rules configuration immutable per security requirements' >> $AUDIT_RULES
echo '# Reboot is required to change audit rules once this setting is applied' >> $AUDIT_RULES
echo '-e 2' >> $AUDIT_RULES

              

Result for Set SSH Idle Timeout Interval

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout

Time: 2015-11-03 08:05

Severity: low

SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out.

To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as follows:

ClientAliveInterval 
The timeout interval is given in seconds. To have a timeout of 15 minutes, set interval to 900.

If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.

Causing idle users to be automatically logged out guards against compromises one system leading trivially to compromises on another.

Security identifiers

  • CCE-26919-1
  • DISA FSO RHEL-06-000230

Remediation script

                sshd_idle_timeout_value="900"
grep -q ^ClientAliveInterval /etc/ssh/sshd_config && \
  sed -i "s/ClientAliveInterval.*/ClientAliveInterval $sshd_idle_timeout_value/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
    echo "ClientAliveInterval $sshd_idle_timeout_value" >> /etc/ssh/sshd_config
fi

              

Result for Enable the NTP Daemon

Result: fixed

Rule ID: xccdf_org.ssgproject.content_rule_service_ntpd_enabled

Time: 2015-11-03 08:05

Severity: medium

The ntpd service can be enabled with the following command:

$ sudo chkconfig --level 2345 ntpd on

Enabling the ntpd service ensures that the ntpd service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches.

The NTP daemon offers all of the functionality of ntpdate, which is now deprecated. Additional information on this is available at http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate

Security identifiers

  • CCE-27093-4
  • DISA FSO RHEL-06-000247

Remediation script

                #
# Enable ntpd for all run levels
#
/sbin/chkconfig --level 0123456 ntpd on

#
# Start ntpd if not currently running
#
/sbin/service ntpd start

              

Result for Specify a Remote NTP Server

Result: pass

Rule ID: xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server

Time: 2015-11-03 08:03

Severity: medium

To specify a remote NTP server for time synchronization, edit the file /etc/ntp.conf. Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver:

server ntpserver
This instructs the NTP software to contact that remote server to obtain time data.

Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events.

Security identifiers

  • CCE-27098-3
  • DISA FSO RHEL-06-000248

Result for Specify Additional Remote NTP Servers

Result: pass

Rule ID: xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers

Time: 2015-11-03 08:03

Severity: low

Additional NTP servers can be specified for time synchronization in the file /etc/ntp.conf. To do so, add additional lines of the following form, substituting the IP address or hostname of a remote NTP server for ntpserver:

server ntpserver

Specifying additional NTP servers increases the availability of accurate time data, in the event that one of the specified servers becomes unavailable. This is typical for a system acting as an NTP server for other systems.

Security identifiers

  • CCE-26958-9