Introduction
Test Result
Result ID | Profile | Start time | End time | Benchmark | Benchmark version |
xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_pci-dss | xccdf_org.ssgproject.content_profile_pci-dss | 2015-11-03 08:02 | 2015-11-03 08:05 | embedded | 0.1.26 |
Target info
Targets
|
Addresses
|
Applicable platforms
|
Score
system | score | max | % | bar |
urn:xccdf:scoring:default | 42.46 | 100.00 | 42.46% |
Results overview
Rule Results Summary
pass | fixed | fail | error | not selected | not checked | not applicable | informational | unknown | total |
32 | 49 | 8 | 1 | 312 | 2 | 0 | 0 | 2 | 406 |
Rule results summary
Results details
Result for Ensure Red Hat GPG Key Installed
Result: pass
Rule ID: xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
Time: 2015-11-03 08:02
Severity: high
To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must properly be installed. To install the Red Hat GPG key, run:
$ sudo rhn_register
If the system is not connected to the Internet or an RHN Satellite,
then install the Red Hat GPG key from trusted media such as
the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted
in /media/cdrom
, use the following command as the root user to import
it into the keyring:
$ sudo rpm --import /media/cdrom/RPM-GPG-KEY
The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat.
Security identifiers
- CCE-26506-6
- DISA FSO RHEL-06-000008
Remediation script
# The two fingerprints below are retrieved from https://access.redhat.com/security/team/key
readonly REDHAT_RELEASE_2_FINGERPRINT="567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51"
readonly REDHAT_AUXILIARY_FINGERPRINT="43A6 E49C 4A38 F4BE 9ABF 2A53 4568 9C88 2FA6 58E0"
# Location of the key we would like to import (once it's integrity verified)
readonly REDHAT_RELEASE_KEY="/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
RPM_GPG_DIR_PERMS=$(stat -c %a "$(dirname "$REDHAT_RELEASE_KEY")")
# Verify /etc/pki/rpm-gpg directory permissions are safe
if [ "${RPM_GPG_DIR_PERMS}" -le "755" ]
then
# If they are safe, try to obtain fingerprints from the key file
# (to ensure there won't be e.g. CRC error)
IFS=$'\n' GPG_OUT=($(gpg --with-fingerprint "${REDHAT_RELEASE_KEY}"))
GPG_RESULT=$?
# No CRC error, safe to proceed
if [ "${GPG_RESULT}" -eq "0" ]
then
for ITEM in "${GPG_OUT[@]}"
do
# Filter just hexadecimal fingerprints from gpg's output from
# processing of a key file
RESULT=$(echo ${ITEM} | sed -n "s/[[:space:]]*Key fingerprint = \(.*\)/\1/p" | tr -s '[:space:]')
# If fingerprint matches Red Hat's release 2 or auxiliary key import the key
if [[ ${RESULT} ]] && ([[ ${RESULT} = "${REDHAT_RELEASE_2_FINGERPRINT}" ]] || \
[[ ${RESULT} = "${REDHAT_AUXILIARY_FINGERPRINT}" ]])
then
rpm --import "${REDHAT_RELEASE_KEY}"
fi
done
fi
fi
Result for Ensure gpgcheck Enabled In Main Yum Configuration
Result: pass
Rule ID: xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
Time: 2015-11-03 08:02
Severity: medium
The gpgcheck
option controls whether
RPM packages' signatures are always checked prior to installation.
To configure yum to check package signatures before installing
them, ensure the following line appears in /etc/yum.conf
in
the [main]
section:
gpgcheck=1
Ensuring the validity of packages' cryptographic signatures prior to installation ensures the authenticity of the software and protects against malicious tampering.
Security identifiers
- CCE-26709-6
- DISA FSO RHEL-06-000013
Result for Ensure gpgcheck Enabled For All Yum Package Repositories
Result: pass
Rule ID: xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
Time: 2015-11-03 08:02
Severity: low
To ensure signature checking is not disabled for
any repos, remove any lines from files in /etc/yum.repos.d
of the form:
gpgcheck=0
Ensuring all packages' cryptographic signatures are valid prior to installation ensures the authenticity of the software and protects against malicious tampering.
Security identifiers
- CCE-26647-8
- DISA FSO RHEL-06-000015
Result for Ensure Software Patches Installed
Result: notchecked
Rule ID: xccdf_org.ssgproject.content_rule_security_patches_up_to_date
Time: 2015-11-03 08:02
Severity: medium
If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates:
$ sudo yum update
If the system is not configured to use one of these sources, updates (in the form of RPM packages)
can be manually downloaded from the Red Hat Network and installed using rpm
.
Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities.
Security identifiers
- CCE-27635-2
- DISA FSO RHEL-06-000011
Result for Install AIDE
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_package_aide_installed
Time: 2015-11-03 08:03
Severity: medium
Install the AIDE package with the command:
$ sudo yum install aide
The AIDE package must be installed if it is to be available for integrity checking.
Security identifiers
- CCE-27024-9
- DISA FSO RHEL-06-000016
Remediation script
yum -y install aide
Result for Disable Prelinking
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_disable_prelink
Time: 2015-11-03 08:04
Severity: low
The prelinking feature changes binaries in an attempt to decrease their startup
time. In order to disable it, change or add the following line inside the file
/etc/sysconfig/prelink
:
PRELINKING=no
Next, run the following command to return binaries to a normal, non-prelinked state:
$ sudo /usr/sbin/prelink -ua
The prelinking feature can interfere with the operation of AIDE, because it changes binaries.
Security identifiers
- CCE-27221-1
Remediation script
#
# Disable prelinking altogether
#
if grep -q ^PRELINKING /etc/sysconfig/prelink
then
sed -i 's/PRELINKING.*/PRELINKING=no/g' /etc/sysconfig/prelink
else
echo -e "\n# Set PRELINKING=no per security requirements" >> /etc/sysconfig/prelink
echo "PRELINKING=no" >> /etc/sysconfig/prelink
fi
#
# Undo previous prelink changes to binaries
#
/usr/sbin/prelink -ua
Result for Build and Test AIDE Database
Result: fail
Rule ID: xccdf_org.ssgproject.content_rule_aide_build_database
Time: 2015-11-03 08:02
Severity: medium
Run the following command to generate a new database:
$ sudo /usr/sbin/aide --init
By default, the database will be written to the file /var/lib/aide/aide.db.new.gz
.
Storing the database, the configuration file /etc/aide.conf
, and the binary
/usr/sbin/aide
(or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity.
The newly-generated database can be installed as follows:
$ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
To initiate a manual check, run the following command:
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate.
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
Security identifiers
- CCE-27135-3
- DISA FSO RHEL-06-000018
Result for Configure Periodic Execution of AIDE
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Time: 2015-11-03 08:04
Severity: medium
To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab
:
05 4 * * * root /usr/sbin/aide --check
AIDE can be executed periodically through other means; this is merely one example.
By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files.
Security identifiers
- CCE-27222-9
- DISA FSO RHEL-06-000306
Remediation script
echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab
Result for Verify and Correct File Permissions with RPM
Result: fail
Rule ID: xccdf_org.ssgproject.content_rule_rpm_verify_permissions
Time: 2015-11-03 08:03
Severity: low
The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. After locating a file with incorrect permissions, run the following command to determine which package owns it:
$ rpm -qf FILENAME
Next, run the following command to reset its permissions to
the correct values:
$ sudo rpm --setperms PACKAGENAME
Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.
Security identifiers
- CCE-26731-0
- DISA FSO RHEL-06-000518
group ownership of all files matches local rpm database
name | epoch | version | release | arch | filepath | extended name | size differs | mode differs | md5 differs | device differs | link mismatch | ownership differs | group differs | mtime differs | capabilities differ | configuration file | documentation file | ghost file | license file | readme file |
gdm | 1 | 2.30.4 | 64.el6 | x86_64 | /var/log/gdm | gdm-1:2.30.4-64.el6.x86_64 | pass | fail | not performed | pass | pass | pass | fail | pass | pass | false | false | false | false | false |
mode of all files matches local rpm database
name | epoch | version | release | arch | filepath | extended name | size differs | mode differs | md5 differs | device differs | link mismatch | ownership differs | group differs | mtime differs | capabilities differ | configuration file | documentation file | ghost file | license file | readme file |
gdm | 1 | 2.30.4 | 64.el6 | x86_64 | /var/log/gdm | gdm-1:2.30.4-64.el6.x86_64 | pass | fail | not performed | pass | pass | pass | fail | pass | pass | false | false | false | false | false |
gdm | 1 | 2.30.4 | 64.el6 | x86_64 | /var/run/gdm | gdm-1:2.30.4-64.el6.x86_64 | pass | fail | not performed | pass | pass | pass | pass | pass | pass | false | false | false | false | false |
rhn-client-tools | (none) | 1.0.0.1 | 32.el6 | noarch | /etc/sysconfig/rhn/up2date | rhn-client-tools-0:1.0.0.1-32.el6.noarch | fail | fail | not performed | pass | pass | pass | pass | fail | pass | true | false | false | false | false |
Result for Verify File Hashes with RPM
Result: pass
Rule ID: xccdf_org.ssgproject.content_rule_rpm_verify_hashes
Time: 2015-11-03 08:03
Severity: low
The RPM package management system can check the hashes of installed software packages, including many that are important to system security. Run the following command to list which files on the system have hashes that differ from what is expected by the RPM database:
$ rpm -Va | grep '^..5'
A "c" in the second column indicates that a file is a configuration file, which
may appropriately be expected to change. If the file was not expected to
change, investigate the cause of the change using audit logs or other means.
The package can then be reinstalled to restore the file.
Run the following command to determine which package owns the file:
$ rpm -qf FILENAME
The package can be reinstalled from a yum repository using the command:
$ sudo yum reinstall PACKAGENAME
Alternatively, the package can be reinstalled from trusted media using the command:
$ sudo rpm -Uvh PACKAGENAME
The hashes of important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.
Security identifiers
- CCE-27223-7
- DISA FSO RHEL-06-000519
Result for Install Intrusion Detection Software
Result: notchecked
Rule ID: xccdf_org.ssgproject.content_rule_install_hids
Time: 2015-11-03 08:03
Severity: medium
The base Red Hat platform already includes a sophisticated auditing system that
can detect intruder activity, as well as SELinux, which provides host-based
intrusion prevention capabilities by confining privileged programs and user
sessions which may become compromised.
In DoD environments, supplemental intrusion detection tools, such as, the McAfee
Host-based Security System, are available to integrate with existing infrastructure.
When these supplemental tools interfere with the proper functioning of SELinux, SELinux
takes precedence.
Host-based intrusion detection tools provide a system-level defense when an intruder gains access to a system or network.
Security identifiers
- CCE-27409-2
- DISA FSO RHEL-06-000285
Result for Verify User Who Owns shadow File
Result: pass
Rule ID: xccdf_org.ssgproject.content_rule_userowner_shadow_file
Time: 2015-11-03 08:03
Severity: medium
To properly set the owner of /etc/shadow
, run the command:
$ sudo chown root /etc/shadow
The /etc/shadow
file contains the list of local
system accounts and stores password hashes. Protection of this file is
critical for system security. Failure to give ownership of this file
to root provides the designated owner with access to sensitive information
which could weaken the system security posture.
Security identifiers
- CCE-26947-2
- DISA FSO RHEL-06-000033
Remediation script
chown root /etc/shadow
Result for Verify Group Who Owns shadow File
Result: pass
Rule ID: xccdf_org.ssgproject.content_rule_groupowner_shadow_file
Time: 2015-11-03 08:03
Severity: medium
To properly set the group owner of /etc/shadow
, run the command:
$ sudo chgrp root /etc/shadow
The /etc/shadow
file stores password hashes. Protection of this file is
critical for system security.
Security identifiers
- CCE-26967-0
- DISA FSO RHEL-06-000034
Remediation script
chgrp root /etc/shadow
Result for Verify Permissions on shadow File
Result: pass
Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow
Time: 2015-11-03 08:03
Severity: medium
To properly set the permissions of /etc/shadow
, run the command:
$ sudo chmod 0000 /etc/shadow
The /etc/shadow
file contains the list of local
system accounts and stores password hashes. Protection of this file is
critical for system security. Failure to give ownership of this file
to root provides the designated owner with access to sensitive information
which could weaken the system security posture.
Security identifiers
- CCE-26992-8
- DISA FSO RHEL-06-000035
Remediation script
chmod 0000 /etc/shadow
Result for Verify User Who Owns group File
Result: pass
Rule ID: xccdf_org.ssgproject.content_rule_file_owner_etc_group
Time: 2015-11-03 08:03
Severity: medium
To properly set the owner of /etc/group
, run the command:
$ sudo chown root /etc/group
The /etc/group
file contains information regarding groups that are configured
on the system. Protection of this file is important for system security.
Security identifiers
- CCE-26822-7
- DISA FSO RHEL-06-000042
Remediation script
chown root /etc/group
Result for Verify Group Who Owns group File
Result: pass
Rule ID: xccdf_org.ssgproject.content_rule_file_groupowner_etc_group
Time: 2015-11-03 08:03
Severity: medium
To properly set the group owner of /etc/group
, run the command:
$ sudo chgrp root /etc/group
The /etc/group
file contains information regarding groups that are configured
on the system. Protection of this file is important for system security.
Security identifiers
- CCE-26930-8
- DISA FSO RHEL-06-000043
Remediation script
chgrp root /etc/group
Result for Verify Permissions on group File
Result: pass
Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_etc_group
Time: 2015-11-03 08:03
Severity: medium
To properly set the permissions of /etc/group
, run the command:
$ sudo chmod 644 /etc/group
The /etc/group
file contains information regarding groups that are configured
on the system. Protection of this file is important for system security.
Security identifiers
- CCE-26954-8
- DISA FSO RHEL-06-000044
Remediation script
chmod 644 /etc/group
Result for Verify User Who Owns passwd File
Result: pass
Rule ID: xccdf_org.ssgproject.content_rule_file_owner_etc_passwd
Time: 2015-11-03 08:03
Severity: medium
To properly set the owner of /etc/passwd
, run the command:
$ sudo chown root /etc/passwd
The /etc/passwd
file contains information about the users that are configured on
the system. Protection of this file is critical for system security.
Security identifiers
- CCE-26953-0
- DISA FSO RHEL-06-000039
Remediation script
chown root /etc/passwd
Result for Verify Group Who Owns passwd File
Result: pass
Rule ID: xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd
Time: 2015-11-03 08:03
Severity: medium
To properly set the group owner of /etc/passwd
, run the command:
$ sudo chgrp root /etc/passwd
The /etc/passwd
file contains information about the users that are configured on
the system. Protection of this file is critical for system security.
Security identifiers
- CCE-26856-5
- DISA FSO RHEL-06-000040
Remediation script
chgrp root /etc/passwd
Result for Verify Permissions on passwd File
Result: pass
Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd
Time: 2015-11-03 08:03
Severity: medium
To properly set the permissions of /etc/passwd
, run the command:
$ sudo chmod 0644 /etc/passwd
If the /etc/passwd
file is writable by a group-owner or the
world the risk of its compromise is increased. The file contains the list of
accounts on the system and associated information, and protection of this file
is critical for system security.
Security identifiers
- CCE-26868-0
- DISA FSO RHEL-06-000041
Remediation script
chmod 0644 /etc/passwd
Result for Prevent Log In to Accounts With Empty Password
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_no_empty_passwords
Time: 2015-11-03 08:04
Severity: high
If an account is configured for password authentication
but does not have an assigned password, it may be possible to log
onto the account without authentication. Remove any instances of the nullok
option in /etc/pam.d/system-auth
to
prevent logins with empty passwords.
If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
Security identifiers
- CCE-27038-9
- DISA FSO RHEL-06-000030
Remediation script
sed --follow-symlinks -i 's/\<nullok\>//g' /etc/pam.d/system-auth
Result for Verify All Account Password Hashes are Shadowed
Result: pass
Rule ID: xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed
Time: 2015-11-03 08:03
Severity: medium
If any password hashes are stored in /etc/passwd
(in the second field,
instead of an x
), the cause of this misconfiguration should be
investigated. The account should have its password reset and the hash should be
properly stored, or the account should be deleted entirely.
The hashes for all user account passwords should be stored in
the file /etc/shadow
and never in /etc/passwd
,
which is readable by all users.
Security identifiers
- CCE-26476-2
- DISA FSO RHEL-06-000031
Result for All GIDs referenced in /etc/passwd must be defined in /etc/group
Result: pass
Rule ID: xccdf_org.ssgproject.content_rule_gid_passwd_group_same
Time: 2015-11-03 08:03
Severity: low
Add a group to the system for each GID referenced without a corresponding group.
Inconsistency in GIDs between /etc/passwd
and /etc/group
could lead to a user having unintended rights.
Security identifiers
- CCE-27379-7
- DISA FSO RHEL-06-000294
Result for Set Password Maximum Age
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs
Time: 2015-11-03 08:04
Severity: medium
To specify password maximum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line:
PASS_MAX_DAYS
A value of 180 days is sufficient for many environments.
The DoD requirement is 60.
Setting the password maximum age ensures users are required to periodically change their passwords. This could possibly decrease the utility of a stolen password. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.
Security identifiers
- CCE-26985-2
- DISA FSO RHEL-06-000053
Remediation script
var_accounts_maximum_age_login_defs="90"
grep -q ^PASS_MAX_DAYS /etc/login.defs && \
sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS $var_accounts_maximum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
echo "PASS_MAX_DAYS $var_accounts_maximum_age_login_defs" >> /etc/login.defs
fi
Result for Set Account Expiration Following Inactivity
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration
Time: 2015-11-03 08:04
Severity: low
To specify the number of days after a password expires (which
signifies inactivity) until an account is permanently disabled, add or correct
the following lines in /etc/default/useradd
, substituting
NUM_DAYS
appropriately:
INACTIVE=UNDEFINED_SUB
A value of 35 is recommended.
If a password is currently on the
verge of expiration, then 35 days remain until the account is automatically
disabled. However, if the password will not expire for another 60 days, then 95
days could elapse until the account would be automatically disabled. See the
useradd
man page for more information. Determining the inactivity
timeout must be done with careful consideration of the length of a "normal"
period of inactivity for users in the particular environment. Setting
the timeout too low incurs support costs and also has the potential to impact
availability of the system to legitimate users.
Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.
Security identifiers
- CCE-27283-1
- DISA FSO RHEL-06-000334
Remediation script
var_account_disable_post_pw_expiration="90"
grep -q ^INACTIVE /etc/default/useradd && \
sed -i "s/INACTIVE.*/INACTIVE=$var_account_disable_post_pw_expiration/g" /etc/default/useradd
if ! [ $? -eq 0 ]; then
echo "INACTIVE=$var_account_disable_post_pw_expiration" >> /etc/default/useradd
fi
Result for Ensure All Accounts on the System Have Unique Names
Result: pass
Rule ID: xccdf_org.ssgproject.content_rule_account_unique_name
Time: 2015-11-03 08:03
Severity: low
Change usernames, or delete accounts, so each has a unique name.
Unique usernames allow for accountability on the system.
Security identifiers
- CCE-27609-7
- DISA FSO RHEL-06-000296
Result for Set Last Login/Access Notification
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_display_login_attempts
Time: 2015-11-03 08:04
Severity: low
To configure the system to notify users of last login/access
using pam_lastlog
, add the following line immediately after session required pam_limits.so
:
session required pam_lastlog.so showfailed
Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.
Security identifiers
- CCE-27291-4
- DISA FSO RHEL-06-000372
Remediation script
sed -i --follow-symlinks '/pam_limits.so/a session\t required\t pam_lastlog.so showfailed' /etc/pam.d/system-auth
Result for Set Password Strength Minimum Digit Characters
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit
Time: 2015-11-03 08:04
Severity: low
The pam_cracklib module's dcredit
parameter controls requirements for
usage of digits in a password. When set to a negative number, any password will be required to
contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional
length credit for each digit.
Add dcredit=-1
after pam_cracklib.so to require use of a digit in passwords.
Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.
Security identifiers
- CCE-26374-9
- DISA FSO RHEL-06-000056
Remediation script
var_password_pam_dcredit="-1"
if grep -q "dcredit=" /etc/pam.d/system-auth; then
sed -i --follow-symlink "s/\(dcredit *= *\).*/\1$var_password_pam_dcredit/" /etc/pam.d/system-auth
else
sed -i --follow-symlink "/pam_cracklib.so/ s/$/ dcredit=$var_password_pam_dcredit/" /etc/pam.d/system-auth
fi
Result for Set Password Minimum Length
Result: fail
Rule ID: xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen
Time: 2015-11-03 08:03
Severity: low
The pam_cracklib module's minlen
parameter controls requirements for
minimum characters required in a password. Add minlen=
after pam_pwquality to set minimum password length requirements.
Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
Security identifiers
- CCE-26615-5
Result for Set Password Strength Minimum Uppercase Characters
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit
Time: 2015-11-03 08:04
Severity: low
The pam_cracklib module's ucredit=
parameter controls requirements for
usage of uppercase letters in a password. When set to a negative number, any password will be required to
contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional
length credit for each uppercase character.
Add ucredit=-1
after pam_cracklib.so to require use of an upper case character in passwords.
Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space.
Security identifiers
- CCE-26601-5
- DISA FSO RHEL-06-000057
Remediation script
var_password_pam_ucredit="-1"
if grep -q "ucredit=" /etc/pam.d/system-auth; then
sed -i --follow-symlink "s/\(ucredit *= *\).*/\1$var_password_pam_ucredit/" /etc/pam.d/system-auth
else
sed -i --follow-symlink "/pam_cracklib.so/ s/$/ ucredit=$var_password_pam_ucredit/" /etc/pam.d/system-auth
fi
Result for Set Password Strength Minimum Lowercase Characters
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit
Time: 2015-11-03 08:04
Severity: low
The pam_cracklib module's lcredit=
parameter controls requirements for
usage of lowercase letters in a password. When set to a negative number, any password will be required to
contain that many lowercase characters. When set to a positive number, pam_cracklib will grant +1 additional
length credit for each lowercase character.
Add lcredit=-1
after pam_cracklib.so to require use of a lowercase character in passwords.
Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.
Security identifiers
- CCE-26631-2
- DISA FSO RHEL-06-000059
Remediation script
var_password_pam_lcredit="-1"
if grep -q "lcredit=" /etc/pam.d/system-auth; then
sed -i --follow-symlink "s/\(lcredit *= *\).*/\1$var_password_pam_lcredit/" /etc/pam.d/system-auth
else
sed -i --follow-symlink "/pam_cracklib.so/ s/$/ lcredit=$var_password_pam_lcredit/" /etc/pam.d/system-auth
fi
Result for Set Deny For Failed Password Attempts
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
Time: 2015-11-03 08:04
Severity: medium
To configure the system to lock out accounts after a number of incorrect login
attempts using pam_faillock.so
, modify the content of both
/etc/pam.d/system-auth
and /etc/pam.d/password-auth
as follows:
-
Add the following line immediately
before
thepam_unix.so
statement in theAUTH
section:auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=
-
Add the following line immediately
after
thepam_unix.so
statement in theAUTH
section:auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=
-
Add the following line immediately
before
thepam_unix.so
statement in theACCOUNT
section:account required pam_faillock.so
Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks.
Security identifiers
- CCE-26844-1
- DISA FSO RHEL-06-000061
Remediation script
var_accounts_passwords_pam_faillock_deny="6"
AUTH_FILES[0]="/etc/pam.d/system-auth"
AUTH_FILES[1]="/etc/pam.d/password-auth"
for pamFile in "${AUTH_FILES[@]}"
do
# pam_faillock.so already present?
if grep -q "^auth.*pam_faillock.so.*" $pamFile; then
# pam_faillock.so present, deny directive present?
if grep -q "^auth.*[default=die].*pam_faillock.so.*authfail.*deny=" $pamFile; then
# both pam_faillock.so & deny present, just correct deny directive value
sed -i --follow-symlink "s/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\(deny *= *\).*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile
sed -i --follow-symlink "s/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\(deny *= *\).*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile
# pam_faillock.so present, but deny directive not yet
else
# append correct deny value to appropriate places
sed -i --follow-symlink "/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile
sed -i --follow-symlink "/^auth.*[default=die].*pam_faillock.so.*authfail.*/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile
fi
# pam_faillock.so not present yet
else
# insert pam_faillock.so preauth & authfail rows with proper value of the 'deny' option
sed -i --follow-symlink "/^auth.*sufficient.*pam_unix.so.*/i auth required pam_faillock.so preauth silent deny=$var_accounts_passwords_pam_faillock_deny" $pamFile
sed -i --follow-symlink "/^auth.*sufficient.*pam_unix.so.*/a auth [default=die] pam_faillock.so authfail deny=$var_accounts_passwords_pam_faillock_deny" $pamFile
sed -i --follow-symlink "/^account.*required.*pam_unix.so/i account required pam_faillock.so" $pamFile
fi
done
Result for Set Lockout Time For Failed Password Attempts
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
Time: 2015-11-03 08:04
Severity: medium
To configure the system to lock out accounts after a number of incorrect login
attempts and require an administrator to unlock the account using pam_faillock.so
,
modify the content of both /etc/pam.d/system-auth
and /etc/pam.d/password-auth
as follows:
-
Add the following line immediately
before
thepam_unix.so
statement in theAUTH
section:auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=
-
Add the following line immediately
after
thepam_unix.so
statement in theAUTH
section:auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=
-
Add the following line immediately
before
thepam_unix.so
statement in theACCOUNT
section:account required pam_faillock.so
Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations.
Security identifiers
- CCE-27110-6
- DISA FSO RHEL-06-000356
Remediation script
var_accounts_passwords_pam_faillock_unlock_time="1800"
AUTH_FILES[0]="/etc/pam.d/system-auth"
AUTH_FILES[1]="/etc/pam.d/password-auth"
for pamFile in "${AUTH_FILES[@]}"
do
# pam_faillock.so already present?
if grep -q "^auth.*pam_faillock.so.*" $pamFile; then
# pam_faillock.so present, unlock_time directive present?
if grep -q "^auth.*[default=die].*pam_faillock.so.*authfail.*unlock_time=" $pamFile; then
# both pam_faillock.so & unlock_time present, just correct unlock_time directive value
sed -i --follow-symlink "s/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\(unlock_time *= *\).*/\1\2$var_accounts_passwords_pam_faillock_unlock_time/" $pamFile
sed -i --follow-symlink "s/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\(unlock_time *= *\).*/\1\2$var_accounts_passwords_pam_faillock_unlock_time/" $pamFile
# pam_faillock.so present, but unlock_time directive not yet
else
# append correct unlock_time value to appropriate places
sed -i --follow-symlink "/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ unlock_time=$var_accounts_passwords_pam_faillock_unlock_time/" $pamFile
sed -i --follow-symlink "/^auth.*[default=die].*pam_faillock.so.*authfail.*/ s/$/ unlock_time=$var_accounts_passwords_pam_faillock_unlock_time/" $pamFile
fi
# pam_faillock.so not present yet
else
# insert pam_faillock.so preauth & authfail rows with proper value of the 'unlock_time' option
sed -i --follow-symlink "/^auth.*sufficient.*pam_unix.so.*/i auth required pam_faillock.so preauth silent unlock_time=$var_accounts_passwords_pam_faillock_unlock_time" $pamFile
sed -i --follow-symlink "/^auth.*sufficient.*pam_unix.so.*/a auth [default=die] pam_faillock.so authfail unlock_time=$var_accounts_passwords_pam_faillock_unlock_time" $pamFile
sed -i --follow-symlink "/^account.*required.*pam_unix.so/i account required pam_faillock.so" $pamFile
fi
done
Result for Limit Password Reuse
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
Time: 2015-11-03 08:04
Severity: medium
Do not allow users to reuse recent passwords. This can be
accomplished by using the remember
option for the pam_unix
or pam_pwhistory
PAM modules. In the file
/etc/pam.d/system-auth
, append remember=
to the line which refers to the pam_unix.so
or
pam_pwhistory.so
module, as shown below:
-
for the
pam_unix.so
case:password sufficient pam_unix.so existing_options remember=
-
for the
pam_pwhistory.so
case:password requisite pam_pwhistory.so existing_options remember=
The DoD STIG requirement is 5 passwords.
Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.
Security identifiers
- CCE-26741-9
- DISA FSO RHEL-06-000274
Remediation script
var_password_pam_unix_remember="4"
if grep -q "remember=" /etc/pam.d/system-auth; then
sed -i --follow-symlink "s/\(remember *= *\).*/\1$var_password_pam_unix_remember/" /etc/pam.d/system-auth
else
sed -i --follow-symlink "/^password[[:space:]]\+sufficient[[:space:]]\+pam_unix.so/ s/$/ remember=$var_password_pam_unix_remember/" /etc/pam.d/system-auth
fi
Result for Set Password Hashing Algorithm in /etc/pam.d/system-auth
Result: pass
Rule ID: xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth
Time: 2015-11-03 08:03
Severity: medium
In /etc/pam.d/system-auth
, the password
section of
the file controls which PAM modules execute during a password change.
Set the pam_unix.so
module in the
password
section to include the argument sha512
, as shown below:
password sufficient pam_unix.so sha512 other arguments...
This will help ensure when local users change their passwords, hashes for the new
passwords will be generated using the SHA-512 algorithm.
This is the default.
Using a stronger hashing algorithm makes password cracking attacks more difficult.
Security identifiers
- CCE-26303-8
- DISA FSO RHEL-06-000062
Remediation script
if ! grep -q "^password.*sufficient.*pam_unix.so.*sha512" /etc/pam.d/system-auth; then
sed -i --follow-symlink "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" /etc/pam.d/system-auth
fi
Result for Set Password Hashing Algorithm in /etc/login.defs
Result: pass
Rule ID: xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs
Time: 2015-11-03 08:03
Severity: medium
In /etc/login.defs
, add or correct the following line to ensure
the system will use SHA-512 as the hashing algorithm:
ENCRYPT_METHOD SHA512
Using a stronger hashing algorithm makes password cracking attacks more difficult.
Security identifiers
- CCE-27228-6
- DISA FSO RHEL-06-000063
Remediation script
if grep --silent ^ENCRYPT_METHOD /etc/login.defs ; then
sed -i 's/^ENCRYPT_METHOD.*/ENCRYPT_METHOD SHA512/g' /etc/login.defs
else
echo "" >> /etc/login.defs
echo "ENCRYPT_METHOD SHA512" >> /etc/login.defs
fi
Result for Set Password Hashing Algorithm in /etc/libuser.conf
Result: pass
Rule ID: xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf
Time: 2015-11-03 08:03
Severity: medium
In /etc/libuser.conf
, add or correct the following line in its
[defaults]
section to ensure the system will use the SHA-512
algorithm for password hashing:
crypt_style = sha512
Using a stronger hashing algorithm makes password cracking attacks more difficult.
Security identifiers
- CCE-27229-4
- DISA FSO RHEL-06-000064
Result for Verify /etc/grub.conf User Ownership
Result: pass
Rule ID: xccdf_org.ssgproject.content_rule_file_user_owner_grub_conf
Time: 2015-11-03 08:03
Severity: medium
The file /etc/grub.conf
should
be owned by the root
user to prevent destruction
or modification of the file.
To properly set the owner of /etc/grub.conf
, run the command:
$ sudo chown root /etc/grub.conf
Only root should be able to modify important boot parameters.
Security identifiers
- CCE-26995-1
- DISA FSO RHEL-06-000065
Remediation script
chown root /etc/grub.conf
Result for Verify /etc/grub.conf Group Ownership
Result: pass
Rule ID: xccdf_org.ssgproject.content_rule_file_group_owner_grub_conf
Time: 2015-11-03 08:03
Severity: medium
The file /etc/grub.conf
should
be group-owned by the root
group to prevent
destruction or modification of the file.
To properly set the group owner of /etc/grub.conf
, run the command:
$ sudo chgrp root /etc/grub.conf
The root
group is a highly-privileged group. Furthermore, the group-owner of this
file should not have any access privileges anyway.
Security identifiers
- CCE-27022-3
- DISA FSO RHEL-06-000066
Remediation script
chgrp root /etc/grub.conf
Result for Set GNOME Login Inactivity Timeout
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_gconf_gnome_screensaver_idle_delay
Time: 2015-11-03 08:04
Severity: medium
Run the following command to set the idle time-out value for inactivity in the GNOME desktop to 15 minutes:
$ sudo gconftool-2 \
--direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type int \
--set /desktop/gnome/session/idle_delay
Setting the idle delay controls when the screensaver will start, and can be combined with screen locking to prevent access from passersby.
Security identifiers
- CCE-26828-4
- DISA FSO RHEL-06-000257
Remediation script
inactivity_timeout_value="15"
# Install GConf2 package if not installed
if ! rpm -q GConf2; then
yum -y install GConf2
fi
# Set the idle time-out value for inactivity in the GNOME desktop to meet the
# requirement
gconftool-2 --direct \
--config-source "xml:readwrite:/etc/gconf/gconf.xml.mandatory" \
--type int \
--set /desktop/gnome/session/idle_delay ${inactivity_timeout_value}
Result for GNOME Desktop Screensaver Mandatory Use
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_gconf_gnome_screensaver_idle_activation_enabled
Time: 2015-11-03 08:04
Severity: medium
Run the following command to activate the screensaver in the GNOME desktop after a period of inactivity:
$ sudo gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type bool \
--set /apps/gnome-screensaver/idle_activation_enabled true
Enabling idle activation of the screensaver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require the login session does not have administrator rights and the display station is located in a controlled-access area.
Security identifiers
- CCE-26600-7
- DISA FSO RHEL-06-000258
Remediation script
# Install GConf2 package if not installed
if ! rpm -q GConf2; then
yum -y install GConf2
fi
# Set the screensaver activation in the GNOME desktop after a period of inactivity
gconftool-2 --direct \
--config-source "xml:readwrite:/etc/gconf/gconf.xml.mandatory" \
--type bool \
--set /apps/gnome-screensaver/idle_activation_enabled true
Result for Enable Screen Lock Activation After Idle Period
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_gconf_gnome_screensaver_lock_enabled
Time: 2015-11-03 08:04
Severity: medium
Run the following command to activate locking of the screensaver in the GNOME desktop when it is activated:
$ sudo gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type bool \
--set /apps/gnome-screensaver/lock_enabled true
Enabling the activation of the screen lock after an idle period ensures password entry will be required in order to access the system, preventing access by passersby.
Security identifiers
- CCE-26235-2
- DISA FSO RHEL-06-000259
Remediation script
# Install GConf2 package if not installed
if ! rpm -q GConf2; then
yum -y install GConf2
fi
# Set the screensaver locking activation in the GNOME desktop when the
# screensaver is activated
gconftool-2 --direct \
--config-source "xml:readwrite:/etc/gconf/gconf.xml.mandatory" \
--type bool \
--set /apps/gnome-screensaver/lock_enabled true
Result for Implement Blank Screensaver
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_gconf_gnome_screensaver_mode_blank
Time: 2015-11-03 08:04
Severity: low
Run the following command to set the screensaver mode in the GNOME desktop to a blank screen:
$ sudo gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type string \
--set /apps/gnome-screensaver/mode blank-only
Setting the screensaver mode to blank-only conceals the contents of the display from passersby.
Security identifiers
- CCE-26638-7
- DISA FSO RHEL-06-000260
Remediation script
# Install GConf2 package if not installed
if ! rpm -q GConf2; then
yum -y install GConf2
fi
# Set the screensaver mode in the GNOME desktop to a blank screen
gconftool-2 --direct \
--config-source "xml:readwrite:/etc/gconf/gconf.xml.mandatory" \
--type string \
--set /apps/gnome-screensaver/mode blank-only
Result for Enable Smart Card Login
Result: fail
Rule ID: xccdf_org.ssgproject.content_rule_smartcard_auth
Time: 2015-11-03 08:03
Severity: medium
To enable smart card authentication, consult the documentation at:
https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/enabling-smart-card-login.html
For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at:
https://access.redhat.com/solutions/82273
Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials.
Security identifiers
- CCE-27440-7
- DISA FSO RHEL-06-000349
Result for Install openswan Package
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_package_openswan_installed
Time: 2015-11-03 08:04
Severity: low
The Openswan package provides an implementation of IPsec
and IKE, which permits the creation of secure tunnels over
untrusted networks.
The openswan
package can be installed with the following command:
$ sudo yum install openswan
Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network.
Security identifiers
- CCE-27626-1
- DISA FSO RHEL-06-000321
Remediation script
yum -y install openswan
Result for Ensure Log Files Are Owned By Appropriate User
Result: pass
Rule ID: xccdf_org.ssgproject.content_rule_rsyslog_files_ownership
Time: 2015-11-03 08:03
Severity: medium
The owner of all log files written by
rsyslog
should be root.
These log files are determined by the second part of each Rule line in
/etc/rsyslog.conf
and typically all appear in /var/log
.
For each log file LOGFILE referenced in /etc/rsyslog.conf
,
run the following command to inspect the file's owner:
$ ls -l LOGFILE
If the owner is not root
, run the following command to
correct this:
$ sudo chown root LOGFILE
The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.
Security identifiers
- CCE-26812-8
- DISA FSO RHEL-06-000133
Result for Ensure Log Files Are Owned By Appropriate Group
Result: unknown
Rule ID: xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership
Time: 2015-11-03 08:03
Severity: medium
The group-owner of all log files written by
rsyslog
should be root.
These log files are determined by the second part of each Rule line in
/etc/rsyslog.conf
and typically all appear in /var/log
.
For each log file LOGFILE referenced in /etc/rsyslog.conf
,
run the following command to inspect the file's group owner:
$ ls -l LOGFILE
If the owner is not root
, run the following command to
correct this:
$ sudo chgrp root LOGFILE
The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.
Security identifiers
- CCE-26821-9
- DISA FSO RHEL-06-000134
Result for Ensure System Log Files Have Correct Permissions
Result: unknown
Rule ID: xccdf_org.ssgproject.content_rule_rsyslog_files_permissions
Time: 2015-11-03 08:03
Severity: medium
The file permissions for all log files written by
rsyslog
should be set to 600, or more restrictive.
These log files are determined by the second part of each Rule line in
/etc/rsyslog.conf
and typically all appear in /var/log
.
For each log file LOGFILE referenced in /etc/rsyslog.conf
,
run the following command to inspect the file's permissions:
$ ls -l LOGFILE
If the permissions are not 600 or more restrictive,
run the following command to correct this:
$ sudo chmod 0600 LOGFILE
Log files can contain valuable information regarding system configuration. If the system log files are not protected unauthorized users could change the logged data, eliminating their forensic value.
Security identifiers
- CCE-27190-8
- DISA FSO RHEL-06-000135
Result for Ensure Logrotate Runs Periodically
Result: pass
Rule ID: xccdf_org.ssgproject.content_rule_ensure_logrotate_activated
Time: 2015-11-03 08:03
Severity: low
The logrotate
utility allows for the automatic rotation of
log files. The frequency of rotation is specified in /etc/logrotate.conf
,
which triggers a cron task. To configure logrotate to run daily, add or correct
the following line in /etc/logrotate.conf
:
# rotate log files frequency
daily
Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.
Security identifiers
- CCE-27014-0
- DISA FSO RHEL-06-000138
Result for Enable auditd Service
Result: pass
Rule ID: xccdf_org.ssgproject.content_rule_service_auditd_enabled
Time: 2015-11-03 08:03
Severity: medium
The auditd
service is an essential userspace component of
the Linux Auditing System, as it is responsible for writing audit records to
disk.
The auditd
service can be enabled with the following command:
$ sudo chkconfig --level 2345 auditd on
Ensuring the auditd
service is active ensures
audit records generated by the kernel can be written to disk, or that appropriate
actions will be taken if other obstacles exist.
Security identifiers
- CCE-27058-7
- DISA FSO RHEL-06-000145
Remediation script
. /usr/share/scap-security-guide/remediation_functions
service_command enable auditd
Result for Enable Auditing for Processes Which Start Prior to the Audit Daemon
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_bootloader_audit_argument
Time: 2015-11-03 08:04
Severity: low
To ensure all processes can be audited, even
those which start prior to the audit daemon, add the argument
audit=1
to the kernel line in /etc/grub.conf
, in the manner below:
kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1
Each process on the system carries an "auditable" flag which
indicates whether its activities can be audited. Although auditd
takes care of enabling this for all processes which launch after it
does, adding the kernel argument ensures it is set for every
process during boot.
Security identifiers
- CCE-26785-6
- DISA FSO RHEL-06-000525
Remediation script
/sbin/grubby --update-kernel=ALL --args="audit=1"
Result for Configure auditd Number of Logs Retained
Result: pass
Rule ID: xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs
Time: 2015-11-03 08:03
Severity: medium
Determine how many log files
auditd
should retain when it rotates logs.
Edit the file /etc/audit/auditd.conf
. Add or modify the following
line, substituting NUMLOGS with the correct value of 5:
num_logs = NUMLOGS
Set the value to 5 for general-purpose systems.
Note that values less than 2 result in no log rotation.
The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.
Security identifiers
- CCE-27522-2
- DISA FSO RHEL-06-000159
Result for Configure auditd Max Log File Size
Result: pass
Rule ID: xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file
Time: 2015-11-03 08:03
Severity: medium
Determine the amount of audit data (in megabytes)
which should be retained in each log file. Edit the file
/etc/audit/auditd.conf
. Add or modify the following line, substituting
the correct value of 6 for STOREMB:
max_log_file = STOREMB
Set the value to 6
(MB) or higher for general-purpose systems.
Larger values, of course,
support retention of even more audit data.
The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.
Security identifiers
- CCE-27550-3
- DISA FSO RHEL-06-000160
Result for Configure auditd max_log_file_action Upon Reaching Maximum Log Size
Result: pass
Rule ID: xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action
Time: 2015-11-03 08:03
Severity: medium
The default action to take when the logs reach their maximum size
is to rotate the log files, discarding the oldest one. To configure the action taken
by auditd
, add or correct the line in /etc/audit/auditd.conf
:
max_log_file_action = ACTION
Possible values for ACTION are described in the auditd.conf
man
page. These include:
-
ignore
-
syslog
-
suspend
-
rotate
-
keep_logs
Set the ACTION
to rotate
to ensure log rotation
occurs. This is the default. The setting is case-insensitive.
Automatically rotating logs (by setting this to rotate
)
minimizes the chances of the system unexpectedly running out of disk space by
being overwhelmed with log data. However, for systems that must never discard
log data, or which use external processes to transfer it and reclaim space,
keep_logs
can be employed.
Security identifiers
- CCE-27237-7
- DISA FSO RHEL-06-000161
Result for Configure auditd space_left Action on Low Disk Space
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action
Time: 2015-11-03 08:04
Severity: medium
The auditd
service can be configured to take an action
when disk space starts to run low.
Edit the file /etc/audit/auditd.conf
. Modify the following line,
substituting ACTION appropriately:
space_left_action = ACTION
Possible values for ACTION are described in the auditd.conf
man page.
These include:
-
ignore
-
syslog
-
email
-
exec
-
suspend
-
single
-
halt
Set this to email
(instead of the default,
which is suspend
) as it is more likely to get prompt attention. Acceptable values
also include suspend
, single
, and halt
.
Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.
Security identifiers
- CCE-27238-5
- DISA FSO RHEL-06-000005
Remediation script
var_auditd_space_left_action="email"
#
# If space_left_action present in /etc/audit/auditd.conf, change value
# to var_auditd_space_left_action, else
# add "space_left_action = $var_auditd_space_left_action" to /etc/audit/auditd.conf
#
if grep --silent ^space_left_action /etc/audit/auditd.conf ; then
sed -i 's/^space_left_action.*/space_left_action = '"$var_auditd_space_left_action"'/g' /etc/audit/auditd.conf
else
echo -e "\n# Set space_left_action to $var_auditd_space_left_action per security requirements" >> /etc/audit/auditd.conf
echo "space_left_action = $var_auditd_space_left_action" >> /etc/audit/auditd.conf
fi
Result for Configure auditd admin_space_left Action on Low Disk Space
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action
Time: 2015-11-03 08:04
Severity: medium
The auditd
service can be configured to take an action
when disk space is running low but prior to running out of space completely.
Edit the file /etc/audit/auditd.conf
. Add or modify the following line,
substituting ACTION appropriately:
admin_space_left_action = ACTION
Set this value to single
to cause the system to switch to single-user
mode for corrective action. Acceptable values also include suspend
and
halt
. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. Details regarding all possible values for ACTION are described in the
auditd.conf
man page.
Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur.
Security identifiers
- CCE-27239-3
Remediation script
var_auditd_admin_space_left_action="single"
grep -q ^admin_space_left_action /etc/audit/auditd.conf && \
sed -i "s/admin_space_left_action.*/admin_space_left_action = $var_auditd_admin_space_left_action/g" /etc/audit/auditd.conf
if ! [ $? -eq 0 ]; then
echo "admin_space_left_action = $var_auditd_admin_space_left_action" >> /etc/audit/auditd.conf
fi
Result for Configure auditd mail_acct Action on Low Disk Space
Result: pass
Rule ID: xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct
Time: 2015-11-03 08:03
Severity: medium
The auditd
service can be configured to send email to
a designated account in certain situations. Add or correct the following line
in /etc/audit/auditd.conf
to ensure that administrators are notified
via email for those situations:
action_mail_acct =
Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.
Security identifiers
- CCE-27241-9
- DISA FSO RHEL-06-000313
Result for Configure auditd to use audispd's syslog plugin
Result: fail
Rule ID: xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated
Time: 2015-11-03 08:03
Severity: low
To configure the auditd
service to use the
syslog
plug-in of the audispd
audit event multiplexor, set
the active
line in /etc/audisp/plugins.d/syslog.conf
to
yes
. Restart the auditd
service:
$ sudo service auditd restart
The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server
Security identifiers
- CCE-26933-2
- DISA FSO RHEL-06-000509
Result for Record attempts to alter time through adjtimex
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex
Time: 2015-11-03 08:04
Severity: low
On a 32-bit system, add the following to /etc/audit/audit.rules
:
# audit_time_rules
-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules
On a 64-bit system, add the following to /etc/audit/audit.rules
:
# audit_time_rules
-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules
The -k option allows for the specification of a key in string form that can
be used for better reporting capability through ausearch and aureport.
Multiple system calls can be defined on the same line to save space if
desired, but is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime
-k audit_time_rules
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
Security identifiers
- CCE-26242-8
- DISA FSO RHEL-06-000165
Remediation script
# audit.rules file to operate at
AUDIT_RULES_FILE="/etc/audit/audit.rules"
# General form / skeleton of an audit rule to search for
BASE_SEARCH_RULE='-a always,exit .* -k audit_time_rules'
# System calls group to search for
SYSCALL_GROUP="time"
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && ARCHS=("b32") || ARCHS=("b32" "b64")
# Perform the remediation depending on the system's architecture:
# * on 32 bit system, operate just at '-F arch=b32' audit rules
# * on 64 bit system, operate at both '-F arch=b32' & '-F arch=b64' audit rules
for ARCH in ${ARCHS[@]}
do
# Create expected audit rule form for particular system call & architecture
if [ ${ARCH} = "b32" ]
then
# stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output)
# so append it to the list of time group system calls to be audited
EXPECTED_RULE="-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k audit_time_rules"
else
# stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output)
# therefore don't add it to the list of time group system calls to be audited
EXPECTED_RULE="-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules"
fi
# Indicator that we want to append $EXPECTED_RULE for key & arch into
# audit.rules by default
APPEND_EXPECTED_RULE=0
# From all the existing /etc/audit.rule definitions select those, which:
# * follow the common audit rule form ($BASE_SEARCH_RULE above)
# * meet the hardware architecture requirement, and
# * are current $SYSCALL_GROUP specific
IFS=$'\n' EXISTING_KEY_ARCH_RULES=($(sed -e "/${BASE_SEARCH_RULE}/!d" -e "/${ARCH}/!d" -e "/${SYSCALL_GROUP}/!d" ${AUDIT_RULES_FILE}))
# Process found rules case by case
for RULE in ${EXISTING_KEY_ARCH_RULES[@]}
do
# Found rule is for same arch & syscall group, but differs slightly (in count of -S arguments)
if [ ${RULE} != ${EXPECTED_RULE} ]
then
# If so, isolate just '-S syscall' substring of that rule
RULE_SYSCALLS=$(echo ${RULE} | grep -o -P '(-S \w+ )+')
# Check if list of '-S syscall' arguments of that rule is a subset
# '-S syscall' list from the expected form ($EXPECTED_RULE)
if [ $(echo ${EXPECTED_RULE} | grep -- ${RULE_SYSCALLS}) ]
then
# If so, this audit rule is covered when we append expected rule
# later & therefore the rule can be deleted.
#
# Thus delete the rule from both - the audit.rules file and
# our $EXISTING_KEY_ARCH_RULES array
sed -i -e "/${RULE}/d" ${AUDIT_RULES_FILE}
EXISTING_KEY_ARCH_RULES=(${EXISTING_KEY_ARCH_RULES[@]//${RULE}/})
else
# Rule isn't covered by $EXPECTED_RULE - in other words it besides
# adjtimex, settimeofday, or stime -S arguments contains also -S argument
# for other time group system call (-S clock_adjtime for example).
# Example: '-S adjtimex -S clock_adjtime'
#
# Therefore:
# * delete the original rule for arch & key from audit.rules
# (original '-S adjtimex -S clock_adjtime' rule would be deleted)
# * delete $SYSCALL_GROUP -S arguments from the rule,
# but keep those not from this $SYSCALL_GROUP
# (original '-S adjtimex -S clock_adjtime' would become '-S clock_adjtime')
# * append the modified (filtered) rule again into audit.rules
# if the same rule not already present
# (new rule for same arch & key with '-S clock_adjtime' would be appended
# if not present yet)
sed -i -e "/${RULE}/d" ${AUDIT_RULES_FILE}
if [ ${ARCH} = "b32" ]
then
# On 32-bit arch drop ' -S (adjtimex|settimeofday|stime)' from the rule's
# system call list
NEW_SYSCALLS_FOR_RULE=$(echo ${RULE_SYSCALLS} | sed -r -e "s/[\s]*-S (adjtimex|settimeofday|stime)//g")
else
# On 64-bit arch drop ' -S (adjtimex|settimeofday)' from the rule's
# system call list ('stime' call isn't known, see "$ ausyscall .." examples above)
NEW_SYSCALLS_FOR_RULE=$(echo ${RULE_SYSCALLS} | sed -r -e "s/[\s]*-S (adjtimex|settimeofday)//g")
fi
# Update the list of system calls for new rule to contain those from new syscalls list
UPDATED_RULE=$(echo ${RULE} | sed "s/${RULE_SYSCALLS}/${NEW_SYSCALLS_FOR_RULE}/g")
# Squeeze repeated whitespace characters in rule definition (if any) into one
UPDATED_RULE=$(echo ${UPDATED_RULE} | tr -s '[:space:]')
# Insert updated rule into /etc/audit/audit.rules only in case it's not
# present yet to prevent duplicate same rules
if [ ! $(grep -- ${UPDATED_RULE} ${AUDIT_RULES_FILE}) ]
then
echo ${UPDATED_RULE} >> ${AUDIT_RULES_FILE}
fi
fi
else
# /etc/audit/audit.rules already contains the expected rule form for this
# architecture & key => don't insert it second time
APPEND_EXPECTED_RULE=1
fi
done
# We deleted all rules that were subset of the expected one for this arch & key.
# Also isolated rules containing system calls not from this system calls group.
# Now append the expected rule if it's not present in audit.rules yet
if [[ ${APPEND_EXPECTED_RULE} -eq "0" ]]
then
echo ${EXPECTED_RULE} >> ${AUDIT_RULES_FILE}
fi
done
Result for Record attempts to alter time through settimeofday
Result: fail
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday
Time: 2015-11-03 08:03
Severity: low
On a 32-bit system, add the following to /etc/audit/audit.rules
:
# audit_time_rules
-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules
On a 64-bit system, add the following to /etc/audit/audit.rules
:
# audit_time_rules
-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules
The -k option allows for the specification of a key in string form that can
be used for better reporting capability through ausearch and aureport.
Multiple system calls can be defined on the same line to save space if
desired, but is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime
-k audit_time_rules
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
Security identifiers
- CCE-27203-9
- DISA FSO RHEL-06-000167
Result for Record Attempts to Alter Time Through stime
Result: fail
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_time_stime
Time: 2015-11-03 08:03
Severity: low
On a 32-bit system, add the following to /etc/audit/audit.rules
:
# audit_time_rules
-a always,exit -F arch=b32 -S stime -k audit_time_rules
On a 64-bit system, the "-S stime" is not necessary. The -k option allows for
the specification of a key in string form that can be used for better
reporting capability through ausearch and aureport. Multiple system calls
can be defined on the same line to save space if desired, but is not required.
See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime
-k audit_time_rules
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
Security identifiers
- CCE-27169-2
- DISA FSO RHEL-06-000169
Result for Record Attempts to Alter Time Through clock_settime
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime
Time: 2015-11-03 08:04
Severity: low
On a 32-bit system, add the following to /etc/audit/audit.rules
:
# audit_time_rules
-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules
On a 64-bit system, add the following to /etc/audit/audit.rules
:
# audit_time_rules
-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules
The -k option allows for the specification of a key in string form that can
be used for better reporting capability through ausearch and aureport.
Multiple system calls can be defined on the same line to save space if
desired, but is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime
-k audit_time_rules
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
Security identifiers
- CCE-27170-0
- DISA FSO RHEL-06-000171
Remediation script
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in ${RULE_ARCHS[@]}
do
PATTERN="-a always,exit -F arch=$ARCH -S .* -k audit_time_rules"
GROUP="clock_settime"
FULL_RULE="-a always,exit -F arch=$ARCH -S clock_settime -k audit_time_rules"
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
Result for Record Attempts to Alter the localtime File
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime
Time: 2015-11-03 08:04
Severity: low
Add the following to /etc/audit/audit.rules
:
-w /etc/localtime -p wa -k audit_time_rules
The -k option allows for the specification of a key in string form that can
be used for better reporting capability through ausearch and aureport and
should always be used.
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
Security identifiers
- CCE-27172-6
- DISA FSO RHEL-06-000173
Remediation script
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
# Perform the remediation
fix_audit_watch_rule "auditctl" "/etc/localtime" "wa" "audit_time_rules"
Result for Record Events that Modify User/Group Information
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification
Time: 2015-11-03 08:04
Severity: low
Add the following to /etc/audit/audit.rules
, in order
to capture events that modify account changes:
# audit_rules_usergroup_modification
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
Security identifiers
- CCE-26664-3
- DISA FSO RHEL-06-000174
Remediation script
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
# Perform the remediation
fix_audit_watch_rule "auditctl" "/etc/group" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "auditctl" "/etc/passwd" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "auditctl" "/etc/gshadow" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "auditctl" "/etc/shadow" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "auditctl" "/etc/security/opasswd" "wa" "audit_rules_usergroup_modification"
Result for Record Events that Modify the System's Network Environment
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
Time: 2015-11-03 08:04
Severity: low
Add the following to /etc/audit/audit.rules
, setting
ARCH to either b32 or b64 as appropriate for your system:
# audit_rules_networkconfig_modification
-a always,exit -F arch=ARCH -S sethostname -S setdomainname -k audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.
Security identifiers
- CCE-26648-6
- DISA FSO RHEL-06-000182
Remediation script
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit -F arch=$ARCH -S .* -k *"
# Use escaped BRE regex to specify rule group
GROUP="set\(host\|domain\)name"
FULL_RULE="-a always,exit -F arch=$ARCH -S sethostname -S setdomainname -k audit_rules_networkconfig_modification"
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
# Then perform the remediations for the watch rules
fix_audit_watch_rule "auditctl" "/etc/issue" "wa" "audit_rules_networkconfig_modification"
fix_audit_watch_rule "auditctl" "/etc/issue.net" "wa" "audit_rules_networkconfig_modification"
fix_audit_watch_rule "auditctl" "/etc/hosts" "wa" "audit_rules_networkconfig_modification"
fix_audit_watch_rule "auditctl" "/etc/sysconfig/network" "wa" "audit_rules_networkconfig_modification"
Result for System Audit Logs Must Have Mode 0640 or Less Permissive
Result: pass
Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit
Time: 2015-11-03 08:03
Severity: low
Change the mode of the audit log files with the following command:
$ sudo chmod 0640 audit_file
If users can write to audit logs, audit trails can be modified or destroyed.
Security identifiers
- CCE-27243-5
- DISA FSO RHEL-06-000383
Remediation script
chmod -R 640 /var/log/audit/*
chmod 640 /etc/audit/audit.rules
Result for System Audit Logs Must Be Owned By Root
Result: pass
Rule ID: xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit
Time: 2015-11-03 08:03
Severity: low
To properly set the owner of /var/log
, run the command:
$ sudo chown root /var/log
Failure to give ownership of the audit log files to root allows the designated owner, and unauthorized users, potential access to sensitive information.
Security identifiers
- CCE-27244-3
- DISA FSO RHEL-06-000384
Result for Record Events that Modify the System's Mandatory Access Controls
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
Time: 2015-11-03 08:04
Severity: low
Add the following to /etc/audit/audit.rules
:
-w /etc/selinux/ -p wa -k MAC-policy
The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.
Security identifiers
- CCE-26657-7
- DISA FSO RHEL-06-000183
Remediation script
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
# Perform the remediation
fix_audit_watch_rule "auditctl" "/etc/selinux/" "wa" "MAC-policy"
Result for Record Events that Modify the System's Discretionary Access Controls - chmod
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod
Time: 2015-11-03 08:04
Severity: low
At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules
:
-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-26280-8
- DISA FSO RHEL-06-000184
Remediation script
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=500 -F auid!=4294967295 -k *"
GROUP="chmod"
FULL_RULE="-a always,exit -F arch=$ARCH -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod"
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
Result for Record Events that Modify the System's Discretionary Access Controls - chown
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown
Time: 2015-11-03 08:04
Severity: low
At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules
:
-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-27173-4
- DISA FSO RHEL-06-000185
Remediation script
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in ${RULE_ARCHS[@]}
do
PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=500 -F auid!=4294967295 -k *"
GROUP="chown"
FULL_RULE="-a always,exit -F arch=$ARCH -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod"
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
Result for Record Events that Modify the System's Discretionary Access Controls - fchmod
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod
Time: 2015-11-03 08:04
Severity: low
At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules
:
-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-27174-2
- DISA FSO RHEL-06-000186
Remediation script
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=500 -F auid!=4294967295 -k *"
GROUP="chmod"
FULL_RULE="-a always,exit -F arch=$ARCH -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod"
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
Result for Record Events that Modify the System's Discretionary Access Controls - fchmodat
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat
Time: 2015-11-03 08:04
Severity: low
At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules
:
-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-27175-9
- DISA FSO RHEL-06-000187
Remediation script
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=500 -F auid!=4294967295 -k *"
GROUP="chmod"
FULL_RULE="-a always,exit -F arch=$ARCH -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod"
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
Result for Record Events that Modify the System's Discretionary Access Controls - fchown
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown
Time: 2015-11-03 08:04
Severity: low
At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules
:
-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-27177-5
- DISA FSO RHEL-06-000188
Remediation script
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in ${RULE_ARCHS[@]}
do
PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=500 -F auid!=4294967295 -k *"
GROUP="chown"
FULL_RULE="-a always,exit -F arch=$ARCH -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod"
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
Result for Record Events that Modify the System's Discretionary Access Controls - fchownat
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat
Time: 2015-11-03 08:04
Severity: low
At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules
:
-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-27178-3
- DISA FSO RHEL-06-000189
Remediation script
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in ${RULE_ARCHS[@]}
do
PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=500 -F auid!=4294967295 -k *"
GROUP="chown"
FULL_RULE="-a always,exit -F arch=$ARCH -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod"
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
Result for Record Events that Modify the System's Discretionary Access Controls - fremovexattr
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr
Time: 2015-11-03 08:04
Severity: low
At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules
:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-27179-1
- DISA FSO RHEL-06-000190
Remediation script
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit .* -F auid>=500 -F auid!=4294967295 -k *"
GROUP="xattr"
FULL_RULE="-a always,exit -F arch=${ARCH} -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod"
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
Result for Record Events that Modify the System's Discretionary Access Controls - fsetxattr
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr
Time: 2015-11-03 08:04
Severity: low
At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules
:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-27180-9
- DISA FSO RHEL-06-000191
Remediation script
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit .* -F auid>=500 -F auid!=4294967295 -k *"
GROUP="xattr"
FULL_RULE="-a always,exit -F arch=${ARCH} -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod"
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
Result for Record Events that Modify the System's Discretionary Access Controls - lchown
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown
Time: 2015-11-03 08:04
Severity: low
At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules
:
-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-27181-7
- DISA FSO RHEL-06-000192
Remediation script
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in ${RULE_ARCHS[@]}
do
PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=500 -F auid!=4294967295 -k *"
GROUP="chown"
FULL_RULE="-a always,exit -F arch=$ARCH -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod"
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
Result for Record Events that Modify the System's Discretionary Access Controls - lremovexattr
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr
Time: 2015-11-03 08:04
Severity: low
At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules
:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-27182-5
- DISA FSO RHEL-06-000193
Remediation script
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit .* -F auid>=500 -F auid!=4294967295 -k *"
GROUP="xattr"
FULL_RULE="-a always,exit -F arch=${ARCH} -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod"
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
Result for Record Events that Modify the System's Discretionary Access Controls - lsetxattr
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr
Time: 2015-11-03 08:04
Severity: low
At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules
:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-27183-3
- DISA FSO RHEL-06-000194
Remediation script
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit .* -F auid>=500 -F auid!=4294967295 -k *"
GROUP="xattr"
FULL_RULE="-a always,exit -F arch=${ARCH} -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod"
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
Result for Record Events that Modify the System's Discretionary Access Controls - removexattr
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr
Time: 2015-11-03 08:04
Severity: low
At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules
:
-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-27184-1
- DISA FSO RHEL-06-000195
Remediation script
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit .* -F auid>=500 -F auid!=4294967295 -k *"
GROUP="xattr"
FULL_RULE="-a always,exit -F arch=${ARCH} -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod"
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
Result for Record Events that Modify the System's Discretionary Access Controls - setxattr
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr
Time: 2015-11-03 08:04
Severity: low
At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules
:
-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-27185-8
- DISA FSO RHEL-06-000196
Remediation script
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit .* -F auid>=500 -F auid!=4294967295 -k *"
GROUP="xattr"
FULL_RULE="-a always,exit -F arch=${ARCH} -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod"
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
Result for Record Attempts to Alter Login and Logout Events
Result: fail
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_login_events
Time: 2015-11-03 08:03
Severity: low
The audit system already collects login info for all users and root. To watch for attempted manual edits of
files involved in storing login events, add the following to /etc/audit/audit.rules
:
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins
Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
Security identifiers
- CCE-26691-6
Result for Record Attempts to Alter Process and Session Initiation Information
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_session_events
Time: 2015-11-03 08:04
Severity: low
The audit system already collects process information for all
users and root. To watch for attempted manual edits of files involved in
storing such process information, add the following to
/etc/audit/audit.rules
:
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
Security identifiers
- CCE-26610-6
Remediation script
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
# Perform the remediation
fix_audit_watch_rule "auditctl" "/var/run/utmp" "wa" "session"
fix_audit_watch_rule "auditctl" "/var/log/btmp" "wa" "session"
fix_audit_watch_rule "auditctl" "/var/log/wtmp" "wa" "session"
Result for Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification
Time: 2015-11-03 08:04
Severity: low
At a minimum the audit system should collect
unauthorized file accesses for all users and root. Add the following
to /etc/audit/audit.rules
:
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Security identifiers
- CCE-26712-0
- DISA FSO RHEL-06-000197
Remediation script
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
# Perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
# First fix the -EACCES requirement
PATTERN="-a always,exit -F arch=$ARCH -S .* -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k *"
# Use escaped BRE regex to specify rule group
GROUP="\(creat\|open\|truncate\)"
FULL_RULE="-a always,exit -F arch=$ARCH -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access"
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
# Then fix the -EPERM requirement
PATTERN="-a always,exit -F arch=$ARCH -S .* -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k *"
# No need to change content of $GROUP variable - it's the same as for -EACCES case above
FULL_RULE="-a always,exit -F arch=$ARCH -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access"
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
Result for Ensure auditd Collects Information on the Use of Privileged Commands
Result: error
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands
Time: 2015-11-03 08:05
Severity: low
At a minimum the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition PART:
$ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null
Then, for each setuid / setgid program on the system, add a line of the
following form to /etc/audit/audit.rules
, where
SETUID_PROG_PATH is the full path to each setuid / setgid program
in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Security identifiers
- CCE-26457-2
- DISA FSO RHEL-06-000198
Remediation script
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
# Perform the remediation
perform_audit_rules_privileged_commands_remediation "auditctl" "500"
Result for Ensure auditd Collects Information on Exporting to Media (successful)
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_media_export
Time: 2015-11-03 08:05
Severity: low
At a minimum the audit system should collect media
exportation events for all users and root. Add the following to
/etc/audit/audit.rules
, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export
The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.
Security identifiers
- CCE-26573-6
- DISA FSO RHEL-06-000199
Remediation script
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
# Perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=500 -F auid!=4294967295 -k *"
GROUP="mount"
FULL_RULE="-a always,exit -F arch=$ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export"
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
Result for Ensure auditd Collects File Deletion Events by User
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events
Time: 2015-11-03 08:05
Severity: low
At a minimum the audit system should collect file
deletion events for all users and root. Add the following to
/etc/audit/audit.rules
, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.
Security identifiers
- CCE-26651-0
- DISA FSO RHEL-06-000200
Remediation script
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in ${RULE_ARCHS[@]}
do
PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=500 -F auid!=4294967295 -k delete"
# Use escaped BRE regex to specify rule group
GROUP="\(rmdir\|unlink\|rename\)"
FULL_RULE="-a always,exit -F arch=$ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete"
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
Result for Ensure auditd Collects System Administrator Actions
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions
Time: 2015-11-03 08:05
Severity: low
At a minimum the audit system should collect
administrator actions for all users and root. Add the following to
/etc/audit/audit.rules
:
-w /etc/sudoers -p wa -k actions
The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes.
Security identifiers
- CCE-26662-7
- DISA FSO RHEL-06-000201
Remediation script
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
# Perform the remediation
fix_audit_watch_rule "auditctl" "/etc/sudoers" "wa" "actions"
Result for Ensure auditd Collects Information on Kernel Module Loading and Unloading
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading
Time: 2015-11-03 08:05
Severity: low
Add the following to /etc/audit/audit.rules
in order
to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=ARCH -S init_module -S delete_module -k modules
The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.
Security identifiers
- CCE-26611-4
- DISA FSO RHEL-06-000202
Remediation script
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
# Note: 32-bit kernel modules can't be loaded / unloaded on 64-bit kernel =>
# it's not required on a 64-bit system to check also for the presence
# of 32-bit's equivalent of the corresponding rule. Therefore for
# each system it's enought to check presence of system's native rule form.
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit -F arch=$ARCH -S .* -k *"
# Use escaped BRE regex to specify rule group
GROUP="\(init\|delete\)_module"
FULL_RULE="-a always,exit -F arch=$ARCH -S init_module -S delete_module -k modules"
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
# Then perform the remediations for the watch rules
fix_audit_watch_rule "auditctl" "/sbin/insmod" "x" "modules"
fix_audit_watch_rule "auditctl" "/sbin/rmmod" "x" "modules"
fix_audit_watch_rule "auditctl" "/sbin/modprobe" "x" "modules"
Result for Make the auditd Configuration Immutable
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_immutable
Time: 2015-11-03 08:05
Severity: low
Add the following to /etc/audit/audit.rules
in order
to make the configuration immutable:
-e 2
With this setting, a reboot will be required to change any
audit rules.
Making the audit configuration immutable prevents accidental as well as malicious modification of the audit rules, although it may be problematic if legitimate changes are needed during system operation
Security identifiers
- CCE-26612-2
Remediation script
readonly AUDIT_RULES='/etc/audit/audit.rules'
# If '-e .*' setting present in audit.rules already, delete it since the
# auditctl(8) manual page instructs it should be the last rule in configuration
sed -i '/-e[[:space:]]\+.*/d' $AUDIT_RULES
# Append '-e 2' requirement at the end of audit.rules
echo '' >> $AUDIT_RULES
echo '# Set the audit.rules configuration immutable per security requirements' >> $AUDIT_RULES
echo '# Reboot is required to change audit rules once this setting is applied' >> $AUDIT_RULES
echo '-e 2' >> $AUDIT_RULES
Result for Set SSH Idle Timeout Interval
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
Time: 2015-11-03 08:05
Severity: low
SSH allows administrators to set an idle timeout
interval.
After this interval has passed, the idle user will be
automatically logged out.
To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config
as
follows:
ClientAliveInterval
The timeout interval is given in seconds. To have a timeout
of 15 minutes, set interval to 900.
If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.
Causing idle users to be automatically logged out guards against compromises one system leading trivially to compromises on another.
Security identifiers
- CCE-26919-1
- DISA FSO RHEL-06-000230
Remediation script
sshd_idle_timeout_value="900"
grep -q ^ClientAliveInterval /etc/ssh/sshd_config && \
sed -i "s/ClientAliveInterval.*/ClientAliveInterval $sshd_idle_timeout_value/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
echo "ClientAliveInterval $sshd_idle_timeout_value" >> /etc/ssh/sshd_config
fi
Result for Enable the NTP Daemon
Result: fixed
Rule ID: xccdf_org.ssgproject.content_rule_service_ntpd_enabled
Time: 2015-11-03 08:05
Severity: medium
The ntpd
service can be enabled with the following command:
$ sudo chkconfig --level 2345 ntpd on
Enabling the ntpd
service ensures that the ntpd
service will be running and that the system will synchronize its time to
any servers specified. This is important whether the system is configured to be
a client (and synchronize only its own clock) or it is also acting as an NTP
server to other systems. Synchronizing time is essential for authentication
services such as Kerberos, but it is also important for maintaining accurate
logs and auditing possible security breaches.
The NTP daemon offers all of the functionality of ntpdate
, which is now
deprecated. Additional information on this is available at
http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate
Security identifiers
- CCE-27093-4
- DISA FSO RHEL-06-000247
Remediation script
#
# Enable ntpd for all run levels
#
/sbin/chkconfig --level 0123456 ntpd on
#
# Start ntpd if not currently running
#
/sbin/service ntpd start
Result for Specify a Remote NTP Server
Result: pass
Rule ID: xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server
Time: 2015-11-03 08:03
Severity: medium
To specify a remote NTP server for time synchronization, edit
the file /etc/ntp.conf
. Add or correct the following lines,
substituting the IP or hostname of a remote NTP server for ntpserver:
server ntpserver
This instructs the NTP software to contact that remote server to obtain time
data.
Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events.
Security identifiers
- CCE-27098-3
- DISA FSO RHEL-06-000248
Result for Specify Additional Remote NTP Servers
Result: pass
Rule ID: xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers
Time: 2015-11-03 08:03
Severity: low
Additional NTP servers can be specified for time synchronization
in the file /etc/ntp.conf
. To do so, add additional lines of the
following form, substituting the IP address or hostname of a remote NTP server for
ntpserver:
server ntpserver
Specifying additional NTP servers increases the availability of accurate time data, in the event that one of the specified servers becomes unavailable. This is typical for a system acting as an NTP server for other systems.
Security identifiers
- CCE-26958-9