Summary
During OSCAP Scan Result (ID OSCAP-Test-Desktop) processing which started 2010-08-26 17:34 and ended 2010-08-26 17:38, 397 rule results were recorded.
Result ID: OSCAP-Test-Desktop
Start time: 2010-08-26 17:34
End time: 2010-08-26 17:38
Profile: Desktop
Target: kparal
Rule results: 397
result | count |
---|---|
pass | 77 |
fixed | 0 |
fail | 7 |
error | 0 |
not selected | 313 |
not checked | 0 |
not applicable | 0 |
informational | 0 |
unknown | 0 |
Target information
Target
- kparal
Addresses
- 127.0.0.1
- 10.34.28.231
- 10.200.130.41
- 192.168.1.1
Benchmark execution information
Score
system | score | max | bar |
---|---|---|---|
urn:xccdf:scoring:default | 7.57 | 100.00 | |
urn:xccdf:scoring:flat | 770.00 | 840.00 | |
Rule results
Title | result | more |
---|---|---|
Ensure that /tmp has its own partition or logical volume | notselected | view |
Ensure that /tmp is of adequate size | notselected | view |
Ensure that /var has its own partition or logical volume | notselected | view |
Ensure that /var is of adequate size | notselected | view |
Ensure that /var/log has its own partition or logical volume | notselected | view |
Ensure that /var/log/audit has its own partition or logical volume | notselected | view |
Ensure that /home has its own partition or logical volume | notselected | view |
Ensure Fedora GPG Key is Installed | notselected | view |
yum-updatesd service should be disabled | notselected | view |
Automatic Update Retrieval should be scheduled with Cron | notselected | view |
Ensure gpgcheck is Globally Activated | pass | view |
Ensure Package Signature Checking is Not Disabled For Any Repos | fail | view |
Ensure Repodata Signature Checking is Globally Activated | notselected | view |
Ensure Repodata Signature Checking is Not Disabled For Any Repos | pass | view |
Install AIDE | notselected | view |
Run AIDE periodically | notselected | view |
Verify Package Integrity Using RPM | notselected | view |
Add nodev Option to Non-Root Local Partitions | notselected | view |
Add nodev Option to Removable Media Partitions | notselected | view |
Add noexec Option to Removable Media Partitions | notselected | view |
Add nosuid Option to Removable Media Partitions | notselected | view |
Disable Modprobe Loading of USB Storage Driver | notselected | view |
Remove USB Storage Driver | notselected | view |
Disable Kernel Support for USB via Bootloader Configuration | notselected | view |
Disable Booting from USB Devices in the BIOS | notselected | view |
Disable the Automounter if Possible | notselected | view |
Disable GNOME Automounting if Possible | notselected | view |
Disable Mounting of cramfs | notselected | view |
Disable Mounting of freevxfs | notselected | view |
Disable Mounting of jffs2 | notselected | view |
Disable Mounting of hfs | notselected | view |
Disable Mounting of hfsplus | notselected | view |
Disable Mounting of squashfs | notselected | view |
Disable Mounting of udf | notselected | view |
Verify user who owns 'shadow' file | pass | view |
Verify group who owns 'shadow' file | pass | view |
Verify user who owns 'group' file | pass | view |
Verify group who owns 'group' file | pass | view |
Verify user who owns 'gshadow' file | pass | view |
Verify group who owns 'gshadow' file | pass | view |
Verify user who owns 'passwd' file | pass | view |
Verify group who owns 'passwd' file | pass | view |
Verify permissions on 'shadow' file | fail | view |
Verify permissions on 'group' file | pass | view |
Verify permissions on 'gshadow' file | fail | view |
Verify permissions on 'passwd' file | pass | view |
Verify that All World-Writable Directories Have Sticky Bits Set | pass | view |
Find Unauthorized World-Writable Files | fail | view |
Find Unauthorized SGID System Executables | pass | view |
Find Unauthorized SUID System Executables | fail | view |
Find files unowned by a user | pass | view |
Find files unowned by a group | pass | view |
Find world writable directories not owned by a system account | pass | view |
Set Daemon umask | pass | view |
Disable Core Dumps for all users | notselected | view |
Disable Core Dumps for SUID programs | notselected | view |
Enable ExecShield | notselected | view |
Enable ExecShield randomized placement of virtual memory regions | notselected | view |
Enable NX or XD Support in the BIOS | notselected | view |
Restrict Root Logins to System Console | notselected | view |
Restrict Root Logins to System Console | notselected | view |
Restrict virtual console Root Logins | notselected | view |
Restrict serial port Root Logins | pass | view |
Limit su Access to the Root Account | pass | view |
Limit su Access to the wheel group | notselected | view |
Configure sudo to Improve Auditing of Root Access | notselected | view |
Block Shell and Login Access for Non-Root System Accounts | notselected | view |
Verify that No Accounts Have Empty Password Fields | pass | view |
Verify that All Account Password Hashes are Shadowed | pass | view |
Verify that No Non-Root Accounts Have UID 0 | pass | view |
Set password minimum length | pass | view |
Set minimum password age | pass | view |
Set maximum password age | notselected | view |
Set password warn age | pass | view |
Remove Legacy + Entries from /etc/shadow | pass | view |
Remove Legacy + Entries from /etc/group | pass | view |
Remove Legacy + Entries from /etc/passwd | pass | view |
Set Password Quality Requirements | notselected | view |
Set Password Quality Requirements using pam_passwdqc | notselected | view |
Set Lockouts for Failed Password Attempts | notselected | view |
Do not leak information on authorization failure | notselected | view |
Restrict Execution of userhelper to Console Users | notselected | view |
Restrict File permissions of userhelper | notselected | view |
Set Password hashing algorithm | notselected | view |
Limit password reuse | notselected | view |
Ensure that No Dangerous Directories Exist in Root's Path | pass | view |
Write permissions are disabled for group and other in all directories in Root's Path | pass | view |
Ensure that User Home Directories are not Group-Writable or World-Readable | fail | view |
Ensure that Users Have Sensible Umask Values in /etc/bashrc | notselected | view |
Ensure that Users Have Sensible Umask Values in /etc/csh.cshrc | notselected | view |
Ensure that Users Have Sensible Umask Values in /etc/login.defs | pass | view |
Ensure that Users Have Sensible Umask Values in /etc/profile | notselected | view |
Check for existence of .netrc file | notselected | view |
Set Boot Loader user owner | pass | view |
Set Boot Loader group owner | pass | view |
Set permission on /etc/grub.conf | notselected | view |
Set Boot Loader Password | notselected | view |
Require Authentication for Single-User Mode | notselected | view |
Disable Interactive Boot | notselected | view |
Implement Inactivity Time-out for Login Shells | notselected | view |
Implement Inactivity Time-out for Login Shells | notselected | view |
Implement Inactivity Time-out for Login Shells | notselected | view |
Implement idle activation of screen saver | notselected | view |
Implement idle activation of screen lock | notselected | view |
Implement blank screen saver | notselected | view |
Configure console screen locking | notselected | view |
Modify the System Login Banner | notselected | view |
Implement a GUI Warning Banner | notselected | view |
Enable SELinux in /etc/grub.conf | pass | view |
Enable SELinux enforcement in /etc/grub.conf | notselected | view |
Set the SELinux state | fail | view |
Set the SELinux policy | pass | view |
Ensure SELinux is Properly Enabled | notselected | view |
Disable MCS Translation Service (mcstrans) if Possible | notselected | view |
Disable restorecon Service (restorecond) | notselected | view |
Check for Unconfined Daemons | notselected | view |
Disable net.ipv4.conf.default.send_redirects for Hosts Only | notselected | view |
Disable net.ipv4.conf.all.send_redirects for Hosts Only | notselected | view |
Disable net.ipv4.ip forward for Hosts Only | notselected | view |
Set net.ipv4.conf.all.accept_source_route for Hosts and Routers | pass | view |
Set net.ipv4.conf.all.accept_redirects for Hosts and Routers | pass | view |
Set net.ipv4.conf.all.secure_redirects for Hosts and Routers | pass | view |
Set net.ipv4.conf.all.log_martians for Hosts and Routers | notselected | view |
Set net.ipv4.conf.default.accept_source_route for Hosts and Routers | pass | view |
Set net.ipv4.conf.default.accept_redirects for Hosts and Routers | notselected | view |
Set net.ipv4.conf.default.secure_redirects for Hosts and Routers | pass | view |
Set net.ipv4.icmp_echo_ignore_broadcasts for Hosts and Routers | pass | view |
Set net.ipv4.icmp_ignore_bogus_error_messages for Hosts and Routers | pass | view |
Set net.ipv4.tcp_syncookies for Hosts and Routers | pass | view |
Set net.ipv4.conf.all.rp_filter for Hosts and Routers | pass | view |
Set net.ipv4.conf.default.rp_filter for Hosts and Routers | pass | view |
Disable Wireless in BIOS | notselected | view |
Deactivate Wireless Interfaces | notselected | view |
Disable Wireless Drivers | notselected | view |
Disable Automatic Loading of IPv6 Kernel Module | notselected | view |
Disable NETWORKING_IPV6 in /etc/sysconfig/network | notselected | view |
Disable IPV6INIT in /etc/sysconfig/network | notselected | view |
Disable IPV6INIT in /etc/sysconfig/network-scripts/ifcfg-* | notselected | view |
Disable IPV6_AUTOCONF in /etc/sysconfig/network | notselected | view |
Disable accepting IPv6 router advertisements (net.ipv6.conf.default.accept_ra) | notselected | view |
Disable accepting redirects from IPv6 routers (net.ipv6.conf.default.accept_redirects) | notselected | view |
Disable accepting redirects from IPv6 routers (net.ipv6.conf.all.accept_redirects) | notselected | view |
Use Privacy Extensions for Address if Necessary | notselected | view |
Limit Network-Transmitted Configuration via net.ipv6.conf.default.router_solicitations | notselected | view |
Limit Network-Transmitted Configuration via net.ipv6.conf.default.accept_ra_rtr_pref | notselected | view |
Limit Network-Transmitted Configuration via net.ipv6.conf.default.accept_ra_pinfo | notselected | view |
Limit Network-Transmitted Configuration via net.ipv6.conf.default.accept_ra_defrtr | notselected | view |
Limit Network-Transmitted Configuration via net.ipv6.conf.default.autoconf | notselected | view |
Limit Network-Transmitted Configuration via net.ipv6.conf.default.dad_transmits | notselected | view |
Limit Network-Transmitted Configuration via net.ipv6.conf.default.max_addresses | notselected | view |
Verify ip6tables is enabled | pass | view |
Verify iptables is enabled | pass | view |
Change the default policy to DROP (from ACCEPT) for the INPUT built-in chain | notselected | view |
Change the default policy to DROP (from ACCEPT) for the FORWARD built-in chain | notselected | view |
Disable Support for DCCP | notselected | view |
Disable Support for SCTP | notselected | view |
Disable Support for RDS | notselected | view |
Disable Support for TIPC | notselected | view |
Configure Syslog | pass | view |
Confirm user that owns System Log Files | pass | view |
Confirm group that owns System Log Files | pass | view |
Confirm Permissions of System Log Files | pass | view |
Send Logs to a Remote Loghost | notselected | view |
Disable syslogd from Accepting Remote Messages on Loghosts Only | notselected | view |
Ensure All Logs are Rotated by logrotate | notselected | view |
Monitor Suspicious Log Messages using Logwatch | notselected | view |
Enable the auditd Service | pass | view |
Enable Auditing for Processes Which Start Prior to the Audit Daemon | notselected | view |
Records Events that Modify Date and Time Information | notselected | view |
Record Events that Modify User/Group Information | notselected | view |
Record Events that Modify the System’s Network Environment | notselected | view |
Record Events that Modify the System’s Mandatory Access Controls | notselected | view |
Ensure auditd Collects Logon and Logout Events | notselected | view |
Ensure auditd Collects Process and Session Initiation Information | notselected | view |
Ensure auditd Collects Discretionary Access Control Permission Modification Events | notselected | view |
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) | notselected | view |
Ensure auditd Collects Information on the Use of Privileged Commands | notselected | view |
Ensure auditd Collects Information on Exporting to Media (successful) | notselected | view |
Ensure auditd Collects Files Deletion Events by User (successful and unsuccessful) | notselected | view |
Ensure auditd Collects System Administrator Actions | notselected | view |
Ensure auditd Collects Information on Kernel Module Loading and Unloading | notselected | view |
Make the auditd Configuration Immutable | notselected | view |
Disable Inetd | notselected | view |
Disable Xinetd | notselected | view |
Uninstall Inetd | notselected | view |
Uninstall Xinetd | notselected | view |
Uninstall Telnet server | notselected | view |
Disable telnet service | notselected | view |
Remove the telnet client command from the System | notselected | view |
Remove the kerberos telnet client from the System | notselected | view |
Remove the Rsh Server Commands from the System | notselected | view |
disable rcp | notselected | view |
disable rsh | notselected | view |
disable rlogin | notselected | view |
Remove .rhosts Support from PAM Configuration Files | notselected | view |
Remove the Rsh Client Commands from the System | notselected | view |
Uninstall NIS | notselected | view |
Disable NIS | notselected | view |
Uninstall TFTP Server | notselected | view |
Disable TFTP Server | notselected | view |
Installation Helper Service (firstboot) | notselected | view |
Console Mouse Service (gpm) | notselected | view |
Interrupt Distribution on Multiprocessor Systems (irqbalance) | notselected | view |
ISDN Support (isdn) | notselected | view |
Kdump Kernel Crash Analyzer (kdump) | notselected | view |
Kudzu Hardware Probing Utility (kudzu) | notselected | view |
Software RAID Monitor (mdmonitor) | notselected | view |
IA32 Microcode Utility (microcodectl) | notselected | view |
Disable All Networking if Not Needed | notselected | view |
Disable All External Network Interfaces if Not Needed | notselected | view |
Disable Zeroconf Networking | notselected | view |
Smart Card Support (pcscd) | notselected | view |
SMART Disk Monitoring Support (smartd) | notselected | view |
Boot Caching (readahead early/readahead later) | notselected | view |
Boot Caching (readahead early/readahead later) | notselected | view |
D-Bus IPC Service (messagebus) | notselected | view |
HAL Daemon (haldaemon) | notselected | view |
Bluetooth Host Controller Interface Daemon (bluetooth) | notselected | view |
Bluetooth Input Devices (hidd) | notselected | view |
Disable Bluetooth Kernel Modules | notselected | view |
Advanced Power Management Subsystem (apmd) | notselected | view |
Advanced Configuration and Power Interface (acpid) | notselected | view |
CPU Throttling (cpuspeed) | notselected | view |
Enable cron Daemon | notselected | view |
Disable anacron if Possible | notselected | view |
Uninstall anacron if Possible | notselected | view |
Set group owner on /etc/crontab | pass | view |
Set user owner on /etc/crontab | pass | view |
Set Permissions on /etc/crontab | pass | view |
Set group owner on /etc/anacrontab | pass | view |
Set user owner on /etc/anacrontab | pass | view |
Set Permissions on /etc/anacrontab | pass | view |
Set group owner on /etc/cron.hourly | pass | view |
Set group owner on /etc/cron.daily | pass | view |
Set group owner on /etc/cron.weekly | pass | view |
Set group owner on /etc/cron.monthly | pass | view |
Set group owner on /etc/cron.d | pass | view |
Set user owner on /etc/cron.hourly | pass | view |
Set user owner on /etc/cron.daily | pass | view |
Set user owner on /etc/cron.weekly | pass | view |
Set user owner on /etc/cron.monthly | pass | view |
Set user owner on /etc/cron.d | pass | view |
Set permissions on /etc/cron.hourly | pass | view |
Set permissions on /etc/cron.daily | pass | view |
Set permissions on /etc/cron.weekly | pass | view |
Set permissions on /etc/cron.monthly | pass | view |
Set permissions on /etc/cron.d | pass | view |
Restrict group owner on /var/spool/cron directory | pass | view |
Restrict user owner on /var/spool/cron directory | pass | view |
Restrict Permissions on /var/spool/cron directory | pass | view |
Disable at Daemon | notselected | view |
uninstall at Daemon | notselected | view |
Remove /etc/cron.deny | notselected | view |
Remove /etc/at.deny | notselected | view |
Disable OpenSSH Software | notselected | view |
Remove OpenSSH Software | notselected | view |
Remove SSH Server iptables Firewall Exception | notselected | view |
Remove SSH Server ip6tables Firewall Exception | notselected | view |
Ensure Only Protocol 2 Connections Allowed | notselected | view |
Set Idle Timeout Interval for User Logins | notselected | view |
Set ClientAliveCountMax for User Logins | notselected | view |
Disable .rhosts Files | notselected | view |
Disable Host-Based Authentication | notselected | view |
Disable root Login via SSH | notselected | view |
Disable Empty Passwords | notselected | view |
Enable a Warning Banner | notselected | view |
Do Not Allow Users to Set Environment Options | notselected | view |
Use Only Approved Ciphers | notselected | view |
Disable X Windows at System Boot | notselected | view |
Remove X Windows from the System if Possible | notselected | view |
Disable X Window System Listening | notselected | view |
Create Warning Banners for GUI Login Users | notselected | view |
Disable Avahi Server Software | notselected | view |
Serve Only via Required Protocol | notselected | view |
Serve Only via Required Protocol | notselected | view |
Check Responses' TTL Field | notselected | view |
Prevent Other Programs from Using Avahi's Port | notselected | view |
Disable Publishing if Possible | notselected | view |
Restrict disable-user-service-publishing | notselected | view |
Restrict publish-addresses | notselected | view |
Restrict publish-hinfo | notselected | view |
Restrict publish-workstation | notselected | view |
Restrict publish-domain | notselected | view |
Disable the CUPS Service if Possible | notselected | view |
Disable Firewall Access to Printing Service over IPv4 if Possible | notselected | view |
Disable Firewall Access to Printing Service over IPv6 if Possible | notselected | view |
Disable Printer Browsing Entirely if Possible | notselected | view |
Deny CUPS ability to listen for Incoming printer information | notselected | view |
Disable HPLIP Service if Possible | notselected | view |
Disable DHCP Client if Possible | notselected | view |
Disable DHCP Server if possible | notselected | view |
Uninstall DHCP Server if possible | notselected | view |
Do Not Use Dynamic DNS | notselected | view |
Deny Decline Messages | notselected | view |
Deny BOOTP Queries | notselected | view |
DHCP should not send domain-name | notselected | view |
DHCP should not send domain-name-servers | notselected | view |
DHCP should not send nis-domain | notselected | view |
DHCP should not send nis-servers | notselected | view |
DHCP should not send ntp-servers | notselected | view |
DHCP should not send routers | notselected | view |
DHCP should not send time-offset | notselected | view |
Configure DHCP Logging | notselected | view |
Enable the NTP Daemon | notselected | view |
Deny All Access to ntpd by Default | notselected | view |
Specify a Remote NTP Server for Time Data | notselected | view |
Obtain NTP Software | notselected | view |
Enable the NTP Daemon | notselected | view |
Configure the Client NTP Daemon to Use the Local Server | notselected | view |
Disable the Listening Sendmail Daemon | notselected | view |
Configure LDAP to Use TLS for All Transactions | notselected | view |
Disable OpenLDAP service | notselected | view |
Disable nfslock | notselected | view |
Disable rpcgssd | notselected | view |
Disable rpcidmapd | notselected | view |
Disable netfs if Possible | notselected | view |
Configure lockd to Use Fixed Ports for TCP | notselected | view |
Configure statd to Use an outgoing static port | notselected | view |
Configure statd to Use a static port | notselected | view |
Configure lockd to Use a static port for UDP | notselected | view |
Configure mountd to Use a static port | notselected | view |
Configure rquotad to Use Fixed Ports | notselected | view |
Disable nfs service | notselected | view |
Disable rpcsvcgssd service | notselected | view |
Mount Remote Filesystems with nodev | notselected | view |
Mount Remote Filesystems with nosuid | notselected | view |
Mount Remote Filesystems with noexec | notselected | view |
Use Root-Squashing on All Exports | notselected | view |
Restrict NFS Clients to Privileged Ports | notselected | view |
Export Filesystems Read-Only if Possible | notselected | view |
Disable DNS Server if Possible | notselected | view |
Uninstall bind if Possible | notselected | view |
Run DNS Software in a chroot Jail owned by root group | notselected | view |
Run DNS Software in a chroot Jail owned by root user | notselected | view |
Set permissions on chroot Jail for DNS | notselected | view |
Disable DNS Dynamic Updates if Possible | notselected | view |
Disable vsftpd if Possible | notselected | view |
Uninstall vsftpd if Possible | notselected | view |
Enable Logging of All FTP Transactions | notselected | view |
Create Warning Banners for All FTP Users | notselected | view |
Restrict Access to Anonymous Users if Possible | notselected | view |
Disable FTP Uploads if Possible | notselected | view |
Disable Apache if Possible | notselected | view |
Uninstall Apache if Possible | notselected | view |
Restrict Information Leakage using ServerTokens | notselected | view |
Restrict Information Leakage using ServerSignature | notselected | view |
Restrict permissions on /etc/httpd/conf | notselected | view |
Restrict permissions on /etc/httpd/conf/* | notselected | view |
Restrict permissions on /usr/sbin/httpd | notselected | view |
Restrict group access to /etc/httpd/conf/* | notselected | view |
Restrict permissions on /var/log/httpd | notselected | view |
Disable Dovecot if Possible | notselected | view |
Uninstall Dovecot if Possible | notselected | view |
Dovecot should not support imaps | notselected | view |
Dovecot should not support pop3s | notselected | view |
Dovecot should not support pop3 | notselected | view |
Dovecot should not support imap | notselected | view |
Disable Plaintext Authentication | notselected | view |
Enable Dovecot Option mail_drop_priv_before_exec | notselected | view |
Enable Dovecot Option mail_drop_priv_before_exec | notselected | view |
Disable Samba if Possible | notselected | view |
Disable Guest Access and Local Login Support | notselected | view |
Require Client SMB Packet Signing, if using smbclient | notselected | view |
Require Client SMB Packet Signing, if using mount.cifs | notselected | view |
Disable Squid if Possible | notselected | view |
Uninstall Squid if Possible | notselected | view |
Verify ftp_passive setting | notselected | view |
Verify ftp_sanitycheck setting | notselected | view |
Verify check_hostnames setting | notselected | view |
Verify request_header_max_size setting | notselected | view |
Verify reply_header_max_size setting | notselected | view |
Verify cache_effective_user setting | notselected | view |
Verify cache_effective_group setting | notselected | view |
Verify ignore_unknown_nameservers setting | notselected | view |
Check allow_underscore setting | notselected | view |
Check httpd_suppress_version setting | notselected | view |
Check forwarded_for setting | notselected | view |
Check log_mime_hdrs setting | notselected | view |
Restrict gss-http traffic | notselected | view |
Restrict https traffic | notselected | view |
Restrict wais traffic | notselected | view |
Restrict multiling http traffic | notselected | view |
Restrict http traffic | notselected | view |
Restrict ftp traffic | notselected | view |
Restrict gopher traffic | notselected | view |
Restrict filemaker traffic | notselected | view |
Restrict proxy access to localhost | notselected | view |
Restrict http-mgmt traffic | notselected | view |
Disable snmpd if Possible | notselected | view |
Uninstall net-snmp if Possible | notselected | view |
Do not log authorization failures and successes | notselected | view |
Remove SETroubleshoot if Possible | notselected | view |
Disable SETroubleshoot if Possible | notselected | view |
Mail Transfer Agent | notselected | view |
Correct Permissions on LDAP Server Files | notselected | view |
Correct Permissions on LDAP Server Files | notselected | view |
Disable RPC Portmapper if Possible | notselected | view |
Result for Ensure that /tmp has its own partition or logical volume
Result: notselected
Rule ID: rule-2.1.1.1.1.a
Time: 2010-08-26 17:34
Rule description
The /tmp directory is a world-writable directory used for temporary file storage. Ensure that it has its own partition or logical volume.
Related identifiers
- TBD (http://cce.mitre.org)
Result for Ensure that /tmp is of adequate size
Result: notselected
Rule ID: rule-2.1.1.1.1.b
Time: 2010-08-26 17:34
Rule description
Because software may need to use /tmp to temporarily store large files, ensure that it is of adequate size.
Related identifiers
- TBD (http://cce.mitre.org)
Result for Ensure that /var has its own partition or logical volume
Result: notselected
Rule ID: rule-2.1.1.1.2.a
Time: 2010-08-26 17:34
Severity: low
Rule description
The /var directory is used by daemons and other system services to store frequently-changing data. It is not uncommon for the /var directory to contain world-writable directories, installed by other software packages. Ensure that /var has its own partition or logical volume.
Related identifiers
- TBD (http://cce.mitre.org)
References
Result for Ensure that /var is of adequate size
Result: notselected
Rule ID: rule-2.1.1.1.2.b
Time: 2010-08-26 17:34
Rule description
Because the yum package manager and other software uses /var to temporarily store large files, ensure that it is of adequate size. For a modern, general-purpose system, 10GB should be adequate.
Related identifiers
- TBD (http://cce.mitre.org)
Result for Ensure that /var/log has its own partition or logical volume
Result: notselected
Rule ID: rule-2.1.1.1.3.a
Time: 2010-08-26 17:34
Rule description
System logs are stored in the /var/log directory. Ensure that it has its own partition or logical volume.
Related identifiers
- TBD (http://cce.mitre.org)
Result for Ensure that /var/log/audit has its own partition or logical volume
Result: notselected
Rule ID: rule-2.1.1.1.4.a
Time: 2010-08-26 17:34
Rule description
Audit logs are stored in the /var/log/audit directory. Ensure that it has its own partition or logical volume. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.
Related identifiers
- TBD (http://cce.mitre.org)
Result for Ensure that /home has its own partition or logical volume
Result: notselected
Rule ID: rule-2.1.1.1.5.a
Time: 2010-08-26 17:34
Severity: low
Rule description
If user home directories will be stored locally, create a separate partition for /home. If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at this time, and the mountpoint can instead be configured later.
Related identifiers
- TBD (http://cce.mitre.org)
References
Result for Ensure Fedora GPG Key is Installed
Result: notselected
Rule ID: rule-2.1.2.1.1.a
Time: 2010-08-26 17:34
Rule description
The Fedora GPG key should be installed.
Related identifiers
- TBD (http://cce.mitre.org)
Result for yum-updatesd service should be disabled
Result: notselected
Rule ID: rule-2.1.2.3.2.a
Time: 2010-08-26 17:34
Severity: low
Rule description
The yum-updatesd service should be disabled.
Related identifiers
- CCE-4218-4 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
Fix script
# chkconfig yum-updatesd off
References
Result for Automatic Update Retrieval should be scheduled with Cron
Result: notselected
Rule ID: rule-2.1.2.3.2.b
Time: 2010-08-26 17:34
Severity: medium
Rule description
Place the yum.cron script somewhere in /etc/cron.*/
Related identifiers
- TBD (http://cce.mitre.org)
Fix script
echo -e "/usr/bin/yum -R 120 -e 0 -d 0 -y update yum\n/usr/bin/yum -R 10 -e 0 -d 0 -y update" > /etc/cron.weekly/yum.cron
References
Result for Ensure gpgcheck is Globally Activated
Result: pass
Rule ID: rule-2.1.2.3.3.a
Time: 2010-08-26 17:34
Rule description
The gpgcheck option should be used to ensure that checking of an RPM package’s signature always occurs prior to its installation. To force yum to check package signatures before installing them, ensure that the following line appears in /etc/yum.conf in the [main] section: gpgcheck=1
Related identifiers
- TBD (http://cce.mitre.org)
References
Result for Ensure Package Signature Checking is Not Disabled For Any Repos
Result: fail
Rule ID: rule-2.1.2.3.4.a
Time: 2010-08-26 17:34
Rule description
To ensure that signature checking is not disabled for any repos, ensure that the following line DOES NOT appear in any repo configuration files in /etc/yum.repos.d or elsewhere: gpgcheck=0
Related identifiers
- TBD (http://cce.mitre.org)
References
Result for Ensure Repodata Signature Checking is Globally Activated
Result: notselected
Rule ID: rule-2.1.2.3.5.a
Time: 2010-08-26 17:34
Rule description
The repo_gpgcheck option should be used to ensure that checking of a signature on repodata is performed prior to using it. To force yum to check the signature on repodata sent by a repository prior to using it, ensure that the following line appears in /etc/yum.conf in the [main] section: repo_gpgcheck=1
Related identifiers
- TBD (http://cce.mitre.org)
References
Result for Ensure Repodata Signature Checking is Not Disabled For Any Repos
Result: pass
Rule ID: rule-2.1.2.3.6.a
Time: 2010-08-26 17:34
Rule description
To ensure that signature checking is not disabled for any repos, ensure that the following line DOES NOT appear in any repo configuration files in /etc/yum.repos.d or elsewhere: gpgcheck=0
Related identifiers
- TBD (http://cce.mitre.org)
References
Result for Install AIDE
Result: notselected
Rule ID: rule-2.1.3.1.1.a
Time: 2010-08-26 17:34
Severity: medium
Rule description
The AIDE package should be installed.
Related identifiers
- CCE-4209-3 (http://cce.mitre.org)
Fix script
yum install aide
References
Result for Run AIDE periodically
Result: notselected
Rule ID: rule-2.1.3.1.4.a
Time: 2010-08-26 17:34
Severity: medium
Rule description
Set up a cron job to run AIDE periodically.
Related identifiers
- TBD (http://cce.mitre.org)
Fix script
echo -e "/usr/sbin/aide --check" > /etc/cron.daily/aide.cron
References
Result for Verify Package Integrity Using RPM
Result: notselected
Rule ID: rule-2.1.3.2.a
Time: 2010-08-26 17:34
Rule description
Verify the integrity of installed packages by comparing the installed files with information about the files taken from the package metadata stored in the RPM database.
Related identifiers
- TBD (http://cce.mitre.org)
References
Result for Add nodev Option to Non-Root Local Partitions
Result: notselected
Rule ID: rule-2.2.1.1.a
Time: 2010-08-26 17:34
Severity: unknown
Rule description
The nodev option should be disabled as appropriate for all non-root partitions.
Related identifiers
- CCE-4249-9 (http://cce.mitre.org)
Fix script
Edit the file /etc/fstab. The important columns for purposes of this section are column 2 (mount point), column 3 (filesystem type), and column 4 (mount options). For any line which satisfies all of the conditions -- the filesystem type is ext2 or ext3, and the mount point is not / -- add the text ',nodev' to the list of mount options in column 4.
References
Result for Add nodev Option to Removable Media Partitions
Result: notselected
Rule ID: rule-2.2.1.2.a
Time: 2010-08-26 17:34
Rule description
The nodev option should be disabled for all removable media.
Related identifiers
- CCE-3522-0 (http://cce.mitre.org)
Fix instructions
(1) via /etc/fstab
Fix script
Edit the file /etc/fstab. Filesystems which represent removable media can be located by finding lines whose mount points contain strings like floppy or cdrom, or whose types are iso9660, vfat, or msdos. For each line representing a removable media mountpoint, add the text ',nodev' to the list of mount options in column 4.
References
Result for Add noexec Option to Removable Media Partitions
Result: notselected
Rule ID: rule-2.2.1.2.b
Time: 2010-08-26 17:34
Rule description
The noexec option should be disabled for all removable media.
Related identifiers
- CCE-4275-4 (http://cce.mitre.org)
Fix instructions
(1) via /etc/fstab
Fix script
Edit the file /etc/fstab. Filesystems which represent removable media can be located by finding lines whose mount points contain strings like floppy or cdrom, or whose types are iso9660, vfat, or msdos. For each line representing a removable media mountpoint, add the text ',noexec' to the list of mount options in column 4.
Result for Add nosuid Option to Removable Media Partitions
Result: notselected
Rule ID: rule-2.2.1.2.c
Time: 2010-08-26 17:34
Severity: medium
Rule description
The nosuid option should be disabled for all removable media.
Related identifiers
- CCE-4042-8 (http://cce.mitre.org)
Fix instructions
(1) via /etc/fstab
Fix script
Edit the file /etc/fstab. Filesystems which represent removable media can be located by finding lines whose mount points contain strings like floppy or cdrom, or whose types are iso9660, vfat, or msdos. For each line representing a removable media mountpoint, add the text ',nosuid' to the list of mount options in column 4.
References
Result for Disable Modprobe Loading of USB Storage Driver
Result: notselected
Rule ID: rule-2.2.2.2.1.a
Time: 2010-08-26 17:34
Rule description
The USB device support module should not be loaded
Related identifiers
- CCE-4187-1 (http://cce.mitre.org)
Fix script
echo -e "\nblacklist usb_storage" >> /etc/modprobe.d/blacklist.conf
References
Result for Remove USB Storage Driver
Result: notselected
Rule ID: rule-2.2.2.2.2.a
Time: 2010-08-26 17:34
Rule description
The USB device support module should not be installed. The command in the FIX will need to be repeated every time the kernel is updated. This command will also cause the command rpm -q --verify kernel to fail, which may be an undesirable side effect.
Related identifiers
- CCE-4006-3 (http://cce.mitre.org)
Fix script
rm /lib/modules/2.6.*.el5/kernel/drivers/usb/storage/usb-storage.ko
References
Result for Disable Kernel Support for USB via Bootloader Configuration
Result: notselected
Rule ID: rule-2.2.2.2.3.a
Time: 2010-08-26 17:34
Rule description
USB kernel support should be disabled.
Related identifiers
- CCE-4173-1 (http://cce.mitre.org)
Fix script
To disable kernel support for USB, append 'nousb' to the kernel line in /etc/grub.conf as follows:
kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet nousb
References
Result for Disable Booting from USB Devices in the BIOS
Result: notselected
Rule ID: rule-2.2.2.2.4.a
Time: 2010-08-26 17:34
Severity: high
Rule description
The ability to boot from USB devices should be disabled
Related identifiers
- CCE-3944-6 (http://cce.mitre.org)
Fix instructions
(1) via BIOS
References
Result for Disable the Automounter if Possible
Result: notselected
Rule ID: rule-2.2.2.3.a
Time: 2010-08-26 17:34
Severity: medium
Rule description
The autofs service should be disabled.
Related identifiers
- CCE-4072-5 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
Fix script
# chkconfig autofs off
References
Result for Disable GNOME Automounting if Possible
Result: notselected
Rule ID: rule-2.2.2.4.a
Time: 2010-08-26 17:34
Severity: medium
Rule description
The GNOME automounter (gnome-volume-manager) should be disabled if possible
Related identifiers
- CCE-4231-7 (http://cce.mitre.org)
Fix instructions
Execute the following commands to prevent gnome-volume-manager from automatically mounting devices and media:
# gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type bool --set /desktop/gnome/volume_manager/automount_media false
# gconftool-2 --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type bool \
  --set /desktop/gnome/volume_manager/automount_drives false
Verify the changes by executing the following command, which should return a list of settings:
# gconftool-2 -R /desktop/gnome/volume_manager
The automount drives and automount media settings should be set to false. Survey the list for any other options that should be adjusted.
References
Result for Disable Mounting of cramfs
Result: notselected
Rule ID: rule-2.2.2.5.a
Time: 2010-08-26 17:34
Rule description
Using the install command inside /etc/modprobe.conf instructs the kernel module loading system to run the command specified (here, /bin/true) instead of inserting the module in the kernel as normal. This effectively prevents usage of these uncommon filesystems.
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
Append the following line to /etc/modprobe.conf in order to prevent the usage of uncommon filesystem types:
Fix script
echo "install cramfs /bin/true" >> /etc/modprobe.conf
Result for Disable Mounting of freevxfs
Result: notselected
Rule ID: rule-2.2.2.5.b
Time: 2010-08-26 17:34
Rule description
Using the install command inside /etc/modprobe.conf instructs the kernel module loading system to run the command specified (here, /bin/true) instead of inserting the module in the kernel as normal. This effectively prevents usage of these uncommon filesystems.
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
Append the following line to /etc/modprobe.conf in order to prevent the usage of uncommon filesystem types:
Fix script
echo "install freevxfs /bin/true" >> /etc/modprobe.conf
Result for Disable Mounting of jffs2
Result: notselected
Rule ID: rule-2.2.2.5.c
Time: 2010-08-26 17:34
Rule description
Using the install command inside /etc/modprobe.conf instructs the kernel module loading system to run the command specified (here, /bin/true) instead of inserting the module in the kernel as normal. This effectively prevents usage of these uncommon filesystems.
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
Append the following line to /etc/modprobe.conf in order to prevent the usage of uncommon filesystem types:
Fix script
echo "install jffs2 /bin/true" >> /etc/modprobe.conf
Result for Disable Mounting of hfs
Result: notselected
Rule ID: rule-2.2.2.5.d
Time: 2010-08-26 17:34
Rule description
Using the install command inside /etc/modprobe.conf instructs the kernel module loading system to run the command specified (here, /bin/true) instead of inserting the module in the kernel as normal. This effectively prevents usage of these uncommon filesystems.
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
Append the following line to /etc/modprobe.conf in order to prevent the usage of uncommon filesystem types:
Fix script
echo "install hfs /bin/true" >> /etc/modprobe.conf
Result for Disable Mounting of hfsplus
Result: notselected
Rule ID: rule-2.2.2.5.e
Time: 2010-08-26 17:34
Rule description
Using the install command inside /etc/modprobe.conf instructs the kernel module loading system to run the command specified (here, /bin/true) instead of inserting the module in the kernel as normal. This effectively prevents usage of these uncommon filesystems.
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
Append the following line to /etc/modprobe.conf in order to prevent the usage of uncommon filesystem types:
Fix script
echo "install hfsplus /bin/true" >> /etc/modprobe.conf
Result for Disable Mounting of squashfs
Result: notselected
Rule ID: rule-2.2.2.5.f
Time: 2010-08-26 17:34
Rule description
Using the install command inside /etc/modprobe.conf instructs the kernel module loading system to run the command specified (here, /bin/true) instead of inserting the module in the kernel as normal. This effectively prevents usage of these uncommon filesystems.
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
Append the following line to /etc/modprobe.conf in order to prevent the usage of uncommon filesystem types:
Fix script
echo "install squashfs /bin/true" >> /etc/modprobe.conf
Result for Disable Mounting of udf
Result: notselected
Rule ID: rule-2.2.2.5.g
Time: 2010-08-26 17:34
Rule description
Using the install command inside /etc/modprobe.conf instructs the kernel module loading system to run the command specified (here, /bin/true) instead of inserting the module in the kernel as normal. This effectively prevents usage of these uncommon filesystems.
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
Append the following line to /etc/modprobe.conf in order to prevent the usage of uncommon filesystem types:
Fix script
echo "install udf /bin/true" >> /etc/modprobe.conf
Result for Verify user who owns 'shadow' file
Result: pass
Rule ID: rule-2.2.3.1.a
Time: 2010-08-26 17:34
Severity: medium
Rule description
The /etc/shadow file should be owned by root.
Related identifiers
- CCE-3918-0 (http://cce.mitre.org)
Fix script
chown root /etc/shadow
References
Result for Verify group who owns 'shadow' file
Result: pass
Rule ID: rule-2.2.3.1.b
Time: 2010-08-26 17:34
Severity: medium
Rule description
The /etc/shadow file should be owned by root.
Related identifiers
- CCE-3988-3 (http://cce.mitre.org)
Fix script
chown :root /etc/shadow
References
Result for Verify user who owns 'group' file
Result: pass
Rule ID: rule-2.2.3.1.c
Time: 2010-08-26 17:34
Severity: medium
Rule description
The /etc/group file should be owned by root.
Related identifiers
- CCE-3276-3 (http://cce.mitre.org)
Fix script
chown root /etc/group
References
Result for Verify group who owns 'group' file
Result: pass
Rule ID: rule-2.2.3.1.d
Time: 2010-08-26 17:34
Severity: medium
Rule description
The /etc/group file should be owned by root.
Related identifiers
- CCE-3883-6 (http://cce.mitre.org)
Fix script
chown :root /etc/group
References
Result for Verify user who owns 'gshadow' file
Result: pass
Rule ID: rule-2.2.3.1.e
Time: 2010-08-26 17:34
Severity: medium
Rule description
The /etc/gshadow file should be owned by root.
Related identifiers
- CCE-4210-1 (http://cce.mitre.org)
Fix script
chown root /etc/gshadow
References
Result for Verify group who owns 'gshadow' file
Result: pass
Rule ID: rule-2.2.3.1.f
Time: 2010-08-26 17:34
Severity: medium
Rule description
The /etc/gshadow file should be owned by root.
Related identifiers
- CCE-4064-2 (http://cce.mitre.org)
Fix script
chown :root /etc/gshadow
References
Result for Verify user who owns 'passwd' file
Result: pass
Rule ID: rule-2.2.3.1.g
Time: 2010-08-26 17:34
Severity: medium
Rule description
The /etc/passwd file should be owned by root.
Related identifiers
- CCE-3958-6 (http://cce.mitre.org)
Fix script
chown root /etc/passwd
References
Result for Verify group who owns 'passwd' file
Result: pass
Rule ID: rule-2.2.3.1.h
Time: 2010-08-26 17:34
Severity: medium
Rule description
The /etc/passwd file should be owned by root.
Related identifiers
- CCE-3495-9 (http://cce.mitre.org)
Fix script
chown :root /etc/passwd
References
Result for Verify permissions on 'shadow' file
Result: fail
Rule ID: rule-2.2.3.1.i
Time: 2010-08-26 17:34
Severity: medium
Rule description
File permissions for /etc/shadow should be set correctly.
Related identifiers
- CCE-4130-1 (http://cce.mitre.org)
Fix script
chmod 400 /etc/shadow
References
Result for Verify permissions on 'group' file
Result: pass
Rule ID: rule-2.2.3.1.j
Time: 2010-08-26 17:34
Severity: medium
Rule description
File permissions for /etc/group should be set correctly.
Related identifiers
- CCE-3967-7 (http://cce.mitre.org)
Fix script
chmod 644 /etc/group
References
Result for Verify permissions on 'gshadow' file
Result: fail
Rule ID: rule-2.2.3.1.k
Time: 2010-08-26 17:34
Severity: medium
Rule description
File permissions for /etc/gshadow should be set correctly.
Related identifiers
- CCE-3932-1 (http://cce.mitre.org)
Fix script
chmod 400 /etc/gshadow
References
Result for Verify permissions on 'passwd' file
Result: pass
Rule ID: rule-2.2.3.1.l
Time: 2010-08-26 17:34
Severity: medium
Rule description
File permissions for /etc/passwd should be set correctly.
Related identifiers
- CCE-3566-7 (http://cce.mitre.org)
Fix script
chmod 644 /etc/passwd
References
Result for Verify that All World-Writable Directories Have Sticky Bits Set
Result: pass
Rule ID: rule-2.2.3.2.a
Time: 2010-08-26 17:35
Severity: low
Rule description
The sticky bit should be set for all world-writable directories.
Related identifiers
- CCE-3399-3 (http://cce.mitre.org)
Fix instructions
Locate any directories in local partitions which are world-writable and do not have their sticky bits set. The following command will discover and print these. Run it once for each local partition PART:
# find PART -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
If this command produces any output, fix each reported directory /dir using the command:
# chmod +t /dir
References
Result for Find Unauthorized World-Writable Files
Result: fail
Rule ID: rule-2.2.3.3.a
Time: 2010-08-26 17:35
Severity: medium
Rule description
The world-write permission should be disabled for all files.
Related identifiers
- CCE-3795-2 (http://cce.mitre.org)
Fix instructions
The following command discovers any world-writable files in local partitions and removes the world-write permission from each of them. Run it once for each local partition PART:
Fix script
# -print0 / xargs -0 so that file names containing whitespace are handled safely
find PART -xdev -type f -perm -0002 -print0 | xargs -0 chmod o-w
References
Result for Find Unauthorized SGID System Executables
Result: pass
Rule ID: rule-2.2.3.4.a
Time: 2010-08-26 17:35
Severity: medium
Rule description
The sgid bit should not be set on any file unless it is authorized.
Related identifiers
- CCE-4178-0 (http://cce.mitre.org)
References
Result for Find Unauthorized SUID System Executables
Result: fail
Rule ID: rule-2.2.3.4.b
Time: 2010-08-26 17:36
Severity: high
Rule description
The suid bit should not be set on any file unless it is authorized.
Related identifiers
- CCE-3324-1 (http://cce.mitre.org)
Fix instructions
(1) via chmod
References
Result for Find files unowned by a user
Result: pass
Rule ID: rule-2.2.3.5.a
Time: 2010-08-26 17:36
Severity: medium
Rule description
All files should be owned by a user
Related identifiers
- CCE-4223-4 (http://cce.mitre.org)
Fix instructions
(1) via chown
Result for Find files unowned by a group
Result: pass
Rule ID: rule-2.2.3.5.b
Time: 2010-08-26 17:38
Severity: medium
Rule description
All files should be owned by a group
Related identifiers
- CCE-3573-3 (http://cce.mitre.org)
Fix instructions
(1) via chgrp
Result for Find world writable directories not owned by a system account
Result: pass
Rule ID: rule-2.2.3.6.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
All world writable directories should be owned by a system user
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via chown
References
Result for Set Daemon umask
Result: pass
Rule ID: rule-2.2.4.1.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
The daemon umask should be set to [profile value]
Related identifiers
- CCE-4220-0 (http://cce.mitre.org)
Fix instructions
(1) via /etc/sysconfig/init
Fix script
Edit the file /etc/sysconfig/init, and add or correct the following line:
umask 027
References
Result for Disable Core Dumps for all users
Result: notselected
Rule ID: rule-2.2.4.2.a
Time: 2010-08-26 17:38
Severity: low
Rule description
Core dumps for all users should be disabled
Related identifiers
- CCE-4225-9 (http://cce.mitre.org)
Fix instructions
(1) via /etc/security/limits.conf
Fix script
To disable core dumps for all users, add or correct the following line in /etc/security/limits.conf:
* hard core 0
References
Result for Disable Core Dumps for SUID programs
Result: notselected
Rule ID: rule-2.2.4.2.b
Time: 2010-08-26 17:38
Severity: low
Rule description
Core dumps for setuid programs should be disabled
Related identifiers
- CCE-4247-3 (http://cce.mitre.org)
Fix instructions
(1) via sysctl - fs.suid_dumpable
Fix script
To ensure that core dumps can never be made by setuid programs, edit /etc/sysctl.conf and add or correct the line:
fs.suid_dumpable = 0
References
Result for Enable ExecShield
Result: notselected
Rule ID: rule-2.2.4.3.a
Time: 2010-08-26 17:38
Rule description
ExecShield should be enabled
Related identifiers
- CCE-4168-1 (http://cce.mitre.org)
Fix instructions
(1) via sysctl - kernel.exec-shield
Fix script
To ensure ExecShield (including random placement of virtual memory regions) is
activated at boot, add or correct the following settings in /etc/sysctl.conf:
kernel.exec-shield = 1
References
Result for Enable ExecShield randomized placement of virtual memory regions
Result: notselected
Rule ID: rule-2.2.4.3.b
Time: 2010-08-26 17:38
Rule description
ExecShield randomized placement of virtual memory regions should be enabled
Related identifiers
- CCE-4146-7 (http://cce.mitre.org)
Fix instructions
(1) via sysctl - kernel.randomize_va_space
Fix script
To ensure ExecShield (including random placement of virtual memory regions) is
activated at boot, add or correct the following settings in /etc/sysctl.conf:
kernel.randomize_va_space = 1
References
Result for Enable NX or XD Support in the BIOS
Result: notselected
Rule ID: rule-2.2.4.4.3.a
Time: 2010-08-26 17:38
Rule description
The XD/NX processor feature should be enabled in the BIOS
Related identifiers
- CCE-4177-2 (http://cce.mitre.org)
Fix instructions
(1) via BIOS
Fix script
Reboot the system and enter the BIOS or 'Setup' configuration menu. Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located under a 'Security' section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX) on AMD-based systems.
References
Result for Restrict Root Logins to System Console
Result: notselected
Rule ID: rule-2.3.1.1.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Logins through the specified virtual console interface should be disabled
Related identifiers
- CCE-3820-8 (http://cce.mitre.org)
Fix instructions
(1) via /etc/securetty
Result for Restrict Root Logins to System Console
Result: notselected
Rule ID: rule-2.3.1.1.b
Time: 2010-08-26 17:38
Severity: medium
Rule description
Root logins through the specified virtual console device should be disabled
Related identifiers
- CCE-3485-0 (http://cce.mitre.org)
Fix instructions
(1) via /etc/securetty
References
Result for Restrict virtual console Root Logins
Result: notselected
Rule ID: rule-2.3.1.1.c
Time: 2010-08-26 17:38
Severity: medium
Rule description
Logins through the virtual console devices should be disabled
Related identifiers
- CCE-4111-1 (http://cce.mitre.org)
Fix instructions
(1) via /etc/securetty
References
Result for Restrict serial port Root Logins
Result: pass
Rule ID: rule-2.3.1.1.d
Time: 2010-08-26 17:38
Severity: medium
Rule description
Login prompts on serial ports should be disabled.
Related identifiers
- CCE-4256-4 (http://cce.mitre.org)
Fix instructions
(1) via /etc/securetty
References
Result for Limit su Access to the Root Account
Result: pass
Rule ID: rule-2.3.1.2.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
The wheel group should exist
Fix instructions
(1) via /etc/group
References
Result for Limit su Access to the wheel group
Result: notselected
Rule ID: rule-2.3.1.2.b
Time: 2010-08-26 17:38
Severity: medium
Rule description
Command access to the root account should be restricted to the wheel group.
Fix instructions
(1) via /etc/pam.d/su
References
Result for Configure sudo to Improve Auditing of Root Access
Result: notselected
Rule ID: rule-2.3.1.3.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Sudo privileges should be granted to the wheel group
Related identifiers
- CCE-4044-4 (http://cce.mitre.org)
Fix instructions
echo "%wheel ALL=(ALL) ALL" >> /etc/sudoers
References
Result for Block Shell and Login Access for Non-Root System Accounts
Result: notselected
Rule ID: rule-2.3.1.4.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Login access to non-root system accounts should be disabled
Related identifiers
- CCE-3987-5 (http://cce.mitre.org)
Fix instructions
(1) via /etc/passwd
References
Result for Verify that No Accounts Have Empty Password Fields
Result: pass
Rule ID: rule-2.3.1.5.1.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Login access to accounts without passwords should be disabled
Related identifiers
- CCE-4238-2 (http://cce.mitre.org)
Fix instructions
(1) via /etc/shadow
References
Result for Verify that All Account Password Hashes are Shadowed
Result: pass
Rule ID: rule-2.3.1.5.2.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Check that passwords are shadowed
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via /etc/password
Result for Verify that No Non-Root Accounts Have UID 0
Result: pass
Rule ID: rule-2.3.1.6.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Anonymous root logins should be disabled
Related identifiers
- CCE-4009-7 (http://cce.mitre.org)
Fix instructions
(1) via /etc/passwd
References
Result for Set password minimum length
Result: pass
Rule ID: rule-2.3.1.7.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
The password minimum length should be set to:
Related identifiers
- CCE-4154-1 (http://cce.mitre.org)
Fix instructions
(1) via /etc/login.defs
References
Result for Set minimum password age
Result: pass
Rule ID: rule-2.3.1.7.b
Time: 2010-08-26 17:38
Severity: medium
Rule description
The minimum password age should be set to:
Related identifiers
- CCE-4180-6 (http://cce.mitre.org)
Fix instructions
(1) via /etc/login.defs
References
Result for Set maximum password age
Result: notselected
Rule ID: rule-2.3.1.7.c
Time: 2010-08-26 17:38
Severity: medium
Rule description
The maximum password age should be set to:
Related identifiers
- CCE-4092-3 (http://cce.mitre.org)
Fix instructions
(1) via /etc/login.defs
References
Result for Set password warn age
Result: pass
Rule ID: rule-2.3.1.7.d
Time: 2010-08-26 17:38
Severity: medium
Rule description
The password warn age should be set to:
Related identifiers
- CCE-4097-2 (http://cce.mitre.org)
Fix instructions
(1) via /etc/login.defs
References
Result for Remove Legacy + Entries from /etc/shadow
Result: pass
Rule ID: rule-2.3.1.8.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
NIS file inclusions should be set appropriately in the /etc/shadow file
Fix instructions
(1) via /etc/shadow
Result for Remove Legacy + Entries from /etc/group
Result: pass
Rule ID: rule-2.3.1.8.b
Time: 2010-08-26 17:38
Severity: medium
Rule description
NIS file inclusions should be set appropriately in the /etc/group file
Fix instructions
(1) via /etc/group
Result for Remove Legacy + Entries from /etc/passwd
Result: pass
Rule ID: rule-2.3.1.8.c
Time: 2010-08-26 17:38
Severity: medium
Rule description
NIS file inclusions should be set appropriately in the /etc/passwd file
Related identifiers
- CCE-4114-5 (http://cce.mitre.org)
Fix instructions
(1) via /etc/passwd
Result for Set Password Quality Requirements
Result: notselected
Rule ID: rule-2.3.3.1.1.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
The password strength should meet minimum requirements
Related identifiers
- CCE-3762-2 (http://cce.mitre.org)
Fix instructions
(1) via PAM
Result for Set Password Quality Requirements using pam_passwdqc
Result: notselected
Rule ID: rule-2.3.3.1.2.a
Time: 2010-08-26 17:38
Rule description
The password strength should meet minimum requirements
Related identifiers
- CCE-3762-2 (http://cce.mitre.org)
Fix instructions
(1) via PAM
Result for Set Lockouts for Failed Password Attempts
Result: notselected
Rule ID: rule-2.3.3.2.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
The "account lockout threshold" policy should meet minimum requirements.
Related identifiers
- CCE-3410-8 (http://cce.mitre.org)
Fix instructions
(1) via PAM
Result for Do not leak information on authorization failure
Result: notselected
Rule ID: rule-2.3.3.2.b
Time: 2010-08-26 17:38
Rule description
Authorization failures should not alert attackers as to what went wrong.
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via /etc/pam.d/system-auth
Result for Restrict Execution of userhelper to Console Users
Result: notselected
Rule ID: rule-2.3.3.4.a
Time: 2010-08-26 17:38
Rule description
The /usr/sbin/userhelper file should be owned by the appropriate group.
Related identifiers
- CCE-4185-5 (http://cce.mitre.org)
Fix instructions
(1) via chgrp
Fix script
# chgrp usergroup /usr/sbin/userhelper
Result for Restrict File permissions of userhelper
Result: notselected
Rule ID: rule-2.3.3.4.b
Time: 2010-08-26 17:38
Rule description
File permissions for /usr/sbin/userhelper should be set correctly.
Related identifiers
- CCE-3952-9 (http://cce.mitre.org)
Fix instructions
(1) via chmod
Fix script
# chmod 4710 /usr/sbin/userhelper
Result for Set Password hashing algorithm
Result: notselected
Rule ID: rule-2.3.3.5.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
The password hashing algorithm should be set to SHA-512
Related identifiers
- TBD (http://cce.mitre.org)
Fix script
/usr/sbin/authconfig --passalgo=sha512 --update
Result for Limit password reuse
Result: notselected
Rule ID: rule-2.3.3.6.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
The passwords to remember should be set to:
Related identifiers
- TBD (http://cce.mitre.org)
References
Result for Ensure that No Dangerous Directories Exist in Root's Path
Result: pass
Rule ID: rule-2.3.4.1.1.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
The PATH variable should be set correctly for user root
Related identifiers
- CCE-3301-9 (http://cce.mitre.org)
References
Result for Write permissions are disabled for group and other in all directories in Root's Path
Result: pass
Rule ID: rule-2.3.4.1.2.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Check each directory in root's path and make sure it does not grant write permission to group and other
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via chmod
References
Result for Ensure that User Home Directories are not Group-Writable or World-Readable
Result: fail
Rule ID: rule-2.3.4.2.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
File permissions should be set correctly for the home directories for all user accounts.
Related identifiers
- CCE-4090-7 (http://cce.mitre.org)
References
Result for Ensure that Users Have Sensible Umask Values in /etc/bashrc
Result: notselected
Rule ID: rule-2.3.4.4.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
The default umask for all users for the bash shell should be set to:
Related identifiers
- CCE-3844-8 (http://cce.mitre.org)
Fix instructions
(1) via /etc/bashrc
References
Result for Ensure that Users Have Sensible Umask Values in /etc/csh.cshrc
Result: notselected
Rule ID: rule-2.3.4.4.b
Time: 2010-08-26 17:38
Severity: medium
Rule description
The default umask for all users for the csh shell should be set to:
Related identifiers
- CCE-4227-5 (http://cce.mitre.org)
Fix instructions
(1) via /etc/csh.cshrc
References
Result for Ensure that Users Have Sensible Umask Values in /etc/login.defs
Result: pass
Rule ID: rule-2.3.4.4.c
Time: 2010-08-26 17:38
Severity: medium
Rule description
The default umask for all users should be set to:
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via /etc/login.defs
References
Result for Ensure that Users Have Sensible Umask Values in /etc/profile
Result: notselected
Rule ID: rule-2.3.4.4.d
Time: 2010-08-26 17:38
Severity: medium
Rule description
The default umask for all users should be set to:
Related identifiers
- CCE-3870-3 (http://cce.mitre.org)
Fix instructions
(1) via /etc/profile
References
Result for Check for existence of .netrc file
Result: notselected
Rule ID: rule-2.3.4.5.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
No user directory should contain file .netrc
Related identifiers
- TBD (http://cce.mitre.org)
Fix script
rm .netrc
References
Result for Set Boot Loader user owner
Result: pass
Rule ID: rule-2.3.5.2.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
The /etc/grub.conf file should be owned by root.
Related identifiers
- CCE-4144-2 (http://cce.mitre.org)
Fix script
chown root /etc/grub.conf
References
Result for Set Boot Loader group owner
Result: pass
Rule ID: rule-2.3.5.2.b
Time: 2010-08-26 17:38
Severity: medium
Rule description
The /etc/grub.conf file should be owned by group root.
Related identifiers
- CCE-4197-0 (http://cce.mitre.org)
Fix script
chown :root /etc/grub.conf
References
Result for Set permission on /etc/grub.conf
Result: notselected
Rule ID: rule-2.3.5.2.c
Time: 2010-08-26 17:38
Severity: medium
Rule description
File permissions for /etc/grub.conf should be set correctly.
Related identifiers
- CCE-3923-0 (http://cce.mitre.org)
Fix script
chmod 600 /etc/grub.conf
References
Result for Set Boot Loader Password
Result: notselected
Rule ID: rule-2.3.5.2.d
Time: 2010-08-26 17:38
Severity: high
Rule description
The grub boot loader should have password protection enabled
Related identifiers
- CCE-3818-2 (http://cce.mitre.org)
Fix instructions
(1) via /etc/grub.conf
References
Result for Require Authentication for Single-User Mode
Result: notselected
Rule ID: rule-2.3.5.3.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
The requirement for a password to boot into single-user mode should be enabled.
Related identifiers
- CCE-4241-6 (http://cce.mitre.org)
Fix instructions
(1) via /etc/inittab
References
Result for Disable Interactive Boot
Result: notselected
Rule ID: rule-2.3.5.4.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
The ability for users to perform interactive startups should be disabled.
Related identifiers
- CCE-4245-7 (http://cce.mitre.org)
Fix instructions
(1) via /etc/sysconfig/init
References
Result for Implement Inactivity Time-out for Login Shells
Result: notselected
Rule ID: rule-2.3.5.5.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
The idle time-out value for the default /bin/tcsh shell should be:
Related identifiers
- CCE-3689-7 (http://cce.mitre.org)
Fix instructions
(1) via /etc/profile.d/autologout.csh
References
Result for Implement Inactivity Time-out for Login Shells
Result: notselected
Rule ID: rule-2.3.5.5.b
Time: 2010-08-26 17:38
Severity: medium
Rule description
The idle time-out value for the default /bin/bash shell should be:
Related identifiers
- CCE-3707-7 (http://cce.mitre.org)
Fix instructions
(1) via /etc/profile.d/tmout.sh
References
Result for Implement Inactivity Time-out for Login Shells
Result: notselected
Rule ID: rule-2.3.5.6.1.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
The idle time-out value after which the GNOME desktop locks due to inactivity should be 15 minutes
Related identifiers
- CCE-3315-9 (http://cce.mitre.org)
Fix instructions
(1) via gconftool-2
References
Result for Implement idle activation of screen saver
Result: notselected
Rule ID: rule-2.3.5.6.1.b
Time: 2010-08-26 17:38
Severity: medium
Rule description
Idle activation of the screen saver should be enabled
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via gconftool-2
References
Result for Implement idle activation of screen lock
Result: notselected
Rule ID: rule-2.3.5.6.1.c
Time: 2010-08-26 17:38
Severity: medium
Rule description
Idle activation of the screen lock should be enabled
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via gconftool-2
References
Result for Implement blank screen saver
Result: notselected
Rule ID: rule-2.3.5.6.1.d
Time: 2010-08-26 17:38
Severity: medium
Rule description
The screen saver should be blank
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via gconftool-2
References
Result for Configure console screen locking
Result: notselected
Rule ID: rule-2.3.5.6.2.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
The vlock package should be installed
Related identifiers
- CCE-3910-7 (http://cce.mitre.org)
Fix script
yum install vlock
References
Result for Modify the System Login Banner
Result: notselected
Rule ID: rule-2.3.7.1.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
The system login banner text should be:
Related identifiers
- CCE-4060-0 (http://cce.mitre.org)
Fix instructions
Take value of DOD_text and put it in /etc/issue
References
Result for Implement a GUI Warning Banner
Result: notselected
Rule ID: rule-2.3.7.2.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
The direct gnome login warning banner text should be:
Related identifiers
- CCE-4188-9 (http://cce.mitre.org)
Fix instructions
(1) via RHEL.xml
References
Result for Enable SELinux in /etc/grub.conf
Result: pass
Rule ID: rule-2.4.2.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
SELinux should NOT be disabled in /etc/grub.conf. Check that selinux=0 is not found.
Related identifiers
- CCE-3977-6 (http://cce.mitre.org)
Fix instructions
remove offending line from /etc/grub.conf
References
Result for Enable SELinux enforcement in /etc/grub.conf
Result: notselected
Rule ID: rule-2.4.2.b
Time: 2010-08-26 17:38
Severity: medium
Rule description
SELinux enforcement should NOT be disabled in /etc/grub.conf. Check that enforcing=0 is not found.
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
remove offending line from /etc/grub.conf
References
Result for Set the SELinux state
Result: fail
Rule ID: rule-2.4.2.c
Time: 2010-08-26 17:38
Severity: medium
Rule description
The SELinux state should be:
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via /etc/selinux/config
References
Result for Set the SELinux policy
Result: pass
Rule ID: rule-2.4.2.d
Time: 2010-08-26 17:38
Severity: medium
Rule description
The SELinux policy should be set appropriately.
Related identifiers
- CCE-3624-4 (http://cce.mitre.org)
Fix instructions
(1) via /etc/selinux/config
Result for Ensure SELinux is Properly Enabled
Result: notselected
Rule ID: rule-2.4.2.1.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Check output of /usr/sbin/sestatus
Related identifiers
- TBD (http://cce.mitre.org)
References
Result for Disable MCS Translation Service (mcstrans) if Possible
Result: notselected
Rule ID: rule-2.4.3.2.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The mcstrans service should be disabled.
Related identifiers
- CCE-3668-1 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
References
Result for Disable restorecon Service (restorecond)
Result: notselected
Rule ID: rule-2.4.3.3.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The restorecond service should be disabled.
Related identifiers
- CCE-4129-3 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
References
Result for Check for Unconfined Daemons
Result: notselected
Rule ID: rule-2.4.5.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Check for device files that are not labeled.
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
Result for Disable net.ipv4.conf.default.send_redirects for Hosts Only
Result: notselected
Rule ID: rule-2.5.1.1.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
The default setting for sending ICMP redirects should be disabled for network interfaces.
Related identifiers
- CCE-4151-7 (http://cce.mitre.org)
Fix instructions
(1) via sysctl - net.ipv4.conf.default.send_redirects
References
Result for Disable net.ipv4.conf.all.send_redirects for Hosts Only
Result: notselected
Rule ID: rule-2.5.1.1.b
Time: 2010-08-26 17:38
Severity: medium
Rule description
Sending ICMP redirects should be disabled for all interfaces.
Related identifiers
- CCE-4155-8 (http://cce.mitre.org)
Fix instructions
(1) via sysctl - net.ipv4.conf.all.send_redirects
References
Result for Disable net.ipv4.ip_forward for Hosts Only
Result: notselected
Rule ID: rule-2.5.1.1.c
Time: 2010-08-26 17:38
Severity: medium
Rule description
IP forwarding should be disabled.
Related identifiers
- CCE-3561-8 (http://cce.mitre.org)
Fix instructions
(1) via sysctl - net.ipv4.ip_forward
References
Result for Set net.ipv4.conf.all.accept_source_route for Hosts and Routers
Result: pass
Rule ID: rule-2.5.1.2.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Accepting source routed packets should be: for all interfaces as appropriate.
Related identifiers
- CCE-4236-6 (http://cce.mitre.org)
Fix instructions
(1) via sysctl - net.ipv4.conf.all.accept_source_route
References
Result for Set net.ipv4.conf.all.accept_redirects for Hosts and Routers
Result: pass
Rule ID: rule-2.5.1.2.b
Time: 2010-08-26 17:38
Severity: medium
Rule description
Accepting ICMP redirects should be: for all interfaces as appropriate.
Related identifiers
- CCE-4217-6 (http://cce.mitre.org)
Fix instructions
(1) via sysctl - net.ipv4.conf.all.accept_redirects
References
Result for Set net.ipv4.conf.all.secure_redirects for Hosts and Routers
Result: pass
Rule ID: rule-2.5.1.2.c
Time: 2010-08-26 17:38
Severity: medium
Rule description
Accepting "secure" ICMP redirects (those from gateways listed in the default gateways list) should be: for all interfaces as appropriate.
Related identifiers
- CCE-3472-8 (http://cce.mitre.org)
Fix instructions
(1) via sysctl - net.ipv4.conf.all.secure_redirects
Result for Set net.ipv4.conf.all.log_martians for Hosts and Routers
Result: notselected
Rule ID: rule-2.5.1.2.d
Time: 2010-08-26 17:38
Severity: medium
Rule description
Logging of "martian" packets (those with impossible addresses) should be: for all interfaces as appropriate.
Related identifiers
- CCE-4320-8 (http://cce.mitre.org)
Fix instructions
(1) via sysctl - net.ipv4.conf.all.log_martians
References
Result for Set net.ipv4.conf.default.accept_source_route for Hosts and Routers
Result: pass
Rule ID: rule-2.5.1.2.e
Time: 2010-08-26 17:38
Severity: medium
Rule description
The default setting for accepting source routed packets should be: for all interfaces as appropriate.
Related identifiers
- CCE-4091-5 (http://cce.mitre.org)
Fix instructions
(1) via sysctl - net.ipv4.conf.default.accept_source_route
References
Result for Set net.ipv4.conf.default.accept_redirects for Hosts and Routers
Result: notselected
Rule ID: rule-2.5.1.2.f
Time: 2010-08-26 17:38
Severity: medium
Rule description
The default setting for accepting ICMP redirects should be: for all interfaces as appropriate.
Related identifiers
- CCE-4186-3 (http://cce.mitre.org)
Fix instructions
(1) via sysctl - net.ipv4.conf.default.accept_redirects
References
Result for Set net.ipv4.conf.default.secure_redirects for Hosts and Routers
Result: pass
Rule ID: rule-2.5.1.2.g
Time: 2010-08-26 17:38
Severity: medium
Rule description
The default setting for accepting "secure" ICMP redirects (those from gateways listed in the default gateways list) should be: for all interfaces as appropriate.
Related identifiers
- CCE-3339-9 (http://cce.mitre.org)
Fix instructions
(1) via sysctl - net.ipv4.conf.default.secure_redirects
Result for Set net.ipv4.icmp_echo_ignore_broadcasts for Hosts and Routers
Result: pass
Rule ID: rule-2.5.1.2.h
Time: 2010-08-26 17:38
Severity: medium
Rule description
Ignoring ICMP echo requests (pings) sent to broadcast / multicast addresses should be: for all interfaces as appropriate.
Related identifiers
- CCE-3644-2 (http://cce.mitre.org)
Fix instructions
(1) via sysctl - net.ipv4.icmp_echo_ignore_broadcasts
References
Result for Set net.ipv4.icmp_ignore_bogus_error_messages for Hosts and Routers
Result: pass
Rule ID: rule-2.5.1.2.i
Time: 2010-08-26 17:38
Severity: medium
Rule description
Ignoring bogus ICMP responses to broadcasts should be: for all interfaces as appropriate.
Related identifiers
- CCE-4133-5 (http://cce.mitre.org)
Fix instructions
(1) via sysctl - net.ipv4.icmp_ignore_bogus_error_messages
Result for Set net.ipv4.tcp_syncookies for Hosts and Routers
Result: pass
Rule ID: rule-2.5.1.2.j
Time: 2010-08-26 17:38
Severity: medium
Rule description
Sending TCP syncookies should be: for all interfaces as appropriate.
Related identifiers
- CCE-4265-5 (http://cce.mitre.org)
Fix instructions
(1) via sysctl - net.ipv4.tcp_syncookies
References
Result for Set net.ipv4.conf.all.rp_filter for Hosts and Routers
Result: pass
Rule ID: rule-2.5.1.2.k
Time: 2010-08-26 17:38
Severity: medium
Rule description
Performing source validation by reverse path should be: for all interfaces as appropriate.
Related identifiers
- CCE-4080-8 (http://cce.mitre.org)
Fix instructions
(1) via sysctl - net.ipv4.conf.all.rp_filter
References
Result for Set net.ipv4.conf.default.rp_filter for Hosts and Routers
Result: pass
Rule ID: rule-2.5.1.2.l
Time: 2010-08-26 17:38
Severity: medium
Rule description
The default setting for performing source validation by reverse path should be: for all interfaces as appropriate.
Related identifiers
- CCE-3840-6 (http://cce.mitre.org)
Fix instructions
(1) via sysctl - net.ipv4.conf.default.rp_filter
Result for Disable Wireless in BIOS
Result: notselected
Rule ID: rule-2.5.2.2.1.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
All wireless devices should be disabled in the BIOS.
Related identifiers
- CCE-3628-5 (http://cce.mitre.org)
Fix instructions
(1) via BIOS menus
References
Result for Deactivate Wireless Interfaces
Result: notselected
Rule ID: rule-2.5.2.2.2.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
All wireless interfaces should be disabled.
Related identifiers
- CCE-4276-2 (http://cce.mitre.org)
Fix instructions
rm /etc/sysconfig/network-scripts/ifcfg-interface
References
Result for Disable Wireless Drivers
Result: notselected
Rule ID: rule-2.5.2.2.3.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Device drivers for wireless devices should be excluded from the kernel.
Related identifiers
- CCE-4170-7 (http://cce.mitre.org)
Fix instructions
(1) via modprobe
References
Result for Disable Automatic Loading of IPv6 Kernel Module
Result: notselected
Rule ID: rule-2.5.3.1.1.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Automatic loading of the IPv6 kernel module should be disabled.
Related identifiers
- CCE-3562-6 (http://cce.mitre.org)
Fix instructions
(1) via /etc/modprobe.conf
References
Result for Disable NETWORKING_IPV6 in /etc/sysconfig/network
Result: notselected
Rule ID: rule-2.5.3.1.2.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
The default setting for IPv6 configuration should be disabled
Related identifiers
- CCE-3381-1 (http://cce.mitre.org)
Fix instructions
(1) via /etc/sysconfig/network
References
Result for Disable IPV6INIT in /etc/sysconfig/network
Result: notselected
Rule ID: rule-2.5.3.1.2.b
Time: 2010-08-26 17:38
Severity: medium
Rule description
Global IPv6 initialization should be disabled
Related identifiers
- CCE-3377-9 (http://cce.mitre.org)
Fix instructions
(1) via /etc/sysconfig/network
References
Result for Disable IPV6INIT in /etc/sysconfig/network-scripts/ifcfg-*
Result: notselected
Rule ID: rule-2.5.3.1.2.c
Time: 2010-08-26 17:38
Severity: medium
Rule description
IPv6 configuration should be disabled for all interfaces.
Related identifiers
- CCE-4296-0 (http://cce.mitre.org)
Fix instructions
(1) via /etc/sysconfig/network-scripts/ifcfg-*
References
Result for Disable IPV6_AUTOCONF in /etc/sysconfig/network
Result: notselected
Rule ID: rule-2.5.3.2.1.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Accepting IPv6 router advertisements should be disabled for all interfaces.
Related identifiers
- CCE-4269-7 (http://cce.mitre.org)
Fix instructions
(1) via /etc/sysconfig/network
Result for Disable accepting IPv6 router advertisements (net.ipv6.conf.default.accept_ra)
Result: notselected
Rule ID: rule-2.5.3.2.1.b
Time: 2010-08-26 17:38
Severity: medium
Rule description
The default setting for accepting IPv6 router advertisements should be: for all interfaces.
Related identifiers
- CCE-4291-1 (http://cce.mitre.org)
Fix instructions
(1) via sysctl (2) via IPV6_AUTOCONF in /etc/sysconfig/network
Result for Disable accepting redirects from IPv6 routers (net.ipv6.conf.default.accept_redirects)
Result: notselected
Rule ID: rule-2.5.3.2.1.c
Time: 2010-08-26 17:38
Severity: medium
Rule description
Accepting redirects from IPv6 routers should be: for all interfaces.
Related identifiers
- CCE-4313-3 (http://cce.mitre.org)
Fix instructions
(1) via sysctl (2) via IPV6_AUTOCONF in /etc/sysconfig/network
References
Result for Disable accepting redirects from IPv6 routers (net.ipv6.conf.all.accept_redirects)
Result: notselected
Rule ID: rule-2.5.3.2.1.d
Time: 2010-08-26 17:38
Severity: medium
Rule description
The default setting for accepting redirects from IPv6 routers should be: for all interfaces.
Related identifiers
- CCE-4198-8 (http://cce.mitre.org)
Fix instructions
(1) via sysctl (2) via IPV6_AUTOCONF in /etc/sysconfig/network
References
Result for Use Privacy Extensions for Address if Necessary
Result: notselected
Rule ID: rule-2.5.3.2.3.a
Time: 2010-08-26 17:38
Rule description
IPv6 privacy extensions should be: for all interfaces.
Related identifiers
- CCE-3842-2 (http://cce.mitre.org)
Fix instructions
(1) via IPV6_PRIVACY in /etc/sysconfig/network-scripts/ifcfg-<interface>
Result for Limit Network-Transmitted Configuration via net.ipv6.conf.default.router_solicitations
Result: notselected
Rule ID: rule-2.5.3.2.5.a
Time: 2010-08-26 17:38
Rule description
The default number of IPv6 router solicitations for network interfaces to send should be:
Related identifiers
- CCE-4159-0 (http://cce.mitre.org)
Fix instructions
(1) via sysctl - net.ipv6.conf.default.router_solicitations
Result for Limit Network-Transmitted Configuration via net.ipv6.conf.default.accept_ra_rtr_pref
Result: notselected
Rule ID: rule-2.5.3.2.5.b
Time: 2010-08-26 17:38
Rule description
The default setting for accepting router preference via IPv6 router advertisement should be: for interfaces.
Related identifiers
- CCE-4221-8 (http://cce.mitre.org)
Fix instructions
(1) via sysctl - net.ipv6.conf.default.accept_ra_rtr_pref
Result for Limit Network-Transmitted Configuration via net.ipv6.conf.default.accept_ra_pinfo
Result: notselected
Rule ID: rule-2.5.3.2.5.c
Time: 2010-08-26 17:38
Rule description
The default setting for accepting prefix information via IPv6 router advertisement should be: for interfaces.
Related identifiers
- CCE-4058-4 (http://cce.mitre.org)
Fix instructions
(1) via sysctl - net.ipv6.conf.default.accept_ra_pinfo
Result for Limit Network-Transmitted Configuration via net.ipv6.conf.default.accept_ra_defrtr
Result: notselected
Rule ID: rule-2.5.3.2.5.d
Time: 2010-08-26 17:38
Rule description
The default setting for accepting a default router via IPv6 router advertisement should be: for interfaces.
Related identifiers
- CCE-4128-5 (http://cce.mitre.org)
Fix instructions
(1) via sysctl - net.ipv6.conf.default.accept_ra_defrtr
Result for Limit Network-Transmitted Configuration via net.ipv6.conf.default.autoconf
Result: notselected
Rule ID: rule-2.5.3.2.5.e
Time: 2010-08-26 17:38
Rule description
The default setting for autoconfiguring network interfaces using prefix information in IPv6 router advertisements should be: .
Related identifiers
- CCE-4287-9 (http://cce.mitre.org)
Fix instructions
(1) via sysctl - net.ipv6.conf.default.autoconf
Result for Limit Network-Transmitted Configuration via net.ipv6.conf.default.dad_transmits
Result: notselected
Rule ID: rule-2.5.3.2.5.f
Time: 2010-08-26 17:38
Rule description
The default number of IPv6 duplicate address detection solicitations for network interfaces to send per configured address should be: .
Related identifiers
- CCE-3895-0 (http://cce.mitre.org)
Fix instructions
(1) via sysctl - net.ipv6.conf.default.dad_transmits
Result for Limit Network-Transmitted Configuration via net.ipv6.conf.default.max_addresses
Result: notselected
Rule ID: rule-2.5.3.2.5.g
Time: 2010-08-26 17:38
Rule description
The default number of global unicast IPv6 addresses allowed per network interface should be: .
Related identifiers
- CCE-4137-6 (http://cce.mitre.org)
Fix instructions
(1) via sysctl - net.ipv6.conf.default.max_addresses
Result for Verify ip6tables is enabled
Result: pass
Rule ID: rule-2.5.5.1.a
Time: 2010-08-26 17:38
Severity: high
Rule description
The ip6tables service should be enabled.
Related identifiers
- CCE-4167-3 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
References
Result for Verify iptables is enabled
Result: pass
Rule ID: rule-2.5.5.1.b
Time: 2010-08-26 17:38
Severity: high
Rule description
The iptables service should be enabled.
Related identifiers
- CCE-4189-7 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
References
Result for Change the default policy to DROP (from ACCEPT) for the INPUT built-in chain
Result: notselected
Rule ID: rule-2.5.5.3.1.a
Time: 2010-08-26 17:38
Severity: high
Rule description
Change the default policy to DROP (from ACCEPT) for the INPUT built-in chain.
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
References
Result for Change the default policy to DROP (from ACCEPT) for the FORWARD built-in chain
Result: notselected
Rule ID: rule-2.5.5.3.1.b
Time: 2010-08-26 17:38
Severity: high
Rule description
Change the default policy to DROP (from ACCEPT) for the FORWARD built-in chain.
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
References
Result for Disable Support for DCCP
Result: notselected
Rule ID: rule-2.5.7.1.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Support for DCCP should be disabled.
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via /etc/modprobe.conf
Result for Disable Support for SCTP
Result: notselected
Rule ID: rule-2.5.7.2.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Support for SCTP should be disabled.
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via /etc/modprobe.conf
Result for Disable Support for RDS
Result: notselected
Rule ID: rule-2.5.7.3.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Support for RDS should be disabled.
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via /etc/modprobe.conf
Result for Disable Support for TIPC
Result: notselected
Rule ID: rule-2.5.7.4.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Support for TIPC should be disabled.
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via /etc/modprobe.conf
Result for Configure Syslog
Result: pass
Rule ID: rule-2.6.1.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
The syslog service should be enabled.
Related identifiers
- CCE-3679-8 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
Result for Confirm user that owns System Log Files
Result: pass
Rule ID: rule-2.6.1.2.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
All syslog log files should be owned by root.
Related identifiers
- CCE-4366-1 (http://cce.mitre.org)
Fix instructions
(1) via chown
References
Result for Confirm group that owns System Log Files
Result: pass
Rule ID: rule-2.6.1.2.b
Time: 2010-08-26 17:38
Severity: medium
Rule description
All syslog log files should be group owned by root.
Related identifiers
- CCE-3701-0 (http://cce.mitre.org)
Fix instructions
(1) via chown
References
Result for Confirm Permissions of System Log Files
Result: pass
Rule ID: rule-2.6.1.2.c
Time: 2010-08-26 17:38
Severity: medium
Rule description
File permissions for all syslog log files should be set correctly.
Related identifiers
- CCE-4233-3 (http://cce.mitre.org)
Fix instructions
(1) via chmod
References
Result for Send Logs to a Remote Loghost
Result: notselected
Rule ID: rule-2.6.1.3.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Syslog logs should be sent to a remote loghost
Related identifiers
- CCE-4260-6 (http://cce.mitre.org)
Fix instructions
(1) via /etc/syslog.conf
References
Result for Disable syslogd from Accepting Remote Messages on Loghosts Only
Result: notselected
Rule ID: rule-2.6.1.4.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Syslogd should reject remote messages
Related identifiers
- CCE-3382-9 (http://cce.mitre.org)
Fix instructions
(1) via /etc/sysconfig/syslog
References
Result for Ensure All Logs are Rotated by logrotate
Result: notselected
Rule ID: rule-2.6.1.5.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
The logrotate (syslog rotator) service should be enabled.
Related identifiers
- CCE-4182-2 (http://cce.mitre.org)
Fix instructions
(1) via cron
References
Result for Monitor Suspicious Log Messages using Logwatch
Result: notselected
Rule ID: rule-2.6.1.6.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
The logwatch service should be enabled
Related identifiers
- CCE-4323-2 (http://cce.mitre.org)
Fix instructions
(1) via cron
References
Result for Enable the auditd Service
Result: pass
Rule ID: rule-2.6.2.1.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
The auditd service should be enabled.
Related identifiers
- CCE-4292-9 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
References
Result for Enable Auditing for Processes Which Start Prior to the Audit Daemon
Result: notselected
Rule ID: rule-2.6.2.3.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
To ensure that all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to the kernel line in /etc/grub.conf, in the manner below:
kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via /etc/grub.conf add audit=1 to kernel line
References
Result for Records Events that Modify Date and Time Information
Result: notselected
Rule ID: rule-2.6.2.4.1.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Audit rules about time
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via /etc/audit/audit.rules
Result for Record Events that Modify User/Group Information
Result: notselected
Rule ID: rule-2.6.2.4.2.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Audit rules about User/Group Information
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via /etc/audit/audit.rules
Fix script
cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules
Result for Record Events that Modify the System’s Network Environment
Result: notselected
Rule ID: rule-2.6.2.4.3.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Audit rules about the System’s Network Environment
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via /etc/audit/audit.rules
Fix script
cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules
Result for Record Events that Modify the System’s Mandatory Access Controls
Result: notselected
Rule ID: rule-2.6.2.4.4.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Audit rules about the System’s Mandatory Access Controls
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via /etc/audit/audit.rules
Fix script
cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules
References
Result for Ensure auditd Collects Logon and Logout Events
Result: notselected
Rule ID: rule-2.6.2.4.5.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Audit rules about the Logon and Logout Events
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via /etc/audit/audit.rules
References
Result for Ensure auditd Collects Process and Session Initiation Information
Result: notselected
Rule ID: rule-2.6.2.4.6.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Audit rules about the Process and Session Initiation Information
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via /etc/audit/audit.rules
References
Result for Ensure auditd Collects Discretionary Access Control Permission Modification Events
Result: notselected
Rule ID: rule-2.6.2.4.7.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Audit rules about the Discretionary Access Control Permission Modification Events
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via /etc/audit/audit.rules
Fix script
cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules
References
Result for Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)
Result: notselected
Rule ID: rule-2.6.2.4.8.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Audit rules about the Unauthorized Access Attempts to Files (unsuccessful)
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via /etc/audit/audit.rules
Fix script
cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules
References
Result for Ensure auditd Collects Information on the Use of Privileged Commands
Result: notselected
Rule ID: rule-2.6.2.4.9.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Audit rules about the Information on the Use of Privileged Commands
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via /etc/audit/audit.rules
Fix script
cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules
References
Result for Ensure auditd Collects Information on Exporting to Media (successful)
Result: notselected
Rule ID: rule-2.6.2.4.10.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Audit rules about the Information on Exporting to Media (successful)
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via /etc/audit/audit.rules
Fix script
cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules
References
Result for Ensure auditd Collects Files Deletion Events by User (successful and unsuccessful)
Result: notselected
Rule ID: rule-2.6.2.4.11.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Audit rules about the Files Deletion Events by User (successful and unsuccessful)
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via /etc/audit/audit.rules
Fix script
cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules
References
Result for Ensure auditd Collects System Administrator Actions
Result: notselected
Rule ID: rule-2.6.2.4.12.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Audit rules about the System Administrator Actions
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via /etc/audit/audit.rules
Fix script
cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules
References
Result for Ensure auditd Collects Information on Kernel Module Loading and Unloading
Result: notselected
Rule ID: rule-2.6.2.4.13.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Audit rules about the Information on Kernel Module Loading and Unloading
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via /etc/audit/audit.rules
Result for Make the auditd Configuration Immutable
Result: notselected
Rule ID: rule-2.6.2.4.14.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Force a reboot to change audit rules
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via /etc/audit/audit.rules
Fix script
cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules
Result for Disable Inetd
Result: notselected
Rule ID: rule-3.2.1.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
The inetd service should be disabled.
Related identifiers
- CCE-4234-1 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
References
Result for Disable Xinetd
Result: notselected
Rule ID: rule-3.2.1.b
Time: 2010-08-26 17:38
Severity: medium
Rule description
The xinetd service should be disabled.
Related identifiers
- CCE-4252-3 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
References
Result for Uninstall Inetd
Result: notselected
Rule ID: rule-3.2.1.c
Time: 2010-08-26 17:38
Rule description
The inetd package should be uninstalled.
Related identifiers
- CCE-4023-8 (http://cce.mitre.org)
Fix instructions
(1) via yum
Fix script
# yum erase inetd
Result for Uninstall Xinetd
Result: notselected
Rule ID: rule-3.2.1.d
Time: 2010-08-26 17:38
Rule description
The xinetd package should be uninstalled.
Related identifiers
- CCE-4164-0 (http://cce.mitre.org)
Fix instructions
(1) via yum
Fix script
# yum erase xinetd
Result for Uninstall Telnet server
Result: notselected
Rule ID: rule-3.2.2.a
Time: 2010-08-26 17:38
Severity: high
Rule description
The telnet-server package should be uninstalled.
Related identifiers
- CCE-4330-7 (http://cce.mitre.org)
Fix instructions
(1) via yum
Fix script
# yum erase telnet-server
References
Result for Disable telnet service
Result: notselected
Rule ID: rule-3.2.2.b
Time: 2010-08-26 17:38
Severity: high
Rule description
The telnet service should be disabled.
Related identifiers
- CCE-3390-2 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
References
Result for Remove the telnet client command from the System
Result: notselected
Rule ID: rule-3.2.2.1.a
Time: 2010-08-26 17:38
Severity: high
Rule description
The telnet package should be uninstalled.
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via yum
Fix script
# yum erase telnet
References
Result for Remove the kerberos telnet client from the System
Result: notselected
Rule ID: rule-3.2.2.1.b
Time: 2010-08-26 17:38
Rule description
The krb5-workstation package should be uninstalled.
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via yum
Fix script
# yum erase krb5-workstation
Result for Remove the Rsh Server Commands from the System
Result: notselected
Rule ID: rule-3.2.3.1.a
Time: 2010-08-26 17:38
Severity: high
Rule description
The rsh-server package should be uninstalled.
Related identifiers
- CCE-4308-3 (http://cce.mitre.org)
Fix instructions
(1) via yum
Fix script
# yum erase rsh-server
References
Result for disable rcp
Result: notselected
Rule ID: rule-3.2.3.1.b
Time: 2010-08-26 17:38
Severity: high
Rule description
The rcp service should be disabled.
Related identifiers
- CCE-3974-3 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
Fix script
# chkconfig rcp off
Result for disable rsh
Result: notselected
Rule ID: rule-3.2.3.1.c
Time: 2010-08-26 17:38
Severity: high
Rule description
The rsh service should be disabled.
Related identifiers
- CCE-4141-8 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
Fix script
# chkconfig rsh off
References
Result for disable rlogin
Result: notselected
Rule ID: rule-3.2.3.1.d
Time: 2010-08-26 17:38
Severity: high
Rule description
The rlogin service should be disabled.
Related identifiers
- CCE-3537-8 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
Fix script
# chkconfig rlogin off
References
Result for Remove .rhosts Support from PAM Configuration Files
Result: notselected
Rule ID: rule-3.2.3.2.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Check that pam_rhosts authentication is not used by any PAM services.
Related identifiers
- TBD (http://cce.mitre.org)
References
Result for Remove the Rsh Client Commands from the System
Result: notselected
Rule ID: rule-3.2.3.3.a
Time: 2010-08-26 17:38
Severity: high
Rule description
The rsh package, which contains client programs for many of the r-commands, should be uninstalled.
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via yum
Fix script
# yum erase rsh
Result for Uninstall NIS
Result: notselected
Rule ID: rule-3.2.4.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
The ypserv package should be uninstalled.
Related identifiers
- CCE-4348-9 (http://cce.mitre.org)
Fix instructions
(1) via yum
Fix script
# yum erase ypserv
References
Result for Disable NIS
Result: notselected
Rule ID: rule-3.2.4.b
Time: 2010-08-26 17:38
Severity: medium
Rule description
The ypbind service should be disabled.
Related identifiers
- CCE-3705-1 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
Fix script
# chkconfig ypbind off
References
Result for Uninstall TFTP Server
Result: notselected
Rule ID: rule-3.2.5.a
Time: 2010-08-26 17:38
Rule description
The tftp-server package should be uninstalled.
Related identifiers
- CCE-3916-4 (http://cce.mitre.org)
Fix instructions
(1) via yum
Fix script
# yum erase tftp-server
Result for Disable TFTP Server
Result: notselected
Rule ID: rule-3.2.5.b
Time: 2010-08-26 17:38
Severity: low
Rule description
The tftp service should be disabled.
Related identifiers
- CCE-4273-9 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
Fix script
# chkconfig tftp off
References
Result for Installation Helper Service (firstboot)
Result: notselected
Rule ID: rule-3.3.1.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The firstboot service should be disabled.
Related identifiers
- CCE-3412-4 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
Fix script
# chkconfig firstboot off
References
Result for Console Mouse Service (gpm)
Result: notselected
Rule ID: rule-3.3.2.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The gpm service should be disabled.
Related identifiers
- CCE-4229-1 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
Fix script
# chkconfig gpm off
References
Result for Interrupt Distribution on Multiprocessor Systems (irqbalance)
Result: notselected
Rule ID: rule-3.3.3.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The irqbalance service should be disabled.
Related identifiers
- CCE-4123-6 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
Fix script
# chkconfig irqbalance off
References
Result for ISDN Support (isdn)
Result: notselected
Rule ID: rule-3.3.4.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The isdn service should be disabled.
Related identifiers
- CCE-4286-1 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
Fix script
# chkconfig isdn off
References
Result for Kdump Kernel Crash Analyzer (kdump)
Result: notselected
Rule ID: rule-3.3.5.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The kdump service should be disabled.
Related identifiers
- CCE-3425-6 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
Fix script
# chkconfig kdump off
References
Result for Kudzu Hardware Probing Utility (kudzu)
Result: notselected
Rule ID: rule-3.3.6.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The kudzu service should be disabled.
Related identifiers
- CCE-4211-9 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
Fix script
# chkconfig kudzu off
References
Result for Software RAID Monitor (mdmonitor)
Result: notselected
Rule ID: rule-3.3.7.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The mdmonitor service should be disabled.
Related identifiers
- CCE-3854-7 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
Fix script
# chkconfig mdmonitor off
References
Result for IA32 Microcode Utility (microcode_ctl)
Result: notselected
Rule ID: rule-3.3.8.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The microcode_ctl service should be disabled.
Related identifiers
- CCE-4356-2 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
Fix script
# chkconfig microcode_ctl off
References
Result for Disable All Networking if Not Needed
Result: notselected
Rule ID: rule-3.3.9.1.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The network service should be disabled.
Related identifiers
- CCE-4369-5 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
Fix script
# chkconfig network off
References
Result for Disable All External Network Interfaces if Not Needed
Result: notselected
Rule ID: rule-3.3.9.2.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
All files of the form ifcfg-interface except for ifcfg-lo in /etc/sysconfig/network-scripts should be removed.
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via /etc/sysconfig/network-scripts
Fix script
# rm /etc/sysconfig/network-scripts/ifcfg-interface
Result for Disable Zeroconf Networking
Result: notselected
Rule ID: rule-3.3.9.3.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Disable Zeroconf automatic route assignment in the 169.254.0.0 subnet.
Related identifiers
- CCE-4369-5 (http://cce.mitre.org)
Fix instructions
(1) via /etc/sysconfig/network
Result for Smart Card Support (pcscd)
Result: notselected
Rule ID: rule-3.3.10.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The pcscd service should be disabled.
Related identifiers
- CCE-4100-4 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
Fix script
# chkconfig pcscd off
References
Result for SMART Disk Monitoring Support (smartd)
Result: notselected
Rule ID: rule-3.3.11.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The smartd service should be disabled.
Related identifiers
- CCE-3455-3 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
Fix script
# chkconfig smartd off
References
Result for Boot Caching (readahead_early/readahead_later)
Result: notselected
Rule ID: rule-3.3.12.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The readahead_early service should be disabled.
Related identifiers
- CCE-4421-4 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
Fix script
# chkconfig readahead_early off
References
Result for Boot Caching (readahead_early/readahead_later)
Result: notselected
Rule ID: rule-3.3.12.b
Time: 2010-08-26 17:38
Severity: low
Rule description
The readahead_later service should be disabled.
Related identifiers
- CCE-4302-6 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
Fix script
# chkconfig readahead_later off
References
Result for D-Bus IPC Service (messagebus)
Result: notselected
Rule ID: rule-3.3.13.1.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The messagebus service should be disabled.
Related identifiers
- CCE-3822-4 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
Fix script
# chkconfig messagebus off
References
Result for HAL Daemon (haldaemon)
Result: notselected
Rule ID: rule-3.3.13.2.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The haldaemon service should be disabled.
Related identifiers
- CCE-4364-6 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
Fix script
# chkconfig haldaemon off
References
Result for Bluetooth Host Controller Interface Daemon (bluetooth)
Result: notselected
Rule ID: rule-3.3.14.1.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
The bluetooth service should be disabled.
Related identifiers
- CCE-4355-4 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
Fix script
# chkconfig bluetooth off
References
Result for Bluetooth Input Devices (hidd)
Result: notselected
Rule ID: rule-3.3.14.2.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The hidd service should be disabled.
Related identifiers
- CCE-4377-8 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
Fix script
# chkconfig hidd off
References
Result for Disable Bluetooth Kernel Modules
Result: notselected
Rule ID: rule-3.3.14.3.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Prevent loading of the Bluetooth module.
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via /etc/modprobe.conf
References
Result for Advanced Power Management Subsystem (apmd)
Result: notselected
Rule ID: rule-3.3.15.1.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The apmd service should be disabled.
Related identifiers
- CCE-4289-5 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
Fix script
# chkconfig apmd off
References
Result for Advanced Configuration and Power Interface (acpid)
Result: notselected
Rule ID: rule-3.3.15.2.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The acpid service should be disabled.
Related identifiers
- CCE-4298-6 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
References
Result for CPU Throttling (cpuspeed)
Result: notselected
Rule ID: rule-3.3.15.3.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The cpuspeed service should be disabled.
Related identifiers
- CCE-4051-9 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
References
Result for Enable cron Daemon
Result: notselected
Rule ID: rule-3.4.a
Time: 2010-08-26 17:38
Severity: high
Rule description
The crond service should be enabled.
Related identifiers
- CCE-4324-0 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
Result for Disable anacron if Possible
Result: notselected
Rule ID: rule-3.4.1.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The anacron service should be disabled.
Related identifiers
- CCE-4406-5 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
References
Result for Uninstall anacron if Possible
Result: notselected
Rule ID: rule-3.4.1.b
Time: 2010-08-26 17:38
Rule description
The anacron package should be uninstalled.
Related identifiers
- CCE-4428-9 (http://cce.mitre.org)
Fix instructions
(1) via yum
Fix script
# yum erase anacron
Result for Set group owner on /etc/crontab
Result: pass
Rule ID: rule-3.4.2.1.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
The /etc/crontab file should be owned by the appropriate group.
Related identifiers
- CCE-3626-9 (http://cce.mitre.org)
Fix instructions
(1) via chown
References
Result for Set user owner on /etc/crontab
Result: pass
Rule ID: rule-3.4.2.1.b
Time: 2010-08-26 17:38
Severity: medium
Rule description
The /etc/crontab file should be owned by the appropriate user.
Related identifiers
- CCE-3851-3 (http://cce.mitre.org)
Fix instructions
(1) via chown
References
Result for Set Permissions on /etc/crontab
Result: pass
Rule ID: rule-3.4.2.1.c
Time: 2010-08-26 17:38
Severity: medium
Rule description
File permissions for /etc/crontab should be set correctly.
Related identifiers
- CCE-4388-5 (http://cce.mitre.org)
Fix instructions
(1) via chmod
References
Result for Set group owner on /etc/anacrontab
Result: pass
Rule ID: rule-3.4.2.2.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
The /etc/anacrontab file should be owned by the appropriate group.
Related identifiers
- CCE-3604-6 (http://cce.mitre.org)
Fix instructions
(1) via chown
Result for Set user owner on /etc/anacrontab
Result: pass
Rule ID: rule-3.4.2.2.b
Time: 2010-08-26 17:38
Severity: medium
Rule description
The /etc/anacrontab file should be owned by the appropriate user.
Related identifiers
- CCE-4379-4 (http://cce.mitre.org)
Fix instructions
(1) via chown
Result for Set Permissions on /etc/anacrontab
Result: pass
Rule ID: rule-3.4.2.2.c
Time: 2010-08-26 17:38
Severity: medium
Rule description
File permissions for /etc/anacrontab should be set correctly.
Related identifiers
- CCE-4304-2 (http://cce.mitre.org)
Fix instructions
(1) via chmod
Result for Set group owner on /etc/cron.hourly
Result: pass
Rule ID: rule-3.4.2.3.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
The /etc/cron.hourly file should be owned by the appropriate group.
Related identifiers
- CCE-4054-3 (http://cce.mitre.org)
Fix instructions
(1) via chown
References
Result for Set group owner on /etc/cron.daily
Result: pass
Rule ID: rule-3.4.2.3.b
Time: 2010-08-26 17:38
Severity: medium
Rule description
The /etc/cron.daily file should be owned by the appropriate group.
Related identifiers
- CCE-3481-9 (http://cce.mitre.org)
Fix instructions
(1) via chown
References
Result for Set group owner on /etc/cron.weekly
Result: pass
Rule ID: rule-3.4.2.3.c
Time: 2010-08-26 17:38
Severity: medium
Rule description
The /etc/cron.weekly file should be owned by the appropriate group.
Related identifiers
- CCE-4331-5 (http://cce.mitre.org)
Fix instructions
(1) via chown
References
Result for Set group owner on /etc/cron.monthly
Result: pass
Rule ID: rule-3.4.2.3.d
Time: 2010-08-26 17:38
Severity: medium
Rule description
The /etc/cron.monthly file should be owned by the appropriate group.
Related identifiers
- CCE-4322-4 (http://cce.mitre.org)
Fix instructions
(1) via chown
References
Result for Set group owner on /etc/cron.d
Result: pass
Rule ID: rule-3.4.2.3.e
Time: 2010-08-26 17:38
Severity: medium
Rule description
The /etc/cron.d file should be owned by the appropriate group.
Related identifiers
- CCE-4212-7 (http://cce.mitre.org)
Fix instructions
(1) via chown
References
Result for Set user owner on /etc/cron.hourly
Result: pass
Rule ID: rule-3.4.2.3.f
Time: 2010-08-26 17:38
Severity: medium
Rule description
The /etc/cron.hourly file should be owned by the appropriate user.
Related identifiers
- CCE-3983-4 (http://cce.mitre.org)
Fix instructions
(1) via chown
References
Result for Set user owner on /etc/cron.daily
Result: pass
Rule ID: rule-3.4.2.3.g
Time: 2010-08-26 17:38
Severity: medium
Rule description
The /etc/cron.daily file should be owned by the appropriate user.
Related identifiers
- CCE-4022-0 (http://cce.mitre.org)
Fix instructions
(1) via chown
References
Result for Set user owner on /etc/cron.weekly
Result: pass
Rule ID: rule-3.4.2.3.h
Time: 2010-08-26 17:38
Severity: medium
Rule description
The /etc/cron.weekly file should be owned by the appropriate user.
Related identifiers
- CCE-3833-1 (http://cce.mitre.org)
Fix instructions
(1) via chown
References
Result for Set user owner on /etc/cron.monthly
Result: pass
Rule ID: rule-3.4.2.3.i
Time: 2010-08-26 17:38
Severity: medium
Rule description
The /etc/cron.monthly file should be owned by the appropriate user.
Related identifiers
- CCE-4441-2 (http://cce.mitre.org)
Fix instructions
(1) via chown
References
Result for Set user owner on /etc/cron.d
Result: pass
Rule ID: rule-3.4.2.3.j
Time: 2010-08-26 17:38
Severity: medium
Rule description
The /etc/cron.d file should be owned by the appropriate user.
Related identifiers
- CCE-4380-2 (http://cce.mitre.org)
Fix instructions
(1) via chown
References
Result for Set permissions on /etc/cron.hourly
Result: pass
Rule ID: rule-3.4.2.3.k
Time: 2010-08-26 17:38
Severity: medium
Rule description
File permissions for /etc/cron.hourly should be set correctly.
Related identifiers
- CCE-4106-1 (http://cce.mitre.org)
Fix instructions
(1) via chmod
Result for Set permissions on /etc/cron.daily
Result: pass
Rule ID: rule-3.4.2.3.l
Time: 2010-08-26 17:38
Severity: medium
Rule description
File permissions for /etc/cron.daily should be set correctly.
Related identifiers
- CCE-4450-3 (http://cce.mitre.org)
Fix instructions
(1) via chmod
References
Result for Set permissions on /etc/cron.weekly
Result: pass
Rule ID: rule-3.4.2.3.m
Time: 2010-08-26 17:38
Severity: medium
Rule description
File permissions for /etc/cron.weekly should be set correctly.
Related identifiers
- CCE-4203-6 (http://cce.mitre.org)
Fix instructions
(1) via chmod
Result for Set permissions on /etc/cron.monthly
Result: pass
Rule ID: rule-3.4.2.3.n
Time: 2010-08-26 17:38
Severity: medium
Rule description
File permissions for /etc/cron.monthly should be set correctly.
Related identifiers
- CCE-4251-5 (http://cce.mitre.org)
Fix instructions
(1) via chmod
Result for Set permissions on /etc/cron.d
Result: pass
Rule ID: rule-3.4.2.3.o
Time: 2010-08-26 17:38
Severity: medium
Rule description
File permissions for /etc/cron.d should be set correctly.
Related identifiers
- CCE-4250-7 (http://cce.mitre.org)
Fix instructions
(1) via chmod
Result for Restrict group owner on /var/spool/cron directory
Result: pass
Rule ID: rule-3.4.2.4.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
The /var/spool/cron directory should be owned by the appropriate group.
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via chown
References
Result for Restrict user owner on /var/spool/cron directory
Result: pass
Rule ID: rule-3.4.2.4.b
Time: 2010-08-26 17:38
Severity: medium
Rule description
The /var/spool/cron directory should be owned by the appropriate user.
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via chown
References
Result for Restrict Permissions on /var/spool/cron directory
Result: pass
Rule ID: rule-3.4.2.4.c
Time: 2010-08-26 17:38
Severity: medium
Rule description
Directory permissions for /var/spool/cron should be set correctly.
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via chmod
Result for Disable at Daemon
Result: notselected
Rule ID: rule-3.4.3.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The atd service should be disabled.
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
References
Result for Uninstall at Daemon
Result: notselected
Rule ID: rule-3.4.3.b
Time: 2010-08-26 17:38
Rule description
The at package should be removed.
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via yum
Result for Remove /etc/cron.deny
Result: notselected
Rule ID: rule-3.4.4.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
/etc/cron.deny file should not exist.
Related identifiers
- TBD (http://cce.mitre.org)
Fix script
# rm /etc/cron.deny
Result for Remove /etc/at.deny
Result: notselected
Rule ID: rule-3.4.4.b
Time: 2010-08-26 17:38
Severity: medium
Rule description
/etc/at.deny file should not exist.
Related identifiers
- TBD (http://cce.mitre.org)
Fix script
# rm /etc/at.deny
References
Result for Disable OpenSSH Software
Result: notselected
Rule ID: rule-3.5.1.1.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The sshd service should be disabled.
Related identifiers
- CCE-4268-9 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
Fix script
# chkconfig sshd off
References
Result for Remove OpenSSH Software
Result: notselected
Rule ID: rule-3.5.1.1.b
Time: 2010-08-26 17:38
Rule description
SSH should be uninstalled.
Related identifiers
- CCE-4272-1 (http://cce.mitre.org)
Fix instructions
(1) via yum
Fix script
# yum erase openssh-server
Result for Remove SSH Server iptables Firewall Exception
Result: notselected
Rule ID: rule-3.5.1.2.a
Time: 2010-08-26 17:38
Severity: high
Rule description
Inbound connections to the ssh port should be denied.
Related identifiers
- CCE-4295-2 (http://cce.mitre.org)
Fix instructions
(1) via /etc/sysconfig/iptables
Result for Remove SSH Server ip6tables Firewall Exception
Result: notselected
Rule ID: rule-3.5.1.2.b
Time: 2010-08-26 17:38
Severity: high
Rule description
Inbound connections to the ssh port should be denied.
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via /etc/sysconfig/ip6tables
Result for Ensure Only Protocol 2 Connections Allowed
Result: notselected
Rule ID: rule-3.5.2.1.a
Time: 2010-08-26 17:38
Severity: high
Rule description
SSH version 1 protocol support should be disabled.
Related identifiers
- CCE-4325-7 (http://cce.mitre.org)
Fix instructions
(1) via /etc/ssh/sshd_config
References
Result for Set Idle Timeout Interval for User Logins
Result: notselected
Rule ID: rule-3.5.2.3.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
The SSH idle timeout interval should be set to an appropriate value.
Related identifiers
- CCE-3845-5 (http://cce.mitre.org)
Fix instructions
(1) via /etc/ssh/sshd_config
References
Result for Set ClientAliveCountMax for User Logins
Result: notselected
Rule ID: rule-3.5.2.3.b
Time: 2010-08-26 17:38
Rule description
The ClientAliveCountMax should be set to an appropriate value.
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via /etc/ssh/sshd_config
Result for Disable .rhosts Files
Result: notselected
Rule ID: rule-3.5.2.4.a
Time: 2010-08-26 17:38
Severity: high
Rule description
Emulation of the rsh command through the ssh server should be disabled.
Related identifiers
- CCE-4475-0 (http://cce.mitre.org)
Fix instructions
(1) via /etc/ssh/sshd_config
References
Result for Disable Host-Based Authentication
Result: notselected
Rule ID: rule-3.5.2.5.a
Time: 2010-08-26 17:38
Rule description
SSH host-based authentication should be disabled.
Related identifiers
- CCE-4370-3 (http://cce.mitre.org)
Fix instructions
(1) via /etc/ssh/sshd_config
Result for Disable root Login via SSH
Result: notselected
Rule ID: rule-3.5.2.6.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Root login via SSH should be disabled.
Related identifiers
- CCE-4387-7 (http://cce.mitre.org)
Fix instructions
(1) via /etc/ssh/sshd_config
References
Result for Disable Empty Passwords
Result: notselected
Rule ID: rule-3.5.2.7.a
Time: 2010-08-26 17:38
Rule description
Remote connections from accounts with empty passwords should be disabled.
Related identifiers
- CCE-3660-8 (http://cce.mitre.org)
Fix instructions
(1) via /etc/ssh/sshd_config
Result for Enable a Warning Banner
Result: notselected
Rule ID: rule-3.5.2.8.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
SSH warning banner should be enabled.
Related identifiers
- CCE-4431-3 (http://cce.mitre.org)
Fix instructions
(1) via /etc/ssh/sshd_config
References
Result for Do Not Allow Users to Set Environment Options
Result: notselected
Rule ID: rule-3.5.2.9.a
Time: 2010-08-26 17:38
Rule description
PermitUserEnvironment should be disabled.
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via /etc/ssh/sshd_config
Result for Use Only Approved Ciphers
Result: notselected
Rule ID: rule-3.5.2.10.a
Time: 2010-08-26 17:38
Rule description
Only FIPS-approved ciphers that are not in CBC mode should be used.
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via /etc/ssh/sshd_config
Result for Disable X Windows at System Boot
Result: notselected
Rule ID: rule-3.6.1.1.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
X Windows should be disabled at system boot.
Related identifiers
- CCE-4462-8 (http://cce.mitre.org)
Fix instructions
(1) via /etc/inittab
References
Result for Remove X Windows from the System if Possible
Result: notselected
Rule ID: rule-3.6.1.2.a
Time: 2010-08-26 17:38
Rule description
X Windows should be removed.
Related identifiers
- CCE-4422-2 (http://cce.mitre.org)
Fix instructions
(1) via yum
Fix script
# yum groupremove "X Window System"
Result for Disable X Window System Listening
Result: notselected
Rule ID: rule-3.6.1.3.2.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Disable the ability to provide remote graphical display.
Related identifiers
- CCE-4074-1 (http://cce.mitre.org)
Fix instructions
(1) via /etc/X11/xinit/xserverrc
Fix script
# echo 'exec X :0 -nolisten tcp "$@"' > /etc/X11/xinit/xserverrc
References
Result for Create Warning Banners for GUI Login Users
Result: notselected
Rule ID: rule-3.6.2.1.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
Enable warning banner for GUI login.
Related identifiers
- CCE-3717-6 (http://cce.mitre.org)
Fix instructions
(1) via /etc/gdm/custom.conf
References
Result for Disable Avahi Server Software
Result: notselected
Rule ID: rule-3.7.1.1.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The avahi-daemon service should be disabled.
Related identifiers
- CCE-4365-3 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
Fix script
# chkconfig avahi-daemon off
References
Result for Serve Only via Required Protocol
Result: notselected
Rule ID: rule-3.7.2.1.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
The Avahi daemon should be configured not to serve via IPv6.
Related identifiers
- CCE-4136-8 (http://cce.mitre.org)
Fix instructions
(1) via /etc/avahi/avahi-daemon.conf
Result for Serve Only via Required Protocol
Result: notselected
Rule ID: rule-3.7.2.1.b
Time: 2010-08-26 17:38
Severity: medium
Rule description
The Avahi daemon should be configured not to serve via IPv4.
Related identifiers
- CCE-4409-9 (http://cce.mitre.org)
Fix instructions
(1) via /etc/avahi/avahi-daemon.conf
Result for Check Responses' TTL Field
Result: notselected
Rule ID: rule-3.7.2.2.a
Time: 2010-08-26 17:38
Rule description
Avahi should be configured to reject packets with a TTL field not equal to 255.
Related identifiers
- CCE-4426-3 (http://cce.mitre.org)
Fix instructions
(1) via /etc/avahi/avahi-daemon.conf
Result for Prevent Other Programs from Using Avahi's Port
Result: notselected
Rule ID: rule-3.7.2.3.a
Time: 2010-08-26 17:38
Rule description
Avahi should be configured not to allow other stacks to bind to port 5353.
Related identifiers
- CCE-4193-9 (http://cce.mitre.org)
Fix instructions
(1) via /etc/avahi/avahi-daemon.conf
Result for Disable Publishing if Possible
Result: notselected
Rule ID: rule-3.7.2.4.a
Time: 2010-08-26 17:38
Rule description
Avahi publishing of local information should be disabled.
Related identifiers
- CCE-4444-6 (http://cce.mitre.org)
Fix instructions
(1) via /etc/avahi/avahi-daemon.conf
Result for Restrict disable-user-service-publishing
Result: notselected
Rule ID: rule-3.7.2.5.a
Time: 2010-08-26 17:38
Rule description
Avahi publishing of local information by user applications should be disabled.
Related identifiers
- CCE-4352-1 (http://cce.mitre.org)
Fix instructions
(1) via /etc/avahi/avahi-daemon.conf
Result for Restrict publish-addresses
Result: notselected
Rule ID: rule-3.7.2.5.b
Time: 2010-08-26 17:38
Rule description
Avahi publishing of IP addresses should be disabled.
Related identifiers
- CCE-4433-9 (http://cce.mitre.org)
Fix instructions
(1) via /etc/avahi/avahi-daemon.conf
Result for Restrict publish-hinfo
Result: notselected
Rule ID: rule-3.7.2.5.c
Time: 2010-08-26 17:38
Rule description
Avahi publishing of hardware information should be disabled.
Related identifiers
- CCE-4451-1 (http://cce.mitre.org)
Fix instructions
(1) via /etc/avahi/avahi-daemon.conf
Result for Restrict publish-workstation
Result: notselected
Rule ID: rule-3.7.2.5.d
Time: 2010-08-26 17:38
Rule description
Avahi publishing of workstation name should be disabled.
Related identifiers
- CCE-4341-4 (http://cce.mitre.org)
Fix instructions
(1) via /etc/avahi/avahi-daemon.conf
Result for Restrict publish-domain
Result: notselected
Rule ID: rule-3.7.2.5.e
Time: 2010-08-26 17:38
Rule description
Avahi publishing of domain name should be disabled.
Related identifiers
- CCE-4358-8 (http://cce.mitre.org)
Fix instructions
(1) via /etc/avahi/avahi-daemon.conf
Result for Disable the CUPS Service if Possible
Result: notselected
Rule ID: rule-3.8.1.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
The cups service should be disabled.
Related identifiers
- CCE-4112-9 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
Fix script
# chkconfig cups off
References
Result for Disable Firewall Access to Printing Service over IPv4 if Possible
Result: notselected
Rule ID: rule-3.8.2.a
Time: 2010-08-26 17:38
Severity: high
Rule description
Firewall access to printing service should be disabled.
Related identifiers
- CCE-3649-1 (http://cce.mitre.org)
Fix instructions
(1) via /etc/sysconfig/iptables
Result for Disable Firewall Access to Printing Service over IPv6 if Possible
Result: notselected
Rule ID: rule-3.8.2.b
Time: 2010-08-26 17:38
Severity: high
Rule description
Firewall access to printing service should be disabled.
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via /etc/sysconfig/ip6tables
Result for Disable Printer Browsing Entirely if Possible
Result: notselected
Rule ID: rule-3.8.3.1.1.a
Time: 2010-08-26 17:38
Rule description
Remote print browsing should be disabled.
Related identifiers
- CCE-4420-6 (http://cce.mitre.org)
Fix instructions
(1) via /etc/cups/cupsd.conf
Result for Deny CUPS ability to listen for Incoming printer information
Result: notselected
Rule ID: rule-3.8.3.1.1.b
Time: 2010-08-26 17:38
Rule description
CUPS should be denied the ability to listen for incoming printer information.
Related identifiers
- CCE-4407-3 (http://cce.mitre.org)
Fix instructions
(1) via /etc/cups/cupsd.conf
Result for Disable HPLIP Service if Possible
Result: notselected
Rule ID: rule-3.8.4.1.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The hplip service should be disabled.
Related identifiers
- CCE-4425-5 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
References
Result for Disable DHCP Client if Possible
Result: notselected
Rule ID: rule-3.9.1.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The dhcp client service should be disabled for each interface.
Related identifiers
- CCE-4191-3 (http://cce.mitre.org)
Fix instructions
(1) via /etc/sysconfig/network-scripts/ifcfg-eth*
References
Result for Disable DHCP Server if possible
Result: notselected
Rule ID: rule-3.9.3.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The dhcpd service should be disabled.
Related identifiers
- CCE-4336-4 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
Fix script
# chkconfig dhcpd off
References
Result for Uninstall DHCP Server if possible
Result: notselected
Rule ID: rule-3.9.3.b
Time: 2010-08-26 17:38
Rule description
The dhcp package should be uninstalled.
Related identifiers
- CCE-4464-4 (http://cce.mitre.org)
Fix instructions
(1) via yum
Fix script
# yum erase dhcp
Result for Do Not Use Dynamic DNS
Result: notselected
Rule ID: rule-3.9.4.1.a
Time: 2010-08-26 17:38
Rule description
The dynamic DNS feature of the DHCP server should be disabled.
Related identifiers
- CCE-4257-2 (http://cce.mitre.org)
Fix instructions
(1) via /etc/dhcpd.conf
References
Result for Deny Decline Messages
Result: notselected
Rule ID: rule-3.9.4.2.a
Time: 2010-08-26 17:38
Rule description
DHCPDECLINE messages should be denied by the DHCP server.
Related identifiers
- CCE-4403-2 (http://cce.mitre.org)
Fix instructions
(1) via /etc/dhcpd.conf
Result for Deny BOOTP Queries
Result: notselected
Rule ID: rule-3.9.4.3.a
Time: 2010-08-26 17:38
Rule description
BOOTP queries should be denied by the DHCP server.
Related identifiers
- CCE-4345-5 (http://cce.mitre.org)
Fix instructions
(1) via /etc/dhcpd.conf
Result for DHCP should not send domain-name
Result: notselected
Rule ID: rule-3.9.4.4.a
Time: 2010-08-26 17:38
Rule description
Domain name should not be sent by the DHCP server.
Related identifiers
- CCE-3724-2 (http://cce.mitre.org)
Fix instructions
(1) via /etc/dhcpd.conf
Result for DHCP should not send domain-name-servers
Result: notselected
Rule ID: rule-3.9.4.4.b
Time: 2010-08-26 17:38
Rule description
Domain name server information should not be sent by the DHCP server.
Related identifiers
- CCE-4243-2 (http://cce.mitre.org)
Fix instructions
(1) via /etc/dhcpd.conf
Result for DHCP should not send nis-domain
Result: notselected
Rule ID: rule-3.9.4.4.c
Time: 2010-08-26 17:38
Rule description
NIS domain should not be sent by the DHCP server.
Related identifiers
- CCE-4389-3 (http://cce.mitre.org)
Fix instructions
(1) via /etc/dhcpd.conf
Result for DHCP should not send nis-servers
Result: notselected
Rule ID: rule-3.9.4.4.d
Time: 2010-08-26 17:38
Rule description
NIS servers should not be sent by the DHCP server.
Related identifiers
- CCE-3913-1 (http://cce.mitre.org)
Fix instructions
(1) via /etc/dhcpd.conf
Result for DHCP should not send ntp-servers
Result: notselected
Rule ID: rule-3.9.4.4.e
Time: 2010-08-26 17:38
Rule description
NTP servers should not be sent by the DHCP server.
Related identifiers
- CCE-4169-9 (http://cce.mitre.org)
Fix instructions
(1) via /etc/dhcpd.conf
Result for DHCP should not send routers
Result: notselected
Rule ID: rule-3.9.4.4.f
Time: 2010-08-26 17:38
Rule description
Default routers should not be sent by the DHCP server.
Related identifiers
- CCE-4318-2 (http://cce.mitre.org)
Fix instructions
(1) via /etc/dhcpd.conf
Result for DHCP should not send time-offset
Result: notselected
Rule ID: rule-3.9.4.4.g
Time: 2010-08-26 17:38
Rule description
Time offset should not be sent by the DHCP server.
Related identifiers
- CCE-4319-0 (http://cce.mitre.org)
Fix instructions
(1) via /etc/dhcpd.conf
Result for Configure DHCP Logging
Result: notselected
Rule ID: rule-3.9.4.5.a
Time: 2010-08-26 17:38
Rule description
dhcpd logging should be enabled.
Related identifiers
- CCE-3733-3 (http://cce.mitre.org)
Fix instructions
(1) via /etc/syslog.conf
Result for Enable the NTP Daemon
Result: notselected
Rule ID: rule-3.10.2.2.1.a
Time: 2010-08-26 17:38
Severity: high
Rule description
The ntpd service should be enabled.
Related identifiers
- CCE-4376-0 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
Fix script
# chkconfig ntpd on
References
Result for Deny All Access to ntpd by Default
Result: notselected
Rule ID: rule-3.10.2.2.2.a
Time: 2010-08-26 17:38
Rule description
Network access to ntpd should be denied
Related identifiers
- CCE-4134-3 (http://cce.mitre.org)
Fix instructions
(1) via /etc/ntp.conf
Result for Specify a Remote NTP Server for Time Data
Result: notselected
Rule ID: rule-3.10.2.2.3.a
Time: 2010-08-26 17:38
Rule description
A remote NTP Server for time synchronization should be specified
Related identifiers
- CCE-4385-1 (http://cce.mitre.org)
Fix instructions
(1) via /etc/ntp.conf
References
Result for Obtain NTP Software
Result: notselected
Rule ID: rule-3.10.3.1.a
Time: 2010-08-26 17:38
Rule description
OpenNTPD should be installed
Related identifiers
- CCE-4032-9 (http://cce.mitre.org)
Fix instructions
(1) via openntpd package
Result for Enable the NTP Daemon
Result: notselected
Rule ID: rule-3.10.3.2.1.a
Time: 2010-08-26 17:38
Severity: high
Rule description
The ntp daemon should be enabled
Related identifiers
- CCE-4424-8 (http://cce.mitre.org)
Fix instructions
(1) via /etc/rc.local
References
Result for Configure the Client NTP Daemon to Use the Local Server
Result: notselected
Rule ID: rule-3.10.3.2.2.a
Time: 2010-08-26 17:38
Severity: high
Rule description
The ntp daemon synchronization server should be set appropriately
Related identifiers
- CCE-3487-6 (http://cce.mitre.org)
Fix instructions
(1) via /usr/local/etc/ntpd.conf
Result for Disable the Listening Sendmail Daemon
Result: notselected
Rule ID: rule-3.11.2.1.a
Time: 2010-08-26 17:38
Rule description
The listening sendmail daemon should be disabled.
Related identifiers
- CCE-4293-7 (http://cce.mitre.org)
Fix instructions
(1) via /etc/sysconfig/sendmail
Result for Configure LDAP to Use TLS for All Transactions
Result: notselected
Rule ID: rule-3.12.2.2.a
Time: 2010-08-26 17:38
Rule description
Clients require LDAP servers to provide valid certificates for SSL communications.
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via /etc/ldap.conf
Result for Disable OpenLDAP service
Result: notselected
Rule ID: rule-3.12.3.1.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The ldap service should be disabled.
Related identifiers
- CCE-3501-4 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
References
Result for Disable nfslock
Result: notselected
Rule ID: rule-3.13.1.1.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The nfslock service should be disabled.
Related identifiers
- CCE-4396-8 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
References
Result for Disable rpcgssd
Result: notselected
Rule ID: rule-3.13.1.1.b
Time: 2010-08-26 17:38
Severity: low
Rule description
The rpcgssd service should be disabled.
Related identifiers
- CCE-3535-2 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
References
Result for Disable rpcidmapd
Result: notselected
Rule ID: rule-3.13.1.1.c
Time: 2010-08-26 17:38
Severity: low
Rule description
The rpcidmapd service should be disabled.
Related identifiers
- CCE-3568-3 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
References
Result for Disable netfs if Possible
Result: notselected
Rule ID: rule-3.13.1.2.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The netfs service should be disabled.
Related identifiers
- CCE-4533-6 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
References
Result for Configure lockd to Use Fixed Ports for TCP
Result: notselected
Rule ID: rule-3.13.2.3.a
Time: 2010-08-26 17:38
Rule description
The lockd service should be configured to use a static port for TCP
Related identifiers
- CCE-4559-1 (http://cce.mitre.org)
Fix instructions
(1) via /etc/sysconfig/nfs
Result for Configure statd to Use an outgoing static port
Result: notselected
Rule ID: rule-3.13.2.3.b
Time: 2010-08-26 17:38
Rule description
The statd service should be configured to use an outgoing static port
Related identifiers
- CCE-4015-4 (http://cce.mitre.org)
Fix instructions
(1) via /etc/sysconfig/nfs
Result for Configure statd to Use a static port
Result: notselected
Rule ID: rule-3.13.2.3.c
Time: 2010-08-26 17:38
Rule description
The statd service should be configured to use a static port
Related identifiers
- CCE-3667-3 (http://cce.mitre.org)
Fix instructions
(1) via /etc/sysconfig/nfs
Result for Configure lockd to Use a static port for UDP
Result: notselected
Rule ID: rule-3.13.2.3.d
Time: 2010-08-26 17:38
Rule description
The lockd service should be configured to use a static port for UDP
Related identifiers
- CCE-4310-9 (http://cce.mitre.org)
Fix instructions
(1) via /etc/sysconfig/nfs
Result for Configure mountd to Use a static port
Result: notselected
Rule ID: rule-3.13.2.3.e
Time: 2010-08-26 17:38
Rule description
The mountd service should be configured to use a static port
Related identifiers
- CCE-4438-8 (http://cce.mitre.org)
Fix instructions
(1) via /etc/sysconfig/nfs
Result for Configure rquotad to Use Fixed Ports
Result: notselected
Rule ID: rule-3.13.2.3.f
Time: 2010-08-26 17:38
Rule description
The rquotad service should be configured to use a static port
Related identifiers
- CCE-3579-0 (http://cce.mitre.org)
Fix instructions
(1) via /etc/sysconfig/nfs
Result for Disable nfs service
Result: notselected
Rule ID: rule-3.13.3.1.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The nfs service should be disabled
Related identifiers
- CCE-4473-5 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
References
Result for Disable rpcsvcgssd service
Result: notselected
Rule ID: rule-3.13.3.1.b
Time: 2010-08-26 17:38
Severity: low
Rule description
The rpcsvcgssd service should be disabled
Related identifiers
- CCE-4491-7 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
References
Result for Mount Remote Filesystems with nodev
Result: notselected
Rule ID: rule-3.13.3.2.a
Time: 2010-08-26 17:38
Rule description
The nodev option should be enabled for all NFS mounts
Related identifiers
- CCE-4368-7 (http://cce.mitre.org)
Fix instructions
(1) via /etc/fstab
Result for Mount Remote Filesystems with nosuid
Result: notselected
Rule ID: rule-3.13.3.2.b
Time: 2010-08-26 17:38
Severity: medium
Rule description
The nosuid option should be enabled for all NFS mounts
Related identifiers
- CCE-4024-6 (http://cce.mitre.org)
Fix instructions
(1) via /etc/fstab
References
Result for Mount Remote Filesystems with noexec
Result: notselected
Rule ID: rule-3.13.3.2.c
Time: 2010-08-26 17:38
Severity: medium
Rule description
The noexec option should be enabled for all NFS mounts
Related identifiers
- CCE-4526-0 (http://cce.mitre.org)
Fix instructions
(1) via /etc/fstab
References
Result for Use Root-Squashing on All Exports
Result: notselected
Rule ID: rule-3.13.4.1.2.a
Time: 2010-08-26 17:38
Rule description
Root squashing should be enabled for all NFS shares
Related identifiers
- CCE-4544-3 (http://cce.mitre.org)
Fix instructions
(1) via /etc/exports
Result for Restrict NFS Clients to Privileged Ports
Result: notselected
Rule ID: rule-3.13.4.1.3.a
Time: 2010-08-26 17:38
Rule description
Restriction of NFS clients to privileged ports should be enabled
Related identifiers
- CCE-4465-1 (http://cce.mitre.org)
Fix instructions
(1) via /etc/exports
Result for Export Filesystems Read-Only if Possible
Result: notselected
Rule ID: rule-3.13.4.1.4.a
Time: 2010-08-26 17:38
Rule description
Write access to NFS shares should be disabled
Related identifiers
- CCE-4350-5 (http://cce.mitre.org)
Fix instructions
(1) via /etc/exports
Result for Disable DNS Server if Possible
Result: notselected
Rule ID: rule-3.14.1.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The named service should be disabled.
Related identifiers
- CCE-3578-2 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
References
Result for Uninstall bind if Possible
Result: notselected
Rule ID: rule-3.14.1.b
Time: 2010-08-26 17:38
Rule description
The bind package should be uninstalled.
Related identifiers
- CCE-4219-2 (http://cce.mitre.org)
Fix instructions
(1) via yum
Result for Run DNS Software in a chroot Jail owned by root group
Result: notselected
Rule ID: rule-3.14.3.2.a
Time: 2010-08-26 17:38
Rule description
The /var/named/chroot/etc/named.conf file should be owned by the appropriate group.
Related identifiers
- CCE-3985-9 (http://cce.mitre.org)
Fix instructions
(1) via chown
Result for Run DNS Software in a chroot Jail owned by root user
Result: notselected
Rule ID: rule-3.14.3.2.b
Time: 2010-08-26 17:38
Rule description
The /var/named/chroot/etc/named.conf file should be owned by the appropriate user.
Related identifiers
- CCE-4258-0 (http://cce.mitre.org)
Fix instructions
(1) via chown
Result for Set permissions on chroot Jail for DNS
Result: notselected
Rule ID: rule-3.14.3.2.c
Time: 2010-08-26 17:38
Rule description
File permissions for /var/named/chroot/etc/named.conf should be set correctly.
Related identifiers
- CCE-4487-5 (http://cce.mitre.org)
Fix instructions
(1) via chmod
Result for Disable DNS Dynamic Updates if Possible
Result: notselected
Rule ID: rule-3.14.4.5.a
Time: 2010-08-26 17:38
Rule description
LDAP's dynamic updates feature should be disabled
Related identifiers
- CCE-4399-2 (http://cce.mitre.org)
Fix instructions
(1) via /etc/named.conf
Result for Disable vsftpd if Possible
Result: notselected
Rule ID: rule-3.15.1.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The vsftpd service should be disabled.
Related identifiers
- CCE-3919-8 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
References
Result for Uninstall vsftpd if Possible
Result: notselected
Rule ID: rule-3.15.1.b
Time: 2010-08-26 17:38
Severity: low
Rule description
The vsftpd service should be uninstalled.
Related identifiers
- CCE-3919-8 (http://cce.mitre.org)
Fix instructions
(1) via yum
References
Result for Enable Logging of All FTP Transactions
Result: notselected
Rule ID: rule-3.15.3.1.a
Time: 2010-08-26 17:38
Severity: low
Rule description
Logging of vsftpd transactions should be enabled
Related identifiers
- CCE-4549-2 (http://cce.mitre.org)
Fix instructions
(1) via /etc/vsftpd.conf
References
Result for Create Warning Banners for All FTP Users
Result: notselected
Rule ID: rule-3.15.3.2.a
Time: 2010-08-26 17:38
Rule description
A warning banner for all FTP users should be enabled
Related identifiers
- CCE-4554-2 (http://cce.mitre.org)
Fix instructions
(1) via /etc/vsftpd.conf
Result for Restrict Access to Anonymous Users if Possible
Result: notselected
Rule ID: rule-3.15.3.3.1.a
Time: 2010-08-26 17:38
Severity: high
Rule description
Local user login to the vsftpd service should be disabled
Related identifiers
- CCE-4443-8 (http://cce.mitre.org)
Fix instructions
(1) via /etc/vsftpd.conf
References
Result for Disable FTP Uploads if Possible
Result: notselected
Rule ID: rule-3.15.3.4.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
File uploads via vsftpd should be disabled
Related identifiers
- CCE-4461-0 (http://cce.mitre.org)
Fix instructions
(1) via /etc/vsftpd.conf
References
Result for Disable Apache if Possible
Result: notselected
Rule ID: rule-3.16.1.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The httpd service should be disabled.
Related identifiers
- CCE-4338-0 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
References
Result for Uninstall Apache if Possible
Result: notselected
Rule ID: rule-3.16.1.b
Time: 2010-08-26 17:38
Rule description
The httpd package should be uninstalled.
Related identifiers
- CCE-4514-6 (http://cce.mitre.org)
Fix instructions
(1) via yum
Result for Restrict Information Leakage using ServerTokens
Result: notselected
Rule ID: rule-3.16.3.1.a
Time: 2010-08-26 17:38
Rule description
The apache2 server's ServerTokens value should be set appropriately
Related identifiers
- CCE-4474-3 (http://cce.mitre.org)
Fix instructions
(1) via /etc/httpd/conf/httpd.conf
Result for Restrict Information Leakage using ServerSignature
Result: notselected
Rule ID: rule-3.16.3.1.b
Time: 2010-08-26 17:38
Rule description
The apache2 server's ServerSignature value should be set appropriately
Related identifiers
- CCE-3756-4 (http://cce.mitre.org)
Fix instructions
(1) via /etc/httpd/conf/httpd.conf
Result for Restrict permissions on /etc/httpd/conf
Result: notselected
Rule ID: rule-3.16.5.1.a
Time: 2010-08-26 17:38
Rule description
File permissions for /etc/httpd/conf should be set correctly.
Related identifiers
- CCE-4509-6 (http://cce.mitre.org)
Fix instructions
(1) via chmod
Result for Restrict permissions on /etc/httpd/conf/*
Result: notselected
Rule ID: rule-3.16.5.1.b
Time: 2010-08-26 17:38
Rule description
File permissions for /etc/httpd/conf/* should be set correctly.
Related identifiers
- CCE-4386-9 (http://cce.mitre.org)
Fix instructions
(1) via chmod
Result for Restrict permissions on /usr/sbin/httpd
Result: notselected
Rule ID: rule-3.16.5.1.c
Time: 2010-08-26 17:38
Rule description
File permissions for /usr/sbin/httpd should be set correctly.
Related identifiers
- CCE-4029-5 (http://cce.mitre.org)
Fix instructions
(1) via chmod
Result for Restrict group access to /etc/httpd/conf/*
Result: notselected
Rule ID: rule-3.16.5.1.d
Time: 2010-08-26 17:38
Rule description
The /etc/httpd/conf/* files should be owned by the appropriate group.
Related identifiers
- CCE-3581-6 (http://cce.mitre.org)
Fix instructions
(1) via chgrp
Result for Restrict permissions on /var/log/httpd
Result: notselected
Rule ID: rule-3.16.5.1.e
Time: 2010-08-26 17:38
Rule description
File permissions for /var/log/httpd should be set correctly.
Related identifiers
- CCE-4574-0 (http://cce.mitre.org)
Fix instructions
(1) via chmod
Result for Disable Dovecot if Possible
Result: notselected
Rule ID: rule-3.17.1.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The dovecot service should be disabled.
Related identifiers
- CCE-3847-1 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
References
Result for Uninstall Dovecot if Possible
Result: notselected
Rule ID: rule-3.17.1.b
Time: 2010-08-26 17:38
Rule description
The dovecot package should be uninstalled.
Related identifiers
- CCE-4239-0 (http://cce.mitre.org)
Fix instructions
(1) via yum
Result for Dovecot should not support imaps
Result: notselected
Rule ID: rule-3.17.2.1.a
Time: 2010-08-26 17:38
Rule description
Dovecot should be configured to not support the imaps protocol
Related identifiers
- CCE-4384-4 (http://cce.mitre.org)
Fix instructions
(1) via /etc/dovecot.conf
Result for Dovecot should not support pop3s
Result: notselected
Rule ID: rule-3.17.2.1.b
Time: 2010-08-26 17:38
Rule description
Dovecot should be configured to not support the pop3s protocol
Related identifiers
- CCE-3887-7 (http://cce.mitre.org)
Fix instructions
(1) via /etc/dovecot.conf
Result for Dovecot should not support pop3
Result: notselected
Rule ID: rule-3.17.2.1.c
Time: 2010-08-26 17:38
Rule description
Dovecot should be configured to not support the pop3 protocol
Related identifiers
- CCE-4530-2 (http://cce.mitre.org)
Fix instructions
(1) via /etc/dovecot.conf
Result for Dovecot should not support imap
Result: notselected
Rule ID: rule-3.17.2.1.d
Time: 2010-08-26 17:38
Rule description
Dovecot should be configured to not support the imap protocol
Related identifiers
- CCE-4547-6 (http://cce.mitre.org)
Fix instructions
(1) via /etc/dovecot.conf
Result for Disable Plaintext Authentication
Result: notselected
Rule ID: rule-3.17.2.2.4.a
Time: 2010-08-26 17:38
Rule description
Dovecot plaintext authentication of clients should be disabled
Related identifiers
- CCE-4552-6 (http://cce.mitre.org)
Fix instructions
(1) via /etc/dovecot.conf
Result for Enable Dovecot Option mail_drop_priv_before_exec
Result: notselected
Rule ID: rule-3.17.2.3.a
Time: 2010-08-26 17:38
Rule description
The Dovecot option to drop privileges to user before executing mail process should be enabled
Related identifiers
- CCE-4371-1 (http://cce.mitre.org)
Fix instructions
(1) via /etc/dovecot.conf
Result for Enable Dovecot Option mail_drop_priv_before_exec
Result: notselected
Rule ID: rule-3.17.2.3.b
Time: 2010-08-26 17:38
Rule description
The Dovecot option to spawn a new login process per connection should be enabled
Related identifiers
- CCE-4410-7 (http://cce.mitre.org)
Fix instructions
(1) via /etc/dovecot.conf
Result for Disable Samba if Possible
Result: notselected
Rule ID: rule-3.18.1.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
The smb service should be disabled.
Related identifiers
- CCE-4551-8 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
References
Result for Disable Guest Access and Local Login Support
Result: notselected
Rule ID: rule-3.18.2.3.a
Time: 2010-08-26 17:38
Rule description
Do not allow guest users to access local file or printer shares. In global or in each share, set the parameter guest ok to no.
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via /etc/samba/smb.conf in [share] guest ok = no
References
Result for Require Client SMB Packet Signing, if using smbclient
Result: notselected
Rule ID: rule-3.18.2.10.a
Time: 2010-08-26 17:38
Rule description
Require samba clients running smbclient to use packet signing. A Samba client should only communicate with servers who can support SMB packet signing. Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.
Related identifiers
- CCE-4556-7 (http://cce.mitre.org)
Fix instructions
(1) via /etc/samba/smb.conf in [global] client signing = mandatory
Result for Require Client SMB Packet Signing, if using mount.cifs
Result: notselected
Rule ID: rule-3.18.2.11.a
Time: 2010-08-26 17:38
Rule description
Require packet signing of clients who mount Samba shares using the mount.cifs program (e.g., those who specify shares in /etc/fstab). To do so, ensure that signing options (either sec=krb5i or sec=ntlmv2i) are used. See the mount.cifs(8) man page for more information. A Samba client should only communicate with servers who can support SMB packet signing. Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.
Related identifiers
- CCE-4556-7 (http://cce.mitre.org)
Fix instructions
(1) via /etc/fstab
Result for Disable Squid if Possible
Result: notselected
Rule ID: rule-3.19.1.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The squid service should be disabled.
Related identifiers
- CCE-4556-7 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
References
Result for Uninstall Squid if Possible
Result: notselected
Rule ID: rule-3.19.1.b
Time: 2010-08-26 17:38
Rule description
The squid package should be uninstalled.
Related identifiers
- CCE-4076-6 (http://cce.mitre.org)
Fix instructions
(1) via yum
Result for Verify ftp_passive setting
Result: notselected
Rule ID: rule-3.19.2.2.a
Time: 2010-08-26 17:38
Rule description
The Squid option to force FTP passive connections should be enabled
Related identifiers
- CCE-4454-5 (http://cce.mitre.org)
Fix instructions
(1) via /etc/squid/squid.conf
Result for Verify ftp_sanitycheck setting
Result: notselected
Rule ID: rule-3.19.2.2.b
Time: 2010-08-26 17:38
Rule description
The Squid option to perform FTP sanity checks should be enabled
Related identifiers
- CCE-4459-4 (http://cce.mitre.org)
Fix instructions
(1) via /etc/squid/squid.conf
Result for Verify check_hostnames setting
Result: notselected
Rule ID: rule-3.19.2.2.c
Time: 2010-08-26 17:38
Rule description
The Squid option to check for RFC compliant hostnames should be enabled
Related identifiers
- CCE-4503-9 (http://cce.mitre.org)
Fix instructions
(1) via /etc/squid/squid.conf
Result for Verify request_header_max_size setting
Result: notselected
Rule ID: rule-3.19.2.2.d
Time: 2010-08-26 17:38
Rule description
The Squid max request HTTP header length should be set to an appropriate value
Related identifiers
- CCE-4353-9 (http://cce.mitre.org)
Fix instructions
(1) via /etc/squid/squid.conf
Result for Verify reply_header_max_size setting
Result: notselected
Rule ID: rule-3.19.2.2.e
Time: 2010-08-26 17:38
Rule description
The Squid max reply HTTP header length should be set to an appropriate value
Related identifiers
- CCE-4419-8 (http://cce.mitre.org)
Fix instructions
(1) via /etc/squid/squid.conf
Result for Verify cache_effective_user setting
Result: notselected
Rule ID: rule-3.19.2.2.f
Time: 2010-08-26 17:38
Rule description
The Squid EUID should be set to an appropriate user
Related identifiers
- CCE-3692-1 (http://cce.mitre.org)
Fix instructions
(1) via /etc/squid/squid.conf
Result for Verify cache_effective_group setting
Result: notselected
Rule ID: rule-3.19.2.2.g
Time: 2010-08-26 17:38
Rule description
The Squid GID should be set to an appropriate group
Related identifiers
- CCE-4476-8 (http://cce.mitre.org)
Fix instructions
(1) via /etc/squid/squid.conf
Result for Verify ignore_unknown_nameservers setting
Result: notselected
Rule ID: rule-3.19.2.2.h
Time: 2010-08-26 17:38
Rule description
The Squid option to ignore unknown nameservers should be enabled
Related identifiers
- CCE-3585-7 (http://cce.mitre.org)
Fix instructions
(1) via /etc/squid/squid.conf
Result for Check allow_underscore setting
Result: notselected
Rule ID: rule-3.19.2.3.a
Time: 2010-08-26 17:38
Rule description
The Squid option to allow underscores in hostnames should be disabled
Related identifiers
- CCE-4344-8 (http://cce.mitre.org)
Fix instructions
(1) via /etc/squid/squid.conf
Result for Check httpd_suppress_version setting
Result: notselected
Rule ID: rule-3.19.2.3.b
Time: 2010-08-26 17:38
Rule description
The Squid option to suppress the httpd version string should be enabled
Related identifiers
- CCE-4494-1 (http://cce.mitre.org)
Fix instructions
(1) via /etc/squid/squid.conf
Result for Check forwarded_for setting
Result: notselected
Rule ID: rule-3.19.2.3.c
Time: 2010-08-26 17:38
Rule description
The Squid option to show proxy client IP addresses in HTTP headers should be disabled
Related identifiers
- CCE-4181-4 (http://cce.mitre.org)
Fix instructions
(1) via /etc/squid/squid.conf
Result for Check log_mime_hdrs setting
Result: notselected
Rule ID: rule-3.19.2.3.d
Time: 2010-08-26 17:38
Rule description
The Squid option to log HTTP MIME headers should be enabled
Related identifiers
- CCE-4577-3 (http://cce.mitre.org)
Fix instructions
(1) via /etc/squid/squid.conf
Result for Restrict gss-http traffic
Result: notselected
Rule ID: rule-3.19.2.5.a
Time: 2010-08-26 17:38
Rule description
Squid should be configured to not allow gss-http traffic
Related identifiers
- CCE-4511-2 (http://cce.mitre.org)
Fix instructions
(1) via /etc/squid/squid.conf
Result for Restrict https traffic
Result: notselected
Rule ID: rule-3.19.2.5.b
Time: 2010-08-26 17:38
Rule description
Squid should be configured to not allow https traffic
Related identifiers
- CCE-4529-4 (http://cce.mitre.org)
Fix instructions
(1) via /etc/squid/squid.conf
Result for Restrict wais traffic
Result: notselected
Rule ID: rule-3.19.2.5.c
Time: 2010-08-26 17:38
Rule description
Squid should be configured to not allow wais traffic
Related identifiers
- CCE-3610-3 (http://cce.mitre.org)
Fix instructions
(1) via /etc/squid/squid.conf
Result for Restrict multiling http traffic
Result: notselected
Rule ID: rule-3.19.2.5.d
Time: 2010-08-26 17:38
Rule description
Squid should be configured to not allow multiling http traffic
Related identifiers
- CCE-4466-9 (http://cce.mitre.org)
Fix instructions
(1) via /etc/squid/squid.conf
Result for Restrict http traffic
Result: notselected
Rule ID: rule-3.19.2.5.e
Time: 2010-08-26 17:38
Rule description
Squid should be configured to not allow http traffic
Related identifiers
- CCE-4607-8 (http://cce.mitre.org)
Fix instructions
(1) via /etc/squid/squid.conf
Result for Restrict ftp traffic
Result: notselected
Rule ID: rule-3.19.2.5.f
Time: 2010-08-26 17:38
Rule description
Squid should be configured to not allow ftp traffic
Related identifiers
- CCE-4255-6 (http://cce.mitre.org)
Fix instructions
(1) via /etc/squid/squid.conf
Result for Restrict gopher traffic
Result: notselected
Rule ID: rule-3.19.2.5.g
Time: 2010-08-26 17:38
Rule description
Squid should be configured to not allow gopher traffic
Related identifiers
- CCE-4127-7 (http://cce.mitre.org)
Fix instructions
(1) via /etc/squid/squid.conf
Result for Restrict filemaker traffic
Result: notselected
Rule ID: rule-3.19.2.5.h
Time: 2010-08-26 17:38
Rule description
Squid should be configured to not allow filemaker traffic
Related identifiers
- CCE-4519-5 (http://cce.mitre.org)
Fix instructions
(1) via /etc/squid/squid.conf
Result for Restrict proxy access to localhost
Result: notselected
Rule ID: rule-3.19.2.5.i
Time: 2010-08-26 17:38
Rule description
Squid proxy access to localhost should be denied
Related identifiers
- CCE-4413-1 (http://cce.mitre.org)
Fix instructions
(1) via /etc/squid/squid.conf
Result for Restrict http-mgmt traffic
Result: notselected
Rule ID: rule-3.19.2.5.j
Time: 2010-08-26 17:38
Rule description
Squid should be configured to not allow http-mgmt traffic
Related identifiers
- CCE-4373-7 (http://cce.mitre.org)
Fix instructions
(1) via /etc/squid/squid.conf
Result for Disable snmpd if Possible
Result: notselected
Rule ID: rule-3.20.1.a
Time: 2010-08-26 17:38
Severity: medium
Rule description
The snmpd service should be disabled.
Related identifiers
- CCE-3765-5 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
References
Result for Uninstall net-snmp if Possible
Result: notselected
Rule ID: rule-3.20.1.b
Time: 2010-08-26 17:38
Rule description
The net-snmp package should be uninstalled.
Related identifiers
- CCE-4404-0 (http://cce.mitre.org)
Fix instructions
(1) via yum
Result for Do not log authorization failures and successes
Result: notselected
Rule ID: rule-2.3.3.2.c
Time: 2010-08-26 17:38
Severity: medium
Rule description
Remove pam_succeed_if module with quiet option and remove auth pam_deny line.
Related identifiers
- TBD (http://cce.mitre.org)
Fix instructions
(1) via /etc/pam.d/system-auth
References
Result for Remove SETroubleshoot if Possible
Result: notselected
Rule ID: rule-2.4.3.1.a
Time: 2010-08-26 17:38
Rule description
The setroubleshoot package should be uninstalled.
Related identifiers
- CCE-4148-3 (http://cce.mitre.org)
Fix instructions
(1) via yum
Result for Disable SETroubleshoot if Possible
Result: notselected
Rule ID: rule-2.4.3.1.b
Time: 2010-08-26 17:38
Severity: low
Rule description
The setroubleshoot service should be disabled.
Related identifiers
- CCE-4254-9 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
References
Result for Mail Transfer Agent
Result: notselected
Rule ID: rule-3.11.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The sendmail service should be disabled.
Related identifiers
- CCE-4416-4 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig
References
Result for Correct Permissions on LDAP Server Files
Result: notselected
Rule ID: rule-3.12.3.7.a
Time: 2010-08-26 17:38
Rule description
The /var/lib/ldap/* files should be owned by the appropriate group.
Related identifiers
- CCE-4484-2 (http://cce.mitre.org)
Fix instructions
(1) via chown
Result for Correct Permissions on LDAP Server Files
Result: notselected
Rule ID: rule-3.12.3.7.b
Time: 2010-08-26 17:38
Rule description
The /var/lib/ldap/* files should be owned by the appropriate user.
Related identifiers
- CCE-4502-1 (http://cce.mitre.org)
Fix instructions
(1) via chown
Result for Disable RPC Portmapper if Possible
Result: notselected
Rule ID: rule-3.13.1.3.a
Time: 2010-08-26 17:38
Severity: low
Rule description
The portmap service should be disabled.
Related identifiers
- CCE-4550-0 (http://cce.mitre.org)
Fix instructions
(1) via chkconfig