Vuln ID | GEN ID | Title | Discussion (Rationale) | Fix Text (Description) | Check Text (OCIL Check) | CCI Ref (800-53 Origin) |
TBD | TBD | It is required that the /tmp partition is located on a separate partition. |
The /tmp partition is used as temporary storage by many programs.
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it.
|
The /tmp directory is a world-writable directory used
for temporary file storage. Ensure that it has its own partition or
logical volume at installation time, or migrate it using LVM.
|
/tmp lives on its own partition:
# df -h /tmpIt will return a line for /tmp if it is on its own partition.
If no line is returned, this is a finding. |
CCI-000366 (CM-6 b) |
TBD | TBD | It is required that the /var partition is located on a separate partition. |
Ensuring that /var is mounted on its own partition enables the
setting of more restrictive mount options. This helps protect
system services such as daemons or other programs which use it.
It is not uncommon for the /var directory to contain
world-writable directories, installed by other software packages.
|
The /var directory is used by daemons and other system
services to store frequently-changing data. Ensure that /var has its own partition
or logical volume at installation time, or migrate it using LVM.
|
/var lives on its own partition:
# df -h /varIt will return a line for /var if it is on its own partition.
If no line is returned, this is a finding. |
CCI-000366 (CM-6 b) |
TBD | TBD | It is required that the /var/log partition is located on a separate partition. |
Placing /var/log in its own partition
enables better separation between log files
and other files in /var/ .
|
System logs are stored in the /var/log directory.
Ensure that it has its own partition or logical
volume at installation time, or migrate it using LVM.
|
/var/log lives on its own partition:
# df -h /var/logIt will return a line for /var/log if it is on its own partition.
If no line is returned, this is a finding. |
CCI-000366 (CM-6 b) |
TBD | TBD |
Placing /var/log/audit in its own partition
enables better separation between audit files
and other files, and helps ensure that
auditing cannot be halted due to the partition running out
of space.
|
Audit logs are stored in the /var/log/audit directory. Ensure that it
has its own partition or logical volume at installation time, or migrate it
later using LVM. Make absolutely certain that it is large enough to store all
audit logs that will be created by the auditing daemon.
|
/var/log/audit lives on its own partition:
# df -h /var/log/auditIt will return a line for /var/log/audit if it is on its own partition.
If no line is returned, this is a finding. |
CCI-000137 (AU-4) |
|
TBD | TBD |
Ensuring that /home is mounted on its own partition enables the
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage.
|
If user home directories will be stored locally, create a separate partition
for /home at installation time (or migrate it later using LVM). If
/home will be mounted from another system such as an NFS server, then
creating a separate partition is not necessary at installation time, and the
mountpoint can instead be configured later.
|
/home lives on its own partition:
# df -h /homeIt will return a line for /home if it is on its own partition.
If no line is returned, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | This key is necessary to cryptographically verify that packages are from Red Hat. |
To ensure that the system can cryptographically verify base software
packages come from Red Hat (and to connect to the Red Hat Network to
receive them if desired), the Red Hat GPG key must properly be installed.
To ensure that the GPG key is installed, run:
# rhn_register |
$ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkeyThe command should return the string: gpg(Red Hat, Inc. (release key <security@redhat.com>) If the Red Hat GPG Key isn't installed, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Although systems management and patching is extremely important to system security, management by a system outside the enterprise enclave is not desirable for some environments. | The Red Hat Network service automatically queries Red Hat Network
servers to determine whether there are any actions that should be executed,
such as package updates. This only occurs if the system was registered to an
RHN server or satellite and managed as such.
The rhnsd service can be disabled with the following command:
# chkconfig rhnsd off |
rhnsd service is disabled in system boot
configuration via chkconfig and not currently running on the system (runtime configuration).
Run the following command to verify rhnsd is disabled through current
runtime configuration:
# service rhnsd statusIf the service is disabled, the command will return: rhnsd is stoppedRun the following command to verify rhnsd is disabled through system
boot configuration:
# chkconfig
Output should indicate the rhnsd service has been disabled at all runlevels,
as shown in the example below:
# chkconfig If the service is running, this is a finding. |
CCI-000382 (CM-7) |
|
TBD | TBD | Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. | The following command prints a list of packages that
need to be updated:
# yum check-updateTo actually install these updates, run: # yum update |
# yum update If Updates are not installed, this is a finding. |
CCI-001232 (SI-2 (1)) |
|
TBD | TBD | Ensuring the validity of packages' cryptographic signatures prior to installation ensures the provenance of the software and protects against malicious tampering. | The gpgcheck option should be used to ensure that
checking of an RPM package’s signature always occurs prior to its
installation. To configure yum to check package signatures before installing
them, ensure that the following line appears in /etc/yum.conf in
the [main] section:
gpgcheck=1 |
yum is configured to use gpgcheck ,
inspect /etc/yum.conf and ensure that the following appears in the
[main] section:
gpgcheck=1A value of 1 indicates that gpgcheck is enabled. Absence of a
gpgcheck line or a setting of 0 indicates that it is
disabled.
If GPG checking isn't enabled, this is a finding. |
CCI-000352 (CM-5 (3)) CCI-000663 (SA-7) |
|
TBD | TBD | Ensuring that all packages' cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering. | To ensure that signature checking is not disabled for
any repos, remove any lines from files in /etc/yum.repos.d of the form:
gpgcheck=0 |
yum has been configured to disable
gpgcheck for any repos, inspect all files in
/etc/yum.repos.d and ensure that the following does not appear in any
sections:
gpgcheck=0A value of 0 indicates that gpgcheck has been disabled for that repo.
If GPG checking is disabled, this is a finding. |
CCI-000352 (CM-5 (3)) CCI-000663 (SA-7) |
|
TBD | TBD | The AIDE package must be installed if it is to be available for integrity checking. |
Install the AIDE package with the command:
# yum install aide |
aide package is installed:
# rpm -q aide If the package is installed, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation. | SELinux can be disabled at boot time by an argument in
/etc/grub.conf .
Remove any instances of selinux=0 from the kernel arguments in that
file to prevent SELinux from being being disabled at boot.
|
/etc/grub.conf for any instances of selinux=0
in the kernel boot arguments. Presences of selinux=0 indicates
that SELinux is disabled at boot time.
If SELinux is Disabled at boot time, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system. | The files /etc/hosts.equiv and ~/.rhosts (in
each user's home directory) list remote hosts and users that are trusted by the
local system when using the rshd daemon.
To remove these files, run the following command to delete them from any
location:
# rm /etc/hosts.equiv $ rm ~/.rhosts |
/etc/hosts.equiv or a file named
.rhosts inside a user home directory indicates the presence
of an Rsh trust relationship.
If these files exist, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Setting the SELinux state to enforcing ensures that SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges. | The SELinux state should be set to enforcing at
system boot time. In the file /etc/selinux/config , add or correct the
line SELINUX=enforcing to configure the system to boot into enforcing
mode.
|
/etc/selinux/config and ensure the following line appears:
SELINUX=enforcing If SELINUX=enforcing is not set properly, this is a finding. |
CCI-000022 (AC-3 (3) (a)) |
|
TBD | TBD |
Setting the SELinux policy to targeted or a more specialized policy
ensures that the system will confine processes that are likely to be
targeted for exploitation, such as network services or system services.
|
The SELinux targeted policy is appropriate for
general-purpose desktops and servers, as well as systems in many other roles.
To configure the system to use this policy, add or correct the following line
in /etc/selinux/config :
SELINUXTYPE=targetedOther policies, such as mls , provide additional security labeling
and greater confinement but are not compatible with many general-purpose
use cases.
|
/etc/selinux/config and ensure the following line appears:
SELINUXTYPE=targeted If SELINUX=targeted is not set properly, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | If a device file is not labeled, then misconfiguration is likely. | Device files are used for communication with important system resources.
SELinux contexts should exist for these. By checking for unlabeled_t file
contexts, we can determine if the system is optimally configured. |
# ls -Z | grep unlabeled_tIt should produce no output in a well-configured system. If unlabeled_t file contexts exist, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account. |
To restrict root logins through the (deprecated) virtual console devices,
ensure lines of this form do not appear in /etc/securetty :
vc/1 vc/2 vc/3 vc/4 |
# grep ^vc/[0-9] /etc/securettyIf any values are returned, you need to remove them by manipulating the file. To remove any occurance of the virtual consoles in one command type the following: # sed -i '/^vc/d' /etc/securetty If the user root hasn't been restricted from VCD's, this is a finding. |
CCI-000770 (IA-2 (5) (b)) |
|
TBD | TBD | Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account. | To restrict root logins on serial ports,
ensure lines of this form do not appear in /etc/securetty :
ttyS0 ttyS1 |
# grep ^ttyS/[0-9] /etc/securettyIf any values are returned, you need to remove them by manipulating the file. To remove any occurance of the virtual consoles in one command type the following: # sed -i '/^ttyS/d' /etc/securetty If the user root hasn't been restricted from Serial Ports, this is a finding. |
CCI-000770 (IA-2 (5) (b)) |
|
TBD | TBD | Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts. |
Some accounts are not associated with a human
user of the system, and exist to perform some administrative
function. Should an attacker be able to log into these accounts,
he or she should not be granted access to a shell.
Ensure that no shells are granted to system accounts. First, obtain a listing of all users, their UIDs, and their shells, by running: $ awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwdIdentify the system accounts from this listing. These will primarily be the accounts with UID numbers less than 500, other than root. |
# usermod -s /sbin/nologin SYSACCTThe RHEL6 default is /sbin/nologin , but any command which will
exit with a failure status and disallow execution of any further
commands, such as /bin/false or /dev/null , will work.If any SYSACCTs have a login shell, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | If an account has an empty password, anybody may log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. | If an account is configured for password authentication
but does not have an assigned password, it may be possible to log
into the account without authentication. Remove any instances of the nullok
option in /etc/pam.d/system-auth-ac to
prevent logins with empty passwords.
|
# grep nullok /etc/pam.d/system-auth /etc/pam.d/system-auth-acIf this produces any output, it may be possible to log into accounts with empty passwords. If NULL passwords can be used, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD |
The hashes for all user account passwords should be stored in
the file /etc/shadow and never in /etc/passwd ,
which is readable by all users.
|
If any password hashes are stored in /etc/passwd (in the second field,
instead of an x ), the cause of this misconfiguration should be
investigated. The account should have its password reset and the hash should be
properly stored, or the account should be deleted entirely.
|
/etc/passwd , run the following command:
# awk -F: '($2 != "x") {print}' /etc/passwdIf it produces any output, then a password hash is stored in /etc/passwd .
If any stored hashes are found in /etc/passwd, this is a finding. |
CCI-000196 (IA-5 (1) (c)) |
|
TBD | TBD | An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a provilieged account. Proper configuration of sudo is recommended to afford multiple System Administrators access to the root account. | If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed. |
# awk -F: '($3 == "0") {print}' /etc/passwdThis should print only one line, for the user root. If any other accounts, other than root have an ID of 0, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | The /etc/shadow file contains the list of local
system accounts and stores password hashes. Protection of this file is
critical for system security. Failure to give ownership of this file
to root provides the designated owner with access to sensitive information
which could weaken the system security posture. |
To properly set the owner of /etc/shadow , run the command:
# chown root /etc/shadow |
/etc/shadow , run the command:
$ ls -l /etc/shadowIf properly configured, the output should indicate the following owner: root
If it does not, this is a finding. |
CCI-000225 (AC-6) |
|
TBD | TBD | The /etc/shadow file stores password hashes. Protection of this file is
critical for system security. |
To properly set the group owner of /etc/shadow , run the command:
# chgrp root /etc/shadow |
/etc/shadow , run the command:
$ ls -l /etc/shadowIf properly configured, the output should indicate the following group-owner: root
If it does not, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | The /etc/shadow file contains the list of local
system accounts and stores password hashes. Protection of this file is
critical for system security. Failure to give ownership of this file
to root provides the designated owner with access to sensitive information
which could weaken the system security posture. |
To properly set the permissions of /etc/shadow , run the command:
# chmod 0000 /etc/shadow |
/etc/shadow , run the command:
$ ls -l /etc/shadowIf properly configured, the output should indicate the following permissions: ----------
If it does not, this is a finding. |
CCI-000225 (AC-6) |
|
TBD | TBD | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. |
To properly set the owner of /etc/gshadow , run the command:
# chown root /etc/gshadow |
/etc/gshadow , run the command:
$ ls -l /etc/gshadowIf properly configured, the output should indicate the following owner: root
If it does not, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. |
To properly set the group owner of /etc/gshadow , run the command:
# chgrp root /etc/gshadow |
/etc/gshadow , run the command:
$ ls -l /etc/gshadowIf properly configured, the output should indicate the following group-owner: root
If it does not, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security. |
To properly set the permissions of /etc/gshadow , run the command:
# chmod 0000 /etc/gshadow |
/etc/gshadow , run the command:
$ ls -l /etc/gshadowIf properly configured, the output should indicate the following permissions: ----------
If it does not, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | The /etc/passwd contains information about the users that are configured on
the system. Protection of this file is critical for system security. |
To properly set the owner of /etc/passwd , run the command:
# chown root /etc/passwdThe /etc/passwd file should be owned by
root. |
/etc/passwd , run the command:
$ ls -l /etc/passwdIf properly configured, the output should indicate the following owner: root
If it does not, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. |
To properly set the group owner of /etc/passwd , run the command:
# chgrp root /etc/passwd |
/etc/passwd , run the command:
$ ls -l /etc/passwdIf properly configured, the output should indicate the following group-owner: root
If it does not, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | If the /etc/passwd file is writable by a group-owner or the
world the risk of its compromise is increased. The file contains the list of
acounts on the system and associated information, and protection of this file
is critical for system security. |
To properly set the permissions of /etc/passwd , run the command:
# chmod 0644 /etc/passwd |
/etc/passwd , run the command:
$ ls -l /etc/passwdIf properly configured, the output should indicate the following permissions: -rw-r--r--
If it does not, this is a finding. |
CCI-000225 (AC-6) |
|
TBD | TBD | Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system. | System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib /lib64 /usr/lib /usr/lib64Kernel modules, which can be added to the kernel during runtime, are stored in /lib/modules . All files in these directories should not be
group-writable or world-writable.
|
$ find DIR -perm /022 If any of the modules are group-writable, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system. | System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib /lib64 /usr/lib /usr/lib64Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules . All files in these directories should be
owned by the root user.
|
root ,
run the following command for each directory DIR which contains shared libraries:
$ find DIR \! -user root If any of the shared modules aren't owned by root, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted. |
System executables are stored in the following directories by default:
/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbinAll files in these directories should not be group-writable or world-writable. |
$ find DIR -perm /022 If any system executables are found to be group, or world writable, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted. |
System executables are stored in the following directories by default:
/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbinAll files in these directories should be owned by the root user.
|
root ,
run the following command for each directory DIR which contains system executables:
$ find DIR \! -user root If any system executables are found to not be owned by root, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result. | To specify password length requirements for new accounts,
edit the file /etc/login.defs and add or correct the following
lines:
PASS_MIN_LEN LENGTH The DoD requirement is 14 .
If a program consults /etc/login.defs and also another PAM module
(such as pam_cracklib ) during a password change operation,
then the most restrictive must be satisfied. See PAM section
for more information about enforcing password quality requirements.
|
$ grep PASS_MIN_LEN /etc/login.defsThe DoD requirement is 14 .
If it is not set to the required value, this is a finding. |
CCI-000205 (IA-5 (1) (a)) |
|
TBD | TBD | Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement. | To specify password minimum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line, replacing DAYS appropriately:
PASS_MIN_DAYS DAYSThe DoD requirement is 7. |
$ grep PASS_MIN_DAYS /etc/login.defsThe DoD requirement is 7. If it is not set to the required value, this is a finding. |
CCI-000198 (IA-5 (1) (d)) |
|
TBD | TBD | Setting the password maximum age ensures that users are required to periodically change their passwords. This could possibly decrease the utility of a stolen password. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise. | To specify password maximum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line, replacing DAYS appropriately:
PASS_MAX_DAYS DAYSA value of 180 days is sufficient for many environments. The DoD requirement is 60. |
$ grep PASS_MAX_DAYS /etc/login.defsA value of 180 days is sufficient for many environments. The DoD requirement is 60. If it is not set to the required value, this is a finding. |
CCI-000199 (IA-5 (1) (d)) |
|
TBD | TBD | Setting the password warning age enables users to make the change at a practical time. | To specify how many days prior to password
expiration that a warning will be issued to users,
edit the file /etc/login.defs and add or correct
the following line:
PASS_WARN_AGE DAYSA value of 7 days is considered for appropriate for many environments. |
$ grep PASS_WARN_AGE /etc/login.defsA value of 7 days is sufficient for many environments. The DoD requirement is 7. If it is not set to the required value, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module. | The pam_cracklib module's retry= parameter controls how many times a program
will re-prompt a user after an incorrect password entry, on a per-session basis. To configure this, open:
/etc/pam.d/system-authLocate the retry= parameter, the DoD required value is 3.
|
$ grep retry /etc/pam.d/system-auth If it is not the required value, this is a finding. |
CCI-001092 (SC-5) |
|
TBD | TBD | Requiring digits makes password guessing attacks more difficult by ensuring a larger search space. | The pam_cracklib module's dcredit= parameter controls requirements for
usage of digits in a password. When set to a negative number, any password will be required to
contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional
length credit for each digit.
|
$ grep dcredit /etc/pam.d/system-auth If it is not the required value, this is a finding. |
CCI-000194 (IA-5 (1) (a)) |
|
TBD | TBD | Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space. | The pam_cracklib module's ucredit= parameter controls requirements for
usage of uppercase letters in a password. When set to a negative number, any password will be required to
contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional
length credit for each uppercase character.
|
$ grep ucredit /etc/pam.d/system-auth If it is not the required value, this is a finding. |
CCI-000192 (IA-5 (1) (a)) |
|
TBD | TBD | Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space. | The pam_cracklib module's ocredit= parameter controls requirements for
usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to
contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional
length credit for each special character.
|
$ grep ocredit /etc/pam.d/system-auth If it is not the required value, this is a finding. |
CCI-001619 (IA-5 (1) (a)) |
|
TBD | TBD | Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space. | The pam_cracklib module's lcredit= parameter controls requirements for
usage of lowercase letters in a password. When set to a negative number, any password will be required to
contain that many lowercase characters. When set to a positive number, pam_cracklib will grant +1 additional
length credit for each lowercase character.
|
$ grep lcredit /etc/pam.d/system-auth If it is not the required value, this is a finding. |
CCI-000193 (IA-5 (1) (a)) |
|
TBD | TBD | Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however. | The pam_cracklib module's difok= parameter controls requirements for
usage of different characters during a password change.
|
$ grep difok /etc/pam.d/system-auth If it is not the required value, this is a finding. |
CCI-000195 (IA-5 (1) (b)) |
|
TBD | TBD | Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. | This requires further investigation. | CCI-001452 (AC-7 a) CCI-000044 (AC-7 a) CCI-000047 (AC-7 b) |
||
TBD | TBD | Using a stronger hashing algorithm makes password cracking attacks more difficult. | The system's default algorithm for storing password hashes in
/etc/shadow is SHA-512.
In order to ensure the system is still configured to use SHA-512 algorithm,
the following line must appear in /etc/login.defs :
ENCRYPT_METHOD SHA512Also ensure that the pam_unix.so module in the password section in
/etc/pam.d/system-auth includes the argument sha512 .
If this is not the case, the following command can be run to fix: # /usr/sbin/authconfig --passalgo=sha512 --updateThis ensures that when users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. |
/etc/login.defs :
ENCRYPT_METHOD SHA512Also, ensure the pam_unix.so module in the password section of /etc/pam.d/system-auth includes
the argument sha512 .
If either of these are not the case, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Only root should be able to modify important boot parameters. | The file /etc/grub.conf is a symbolic link to
/boot/grub/grub.conf which should be owned by the root user
to prevent destruction or modification of the file.
To properly set the owner of /boot/grub/grub.conf , run the command:
# chown root /boot/grub/grub.conf |
/boot/grub/grub.conf , run the command:
$ ls -l /boot/grub/grub.confIf properly configured, the output should indicate the following owner: root
If it does not, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD |
The root group is a highly-privileged group. Furthermore, the group-owner of this
file should not have any access privileges anyway.
|
The file /etc/grub.conf is a symbolic link to
/boot/grub/grub.conf which should be group-owned by the root
group to prevent destruction or modification of the file.
To properly set the group owner of /boot/grub/grub.conf , run the command:
# chgrp /boot/grub/grub.conf |
/boot/grub/grub.conf , run the command:
$ ls -l /boot/grub/grub.confIf properly configured, the output should indicate the following group-owner:
If it does not, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Proper permissions ensure that only the root user can modify important boot parameters. | File permissions for /boot/grub/grub.conf should be set to 600, which
is the default.
To properly set the permissions of /boot/grub/grub.conf , run the command:
# chmod /boot/grub/grub.conf |
/boot/grub/grub.conf , run the command:
$ ls -l /boot/grub/grub.confIf properly configured, the output should indicate the following permissions:
If it does not, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Password protection on the boot loader configuration ensures that users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. | The grub boot loader should have password protection
enabled to protect boot-time settings.
To do so, select a password and then generate a hash from it by running:
# grub-crypt --sha-512You will then be prompted to enter a password. Insert the following line into /etc/grub.conf immediately
after the header comments. (Use the output from grub-crypt as the
value of password-hash):
password --encrypted password-hash |
CCI-000213 (AC-3) |
||
TBD | TBD | This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password. | Single-user mode is intended as a system recovery
method, providing a single user root access to the system by
providing a boot option at startup. By default, no authentication
is performed if single-user mode is selected.
To require entry of the root password even if the system is started in single-user mode, add or correct the following line in the file /etc/sysconfig/init :
SINGLE=/sbin/sulogin |
$ grep SINGLE /etc/sysconfig/initThe output should be: SINGLE=/sbin/sulogin If the output is different, this is a finding. |
CCI-000213 (AC-3) |
|
TBD | TBD | Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security. |
To disable the ability for users to perform interactive startups,
edit the file /etc/sysconfig/init .
Add or correct the line:
PROMPT=noThe PROMPT option allows the console user to perform an
interactive system startup, in which it is possible to select the
set of services which are started on boot.
|
$ grep PROMPT /etc/sysconfig/initThe output should show: PROMPT=yes If it does not, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Installing vlock ensures that a console locking capability is available for users who may need to suspend console logins. |
To enable console screen locking, install the vlock package:
# yum install vlockInstruct users to invoke the program when necessary, in order to prevent passersby from abusing their login: $ vlockThe -a option can be used to prevent switching to other
virtual consoles.
|
vlock command.
If there is a command not found error, this is a finding. |
CCI-000058 (AC-11 a) |
|
TBD | TBD | Although unlikely to dissuade a serious attacker, the warning message reinforces policy awareness during the logon process. |
The contents of the file /etc/issue are
displayed on the screen just above the login prompt for users
logging directly into a terminal. Remote login programs such as
SSH or FTP can be configured to display /etc/issue as well.
Instructions for configuring these daemons are available later.
By default, the system will display the version of the OS, the kernel version, and the host name. Edit /etc/issue . Replace the default text with a message
compliant with the local site policy or a legal disclaimer.
|
$ cat /etc/issue If it does not display a message compliant with the environment, this is a finding. |
CCI-000048 (AC-8 a) CCI-001384 (AC-8 c) CCI-001385 (AC-8 c) CCI-001386 (AC-8 c) CCI-001387 (AC-8 c) CCI-001388 (AC-8 c) |
|
TBD | TBD | Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt at exploitation. ASLR also makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques. |
To set the runtime status of the kernel.randomize_va_space kernel parameter,
run the following command:
# sysctl -w kernel.randomize_va_space1 |
kernel.randomize_va_space kernel parameter can be queried
by running the following command:
$ sysctl kernel.randomize_va_spaceThe output of the command should indicate a value of 1 .
If this value is not the default value, investigate how it could have been adjusted at runtime, and verify
that it is not set improperly in /etc/sysctl.conf .
If the correct value is not returned, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range. |
To set the runtime status of the kernel.exec-shield kernel parameter,
run the following command:
# sysctl -w kernel.exec-shield1 |
kernel.exec-shield kernel parameter can be queried
by running the following command:
$ sysctl kernel.exec-shieldThe output of the command should indicate a value of 1 .
If this value is not the default value, investigate how it could have been adjusted at runtime, and verify
that it is not set improperly in /etc/sysctl.conf .
If the correct value is not returned, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for routers. |
To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter,
run the following command:
# sysctl -w net.ipv4.conf.default.send_redirects0 |
net.ipv4.conf.default.send_redirects kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.default.send_redirectsThe output of the command should indicate a value of 0 .
If this value is not the default value, investigate how it could have been adjusted at runtime, and verify
that it is not set improperly in /etc/sysctl.conf .
If the correct value is not returned, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for routers. |
To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter,
run the following command:
# sysctl -w net.ipv4.conf.all.send_redirects0 |
net.ipv4.conf.all.send_redirects kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.all.send_redirectsThe output of the command should indicate a value of 0 .
If this value is not the default value, investigate how it could have been adjusted at runtime, and verify
that it is not set improperly in /etc/sysctl.conf .
If the correct value is not returned, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for routers. |
To set the runtime status of the net.ipv4.ip_forward kernel parameter,
run the following command:
# sysctl -w net.ipv4.ip_forward0 |
net.ipv4.ip_forward kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.ip_forwardThe output of the command should indicate a value of 0 .
If this value is not the default value, investigate how it could have been adjusted at runtime, and verify
that it is not set improperly in /etc/sysctl.conf .
If the correct value is not returned, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required. |
To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter,
run the following command:
# sysctl -w net.ipv4.conf.all.accept_source_route0 |
net.ipv4.conf.all.accept_source_route kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.all.accept_source_routeThe output of the command should indicate a value of 0 .
If this value is not the default value, investigate how it could have been adjusted at runtime, and verify
that it is not set improperly in /etc/sysctl.conf .
If the correct value is not returned, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required. |
To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter,
run the following command:
# sysctl -w net.ipv4.conf.all.accept_redirects0 |
net.ipv4.conf.all.accept_redirects kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.all.accept_redirectsThe output of the command should indicate a value of 0 .
If this value is not the default value, investigate how it could have been adjusted at runtime, and verify
that it is not set improperly in /etc/sysctl.conf .
If the correct value is not returned, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required. |
To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter,
run the following command:
# sysctl -w net.ipv4.conf.all.secure_redirects0 |
net.ipv4.conf.all.secure_redirects kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.all.secure_redirectsThe output of the command should indicate a value of 0 .
If this value is not the default value, investigate how it could have been adjusted at runtime, and verify
that it is not set improperly in /etc/sysctl.conf .
If the correct value is not returned, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. |
To set the runtime status of the net.ipv4.conf.all.log_martians kernel parameter,
run the following command:
# sysctl -w net.ipv4.conf.all.log_martians1 |
net.ipv4.conf.all.log_martians kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.all.log_martiansThe output of the command should indicate a value of 1 .
If this value is not the default value, investigate how it could have been adjusted at runtime, and verify
that it is not set improperly in /etc/sysctl.conf .
If the correct value is not returned, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required. |
To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter,
run the following command:
# sysctl -w net.ipv4.conf.default.accept_source_route0 |
net.ipv4.conf.default.accept_source_route kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.default.accept_source_routeThe output of the command should indicate a value of 0 .
If this value is not the default value, investigate how it could have been adjusted at runtime, and verify
that it is not set improperly in /etc/sysctl.conf .
If the correct value is not returned, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required. |
To set the runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter,
run the following command:
# sysctl -w net.ipv4.conf.default.secure_redirects0 |
net.ipv4.conf.default.secure_redirects kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.default.secure_redirectsThe output of the command should indicate a value of 0 .
If this value is not the default value, investigate how it could have been adjusted at runtime, and verify
that it is not set improperly in /etc/sysctl.conf .
If the correct value is not returned, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network. |
To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter,
run the following command:
# sysctl -w net.ipv4.icmp_echo_ignore_broadcasts1 |
net.ipv4.icmp_echo_ignore_broadcasts kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.icmp_echo_ignore_broadcastsThe output of the command should indicate a value of 1 .
If this value is not the default value, investigate how it could have been adjusted at runtime, and verify
that it is not set improperly in /etc/sysctl.conf .
If the correct value is not returned, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged. |
To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter,
run the following command:
# sysctl -w net.ipv4.icmp_ignore_bogus_error_responses1 |
net.ipv4.icmp_ignore_bogus_error_responses kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.icmp_ignore_bogus_error_responsesThe output of the command should indicate a value of 1 .
If this value is not the default value, investigate how it could have been adjusted at runtime, and verify
that it is not set improperly in /etc/sysctl.conf .
If the correct value is not returned, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests. |
To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter,
run the following command:
# sysctl -w net.ipv4.tcp_syncookies1 |
net.ipv4.tcp_syncookies kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.tcp_syncookiesThe output of the command should indicate a value of 1 .
If this value is not the default value, investigate how it could have been adjusted at runtime, and verify
that it is not set improperly in /etc/sysctl.conf .
If the correct value is not returned, this is a finding. |
CCI-001092 (SC-5) CCI-001095 (SC-5 (2)) |
|
TBD | TBD | Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. |
To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter,
run the following command:
# sysctl -w net.ipv4.conf.all.rp_filter1 |
net.ipv4.conf.all.rp_filter kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.all.rp_filterThe output of the command should indicate a value of 1 .
If this value is not the default value, investigate how it could have been adjusted at runtime, and verify
that it is not set improperly in /etc/sysctl.conf .
If the correct value is not returned, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. |
To set the runtime status of the net.ipv4.conf.default.rp_filter kernel parameter,
run the following command:
# sysctl -w net.ipv4.conf.default.rp_filter1 |
net.ipv4.conf.default.rp_filter kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.default.rp_filterThe output of the command should indicate a value of 1 .
If this value is not the default value, investigate how it could have been adjusted at runtime, and verify
that it is not set improperly in /etc/sysctl.conf .
If the correct value is not returned, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the vulnerability to exploitation. | To prevent the IPv6 kernel module (ipv6 ) from loading the IPv6 networking stack, add the following line to /etc/modprobe.d/disabled.conf (or another file in /etc/modprobe.d ):
options ipv6 disable=1This permits the IPv6 module to be loaded (and thus satisfy other modules that depend on it), while disabling support for the IPv6 protocol. |
ipv6 kernel module, it will contain a line
of the form:
options ipv6 disable=1inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf .
This permits insertion of the IPv6 kernel module (which other parts of the system
expect to be present), but otherwise keeps it inactive.
Run the following command to search for such lines in all files in /etc/modprobe.d
and the deprecated /etc/modprobe.conf :
$ grep -r ipv6 /etc/modprobe.conf /etc/modprobe.d If the ipv6 kernel module is loaded, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | An illicit ICMP redirect message could result in a man-in-the-middle attack. | The setting for accepting IPv6 redirects should be: for all interfaces. To do so add the following lines to /etc/sysctl.conf to limit the configuration information requested from other systems, and accepted from the network:
net.ipv6.conf.default.accept_redirects = |
# grep ipv6 /etc/sysctl.conf If there is not output, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | The ip6tables service provides the system's host-based firewalling
capability for IPv6 and ICMPv6.
|
The ip6tables service can be enabled with the following command:
# chkconfig ip6tables on |
ip6tables service:
# service ip6tables statusIf the service is enabled, it should return: ip6tables is running... If the service is not running, this is a finding. |
CCI-000066 (AC-17 e) CCI-001115 (SC-7 (9)) CCI-001118 (SC-7 (12)) CCI-001092 (SC-5) CCI-001117 (SC-7 (11)) CCI-001098 (SC-7 b) CCI-001100 (SC-7 (2)) CCI-001097 (SC-7 a) CCI-001123 (SC-7 (15)) CCI-001124 (SC-7 (16)) CCI-001414 (AC-4) |
|
TBD | TBD |
The iptables service provides the system's host-based firewalling
capability for IPv4 and ICMP.
|
The iptables service can be enabled with the following command:
# chkconfig iptables on |
iptables service:
# service iptables statusIf the service is enabled, it should return: iptables is running... If the service is not running, this is a finding. |
CCI-000066 (AC-17 e) CCI-001115 (SC-7 (9)) CCI-001118 (SC-7 (12)) CCI-001092 (SC-5) CCI-000027 (AC-4 (3)) CCI-001117 (SC-7 (11)) CCI-001098 (SC-7 b) CCI-001100 (SC-7 (2)) CCI-001097 (SC-7 a) CCI-001123 (SC-7 (15)) CCI-001124 (SC-7 (16)) CCI-001414 (AC-4) |
|
TBD | TBD | In iptables the default policy is applied only after all
the applicable rules in the table are examined for a match. Setting the
default policy to DROP implements proper design for a firewall, i.e.
any packets which are not explicitly permitted should not be
accepted. |
To set the default policy to DROP (instead of ACCEPT) for
the built-in INPUT chain which processes incoming packets,
add or correct the following line in
/etc/sysconfig/iptables :
:INPUT DROP [0:0] |
/etc/sysconfig/iptables to determine
the default policy for the INPUT chain. It should be set to DROP.
If the default policy for the INPUT chain isn't set to DROP, this is a finding. |
CCI-000066 (AC-17 e) CCI-001109 (SC-7 (5)) CCI-001154 (SC-15 (2)) CCI-001414 (AC-4) |
|
TBD | TBD | Disabling DCCP protects the system against exploitation of any flaws in its implementation. |
The Datagram Congestion Control Protocol (DCCP) is a
relatively new transport layer protocol, designed to support
streaming media and telephony.
To configure the system to prevent the dccp
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d :
install dccp /bin/true |
dccp kernel module,
it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf .
These lines instruct the module loading system to run another program (such as
/bin/true ) upon a module install event.
Run the following command to search for such lines in all files in /etc/modprobe.d
and the deprecated /etc/modprobe.conf :
$ grep -r dccp /etc/modprobe.conf /etc/modprobe.d If no line is returned, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Disabling SCTP protects the system against exploitation of any flaws in its implementation. |
The Stream Control Transmission Protocol (SCTP) is a
transport layer protocol, designed to support the idea of
message-oriented communication, with several streams of messages
within one connection.
To configure the system to prevent the sctp
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d :
install sctp /bin/true |
sctp kernel module,
it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf .
These lines instruct the module loading system to run another program (such as
/bin/true ) upon a module install event.
Run the following command to search for such lines in all files in /etc/modprobe.d
and the deprecated /etc/modprobe.conf :
$ grep -r sctp /etc/modprobe.conf /etc/modprobe.d If no line is returned, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Disabling RDS protects the system against exploitation of any flaws in its implementation. |
The Reliable Datagram Sockets (RDS) protocol is a transport
layer protocol designed to provide reliable high- bandwidth,
low-latency communications between nodes in a cluster.
To configure the system to prevent the rds
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d :
install rds /bin/true |
rds kernel module,
it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf .
These lines instruct the module loading system to run another program (such as
/bin/true ) upon a module install event.
Run the following command to search for such lines in all files in /etc/modprobe.d
and the deprecated /etc/modprobe.conf :
$ grep -r rds /etc/modprobe.conf /etc/modprobe.d If no line is returned, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Disabling TIPC protects the system against exploitation of any flaws in its implementation. |
The Transparent Inter-Process Communication (TIPC) protocol
is designed to provide communications between nodes in a
cluster.
To configure the system to prevent the tipc
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d :
install tipc /bin/true |
tipc kernel module,
it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf .
These lines instruct the module loading system to run another program (such as
/bin/true ) upon a module install event.
Run the following command to search for such lines in all files in /etc/modprobe.d
and the deprecated /etc/modprobe.conf :
$ grep -r tipc /etc/modprobe.conf /etc/modprobe.d If no line is returned, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | The rsyslog package provides the rsyslog daemon, which provides system logging services. |
Rsyslog is installed by default.
The rsyslog package can be installed with the following command:
# yum install rsyslog |
rsyslog package is installed:
# rpm -q rsyslog If the package is installed, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | The rsyslog service must be running in order to provide
logging services, which are essential to system administration.
|
The rsyslog service provides syslog-style logging by default on RHEL 6.
The rsyslog service can be enabled with the following command:
# chkconfig rsyslog on |
rsyslog service:
# service rsyslog statusIf the service is enabled, it should return: rsyslog is running... If the service is not running, this is a finding. |
CCI-001557 (AC-4 (17) ?) CCI-001312 (SI-11 b) CCI-001311 (SI-11 a) |
|
TBD | TBD | The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access. | The owner of all log files written by
rsyslog should be root.
These log files are determined by the second part of each Rule line in
/etc/rsyslog.conf typically all appear in /var/log .
For each log file LOGFILE referenced in /etc/rsyslog.conf ,
run the following command to inspect the file's owner:
$ ls -l LOGFILEIf the owner is not root , run the following command to
correct this:
# chown root LOGFILE |
$ ls -l LOGFILE If the owner is not root, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access. | The group-owner of all log files written by
rsyslog should be root.
These log files are determined by the second part of each Rule line in
/etc/rsyslog.conf and typically all appear in /var/log .
For each log file LOGFILE referenced in /etc/rsyslog.conf ,
run the following command to inspect the file's group owner:
$ ls -l LOGFILEIf the owner is not root , run the following command to
correct this:
# chgrp root LOGFILE |
$ ls -l LOGFILE If the group-owner is not root, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Log files can contain valuable information regarding system configuratation. If the system log files are not protected unauthorized users could change the logged data, eliminaating their foresive value. | The file permissions for all log files written by
rsyslog should be set to 600, or more restrictive.
These log files are determined by the second part of each Rule line in
/etc/rsyslog.conf and typically all appear in /var/log .
For each log file LOGFILE referenced in /etc/rsyslog.conf ,
run the following command to inspect the file's permissions:
$ ls -l LOGFILEIf the permissions are not 600 or more restrictive, run the following command to correct this: # chmod 0600 LOGFILE |
$ ls -l LOGFILEThe permissions should be 600, or more restrictive. If the permissions are not correct, this is a finding. |
CCI-001314 (SI-11 c) |
|
TBD | TBD | A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise. |
To configure rsyslog to send logs to a remote log server,
open /etc/rsyslog.conf and read and understand the last section of the file,
which describes the multiple directives necessary to activate remote
logging.
Along with these other directives, the system can be configured
to forward its logs to a particular log server by
adding or correcting one of the following lines,
substituting loghost.example.com appropriately.
The choice of protocol depends on the environment of the system;
although TCP and RELP provide more reliable message delivery,
they may not be supported in all environments.
To use UDP for log message delivery: *.* @loghost.example.com To use TCP for log message delivery: *.* @@loghost.example.com To use RELP for log message delivery: *.* :omrelp:loghost.example.com |
/etc/rsyslog.confIf using UDP, a line similar to the following should be present: *.* @loghost.example.comIf using TCP, a line similar to the following should be present: *.* @@loghost.example.comIf using RELP, a line similar to the following should be present: *.* :omrelp:loghost.example.com If neither of these are present, this is a finding. |
CCI-001348 (AU-9 (2)) CCI-000136 (AU-3 (2)) CCI-001352 (AU-9 (4) (b)) |
|
TBD | TBD | Ensuring that the auditd service is active ensures that
audit records generated by the kernel can be written to disk, or that appropriate
actions will be taken if other obstacles exist.
|
The auditd service is an essential userspace component of
the Linux Auditing System, as it is responsible for writing audit records to
disk.
The auditd service can be enabled with the following command:
# chkconfig auditd on |
auditd service:
# service auditd statusIf the service is enabled, it should return: auditd is running... If the service is not running, this is a finding. |
CCI-000169 (AU-12 a) CCI-000172 (AU-12 c) CCI-000174 (AU-12 (1)) CCI-001353 (AU-12 (2)) CCI-001462 (AU-14 a) CCI-001487 (AU-3) CCI-001115 (SC-7 (9)) CCI-001454 (AC-17 (7)) CCI-000067 (AC-17 (1)) CCI-000158 (AU-7 (1)) CCI-000831 (IR-4 (5)) CCI-001123 (SC-7 (15)) CCI-001190 (SC-24) CCI-001312 (SI-11 b) CCI-001263 (SI-4 (5)) CCI-000130 (AU-3) |
|
TBD | TBD |
Each process on the system carries an "auditable" flag which
indicates whether its activities can be audited. Although auditd
takes care of enabling this for all processes which launch after it
does, adding the kernel argument ensures that it is set for every
process during boot.
|
To ensure that all processes can be audited, even
those which start prior to the audit daemon, add the argument
audit=1 to the kernel line in /etc/grub.conf , in the manner below:
kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1 |
kernel ) in
/etc/grub.conf to ensure that they include audit=1 .
If any processes aren't able to be monitored and logged, this is a finding. |
CCI-001464 (AU-14 (1)) CCI-000130 (AU-3) |
|
TBD | TBD | The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maxium log file size and the number of logs retained. | Determine how many log files
auditd should retain when it rotates logs.
Edit the file /etc/audit/auditd.conf . Add or modify the following
line, substituting NUMLOGS with the correct value:
num_logs = NUMLOGSSet the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation. |
/etc/audit/auditd.conf and locate the following line to
determine how many logs the system is configured to retain after rotation:
num_logs = 5 If the overall system log file(s) retention hasn't been properly set up, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maxium log file size and the number of logs retained. | Determine the amount of audit data (in megabytes)
which should be retained in each log file. Edit the file
/etc/audit/auditd.conf . Add or modify the following line, substituting
the correct value for STOREMB:
max_log_file = STOREMBSet the value to 6 (MB) or higher for general-purpose systems.
Larger values, of course,
support retention of even more audit data. |
/etc/audit/auditd.conf and locate the following line to
determine how much data the system will retain in each audit log file:
max_log_file = 6 If the system audit data threshold hasn't been properly set up, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Automatically rotating logs (by setting this to rotate )
minimizes the chances of the system unexpectedly running out of disk space by
being overwhelmed with log data. However, for systems that must never discard
log data, or which use external processes to transfer it and reclaim space,
keep_logs can be employed. |
The default action to take when the logs reach their maximum size
is to rotate the log files, discarding the oldest one. To configure the action taken
by auditd , add or correct the line:
max_log_file_action = ACTIONPossible values for ACTION are described in the auditd.conf man
page. These include:
ACTION to rotate to ensure log rotation
occurs. This is the default. The setting is case-insensitive.
|
/etc/audit/auditd.conf and locate the following line to
determine if the system is configured to rotate logs when they reach their
maximum size: max_log_file_action
If the system hasn't been properly set up to rotate audit logs, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur. | The auditd service can be configured to take an action
when disk space is running low but prior to running out of space completely.
Edit the file /etc/audit/auditd.conf . Add or modify the following line,
substituting ACTION appropriately:
admin_space_left_action = ACTIONPossible values for ACTION are described in the auditd.conf man page.
These include:
single to cause the system to switch to single user
mode for corrective action. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined.
|
/etc/audit/auditd.conf and locate the following line to
determine if the system is configured to switch to single user mode
when disk space has run low:
admin_space_left_action single If the system isn't properly configured to swtich to single user mode for corrective action, this is a finding. |
CCI-000140 (AU-5 b) CCI-000143 (AU-5 (1)) CCI-000144 (AU-5 (2)) CCI-001343 (AU-5 (4)) |
|
TBD | TBD | Arbitrary changes to the system time can be used to obfuscate nefarious activites in log files as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. | On a 32-bit system, add the following to /etc/audit/audit.rules :
# audit_time_rules -a always,exit -F arch=b32 -S adjtimex -k audit_time_rulesOn a 64-bit system, add the following to /etc/audit/audit.rules :
# audit_time_rules -a always,exit -F arch=b64 -S adjtimex -k audit_time_rulesThe -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules |
adjtimex
system call, run the following command:
# auditctl -l | grep syscall | grep adjtimexIf the system is configured to audit this activity, it will return a line. If the system hasn't been properly set up to audit time changes, rules, or usage flags, this is a finding. |
CCI-001487 (AU-3) CCI-000169 (AU-12 a) |
|
TBD | TBD | Arbitrary changes to the system time can be used to obfuscate nefarious activites in log files as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. | On a 32-bit system, add the following to /etc/audit/audit.rules :
# audit_time_rules -a always,exit -F arch=b32 -S settimeofday -k audit_time_rulesOn a 64-bit system, add the following to /etc/audit/audit.rules :
# audit_time_rules -a always,exit -F arch=b64 -S settimeofday -k audit_time_rulesThe -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules |
settimeofday
system call, run the following command:
# auditctl -l | grep syscall | grep settimeofdayIf the system is configured to audit this activity, it will return a line. If the system hasn't been properly set up to audit time changes, rules, or usage flags, this is a finding. |
CCI-001487 (AU-3) CCI-000169 (AU-12 a) |
|
TBD | TBD | Arbitrary changes to the system time can be used to obfuscate nefarious activites in log files as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. | On a 32-bit system, add the following to /etc/audit/audit.rules :
# audit_time_rules -a always,exit -F arch=b32 -S stime -k audit_time_rulesOn a 64-bit system, the "-S time" is not necessary. The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules |
stime
system call, run the following command:
# auditctl -l | grep syscall | grep stimeIf the system is configured to audit this activity, it will return a line. If the system hasn't been properly set up to audit time changes, rules, or usage flags, this is a finding. |
CCI-001487 (AU-3) CCI-000169 (AU-12 a) |
|
TBD | TBD | Arbitrary changes to the system time can be used to obfuscate nefarious activites in log files as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. | On a 32-bit system, add the following to /etc/audit/audit.rules :
# audit_time_rules -a always,exit -F arch=b32 -S clock_settime -k audit_time_rulesOn a 64-bit system, add the following to /etc/audit/audit.rules :
# audit_time_rules -a always,exit -F arch=b64 -S clock_settime -k audit_time_rulesThe -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules |
clock_settime
system call, run the following command:
# auditctl -l | grep syscall | grep clock_settimeIf the system is configured to audit this activity, it will return a line. If the system hasn't been properly set up to audit time changes, rules, or usage flags, this is a finding. |
CCI-001487 (AU-3) CCI-000169 (AU-12 a) |
|
TBD | TBD | Arbitrary changes to the system time can be used to obfuscate nefarious activites in log files as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. | Add the following to /etc/audit/audit.rules :
-w /etc/localtime -p wa -k audit_time_rulesThe -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used. |
# auditctl -l | grep "watch=/etc/localtime"If the system is configured to audit this activity, it will return a line. If the system hasn't been properly set up to audit time rules logging, this is a finding. |
CCI-001487 (AU-3) CCI-000169 (AU-12 a) |
|
TBD | TBD | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. | Add the following to /etc/audit/audit.rules , in order
to capture events that modify account changes:
# audit_account_changes -w /etc/group -p wa -k audit_account_changes -w /etc/passwd -p wa -k audit_account_changes -w /etc/gshadow -p wa -k audit_account_changes -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes |
auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)'If the system is configured to watch for account changes, lines should be returned for each file specified (and with perm=wa for each).
If the system hasn't been properly set up to audit (and log) account changes, this is a finding. |
CCI-000018 (AC-2 (4)) CCI-001403 (AC-2 (4)) CCI-001404 (AC-2 (4)) CCI-001405 (AC-2 (4)) CCI-001684 () CCI-001683 () CCI-001685 () CCI-001686 () |
|
TBD | TBD | The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited. | Add the following to /etc/audit/audit.rules , setting
ARCH to either b32 or b64 as appropriate for your system:
# audit_network_modifications -a exit,always -F arch=ARCH -S sethostname -S setdomainname -k audit_network_modifications -w /etc/issue -p wa -k audit_network_modifications -w /etc/issue.net -p wa -k audit_network_modifications -w /etc/hosts -p wa -k audit_network_modifications -w /etc/sysconfig/network -p wa -k audit_network_modifications |
auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)'If the system is configured to watch for account changes, a line should be returned for each file specified (and perm=wa should be indicated for each).
If the system isn't congfigured to audit changes of the network configuration, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited. | Add the following to /etc/audit/audit.rules :
-w /etc/selinux/ -p wa -k MAC-policy |
# auditctl -l | grep "dir=selinux"If the system is configured to watch for changes to its SELinux configuration, a line should be returned (including perm=wa indicating permissions that are watched).
If the system isn't properly set up to notify an admin when attemps to change the MAC tables occur, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and unauthorized users. | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules :
-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 \ -k perm_modIf the system is 64 bit then also add the following: -a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod |
fchmod
system call, run the following command:
# auditctl -l | grep syscall | grep fchmodIf the system is configured to audit this activity, it will return a line. If the system hasn't been properly set up to audit permission changes, this is a finding. |
CCI-000126 (AU-2 d) |
|
TBD | TBD | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and unauthorized users. | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules :
-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 \ -k perm_modIf the system is 64 bit then also add the following: -a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 \ -k perm_mod |
fchmod
system call, run the following command:
# auditctl -l | grep syscall | grep fchmodIf the system is configured to audit this activity, it will return a line. If no line is returned, this is a finding. |
CCI-000126 (AU-2 d) |
|
TBD | TBD | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and unauthorized users. | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules :
-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 \ -k perm_modIf the system is 64 bit then also add the following: -a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod |
fchmod
system call, run the following command:
# auditctl -l | grep syscall | grep fchmodIf the system is configured to audit this activity, it will return a line. If no line is returned, this is a finding. |
CCI-000126 (AU-2 d) |
|
TBD | TBD | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and unauthorized users. | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules :
-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 \ -k perm_modIf the system is 64 bit then also add the following: -a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 \ -k perm_mod |
fchmodat
system call, run the following command:
# auditctl -l | grep syscall | grep fchmodatIf the system is configured to audit this activity, it will return a line. If no line is returned, this is a finding. |
CCI-000126 (AU-2 d) |
|
TBD | TBD | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and unauthorized users. | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules :
-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 \ -k perm_modIf the system is 64 bit then also add the following: -a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod |
fchown
system call, run the following command:
# auditctl -l | grep syscall | grep fchownIf the system is configured to audit this activity, it will return a line. If no line is returned, this is a finding. |
CCI-000126 (AU-2 d) |
|
TBD | TBD | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and unauthorized users. | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules :
-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 \ -k perm_modIf the system is 64 bit then also add the following: -a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 \ -k perm_mod |
fchownat
system call, run the following command:
# auditctl -l | grep syscall | grep fchownatIf the system is configured to audit this activity, it will return a line. If no line is returned, this is a finding. |
CCI-000126 (AU-2 d) |
|
TBD | TBD | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and unauthorized users. | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules :
-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_modIf the system is 64 bit then also add the following: -a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod |
fremovexattr
system call, run the following command:
# auditctl -l | grep syscall | grep fremovexattrIf the system is configured to audit this activity, it will return a line. If no line is returned, this is a finding. |
CCI-000126 (AU-2 d) |
|
TBD | TBD | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and unauthorized users. | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules :
-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_modIf the system is 64 bit then also add the following: -a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod |
fsetxattr
system call, run the following command:
# auditctl -l | grep syscall | grep fsetxattrIf the system is configured to audit this activity, it will return a line. If no line is returned, this is a finding. |
CCI-000126 (AU-2 d) |
|
TBD | TBD | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and unauthorized users. | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules :
-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 \ -k perm_modIf the system is 64 bit then also add the following: -a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod |
fchmod
system call, run the following command:
# auditctl -l | grep syscall | grep fchmodIf the system is configured to audit this activity, it will return a line. If no line is returned, this is a finding. |
CCI-000126 (AU-2 d) |
|
TBD | TBD | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and unauthorized users. | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules :
-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_modIf the system is 64 bit then also add the following: -a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod |
lremovexattr
system call, run the following command:
# auditctl -l | grep syscall | grep lremovexattrIf the system is configured to audit this activity, it will return a line. If no line is returned, this is a finding. |
CCI-000126 (AU-2 d) |
|
TBD | TBD | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and unauthorized users. | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules :
-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_modIf the system is 64 bit then also add the following: -a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod |
lsetxattr
system call, run the following command:
# auditctl -l | grep syscall | grep lsetxattrIf the system is configured to audit this activity, it will return a line. If no line is returned, this is a finding. |
CCI-000126 (AU-2 d) |
|
TBD | TBD | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and unauthorized users. | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules :
-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 \ -k perm_modIf the system is 64 bit then also add the following: -a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod |
removexattr
system call, run the following command:
# auditctl -l | grep syscall | grep removexattrIf the system is configured to audit this activity, it will return a line. If no line is returned, this is a finding. |
CCI-000126 (AU-2 d) |
|
TBD | TBD | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and unauthorized users. | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
/etc/audit/audit.rules :
-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 \ -k perm_modIf the system is 64 bit then also add the following: -a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod |
setxattr
system call, run the following command:
# auditctl -l | grep syscall | grep setxattrIf the system is configured to audit this activity, it will return a line. If no line is returned, this is a finding. |
CCI-000126 (AU-2 d) |
|
TBD | TBD | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. | At a minimum the audit system should collect
unauthorized file accesses for all users and root. Add the following
to /etc/audit/audit.rules , setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access |
CCI-000126 (AU-2 d) |
||
TBD | TBD | Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. | At a minimum the audit system should collect the
execution of privileged commands for all users and root.
To find the relevant setuid programs:
# find / -type f -perm -4000 -o -perm -2000 2>/dev/nullThen, for each setuid program on the system, add a line of the following form to /etc/audit/audit.rules , where SETUID_PROG_PATH is the full path to each setuid program
in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged |
CCI-000040 (AC-6 (2)) |
||
TBD | TBD | The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss. | At a minimum the audit system should collect media
exportation events for all users and root. Add the following to
/etc/audit/audit.rules , setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export |
CCI-000366 (CM-6 b) |
||
TBD | TBD | Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting as well as detecting malicious processes that attempt to delete log files to conceal their presence. | At a minimum the audit system should collect file
deletion events for all users and root. Add the following to
/etc/audit/audit.rules , setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlink -S unlinkat -S rename -S renameat \ -F auid>=500 -F auid!=4294967295 -k delete |
unlink
system call, run the following command:
# auditctl -l | grep syscall | grep unlinkIf the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the unlinkat
system call, run the following command:
# auditctl -l | grep syscall | grep unlinkatIf the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the rename
system call, run the following command:
# auditctl -l | grep syscall | grep renameIf the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the renameat
system call, run the following command:
# auditctl -l | grep syscall | grep renameatIf the system is configured to audit this activity, it will return a line. If no line is returned, this is a finding. |
CCI-000126 (AU-2 d) |
|
TBD | TBD | The actions taken by system administrators should be audited to keep a record of what was executed on the system as well as for accountability purposes. | At a minimum the audit system should collect
administrator actions for all users and root. Add the following to
/etc/audit/audit.rules :
-w /etc/sudoers -p wa -k actions |
CCI-000366 (CM-6 b) |
||
TBD | TBD | The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. | Add the following to /etc/audit/audit.rules in order
to capture kernel module loading and unloading events:
-w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules -a always,exit -S init_module -S delete_module -k modules |
init_module
system call, run the following command:
# auditctl -l | grep syscall | grep init_moduleIf the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the delete_module
system call, run the following command:
# auditctl -l | grep syscall | grep delete_moduleIf the system is configured to audit this activity, it will return a line. If no line is returned, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself. |
The xinetd service can be disabled with the following command:
# chkconfig xinetd off |
xinetd service is disabled in system boot
configuration via chkconfig and not currently running on the system (runtime configuration).
Run the following command to verify xinetd is disabled through current
runtime configuration:
# service xinetd statusIf the service is disabled, the command will return: xinetd is stoppedRun the following command to verify xinetd is disabled through system
boot configuration:
# chkconfig
Output should indicate the xinetd service has been disabled at all runlevels,
as shown in the example below:
# chkconfig If the service is running, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD |
Removing the xinetd package decreases the risk of the
xinetd service's accidental (or intentional) activation.
|
The xinetd package can be uninstalled with the following command:
# yum erase xinetd |
xinetd package is installed:
# rpm -q xinetd If the package is installed, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD |
Removing the telnet-server package decreases the risk of the
telnet service's accidental (or intentional) activation.
|
The telnet-server package can be uninstalled with
the following command:
# yum erase telnet-server |
telnet-server package is installed:
# rpm -q telnet-server If the package is installed, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks. |
The telnet service can be disabled with the following command:
# chkconfig telnet off |
telnet service is disabled in system boot
configuration via chkconfig and not currently running on the system (runtime configuration).
Run the following command to verify telnet is disabled through current
runtime configuration:
# service telnet statusIf the service is disabled, the command will return: telnet is stoppedRun the following command to verify telnet is disabled through system
boot configuration:
# chkconfig
Output should indicate the telnet service has been disabled at all runlevels,
as shown in the example below:
# chkconfig If the service is running, this is a finding. |
CCI-001436 (AC-17 (8)) CCI-000196 (IA-5 (1) (c)) CCI-000197 (IA-5 (1) (c)) |
|
TBD | TBD | The rsh-server package provides several obsolete and insecure
network services. Removing it
decreases the risk of those services' accidental (or intentional)
activation.
|
The rsh-server package can be uninstalled with
the following command:
# yum erase rsh-server |
rsh-server package is installed:
# rpm -q rsh-server If the package is installed, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. | The rsh service, which is available with
the rsh-server package and runs as a service through xinetd,
should be disabled.
The rsh service can be disabled with the following command:
# chkconfig rsh off |
rsh service is disabled in system boot
configuration via chkconfig and not currently running on the system (runtime configuration).
Run the following command to verify rsh is disabled through current
runtime configuration:
# service rsh statusIf the service is disabled, the command will return: rsh is stoppedRun the following command to verify rsh is disabled through system
boot configuration:
# chkconfig
Output should indicate the rsh service has been disabled at all runlevels,
as shown in the example below:
# chkconfig If the service is running, this is a finding. |
CCI-001436 (AC-17 (8)) |
|
TBD | TBD | The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. | The rexec service, which is available with
the rsh-server package and runs as a service through xinetd,
should be disabled.
The rexec service can be disabled with the following command:
# chkconfig rexec off |
rexec service is disabled in system boot
configuration via chkconfig and not currently running on the system (runtime configuration).
Run the following command to verify rexec is disabled through current
runtime configuration:
# service rexec statusIf the service is disabled, the command will return: rexec is stoppedRun the following command to verify rexec is disabled through system
boot configuration:
# chkconfig
Output should indicate the rexec service has been disabled at all runlevels,
as shown in the example below:
# chkconfig If the service is running, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. | The rlogin service, which is available with
the rsh-server package and runs as a service through xinetd,
should be disabled.
The rlogin service can be disabled with the following command:
# chkconfig rlogin off |
rlogin service is disabled in system boot
configuration via chkconfig and not currently running on the system (runtime configuration).
Run the following command to verify rlogin is disabled through current
runtime configuration:
# service rlogin statusIf the service is disabled, the command will return: rlogin is stoppedRun the following command to verify rlogin is disabled through system
boot configuration:
# chkconfig
Output should indicate the rlogin service has been disabled at all runlevels,
as shown in the example below:
# chkconfig If the service is running, this is a finding. |
CCI-001436 (AC-17 (8)) |
|
TBD | TBD | Removing the ypserv package decreases the risk of the
accidental (or intentional) activation of NIS or NIS+ services.
|
The ypserv package can be uninstalled with
the following command:
# yum erase ypserv |
ypserv package is installed:
# rpm -q ypserv If the package is installed, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD |
Disabling the ypbind service ensures the system is not acting
as a client in a NIS or NIS+ domain.
|
The ypbind service, which allows the system to act as a client in
a NIS or NIS+ domain, should be disabled.
The ypbind service can be disabled with the following command:
# chkconfig ypbind off |
ypbind service is disabled in system boot
configuration via chkconfig and not currently running on the system (runtime configuration).
Run the following command to verify ypbind is disabled through current
runtime configuration:
# service ypbind statusIf the service is disabled, the command will return: ypbind is stoppedRun the following command to verify ypbind is disabled through system
boot configuration:
# chkconfig
Output should indicate the ypbind service has been disabled at all runlevels,
as shown in the example below:
# chkconfig If the service is running, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD |
Removing the tftp-server package decreases the risk of the
accidental (or intentional) activation of tftp services.
|
The tftp-server package can be removed with the following command:
# yum erase tftp-server |
tftp-server package is installed:
# rpm -q tftp-server If the package is installed, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD |
Disabling the tftp service ensures the system is not acting
as a tftp server, which does not provide encryption or authentication.
|
The tftp service should be disabled.
The tftp service can be disabled with the following command:
# chkconfig tftp off |
tftp service is disabled in system boot
configuration via chkconfig and not currently running on the system (runtime configuration).
Run the following command to verify tftp is disabled through current
runtime configuration:
# service tftp statusIf the service is disabled, the command will return: tftp is stoppedRun the following command to verify tftp is disabled through system
boot configuration:
# chkconfig
Output should indicate the tftp service has been disabled at all runlevels,
as shown in the example below:
# chkconfig If the service is running, this is a finding. |
CCI-001436 (AC-17 (8)) |
|
TBD | TBD | Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential. | The crond service is used to execute commands at
preconfigured times. It is required by almost all systems to perform necessary
maintenance tasks, such as notifying root of system activity.
The crond service can be enabled with the following command:
# chkconfig crond on |
crond service:
# service crond statusIf the service is enabled, it should return: crond is running... If the service is not running, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Many of the periodic or delayed execution features of the at daemon can be provided through the cron daemon instead. |
The at service can be disabled with the following command:
# chkconfig at off |
at service is disabled in system boot
configuration via chkconfig and not currently running on the system (runtime configuration).
Run the following command to verify at is disabled through current
runtime configuration:
# service at statusIf the service is disabled, the command will return: at is stoppedRun the following command to verify at is disabled through system
boot configuration:
# chkconfig
Output should indicate the at service has been disabled at all runlevels,
as shown in the example below:
# chkconfig If the service is running, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used. | Only SSH protocol version 2 connections should be
permitted. The default setting in
/etc/ssh/sshd_config is correct, and can be
verified by ensuring that the following
line appears:
Protocol 2 |
# grep Protocol /etc/ssh/sshd_configIf configured properly, output should be Protocol 2 If it is not, this is a finding. |
CCI-000776 (IA-2 (9)) CCI-000774 (IA-2 (8)) CCI-001135 (SC-11) |
|
TBD | TBD | Causing idle users to be automatically logged out guards against compromises one system leading trivially to compromises on another. | SSH allows administrators to set an idle timeout
interval.
After this interval has passed, the idle user will be
automatically logged out.
To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as
follows:
ClientAliveInterval intervalThe timeout interval is given in seconds. To have a timeout of 15 minutes, set interval to 900. If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle. |
# grep ClientAliveInterval /etc/ssh/sshd_configIf properly configured, the output should be: ClientAliveInterval 900 If it is not, this is a finding. |
CCI-000879 (MA-4 e) CCI-001133 (SC-10) |
|
TBD | TBD |
This ensures that a user login will be terminated as soon as the ClientAliveInternal
is reached.
|
To ensure that the SSH idle timeout occurs precisely when the ClientAliveInterval is set,
edit /etc/ssh/sshd_config as
follows:
ClientAliveCountMax 0 |
ClientAliveInterval is set, run the following command:
# grep ClientAliveCountMax /etc/ssh/sshd_configIf properly configured, output should be: ClientAliveCountMax 0 If it is not, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | SSH trust relationships mean that a compromise on one host can allow an attacker to move trivially to other hosts. | SSH can emulate the behavior of the obsolete rsh
command in allowing users to enable insecure access to their
accounts via .rhosts files.
To ensure that this behavior is disabled, add or correct the following line: IgnoreRhosts yes |
IgnoreRhosts
option is set, run the following command:
# grep -i IgnoreRhosts /etc/ssh/sshd_configIf no line, a commented line, or a line indicating the value yes is returned, then the required value is set.
If the required value is not set, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | SSH trust relationships mean that a compromise on one host can allow an attacker to move trivially to other hosts. | SSH's cryptographic host-based authentication is
more secure than .rhosts authentication,
since hosts are cryptographically authenticated. However, it is
not recommended that hosts unilaterally trust one another, even
within an organization.
To disable host-based authentication, add or correct the following line: HostbasedAuthentication no |
HostbasedAuthentication
option is set, run the following command:
# grep -i HostbasedAuthentication /etc/ssh/sshd_configIf no line, a commented line, or a line indicating the value no is returned, then the required value is set.
If the required value is not set, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on root’s password. | The root user should never be allowed to login to a
system directly over a network.
To disable root login via SSH, add or correct the following line:
PermitRootLogin no |
PermitRootLogin
option is set, run the following command:
# grep -i PermitRootLogin /etc/ssh/sshd_configIf a line indicating no is returned, then the required value is set. If the required value is not set, this is a finding. |
CCI-000770 (IA-2 (5) (b)) |
|
TBD | TBD | Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. | To explicitly disallow remote login from accounts with
empty passwords, add or correct the following line:
PermitEmptyPasswords noAny accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords. |
PermitEmptyPasswords
option is set, run the following command:
# grep -i PermitEmptyPasswords /etc/ssh/sshd_configIf no line, a commented line, or a line indicating the value no is returned, then the required value is set.
If the required value is not set, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Although unlikely to dissuade a serious attacker, the warning message reinforces policy awareness during the logon process. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution. |
To enable the warning banner and ensure it is consistent
across the system, add or correct the following line in /etc/ssh/sshd_config :
Banner /etc/issueAnother section contains information on how to create an appropriate system-wide warning banner. |
Banner
option is set, run the following command:
# grep -i Banner /etc/ssh/sshd_configIf a line indicating /etc/issue is returned, then the required value is set. If the required value is not set, this is a finding. |
CCI-000048 (AC-8 a) |
|
TBD | TBD | SSH environment options potentially allow users to bypass access restriction in some configurations. | To ensure users are not able to present
environment options to the SSH daemon, add or correct the following line
in /etc/ssh/sshd_config :
PermitUserEnvironment no |
# grep PermitUserEnvironment /etc/ssh/sshd_configIf properly configured, output should be: PermitUserEnvironment no If it is not, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Approved algorithms should impart some level of confidence in their implementation. These are also required for compliance. | Limit the ciphers to those algorithms which are FIPS-approved.
Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.
The following line in /etc/ssh/sshd_config
demonstrates use of FIPS-approved ciphers in CTR mode:
Ciphers aes128-ctr,aes192-ctr,aes256-ctrThe man page sshd_config(5) contains a list of supported ciphers.
Note that older or less capable versions of SSH client or server software
may still be found on systems such as networking equipment, and these
may not support CTR mode. This may become an issue if, for example,
these systems need to retrieve files from your SSH server using SFTP.
TODO: Need to investigate current status of this. Earlier issues with
CBC were supposed to be fixed. |
$ grep Ciphers /etc/ssh/sshd_configThe output should contain only those ciphers which are FIPS-approved. If that is not the case, this is a finding. |
CCI-000803 (IA-7) CCI-001144 (SC-13) CCI-001145 (SC-13 (1)) CCI-001146 (SC-13 (2)) CCI-000196 (IA-5 (1) (c)) |
|
TBD | TBD | Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted. |
The avahi-daemon service can be disabled with the following command:
# chkconfig avahi-daemon off |
avahi-daemon service is disabled in system boot
configuration via chkconfig and not currently running on the system (runtime configuration).
Run the following command to verify avahi-daemon is disabled through current
runtime configuration:
# service avahi-daemon statusIf the service is disabled, the command will return: avahi-daemon is stoppedRun the following command to verify avahi-daemon is disabled through system
boot configuration:
# chkconfig
Output should indicate the avahi-daemon service has been disabled at all runlevels,
as shown in the example below:
# chkconfig If the service is running, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Unmanaged or unintentionally activate DHCP servers may provide faulty information to clients, interfering with the operation of a legitimate site DHCP server if there is one. | The dhcpd service should be disabled on
any system that does not need to act as a DHCP server.
The dhcpd service can be disabled with the following command:
# chkconfig dhcpd off |
dhcpd service is disabled in system boot
configuration via chkconfig and not currently running on the system (runtime configuration).
Run the following command to verify dhcpd is disabled through current
runtime configuration:
# service dhcpd statusIf the service is disabled, the command will return: dhcpd is stoppedRun the following command to verify dhcpd is disabled through system
boot configuration:
# chkconfig
Output should indicate the dhcpd service has been disabled at all runlevels,
as shown in the example below:
# chkconfig If the service is running, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Removing the DHCP server ensures that it cannot be easily or accidentally reactivated and disrupt network operation. | If the system does not need to act as a DHCP server,
the dhcp package can be uninstalled.
The dhcp package can be removed with the following command:
# yum erase dhcp |
dhcp package is installed:
# rpm -q dhcp If the package is installed, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Enabling the ntpd service ensures that the ntpd
service will be running and that the system will synchronize its time to
any servers specified. This is important whether the system is configured to be
a client (and synchronize only its own clock) or it is also acting as an NTP
server to other systems. Synchronizing time is essential for authentication
services such as Kerberos, but it is also important for maintaining accurate
logs and auditing possible security breaches. |
The ntpd service can be enabled with the following command:
# chkconfig ntpd on |
ntpd service:
# service ntpd statusIf the service is enabled, it should return: ntpd is running... If the service is not running, this is a finding. |
CCI-000160 (AU-8 (1)) |
|
TBD | TBD | Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events. Using a trusted NTP server provided by your organization is recommended. | To specify a remote NTP server for time synchronization, edit
the file /etc/ntp.conf . Add or correct the following lines,
substituting the IP or hostname of a remote NTP server for ntpserver:
server ntpserverThis instructs the NTP software to contact that remote server to obtain time data. |
/etc/ntp.confIn the file, there should be a section similar to the following: # --- OUR TIMESERVERS ----- server ntpserver If this is not the case, this is a finding. |
CCI-000160 (AU-8 (1)) |
|
TBD | TBD |
This ensures that postfix accepts mail messages
(such as cron job reports) from the local system only,
and not from the network, which protects it from network attack.
|
Edit the file /etc/postfix/main.cf to ensure that only the following
inet_interfaces line appears:
inet_interfaces = localhost |
$ grep inet_interfaces /etc/postfix/main.cfIf properly configured, the output should show only localhost .
If it does not, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | The ssl directive specifies whether to use ssl or not. If not specified it will default to no. It should be set to start_tls rather than doing LDAP over SSL. | Configure LDAP to enforce TLS use. First, edit the file
/etc/pam_ldap.conf , and add or correct the following lines:
ssl start_tlsThen review the LDAP server and ensure TLS has been configured. |
$ grep start_tls /etc/pam_ldap.conf If no lines are returned, this is a finding. |
CCI-000776 (IA-2 (9)) CCI-000778 (IA-3) CCI-001453 (AC-17 (2)) |
|
TBD | TBD | The tls_cacertdir or tls_cacertfile directives are required when tls_cheekpeer is configured (which is the default for openldap versions 2.1 and up). These directives define the path to the trust certificates signed by the site CA. | Ensure a copy of the site's CA certificate has been placed in
the file /etc/pki/tls/CA/cacert.pem . Configure LDAP to enforce TLS
use and to trust certificates signed by the site's CA. First, edit the file
/etc/pam_ldap.conf , and add or correct either of the following lines:
tls_cacertdir /etc/pki/tls/CAor tls_cacertfile /etc/pki/tls/CA/cacert.pemThen review the LDAP server and ensure TLS has been configured. |
CCI-000776 (IA-2 (9)) CCI-000778 (IA-3) CCI-001453 (AC-17 (2)) |
||
TBD | TBD | The openldap-servers package should be removed if not in use.
Is this machine the OpenLDAP server? If not, remove the package:
# yum erase openldap-serversThe openldap-servers RPM is not installed by default on RHEL6 machines. It is needed only by the OpenLDAP server, not by the clients which use LDAP for authentication. If the system is not intended for use as an LDAP Server it should be removed. |
openldap-servers package is not installed,
run the following command:
$ rpm -q openldap-serversThe output should show: package openldap-servers is not installed If it does not, this is a finding. |
CCI-000366 (CM-6 b) |
||
TBD | TBD | The Network File System (NFS) service allows remote hosts to mount and interact with shared filesystems on the local machine. If the local machine is not designated as a NFS server then this service should be disabled.
The nfs service can be disabled with the following command:
# chkconfig nfs off |
nfs service is disabled in system boot, as well as
not currently running. First, run the following to verify the service is stopped:
$ service nfs statusIf the service is stopped or disabled, it will return the following: rpc.svcgssd is stopped rpc.mountd is stopped nfsd is stopped rpc.rquotad is stoppedTo verify that the nfs service is disabled, run the following command:
$ chkconfig --list nfsIf properly configured, the output should look like: nfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off If it does not, this is a finding. |
CCI-000366 (CM-6 b) |
||
TBD | TBD | The rpcsvcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC (most often Kerberos and NFS). The rpcsvcgssd service is the server-side of RPCSEC GSS. If the system does not require secure RPC then this service should be disabled.
The rpcsvcgssd service can be disabled with the following command:
# chkconfig rpcsvcgssd off |
rpcsvcgssd service is disabled in system boot
configuration via chkconfig and not currently running on the system (runtime configuration).
Run the following command to verify rpcsvcgssd is disabled through current
runtime configuration:
# service rpcsvcgssd statusIf the service is disabled, the command will return: rpcsvcgssd is stoppedRun the following command to verify rpcsvcgssd is disabled through system
boot configuration:
# chkconfig
Output should indicate the rpcsvcgssd service has been disabled at all runlevels,
as shown in the example below:
# chkconfig If the service is running, this is a finding. |
CCI-000366 (CM-6 b) |
||
TBD | TBD | Setting the idle delay controls when the screensaver will start, and can be combined with screen locking to prevent access from passersby. |
The idle time-out value for period of inactivity GNOME
desktop lockout should be 15 minutes.
# gconftool-2 \ --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type int \ --set /apps/gnome-screensaver/idle_delay 15 |
$ gconftool-2 -g /apps/gnome-screensaver/idle_delayIf properly configured, the output should be 15 .
If it is not, this is a finding. |
CCI-000057 (AC-11 a) |
|
TBD | TBD | Enabling idle activation of the screen saver ensures that the screensaver will be activated after the idle delay. | Idle activation of the screen saver should be
enabled
# gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/gnome-screensaver/idle_activation_enabled true |
$ gconftool-2 -g /apps/gnome-screensaver/idle_activation_enabledIf properly configured, the output should be true .
If it is not, this is a finding. |
CCI-000057 (AC-11 a) |
|
TBD | TBD | Enabling the activation of the screen lock after an idle period ensures that password entry will be required in order to access the system, preventing access by passersby. | Idle activation of the screen lock should be
enabled.
# gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/gnome-screensaver/lock_enabled true |
$ gconftool-2 -g /apps/gnome-screensaver/lock_enabledIf properly configured, the output should be true .
If it is not, this is a finding. |
CCI-000057 (AC-11 a) |
|
TBD | TBD | Setting the screensaver mode to blank-only conceals the contents of the display from passersby. |
The screen saver should be blank.
# gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type string \ --set /apps/gnome-screensaver/mode blank-only |
$ gconftool-2 -g /apps/gnome-screensaver/modeIf properly configured, the output should be blank-only
If it is not, this is a finding. |
CCI-000060 (AC-11 (1)) |
|
TBD | TBD | Mishandling crash data could expose sensitive information about vulnerablities in software executing on the local machine, as well as sensitive information from within a process's address space or registers. | The Automatic Bug Reporting Tool (abrtd ) daemon collects
and reports crash data when an application crash is detected. Using a variety
of plugins, abrtd can email crash reports to system administrators, log crash
reports to files, or forward crash reports to a centralized issue tracking
system such as RHTSupport.
The abrtd service can be disabled with the following command:
# chkconfig abrtd off |
abrtd service is disabled in system boot
configuration via chkconfig and not currently running on the system (runtime configuration).
Run the following command to verify abrtd is disabled through current
runtime configuration:
# service abrtd statusIf the service is disabled, the command will return: abrtd is stoppedRun the following command to verify abrtd is disabled through system
boot configuration:
# chkconfig
Output should indicate the abrtd service has been disabled at all runlevels,
as shown in the example below:
# chkconfig If the service is running, this is a finding. |
CCI-000382 (CM-7) |
|
TBD | TBD |
The atd service could be used by an unsophisticated insider to carry
out activities outside of a normal login session, which could complicate
accountability. Furthermore, the need to schedule tasks with at or
batch is not common.
|
The at and batch commands can be used to
schedule tasks that are meant to be executed only once. This allows delayed
execution in a manner similar to cron, except that it is not
recurring. The daemon atd keeps track of tasks scheduled via
at and batch , and executes them at the specified time.
The atd service can be disabled with the following command:
# chkconfig atd off |
atd service is disabled in system boot
configuration via chkconfig and not currently running on the system (runtime configuration).
Run the following command to verify atd is disabled through current
runtime configuration:
# service atd statusIf the service is disabled, the command will return: atd is stoppedRun the following command to verify atd is disabled through system
boot configuration:
# chkconfig
Output should indicate the atd service has been disabled at all runlevels,
as shown in the example below:
# chkconfig If the service is running, this is a finding. |
CCI-000382 (CM-7) |
|
TBD | TBD | All filesystems that are required for the successful operation of the system should be explicitly listed in /etc/fstab by and administrator. New filesystems should not be arbitrarily introduced via the automounter. | The autofs daemon mounts and unmounts filesystems, such as user
home directories shared via NFS, on demand. In addition, autofs can be used to handle
removable media, and the default configuration provides the cdrom device as /misc/cd .
However, this method of providing access to removable media is not common, so autofs
can almost always be disabled if NFS is not in use. Even if NFS is required, it is
almost always possible to configure filesystem mounts statically by editing /etc/fstab
rather than relying on the automounter.
If the autofs service is not needed to dynamically mount NFS filesystems
or removable media, disable the service for all runlevels:
# chkconfig --level 0123456 autofs off |
autofs service is disabled, run the following command:
chkconfig --list autofsIf properly configured, the output should be: autofs 0:off 1:off 2:off 3:off 4:off 5:off 6:off If it does not, this is a finding. |
CCI-001250 (SI-3 (5)) CCI-000085 (AC-19 c) |
|
TBD | TBD | The ntpdate service may only be suitable for systems which
are rebooted frequently enough that clock drift does not cause problems between
reboots. In any event, the functionality of the ntpdate service is now
available in the ntpd program and should be considered deprecated. |
The ntpdate service sets the local hardware clock by polling NTP servers
when the system boots. It synchronizes to the NTP servers listed in
/etc/ntp/step-tickers or /etc/ntp.conf
and then sets the local hardware clock to the newly synchronized
system time.
The ntpdate service can be disabled with the following command:
# chkconfig ntpdate off |
ntpdate service is disabled in system boot
configuration via chkconfig and not currently running on the system (runtime configuration).
Run the following command to verify ntpdate is disabled through current
runtime configuration:
# service ntpdate statusIf the service is disabled, the command will return: ntpdate is stoppedRun the following command to verify ntpdate is disabled through system
boot configuration:
# chkconfig
Output should indicate the ntpdate service has been disabled at all runlevels,
as shown in the example below:
# chkconfig If the service is running, this is a finding. |
CCI-000382 (CM-7) |
|
TBD | TBD | The oddjobd service may provide necessary functionality in
some environments but it can be disabled if it is not needed. Execution of
tasks by privileged programs, on behalf of unprivileged ones, has traditionally
been a source of privilege escalation security issues. |
The oddjobd service exists to provide an interface and
access control mechanism through which
specified privileged tasks can run tasks for unprivileged client
applications. Communication with oddjobd through the system message bus.
The oddjobd service can be disabled with the following command:
# chkconfig oddjobd off |
oddjobd service is disabled in system boot
configuration via chkconfig and not currently running on the system (runtime configuration).
Run the following command to verify oddjobd is disabled through current
runtime configuration:
# service oddjobd statusIf the service is disabled, the command will return: oddjobd is stoppedRun the following command to verify oddjobd is disabled through system
boot configuration:
# chkconfig
Output should indicate the oddjobd service has been disabled at all runlevels,
as shown in the example below:
# chkconfig If the service is running, this is a finding. |
CCI-000382 (CM-7) |
|
TBD | TBD | The qpidd service is automatically installed when the "base"
package selection is selected during installation. The qpidd service listens
for network connections which increases the attack surface of the system. If
the system is not intended to receive AMQP traffic then the qpidd
service is not needed and should be disabled or removed. |
The qpidd service provides high speed, secure,
guaranteed delivery services. It is an implementation of the Advanced Message
Queuing Protocol. By default the qpidd service will bind to port 5672 and
listen for connection attempts.
The qpidd service can be disabled with the following command:
# chkconfig qpidd off |
qpidd service is disabled in system boot
configuration via chkconfig and not currently running on the system (runtime configuration).
Run the following command to verify qpidd is disabled through current
runtime configuration:
# service qpidd statusIf the service is disabled, the command will return: qpidd is stoppedRun the following command to verify qpidd is disabled through system
boot configuration:
# chkconfig
Output should indicate the qpidd service has been disabled at all runlevels,
as shown in the example below:
# chkconfig If the service is running, this is a finding. |
CCI-000382 (CM-7) |
|
TBD | TBD | General-purpose systems typically have their network and routing information configured statically by a system administrator. Workstations or some special-purpose systems often use DHCP (instead of IRDP) to retrieve dynamic network configuration information. | The rdisc service implements the client side of the ICMP
Internet Router Discovery Protocol (IRDP), which allows discovery of routers on
the local subnet. If a router is discovered then the local routing table is
updated with a corresponding default route. By default this daemon is disabled.
The rdisc service can be disabled with the following command:
# chkconfig rdisc off |
rdisc service is disabled in system boot
configuration via chkconfig and not currently running on the system (runtime configuration).
Run the following command to verify rdisc is disabled through current
runtime configuration:
# service rdisc statusIf the service is disabled, the command will return: rdisc is stoppedRun the following command to verify rdisc is disabled through system
boot configuration:
# chkconfig
Output should indicate the rdisc service has been disabled at all runlevels,
as shown in the example below:
# chkconfig If the service is running, this is a finding. |
CCI-000382 (CM-7) |
|
TBD | TBD | By default the sysstat service merely runs a program at
boot to reset the statistics, which can be retrieved using programs such as
sar and sadc . These may provide useful insight into system
operation, but unless used this service can be disabled. |
The sysstat service resets various I/O and CPU
performance statistics to zero in order to begin counting from a fresh state
at boot time.
The sysstat service can be disabled with the following command:
# chkconfig sysstat off |
sysstat service is disabled in system boot
configuration via chkconfig and not currently running on the system (runtime configuration).
Run the following command to verify sysstat is disabled through current
runtime configuration:
# service sysstat statusIf the service is disabled, the command will return: sysstat is stoppedRun the following command to verify sysstat is disabled through system
boot configuration:
# chkconfig
Output should indicate the sysstat service has been disabled at all runlevels,
as shown in the example below:
# chkconfig If the service is running, this is a finding. |
CCI-000382 (CM-7) |
|
TBD | TBD | Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users. | The nodev option should be enabled for all NFS mounts |
nodev option is configured for all NFS mounts, run the following command:
$ mount | grep nfsAll NFS mounts should show the nodev setting in parentheses.
If the setting does not show, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem. | The nosuid option should be enabled for all NFS mounts |
nosuid option is configured for all NFS mounts, run the following command:
$ mount | grep nfsAll NFS mounts should show the nosuid setting in parentheses.
If the setting does not show, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | All network services involve some risk of compromise due to implementation flaws and should be disabled if possible. |
The named service can be disabled with the following command:
# chkconfig named off |
named service is disabled in system boot
configuration via chkconfig and not currently running on the system (runtime configuration).
Run the following command to verify named is disabled through current
runtime configuration:
# service named statusIf the service is disabled, the command will return: named is stoppedRun the following command to verify named is disabled through system
boot configuration:
# chkconfig
Output should indicate the named service has been disabled at all runlevels,
as shown in the example below:
# chkconfig If the service is running, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | If there is no need to make DNS server software available, removing it provides a safeguard against its activation. | To remove the bind package, which contains the
named service, run the following command:
# yum erase bind |
bind package is installed:
# rpm -q bind If the package is installed, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Running FTP server software provides a network-based avenue of attack, and should be disabled if not needed. Furthermore, the FTP protocol is unencrypted and creates a risk of compromising sensitive information. |
The vsftpd service can be disabled with the following command:
# chkconfig vsftpd off |
vsftpd service is disabled in system boot
configuration via chkconfig and not currently running on the system (runtime configuration).
Run the following command to verify vsftpd is disabled through current
runtime configuration:
# service vsftpd statusIf the service is disabled, the command will return: vsftpd is stoppedRun the following command to verify vsftpd is disabled through system
boot configuration:
# chkconfig
Output should indicate the vsftpd service has been disabled at all runlevels,
as shown in the example below:
# chkconfig If the service is running, this is a finding. |
CCI-001436 (AC-17 (8)) |
|
TBD | TBD | Removing the vsftpd package decreases the risk of its accidental activation. |
The vsftpd package can be removed with the following command:
# yum erase vsftpd |
vsftpd package is installed:
# rpm -q vsftpd If the package is installed, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Running web server software provides a network-based avenue of attack, and should be disabled if not needed. |
The httpd service can be disabled with the following command:
# chkconfig httpd off |
httpd service is disabled in system boot
configuration via chkconfig and not currently running on the system (runtime configuration).
Run the following command to verify httpd is disabled through current
runtime configuration:
# service httpd statusIf the service is disabled, the command will return: httpd is stoppedRun the following command to verify httpd is disabled through system
boot configuration:
# chkconfig
Output should indicate the httpd service has been disabled at all runlevels,
as shown in the example below:
# chkconfig If the service is running, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | If there is no need to make the web server software available, removing it provides a safeguard against its activation. |
The httpd package can be removed with the following command:
# yum erase httpd |
httpd package is installed:
# rpm -q httpd If the package is installed, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Running an IMAP or POP3 server provides a network-based avenue of attack, and should be disabled if not needed. |
The dovecot service can be disabled with the following command:
# chkconfig dovecot off |
dovecot service is disabled in system boot
configuration via chkconfig and not currently running on the system (runtime configuration).
Run the following command to verify dovecot is disabled through current
runtime configuration:
# service dovecot statusIf the service is disabled, the command will return: dovecot is stoppedRun the following command to verify dovecot is disabled through system
boot configuration:
# chkconfig
Output should indicate the dovecot service has been disabled at all runlevels,
as shown in the example below:
# chkconfig If the service is running, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | If there is no need to make the Dovecot software available, removing it provides a safeguard against its activation. | The dovecot package can be uninstalled
with the following command:
# yum erase dovecot |
dovecot package is installed:
# rpm -q dovecot If the package is installed, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Running a Samba server provides a network-based avenue of attack, and should be disabled if not needed. |
The smb service can be disabled with the following command:
# chkconfig smb off |
smb service is disabled in system boot
configuration via chkconfig and not currently running on the system (runtime configuration).
Run the following command to verify smb is disabled through current
runtime configuration:
# service smb statusIf the service is disabled, the command will return: smb is stoppedRun the following command to verify smb is disabled through system
boot configuration:
# chkconfig
Output should indicate the smb service has been disabled at all runlevels,
as shown in the example below:
# chkconfig If the service is running, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit. |
To require samba clients running smbclient to use
packet signing, add the following to the [global] section
of the Samba configuration file:
client signing = mandatoryRequiring samba clients such as smbclient to use packet
signing ensures that they can
only communicate with servers that support packet signing.
|
# grep signing /etc/samba/smb.confThe output should show: client signing = mandatory If it is not, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit. | Require packet signing of clients who mount Samba
shares using the mount.cifs program (e.g., those who specify shares
in /etc/fstab ). To do so, ensure that signing options (either
sec=krb5i or sec=ntlmv2i ) are used.
See the mount.cifs(8) man page for more information. A Samba
client should only communicate with servers who can support SMB
packet signing.
|
# grep sec /etc/fstabThe output should show either krb5i or ntlmv2i in use.
If it does not, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Running proxy server software provides a network-based avenue of attack, and should be removed if not needed. |
The squid service can be disabled with the following command:
# chkconfig squid off |
squid service is disabled in system boot
configuration via chkconfig and not currently running on the system (runtime configuration).
Run the following command to verify squid is disabled through current
runtime configuration:
# service squid statusIf the service is disabled, the command will return: squid is stoppedRun the following command to verify squid is disabled through system
boot configuration:
# chkconfig
Output should indicate the squid service has been disabled at all runlevels,
as shown in the example below:
# chkconfig If the service is running, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | If there is no need to make the proxy server software available, removing it provides a safeguard against its activation. |
The squid package can be removed with the following command:
# yum erase squid |
squid package is installed:
# rpm -q squid If the package is installed, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Running SNMP software provides a network-based avenue of attack, and should be disabled if not needed. |
The snmpd service can be disabled with the following command:
# chkconfig snmpd off |
snmpd service is disabled in system boot
configuration via chkconfig and not currently running on the system (runtime configuration).
Run the following command to verify snmpd is disabled through current
runtime configuration:
# service snmpd statusIf the service is disabled, the command will return: snmpd is stoppedRun the following command to verify snmpd is disabled through system
boot configuration:
# chkconfig
Output should indicate the snmpd service has been disabled at all runlevels,
as shown in the example below:
# chkconfig If the service is running, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | If there is no need to run SNMP server software, removing the package provides a safeguard against its activation. | The net-snmp package provides the snmpd service.
The net-snmpd package can be removed with the following command:
# yum erase net-snmpd |
net-snmpd package is installed:
# rpm -q net-snmpd If the package is installed, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. | Do not allow users to reuse recent passwords. This can
be accomplished by using the remember option for the pam_unix PAM
module. In order to prevent a user from re-using any of their
last passwords,
append remember= to
the password line which uses the pam_unix module in the file
/etc/pam.d/system-auth , as shown:
password sufficient pam_unix.so existing_options remember=Old (and thus no longer valid) passwords are stored in the file /etc/security/opasswd . The DoD requirement is currently 24 passwords. |
CCI-000200 (IA-5 (1) (e)) |
||
TBD | TBD | Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated. | The RPM package management system can check file access
permissions of installed software packages, including many that are
important to system security. The following command will list which
files on the system have permissions that are different from what
is expected by the RPM database:
# rpm -Va | grep '^.M' |
# rpm -Va | grep '^.M' If there is output, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Setting the system's runlevel to 3 will prevent automatic startup
of the X server. To do so, ensure that the following line in /etc/inittab
features a 3 as shown:
id:3:initdefault: |
# grep initdefault /etc/inittabThe output should show the following: id:3:initdefault: If it does not, this is a finding. |
CCI-000366 (CM-6 b) |
||
TBD | TBD | Removing all packages which constitute the X Window System
ensures that users or malicious software cannot start X.
To do so, run the following command:
# yum groupremove "X Window System" |
$ rpm -qi xorg-x11-server-common If there is output, this is a finding. |
CCI-000366 (CM-6 b) |
||
TBD | TBD | DHCP relies on trusting the local network. If the local network is not trusted, then it should not be used. However, the automatic configuration provided by DHCP is commonly used and the alternative, manual configuration, presents an unacceptable burden in many circumstances. |
For each interface IFACE on the system (e.g. eth0), edit
/etc/sysconfig/network-scripts/ifcfg-IFACE and make the
following changes:
|
# /etc/sysconfig/network-scripts/ifcfg-IFACELook for the following: BOOTPROTO=staticand the following, substituting the appropriate values based on your site's addressing scheme: NETMASK=255.255.255.0 IPADDR=192.168.1.2 GATEWAY=192.168.1.1 If it does not, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. | Do not allow users to reuse recent passwords. This can
be accomplished by using the remember option for the pam_unix PAM
module. In order to prevent a user from re-using any of their
last passwords,
append remember= to
the password line which uses the pam_unix module in the file
/etc/pam.d/system-auth , as shown:
password sufficient pam_unix.so existing_options remember=Old (and thus no longer valid) passwords are stored in the file /etc/security/opasswd . The DoD requirement is currently 24 passwords. |
CCI-000200 (IA-5 (1) (e)) |
||
TBD | TBD | Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so that they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed. | If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user. |
# find PART -xdev -nouser -print If files exist that aren't owned by a valid user, this is a finding. |
CCI-000224 (AC-4 (17) (c)) |
|
TBD | TBD | By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files. |
AIDE should be executed on a periodic basis to check for changes.
To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * * root /usr/sbin/aide --checkAIDE can be executed periodically through other means; this is merely one example. |
CCI-000416 (CM-8 (3) (a)) CCI-001166 (SC-18 (1)) CCI-001263 (SI-4 (5)) CCI-001496 (AU-9 (3)) |
||
TBD | TBD | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. | To disable core dumps for all users, add the following line to
/etc/security/limits.conf :
* hard core 0 |
$ grep core /etc/security/limits.confThe output should be: * hard core 0 If it is not, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Allowing insecure file locking could allow for sensitive data to be viewed or edited by an unauthorized user. | By default the NFS server requires secure file-lock requests, which require credentials
from the client in order to lock a file. Most NFS clients send credentials with file lock requests,
however, there are a few clients that do not send credentials when requesting a file-lock, allowing
the client to only be able to lock world-readable files. To get around this, the insecure_locks
option can be used so these clients can access the desired export. This poses a security risk by
potentially allowing the client access to data for which it does not have authorization.
Remove any instances of the
insecure_locks option from the file /etc/exports .
|
/etc/exports for any instances of the insecure_locks .
|
CCI-000764 (IA-2) |
|
TBD | TBD | Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. | The auditd service can be configured to take an action
when disk space starts to run low.
Edit the file /etc/audit/auditd.conf . Modify the following line,
substituting ACTION appropriately:
space_left_action = ACTIONPossible values for ACTION are described in the auditd.conf man page.
These include:
email (instead of the default,
which is suspend ) as it is more likely to get prompt attention.
|
/etc/audit/auditd.conf and locate the following line to
determine if the system is configured to email the administrator when
disk space is starting to run low:
space_left_action email If the system isn't configured to send an email to the system administrator when disk space is starting to run low, this is a finding. |
CCI-000140 (AU-5 b) CCI-000143 (AU-5 (1)) CCI-000144 (AU-5 (2)) |
|
TBD | TBD | Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action. | The auditd service can be configured to send email to
a designated account in certain situations. Add or correct the following line
in /etc/audit/auditd.conf to ensure that administrators are notified
via email for those situations:
action_mail_acct = root |
/etc/audit/auditd.conf and locate the following line to
determine if the system is configured to send email to an
account when it needs to notify an administrator:
action_mail_acct = root If auditd isn't configured to send emails per identified actions, this is a finding. |
CCI-000139 (AU-5 a) |
|
TBD | TBD | If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation. | The kernel's module loading system can be configured to prevent
loading of the Bluetooth module. Add the following to
the appropriate /etc/modprobe.d configuration file
to prevent the loading of the Bluetooth module:
install net-pf-31 /bin/true install bluetooth /bin/true |
bluetooth kernel module,
it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf .
These lines instruct the module loading system to run another program (such as
/bin/true ) upon a module install event.
Run the following command to search for such lines in all files in /etc/modprobe.d
and the deprecated /etc/modprobe.conf :
$ grep -r bluetooth /etc/modprobe.conf /etc/modprobe.dIf the system is configured to prevent the loading of the net-pf-31 kernel module,
it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf .
These lines instruct the module loading system to run another program (such as
/bin/true ) upon a module install event.
Run the following command to search for such lines in all files in /etc/modprobe.d
and the deprecated /etc/modprobe.conf :
$ grep -r net-pf-31 /etc/modprobe.conf /etc/modprobe.d If no line is returned, this is a finding. |
CCI-000085 (AC-19 c) |
|
TBD | TBD | USB storage devices such as thumb drives can be used to introduce unauthorized software and other vulnerabilities. Support for these devices should be disabled and the devices themselves should be tightly controlled. |
If USB storage devices should not be used, the modprobe program
used for automatic kernel module loading should be configured to not load
the USB storage driver upon demand. Add the following line to the appropriate
file in /etc/modprobe.d/ to prevent loading of the usb-storage
kernel module:
install usb-storage /bin/trueThis will prevent the modprobe program from loading the usb-storage
module, but will not prevent an administrator (or another program) from using the
insmod program to load the module manually. |
usb-storage kernel module,
it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf .
These lines instruct the module loading system to run another program (such as
/bin/true ) upon a module install event.
Run the following command to search for such lines in all files in /etc/modprobe.d
and the deprecated /etc/modprobe.conf :
$ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d If no line is returned, this is a finding. |
CCI-001250 (SI-3 (5)) CCI-000085 (AC-19 c) |
|
TBD | TBD | Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions. |
Limiting the number of allowed users and sessions per user can limit risks related to Denial of
Service attacks. This addresses concurrent sessions for a single account and does not address
concurrent sessions by a single user via multiple accounts. To set the number of concurrent
sessions per user add the following line in /etc/security/limits.conf :
* hard maxlogins MAXWhere MAX is the maximum number of login sessions allowed. |
maxlogins value is configured for all users
on the system:
# grep "maxlogins" /etc/security/limits.confYou should receive output simular to the following: * hard maxlogins MAXWhere MAX represents the value you have chosen. If it is not similar, this is a finding. |
CCI-000054 (AC-10) |
|
TBD | TBD | In iptables the default policy is applied only after all
the applicable rules in the table are examined for a match. Setting the
default policy to DROP implements proper design for a firewall, i.e.
any packets which are not explicitly permitted should not be
accepted. |
To set the default policy to DROP (instead of ACCEPT) for
the built-in FORWARD chain which processes packets that will be forwarded from
one interface to another,
add or correct the following line in
/etc/sysconfig/iptables :
:FORWARD DROP [0:0] |
FORWARD policy is DROP :
grep ":FORWARD" /etc/sysconfig/iptablesThe output should be simular to the following: # grep ":FORWARD" /etc/sysconfig/iptables :FORWARD DROP [0:0 |
CCI-001109 (SC-7 (5)) |
|
TBD | TBD | Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network. | The Openswan package provides an implementation of IPsec
and IKE, which permits the creation of secure tunnels over
untrusted networks.
The openswan package can be installed with the following command:
# yum install openswan |
openswan package is installed:
# rpm -q openswan If the package is installed, this is a finding. |
CCI-001130 (SC-9) CCI-001131 (SC-9 (1)) CCI-001135 (SC-11) |
|
TBD | TBD | Although unlikely to dissuade a serious attacker, the warning message reinforces policy awareness during the logon process. |
To enable displaying a login warning banner in the GNOME
Display Manager's login screen, run the following command:
sudo -u gdm gconftool-2 \ --type bool \ --set /apps/gdm/simple-greeter/banner_message_enable trueTo display a banner, this setting must be enabled and then banner text must also be set. |
/etc/gconf/schemas/gdm-simple-greeter.schemasSearch for the banner_message_enable schema.
If properly configured, the default value should be true .
If it is not, this is a finding. |
CCI-000048 (AC-8 a) CCI-000050 (AC-8 b) |
|
TBD | TBD | Although unlikely to dissuade a serious attacker, the warning message reinforces policy awareness during the logon process. |
To set the text shown by the GNOME Display Manager
in the login screen, run the following command:
sudo -u gdm gconftool-2 \ --type string \ --set /apps/gdm/simple-greeter/banner_message_text \ "Text of the warning banner here"When entering a warning banner that spans several lines, remember to begin and end the string with " . This command writes
directly to the file /var/lib/gdm/.gconf/apps/gdm/simple-greeter/%gconf.xml ,
and this file can later be edited directly if necessary.
|
/etc/gconf/schemas/gdm-simple-greeter.schemasSearch for the banner_message_text schema.
If properly configured, the proper banner text will appear within this schema.
If it does not, this is a finding. |
CCI-000048 (AC-8 a) CCI-001384 (AC-8 c) CCI-001385 (AC-8 c) CCI-001386 (AC-8 c) CCI-001387 (AC-8 c) CCI-001388 (AC-8 c) |
|
TBD | TBD | Disabling the bluetooth service prevents the system from attempting
connections to to Bluetooth devices, which entails some security risk.
Nevertheless, variation in this risk decision may be expected due to the
utility of Bluetooth connectivity and its limited range. |
The bluetooth service can be disabled with the following command:
# chkconfig bluetooth off |
bluetooth service is disabled in system boot
configuration via chkconfig and not currently running on the system (runtime configuration).
Run the following command to verify bluetooth is disabled through current
runtime configuration:
# service bluetooth statusIf the service is disabled, the command will return: bluetooth is stoppedRun the following command to verify bluetooth is disabled through system
boot configuration:
# chkconfig
Output should indicate the bluetooth service has been disabled at all runlevels,
as shown in the example below:
# chkconfig If the service is running, this is a finding. |
CCI-000085 (AC-19 c) |
|
TBD | TBD | Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. | To specify the number of days after a password expires (which
signifies inactivity) until an account is permanently disabled, add or correct
the following lines in /etc/defaults/useradd , substituting
NUM_DAYS appropriately:
INACTIVE=NUM_DAYSA value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the useradd man page for more information. Determining the inactivity
timeout must be done with careful consideration of the length of a "normal"
period of inactivity for users in the particular environment. Setting
the timeout too low incurs support costs and also has the potential to impact
availability of the system to legitimate users.
|
INACTIVE setting, run the following command:
grep "INACTIVE" /etc/defaults/useraddThe output should indicate the INACTIVE configuration option is set
to an appropriate integer as shown in the example below:
# grep "INACTIVE" /etc/defaults/useradd INACTIVE=35 |
CCI-000015 (AC-2 (1)) CCI-000016 (AC-2 (2)) CCI-000017 (AC-2 (3)) CCI-000795 (IA-4 e) |
|
TBD | TBD | When the so-called 'sticky bit' is set on a directory,
only the owner of a given file may remove that file from the
directory. Without the sticky bit, any user with write access to a
directory may remove any file in the directory. Setting the sticky
bit prevents users from removing each other's files. In cases where
there is no reason for a directory to be world-writable, a better
solution is to remove that permission rather than to set the sticky
bit. However, if a directory is used by a particular application,
consult that application's documentation instead of blindly
changing modes.
To set the sticky bit on a world-writable directory DIR, run the following command: # chmod +t DIR |
# find / -type d -perm -002 ! -perm -1000 If any world-writable directories are missing the sticky bit, this is a finding. |
CCI-000366 (CM-6 b) |
||
TBD | TBD | Allowing a user account to own a world-writeable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users. | All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group. |
# find PART -xdev -type d -perm -0002 -uid +500 -print If there is output, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | Using the -s option causes the TFTP service to only serve files from the
given directory. Serving files from an intentionally-specified directory
reduces the risk of sharing files which should remain private.
|
If running the tftp service is necessary, it should be configured
to change its root directory at startup. To do so, ensure that
/etc/xinetd.d/tftp includes -s as a command line argument, as shown in
the following example (which is also the default):
server_args = -s /var/lib/tftpboot |
tftp is configured by with the -s option by running the
following command:
grep "server_args" /etc/xinetd.d/tftpbootThe output should indicate the server_args variable is configured with the -s
flag, matching the example below:
# grep "server_args" /etc/xinetd.d/tftpboot server_args = -s /var/lib/tftpboot |
CCI-000366 (CM-6 b) |
|
TBD | TBD | The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users. |
To ensure the default umask for users of the Bash shell is set properly,
add or correct the umask setting in /etc/bashrc to read
as follows:
umask 077 |
umask setting is configured correctly in the /etc/bashrc file by
running the following command:
# grep "umask" /etc/bashrcAll output must show the value of umask set to 077, as shown below:
# grep "umask" /etc/bashrc umask 077 umask 077 If the umask is configured incorrectly, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users. |
To ensure the default umask for users of the C shell is set properly,
add or correct the umask setting in /etc/csh.cshrc to read as follows:
umask 077 |
umask setting is configured correctly in the /etc/csh.cshrc file by
running the following command:
# grep "umask" /etc/csh.cshrcAll output must show the value of umask set to 077, as shown in the below:
# grep "umask" /etc/csh.cshrc umask 077 If the umask is configured incorrectly, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users. |
To ensure the default umask controlled by /etc/profile is set properly,
add or correct the umask setting in /etc/profile to read as follows:
umask 077 |
umask setting is configured correctly in the /etc/profile file by
running the following command:
# grep "umask" /etc/profileAll output must show the value of umask set to 077, as shown in the below:
# grep "umask" /etc/profile umask 077 If the umask is configured incorrectly, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD | The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users. |
To ensure the default umask controlled by /etc/login.defs is set properly,
add or correct the umask setting in /etc/login.defs to read as follows:
umask 077 |
umask setting is configured correctly in the /etc/login.defs file by
running the following command:
# grep "umask" /etc/login.defsAll output must show the value of umask set to 077, as shown in the below:
# grep "umask" /etc/login.defs umask 077 If the umask is configured incorrectly, this is a finding. |
CCI-000366 (CM-6 b) |
|
TBD | TBD |
Unencrypted passwords for remote FTP servers may be stored in .netrc
files. DoD policy requires passwords be encrypted in storage and not used
in access scripts.
|
The .netrc files contain login information
used to auto-login into FTP servers and reside in the user's home
directory. These files may contain unencrypted passwords to
remote FTP servers making them susceptible to access by unauthorized
users and should not be used. Any .netrc files should be removed.
|
.netrc files,
run the following command:
# find / -name .netrc If any .netrc files exist, this is a finding. |
CCI-000196 (IA-5 (1) (c)) |
|
TBD | TBD | This setting will cause the system greeting banner to be used for FTP connections as well. | Edit the vsftpd configuration file, which resides at /etc/vsftpd/vsftpd.conf
by default. Add or correct the following configuration options:
banner_file=/etc/issue |
grep "banner_file" /etc/vsftpd/vsftpd.confThe output should show the value of banner_file is set to /etc/issue , an example of which is shown below:
# grep "banner_file" /etc/issue banner_file=/etc/issue" If it does not, this is a finding. |
CCI-000048 (AC-8 a) |