Server Baseline


CCE ID Rule Title Description Rationale Variable Setting NIST 800-53 Mapping
CCE-14161-4 Ensure /tmp Located On Separate Partition The /tmp directory is a world-writable directory used for temporary file storage. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM. The /tmp partition is used as temporary storage by many programs. Placing /tmp in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it. CM-6
CCE-14777-7 Ensure /var Located On Separate Partition The /var directory is used by daemons and other system services to store frequently-changing data. Ensure that /var has its own partition or logical volume at installation time, or migrate it using LVM. Ensuring that /var is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the /var directory to contain world-writable directories, installed by other software packages. CM-6
CCE-14011-1 Ensure /var/log Located On Separate Partition System logs are stored in the /var/log directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM. Placing /var/log in its own partition enables better separation between log files and other files in /var/. CM-6 AU-9
CCE-14171-3 Ensure /var/log/audit Located On Separate Partition Audit logs are stored in the /var/log/audit directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon. Placing /var/log/audit in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space. CM-6 AU-9
CCE-14559-9 Ensure /home Located On Separate Partition If user home directories will be stored locally, create a separate partition for /home at installation time (or migrate it later using LVM). If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later. Ensuring that /home is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage. CM-6
CCE-14440-2 Ensure Red Hat GPG Key Installed To ensure that the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them if desired), the Red Hat GPG key must properly be installed. To ensure that the GPG key is installed, run: 
# rhn_register
 This key is necessary to cryptographically verify that packages are from Red Hat. SI-2 SI-7 SC-13
CCE-3416-5 Disable Red Hat Network Service (rhnsd) The Red Hat Network service automatically queries Red Hat Network servers to determine whether there are any actions that should be executed, such as package updates. This only occurs if the system was registered to an RHN server or satellite and managed as such. The rhnsd service can be disabled with the following command: 
# chkconfig rhnsd off
 Although systems management and patching is extremely important to system security, management by a system outside the enterprise enclave is not desirable for some environments. CM-6 CM-7
Ensure Software Patches Installed The following command prints a list of packages that need to be updated: 
# yum check-update
To actually install these updates, run: 
# yum update
 Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. SI-2
CCE-14914-6 Ensure gpgcheck Enabled In Main Yum Configuration The gpgcheck option should be used to ensure that checking of an RPM package’s signature always occurs prior to its installation. To configure yum to check package signatures before installing them, ensure that the following line appears in /etc/yum.conf in the [main] section: 
gpgcheck=1
 Ensuring the validity of packages' cryptographic signatures prior to installation ensures the provenance of the software and protects against malicious tampering. SI-2
CCE-14813-0 Ensure gpgcheck Enabled For All Yum Package Repositories To ensure that signature checking is not disabled for any repos, remove any lines from files in /etc/yum.repos.d of the form: 
gpgcheck=0
 Ensuring that all packages' cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering. SI-2
CCE-4209-3 Install AIDE Install the AIDE package with the command: 
# yum install aide
 The AIDE package must be installed if it is to be available for integrity checking. CM-6 CM-7 SC-28 SI-7
CCE-3977-6 Ensure SELinux Not Disabled in /etc/grub.conf SELinux can be disabled at boot time by an argument in /etc/grub.conf. Remove any instances of selinux=0 from the kernel arguments in that file to prevent SELinux from being being disabled at boot. Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation. AC-3 CM-6
CCE-TODO Remove Rsh Trust Files The files /etc/hosts.equiv and ~/.rhosts (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To remove these files, run the following command to delete them from any location: 
# rm /etc/hosts.equiv
$ rm ~/.rhosts
 Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system.
CCE-3999-0 Ensure SELinux State is Enforcing The SELinux state should be set to enforcing at system boot time. In the file /etc/selinux/config, add or correct the line SELINUX=enforcing to configure the system to boot into enforcing mode. Setting the SELinux state to enforcing ensures that SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges. CM-6 CM-7
CCE-3624-4 Configure SELinux Policy The SELinux targeted policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in /etc/selinux/config: 
SELINUXTYPE=targeted
Other policies, such as mls, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases. 		Setting the SELinux policy to targeted or a more specialized policy ensures that the system will confine processes that are likely to be targeted for exploitation, such as network services or system services. CM-6 CM-7
CCE-14991-4 Ensure No Device Files are Unlabeled by SELinux Device files are used for communication with important system resources. SELinux contexts should exist for these. By checking for unlabeled_t file contexts, we can determine if the system is optimally configured. If a device file is not labeled, then misconfiguration is likely. CM-6 CM-7
CCE-3485-0 Restrict Virtual Console Root Logins To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in /etc/securetty: 
vc/1
vc/2
vc/3
vc/4
 Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account. CM-6 CM-7
CCE-4256-4 Restrict Serial Port Root Logins To restrict root logins on serial ports, ensure lines of this form do not appear in /etc/securetty: 
ttyS0
ttyS1
 Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account. AC-3 AC-6
CCE-3987-5 Ensure that System Accounts Do Not Run a Shell Upon Login Some accounts are not associated with a human user of the system, and exist to perform some administrative function. Should an attacker be able to log into these accounts, he or she should not be granted access to a shell.

Ensure that no shells are granted to system accounts. First, obtain a listing of all users, their UIDs, and their shells, by running: 
$ awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd
Identify the system accounts from this listing. These will primarily be the accounts with UID numbers less than 500, other than root. 		Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts. AC-3 CM-6
CCE-4238-2 Prevent Log In to Accounts With Empty Password If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth-ac to prevent logins with empty passwords. If an account has an empty password, anybody may log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. AC-3 CM-6 IA-5
CCE-14300-8 Verify All Account Password Hashes are Shadowed If any password hashes are stored in /etc/passwd (in the second field, instead of an x), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely. The hashes for all user account passwords should be stored in the file /etc/shadow and never in /etc/passwd, which is readable by all users. IA-5
CCE-4009-7 Verify Only Root Has UID 0 If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed. An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a provilieged account. Proper configuration of sudo is recommended to afford multiple System Administrators access to the root account. AC-3 AC-11 CM-6 CM-7
CCE-3918-0 Verify User Who Owns shadow File To properly set the owner of /etc/shadow, run the command: 
# chown root /etc/shadow
The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture. AC-3 CM-6
CCE-3988-3 Verify Group Who Owns shadow File To properly set the group owner of /etc/shadow, run the command: 
# chgrp root /etc/shadow
The /etc/shadow file stores password hashes. Protection of this file is critical for system security. AC-3 CM-6
CCE-4130-1 Verify Permissions on shadow File To properly set the permissions of /etc/shadow, run the command: 
# chmod 0000 /etc/shadow
 The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture. AC-3 CM-6
CCE-4210-1 Verify User Who Owns gshadow File To properly set the owner of /etc/gshadow, run the command: 
# chown root /etc/gshadow
The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security. AC-3 CM-6
CCE-4064-2 Verify Group Who Owns gshadow File To properly set the group owner of /etc/gshadow, run the command: 
# chgrp root /etc/gshadow
The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security. AC-3 CM-6
CCE-3932-1 Verify Permissions on gshadow File To properly set the permissions of /etc/gshadow, run the command: 
# chmod 0000 /etc/gshadow
 The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security. AC-3 CM-6
CCE-3958-6 Verify User Who Owns passwd File To properly set the owner of /etc/passwd, run the command: 
# chown root /etc/passwd
The /etc/passwd file should be owned by root.		 The /etc/passwd contains information about the users that are configured on the system. Protection of this file is critical for system security. AC-3 CM-6
CCE-3495-9 Verify Group Who Owns passwd File To properly set the group owner of /etc/passwd, run the command: 
# chgrp root /etc/passwd
The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security. AC-3 CM-6
CCE-3566-7 Verify Permissions on passwd File To properly set the permissions of /etc/passwd, run the command: 
# chmod 0644 /etc/passwd
 If the /etc/passwd file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of acounts on the system and associated information, and protection of this file is critical for system security. AC-3 CM-6
Verify that Shared Library Files Have Restrictive Permissions System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: 
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are stored in /lib/modules. All files in these directories should not be group-writable or world-writable. 		Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system.
Verify that Shared Library Files Have Root Ownership System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: 
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be owned by the root user. 		Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system.
Verify that System Executables Have Restrictive Permissions System executables are stored in the following directories by default: 
/bin
/usr/bin
/usr/local/bin
/sbin
/usr/sbin
/usr/local/sbin
All files in these directories should not be group-writable or world-writable. 		System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted.
Verify that System Executables Have Root Ownership System executables are stored in the following directories by default: 
/bin
/usr/bin
/usr/local/bin
/sbin
/usr/sbin
/usr/local/sbin
All files in these directories should be owned by the root user. 		System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted.
CCE-4154-1 Set Password Minimum Length in login.defs To specify password length requirements for new accounts, edit the file /etc/login.defs and add or correct the following lines: 
PASS_MIN_LEN LENGTH


The DoD requirement is 14. If a program consults /etc/login.defs and also another PAM module (such as pam_cracklib) during a password change operation, then the most restrictive must be satisfied. See PAM section for more information about enforcing password quality requirements. 		Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result. CM-6 CM-7 IA-5 AC-3
CCE-4180-6 Set Password Minimum Age To specify password minimum age for new accounts, edit the file /etc/login.defs and add or correct the following line, replacing DAYS appropriately: 
PASS_MIN_DAYS DAYS
The DoD requirement is 7. 		Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement. CM-6 IA-5
CCE-4092-3 Set Password Maximum Age To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line, replacing DAYS appropriately: 
PASS_MAX_DAYS DAYS
A value of 180 days is sufficient for many environments. The DoD requirement is 60. 		Setting the password maximum age ensures that users are required to periodically change their passwords. This could possibly decrease the utility of a stolen password. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise. CM-6 CM-7 IA-5 AC-3
CCE-4097-2 Set Password Warning Age To specify how many days prior to password expiration that a warning will be issued to users, edit the file /etc/login.defs and add or correct the following line: 
PASS_WARN_AGE DAYS
A value of 7 days is considered for appropriate for many environments. 		Setting the password warning age enables users to make the change at a practical time. CM-6 CM-7 IA-5 AC-3
CCE-15054-0 Set Password Retry Prompts Permitted Per-session The pam_cracklib module's retry= parameter controls how many times a program will re-prompt a user after an incorrect password entry, on a per-session basis. To configure this, open: 
/etc/pam.d/system-auth
Locate the retry= parameter, the DoD required value is 3. 		Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module. IA-5
CCE-14113-5 Set Password Strength Minimum Digit Characters The pam_cracklib module's dcredit= parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional length credit for each digit. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space. IA-5194
CCE-14672-0 Set Password Strength Minimum Uppercase Characters The pam_cracklib module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each uppercase character. Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space. IA-5
CCE-14122-6 Set Password Strength Minimum Special Characters The pam_cracklib module's ocredit= parameter controls requirements for usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each special character. Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space. IA-5
CCE-14712-4 Set Password Strength Minimum Lowercase Characters The pam_cracklib module's lcredit= parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each lowercase character. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space. IA-5
CCE-14701-7 Set Password Strength Minimum Different Characters The pam_cracklib module's difok= parameter controls requirements for usage of different characters during a password change. Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however. IA-5
CCE-3410-8 Set Deny For Failed Password Attempts This requires further investigation. Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. AC-7 CM-6
CCE-14063-2 Set Password Hashing Algorithm The system's default algorithm for storing password hashes in /etc/shadow is SHA-512. In order to ensure the system is still configured to use SHA-512 algorithm, the following line must appear in /etc/login.defs: 
ENCRYPT_METHOD SHA512
Also ensure that the pam_unix.so module in the password section in /etc/pam.d/system-auth includes the argument sha512.
If this is not the case, the following command can be run to fix: 
# /usr/sbin/authconfig --passalgo=sha512 --update
This ensures that when users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. 		Using a stronger hashing algorithm makes password cracking attacks more difficult. IA-5
CCE-4144-2 Verify /boot/grub/grub.conf User Ownership The file /etc/grub.conf is a symbolic link to /boot/grub/grub.conf which should be owned by the root user to prevent destruction or modification of the file. To properly set the owner of /boot/grub/grub.conf, run the command: 
# chown root /boot/grub/grub.conf
Only root should be able to modify important boot parameters. AC-3 CM-6
CCE-4197-0 Verify /boot/grub/grub.conf Group Ownership The file /etc/grub.conf is a symbolic link to /boot/grub/grub.conf which should be group-owned by the root group to prevent destruction or modification of the file. To properly set the group owner of /boot/grub/grub.conf, run the command: 
# chgrp  /boot/grub/grub.conf
The root group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway. AC-3 CM-6
CCE-3923-0 Verify /boot/grub/grub.conf Permissions File permissions for /boot/grub/grub.conf should be set to 600, which is the default. To properly set the permissions of /boot/grub/grub.conf, run the command: 
# chmod  /boot/grub/grub.conf
 Proper permissions ensure that only the root user can modify important boot parameters. AC-3 CM-6
CCE-3818-2 Set Boot Loader Password The grub boot loader should have password protection enabled to protect boot-time settings. To do so, select a password and then generate a hash from it by running: 
# grub-crypt --sha-512
You will then be prompted to enter a password. Insert the following line into /etc/grub.conf immediately after the header comments. (Use the output from grub-crypt as the value of password-hash): 
password --encrypted password-hash
 Password protection on the boot loader configuration ensures that users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. CM-7 IA-5 AC-3
CCE-4241-6 Require Authentication for Single User Mode Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected.

To require entry of the root password even if the system is started in single-user mode, add or correct the following line in the file /etc/sysconfig/init: 
SINGLE=/sbin/sulogin
 This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password. AC-6 IA-5
CCE-4245-7 Disable Interactive Boot To disable the ability for users to perform interactive startups, edit the file /etc/sysconfig/init. Add or correct the line: 
PROMPT=no
The PROMPT option allows the console user to perform an interactive system startup, in which it is possible to select the set of services which are started on boot. 		Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security. CM-7 IA-4 SC-2
CCE-3910-7 Install the vlock Package To enable console screen locking, install the vlock package: 
# yum install vlock
Instruct users to invoke the program when necessary, in order to prevent passersby from abusing their login: 
$ vlock
The -a option can be used to prevent switching to other virtual consoles. 		Installing vlock ensures that a console locking capability is available for users who may need to suspend console logins. CM-6 CM-7
CCE-4060-0 Modify the System Login Banner The contents of the file /etc/issue are displayed on the screen just above the login prompt for users logging directly into a terminal. Remote login programs such as SSH or FTP can be configured to display /etc/issue as well. Instructions for configuring these daemons are available later.

By default, the system will display the version of the OS, the kernel version, and the host name.

Edit /etc/issue. Replace the default text with a message compliant with the local site policy or a legal disclaimer. 		Although unlikely to dissuade a serious attacker, the warning message reinforces policy awareness during the logon process. AC-3 CM-6 AC-8
CCE-4146-7 Enable Randomized Layout of Virtual Address Space To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command: 
# sysctl -w kernel.randomize_va_space1
 Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt at exploitation. ASLR also makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques. AC-3 CM-6
CCE-4168-1 Enable ExecShield To set the runtime status of the kernel.exec-shield kernel parameter, run the following command: 
# sysctl -w kernel.exec-shield1
 ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range. CM-7
CCE-4151-7 Disable Kernel Parameter for Sending ICMP Redirects by Default To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command: 
# sysctl -w net.ipv4.conf.default.send_redirects0
 Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for routers. AC-4 SC-5 SC-7
CCE-4155-8 Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command: 
# sysctl -w net.ipv4.conf.all.send_redirects0
 Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for routers. CM-6
CCE-3561-8 Disable Kernel Parameter for IP Forwarding To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command: 
# sysctl -w net.ipv4.ip_forward0
 IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for routers. AC-3 CM-6 CM-7 SC-5
CCE-4236-6 Disable Kernel Parameter for Accepting Source-Routed Packets for All Interfaces To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command: 
# sysctl -w net.ipv4.conf.all.accept_source_route0
 Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required. CM-7
CCE-4217-6 Disable Kernel Parameter for Accepting ICMP Redirects for All Interfaces To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command: 
# sysctl -w net.ipv4.conf.all.accept_redirects0
 Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required. CM-7
CCE-3472-8 Disable Kernel Parameter for Accepting Secure Redirects for All Interfaces To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter, run the following command: 
# sysctl -w net.ipv4.conf.all.secure_redirects0
 Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required. CM-7 AC-4
CCE-4320-8 Enable Kernel Parameter to Log Martian Packets To set the runtime status of the net.ipv4.conf.all.log_martians kernel parameter, run the following command: 
# sysctl -w net.ipv4.conf.all.log_martians1
 The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. CM-7
CCE-4091-5 Disable Kernel Parameter for Accepting Source-Routed Packets By Default To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command: 
# sysctl -w net.ipv4.conf.default.accept_source_route0
 Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required. AC-4 SC-5 SC-7
CCE-3339-9 Disable Kernel Parameter for Accepting Secure Redirects By Default To set the runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter, run the following command: 
# sysctl -w net.ipv4.conf.default.secure_redirects0
 Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required. AC-4 SC-5 SC-7
CCE-3644-2 Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command: 
# sysctl -w net.ipv4.icmp_echo_ignore_broadcasts1
 Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network. AC-3 CM-6 CM-7 SC-5
CCE-4133-5 Enable Kernel Parameter to Ignore Bogus ICMP Error Responses To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command: 
# sysctl -w net.ipv4.icmp_ignore_bogus_error_responses1
 Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged. AC-3 CM-6 CM-7 SC-5
CCE-4265-5 Enable Kernel Parameter to Use TCP Syncookies To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command: 
# sysctl -w net.ipv4.tcp_syncookies1
 A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests. CM-6 CM-7
CCE-4080-8 Enable Kernel Parameter to Use Reverse Path Filtering for All Interfaces To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command: 
# sysctl -w net.ipv4.conf.all.rp_filter1
 Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. AC-4 SC-5 SC-7
CCE-3840-6 Enable Kernel Parameter to Use Reverse Path Filtering by Default To set the runtime status of the net.ipv4.conf.default.rp_filter kernel parameter, run the following command: 
# sysctl -w net.ipv4.conf.default.rp_filter1
 Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. AC-4 SC-5 SC-7
CCE-3562-6 Disable IPv6 Networking Support Automatic Loading To prevent the IPv6 kernel module (ipv6) from loading the IPv6 networking stack, add the following line to /etc/modprobe.d/disabled.conf (or another file in /etc/modprobe.d): 
options ipv6 disable=1
This permits the IPv6 module to be loaded (and thus satisfy other modules that depend on it), while disabling support for the IPv6 protocol. 		Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the vulnerability to exploitation. CM-6 CM-7
CCE-4313-3 Disable Accepting IPv6 Redirects The setting for accepting IPv6 redirects should be: for all interfaces. To do so add the following lines to /etc/sysctl.conf to limit the configuration information requested from other systems, and accepted from the network: 
net.ipv6.conf.default.accept_redirects =
An illicit ICMP redirect message could result in a man-in-the-middle attack. CM-6 CM-7
CCE-4167-3 Verify ip6tables Enabled The ip6tables service can be enabled with the following command: 
# chkconfig ip6tables on
 The ip6tables service provides the system's host-based firewalling capability for IPv6 and ICMPv6. CM-6 CM-7
CCE-4189-7 Verify iptables Enabled The iptables service can be enabled with the following command: 
# chkconfig iptables on
 The iptables service provides the system's host-based firewalling capability for IPv4 and ICMP. CM-6 CM-7
CCE-14264-6 Set Default Iptables Policy for Incoming Packets To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in /etc/sysconfig/iptables: 
:INPUT DROP [0:0]
 In iptables the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to DROP implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted. AC-4 CM-6
CCE-14268-7 Disable DCCP Support The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the dccp kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d: 
install dccp /bin/true
 Disabling DCCP protects the system against exploitation of any flaws in its implementation. CM-6 CM-7
CCE-14132-5 Disable SCTP Support The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the sctp kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d: 
install sctp /bin/true
 Disabling SCTP protects the system against exploitation of any flaws in its implementation. CM-6 CM-7
CCE-14027-7 Disable RDS Support The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high- bandwidth, low-latency communications between nodes in a cluster. To configure the system to prevent the rds kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d: 
install rds /bin/true
 Disabling RDS protects the system against exploitation of any flaws in its implementation. CM-6 CM-7
CCE-14911-2 Disable TIPC Support The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the tipc kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d: 
install tipc /bin/true
 Disabling TIPC protects the system against exploitation of any flaws in its implementation. CM-6 CM-7
CCE-17742-8 Ensure rsyslog is Installed Rsyslog is installed by default. The rsyslog package can be installed with the following command: 
# yum install rsyslog
 The rsyslog package provides the rsyslog daemon, which provides system logging services. AU-2 AU-9 CM-6
CCE-17698-2 Enable rsyslog Service The rsyslog service provides syslog-style logging by default on RHEL 6. The rsyslog service can be enabled with the following command: 
# chkconfig rsyslog on
 The rsyslog service must be running in order to provide logging services, which are essential to system administration. AU-12 CM-6
CCE-17857-4 Ensure Log Files Are Owned By Appropriate User The owner of all log files written by rsyslog should be root. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's owner: 
$ ls -l LOGFILE
If the owner is not root, run the following command to correct this: 
# chown root LOGFILE
 The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access. AC-3 CM-6
CCE-18240-2 Ensure Log Files Are Owned By Appropriate Group The group-owner of all log files written by rsyslog should be root. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's group owner: 
$ ls -l LOGFILE
If the owner is not root, run the following command to correct this: 
# chgrp root LOGFILE
 The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access. AC-3 CM-6
CCE-18095-0 Ensure System Log Files Have Correct Permissions The file permissions for all log files written by rsyslog should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's permissions: 
$ ls -l LOGFILE
If the permissions are not 600 or more restrictive, run the following command to correct this: 
# chmod 0600 LOGFILE
 Log files can contain valuable information regarding system configuratation. If the system log files are not protected unauthorized users could change the logged data, eliminaating their foresive value. AC-3 CM-6
CCE-17248-6 Ensure Logs Sent To Remote Host To configure rsyslog to send logs to a remote log server, open /etc/rsyslog.conf and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting loghost.example.com appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.
To use UDP for log message delivery: 
*.* @loghost.example.com

To use TCP for log message delivery: 
*.* @@loghost.example.com

To use RELP for log message delivery: 
*.* :omrelp:loghost.example.com
 A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise. AU-2 AU-9
CCE-4292-9 Enable auditd Service The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd service can be enabled with the following command: 
# chkconfig auditd on
 Ensuring that the auditd service is active ensures that audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist. CM-6 CM-7
CCE-15026-8 Enable Auditing for Processes Which Start Prior to the Audit Daemon To ensure that all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to the kernel line in /etc/grub.conf, in the manner below: 
kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1
 Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures that it is set for every process during boot. AU-2
Configure auditd Number of Logs Retained Determine how many log files auditd should retain when it rotates logs. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting NUMLOGS with the correct value: 
num_logs = NUMLOGS
Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation.		 The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maxium log file size and the number of logs retained.
Configure auditd Max Log File Size Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting the correct value for STOREMB: 
max_log_file = STOREMB
Set the value to 6 (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data.		 The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maxium log file size and the number of logs retained.
Configure auditd max_log_file_action Upon Reaching Maximum Log Size The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by auditd, add or correct the line: 
max_log_file_action = ACTION
Possible values for ACTION are described in the auditd.conf man page. These include:
  • ignore
  • syslog
  • suspend
  • rotate
  • keep_logs
Set the ACTION to rotate to ensure log rotation occurs. This is the default. The setting is case-insensitive. 		Automatically rotating logs (by setting this to rotate) minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, keep_logs can be employed.
Configure auditd admin_space_left Action on Low Disk Space The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately: 
admin_space_left_action = ACTION
Possible values for ACTION are described in the auditd.conf man page. These include:
  • ignore
  • syslog
  • email
  • exec
  • suspend
  • single
  • halt
Set this value to single to cause the system to switch to single user mode for corrective action. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. 		Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur.
CCE-14051-7 Record attempts to alter time through adjtimex On a 32-bit system, add the following to /etc/audit/audit.rules: 
# audit_time_rules
-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules
On a 64-bit system, add the following to /etc/audit/audit.rules: 
# audit_time_rules
-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: 
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime 
-k audit_time_rules
 Arbitrary changes to the system time can be used to obfuscate nefarious activites in log files as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. AU-2(a)
CCE-14051-7 Record attempts to alter time through settimeofday On a 32-bit system, add the following to /etc/audit/audit.rules: 
# audit_time_rules
-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules
On a 64-bit system, add the following to /etc/audit/audit.rules: 
# audit_time_rules
-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: 
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime 
-k audit_time_rules
 Arbitrary changes to the system time can be used to obfuscate nefarious activites in log files as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. AU-2(a)
CCE-14051-7 Record Attempts to Alter Time Through stime On a 32-bit system, add the following to /etc/audit/audit.rules: 
# audit_time_rules
-a always,exit -F arch=b32 -S stime -k audit_time_rules
On a 64-bit system, the "-S time" is not necessary. The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: 
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime 
-k audit_time_rules
 Arbitrary changes to the system time can be used to obfuscate nefarious activites in log files as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. AU-2(a)
CCE-14051-7 Record Attempts to Alter Time Through clock_settime On a 32-bit system, add the following to /etc/audit/audit.rules: 
# audit_time_rules
-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules
On a 64-bit system, add the following to /etc/audit/audit.rules: 
# audit_time_rules
-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: 
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime 
-k audit_time_rules
 Arbitrary changes to the system time can be used to obfuscate nefarious activites in log files as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. AU-2(a)
CCE-14051-7 Record Attempts to Alter the localtime File Add the following to /etc/audit/audit.rules: 
-w /etc/localtime -p wa -k audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used. 		Arbitrary changes to the system time can be used to obfuscate nefarious activites in log files as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. AU-2(a)
CCE-14829-6 Record Events that Modify User/Group Information Add the following to /etc/audit/audit.rules, in order to capture events that modify account changes: 
# audit_account_changes
-w /etc/group -p wa -k audit_account_changes
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/shadow -p wa -k audit_account_changes
-w /etc/security/opasswd -p wa -k audit_account_changes
 In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. AU-2(a)
CCE-14816-3 Record Events that Modify the System's Network Environment Add the following to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate for your system: 
# audit_network_modifications
-a exit,always -F arch=ARCH -S sethostname -S setdomainname -k audit_network_modifications
-w /etc/issue -p wa -k audit_network_modifications
-w /etc/issue.net -p wa -k audit_network_modifications
-w /etc/hosts -p wa -k audit_network_modifications
-w /etc/sysconfig/network -p wa -k audit_network_modifications
 The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited. AU-2(a)
CCE-14821-3 Record Events that Modify the System's Mandatory Access Controls Add the following to /etc/audit/audit.rules: 
-w /etc/selinux/ -p wa -k MAC-policy
 The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited. AU-2
CCE-14058-2 Record Events that Modify the System's Discretionary Access Controls - chmod At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules: 
-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 \
    -k perm_mod
If the system is 64 bit then also add the following: 
-a always,exit -F arch=b64 -S chmod  -F auid>=500 -F auid!=4294967295 \
    -k perm_mod
 The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and unauthorized users. AU-2
CCE-14058-2 Record Events that Modify the System's Discretionary Access Controls - chown At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules: 
-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 \
    -k perm_mod
If the system is 64 bit then also add the following: 
-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 \
    -k perm_mod
 The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and unauthorized users. AU-2
CCE-14058-2 Record Events that Modify the System's Discretionary Access Controls - fchmod At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules: 
-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 \
    -k perm_mod
If the system is 64 bit then also add the following: 
-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 \
    -k perm_mod
 The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and unauthorized users. AU-2
CCE-14058-2 Record Events that Modify the System's Discretionary Access Controls - fchmodat At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules: 
-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 \
    -k perm_mod
If the system is 64 bit then also add the following: 
-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 \
    -k perm_mod
 The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and unauthorized users. AU-2
CCE-14058-2 Record Events that Modify the System's Discretionary Access Controls - fchown At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules: 
-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 \
    -k perm_mod
If the system is 64 bit then also add the following: 
-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 \
    -k perm_mod
 The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and unauthorized users. AU-2
CCE-14058-2 Record Events that Modify the System's Discretionary Access Controls - fchownat At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules: 
-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 \
    -k perm_mod
If the system is 64 bit then also add the following: 
-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 \
    -k perm_mod
 The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and unauthorized users. AU-2
CCE-14058-2 Record Events that Modify the System's Discretionary Access Controls - fremovexattr At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules: 
-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 \
    -k perm_mod
If the system is 64 bit then also add the following: 
-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 \
    -k perm_mod
 The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and unauthorized users. AU-2
CCE-14058-2 Record Events that Modify the System's Discretionary Access Controls - fsetxattr At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules: 
-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 \
    -k perm_mod
If the system is 64 bit then also add the following: 
-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 \
    -k perm_mod
 The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and unauthorized users. AU-2
CCE-14058-2 Record Events that Modify the System's Discretionary Access Controls - lchown At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules: 
-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 \
    -k perm_mod
If the system is 64 bit then also add the following: 
-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 \
    -k perm_mod
 The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and unauthorized users. AU-2
CCE-14058-2 Record Events that Modify the System's Discretionary Access Controls - lremovexattr At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules: 
-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 \
    -k perm_mod
If the system is 64 bit then also add the following: 
-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 \
    -k perm_mod
 The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and unauthorized users. AU-2
CCE-14058-2 Record Events that Modify the System's Discretionary Access Controls - lsetxattr At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules: 
-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 \
    -k perm_mod
If the system is 64 bit then also add the following: 
-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 \
    -k perm_mod
 The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and unauthorized users. AU-2
CCE-14058-2 Record Events that Modify the System's Discretionary Access Controls - removexattr At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules: 
-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 \
    -k perm_mod
If the system is 64 bit then also add the following: 
-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 \
    -k perm_mod
 The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and unauthorized users. AU-2
CCE-14058-2 Record Events that Modify the System's Discretionary Access Controls - setxattr At a minimum the audit system should collect file permission changes for all users and root. Add the following to /etc/audit/audit.rules: 
-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 \
    -k perm_mod
If the system is 64 bit then also add the following: 
-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 \
    -k perm_mod
 The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse amoung both authorized and unauthorized users. AU-2
CCE-14917-9 Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) At a minimum the audit system should collect unauthorized file accesses for all users and root. Add the following to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \
    -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \
    -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
 Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. AU-2.1 (v)AU-2 d
CCE-14296-8 Ensure auditd Collects Information on the Use of Privileged Commands At a minimum the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid programs: 
# find / -type f -perm -4000 -o -perm -2000 2>/dev/null
Then, for each setuid program on the system, add a line of the following form to /etc/audit/audit.rules, where SETUID_PROG_PATH is the full path to each setuid program in the list: 
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
 Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. AU-2
CCE-14569-8 Ensure auditd Collects Information on Exporting to Media (successful) At a minimum the audit system should collect media exportation events for all users and root. Add the following to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export
 The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss. AU-2
CCE-14820-5 Ensure auditd Collects File Deletion Events by User At a minimum the audit system should collect file deletion events for all users and root. Add the following to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S unlink -S unlinkat -S rename -S renameat \
    -F auid>=500 -F auid!=4294967295 -k delete
 Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting as well as detecting malicious processes that attempt to delete log files to conceal their presence. AU-2
CCE-14824-7 Ensure auditd Collects System Administrator Actions At a minimum the audit system should collect administrator actions for all users and root. Add the following to /etc/audit/audit.rules: 
-w /etc/sudoers -p wa -k actions
 The actions taken by system administrators should be audited to keep a record of what was executed on the system as well as for accountability purposes. AU-2
CCE-14688-6 Ensure auditd Collects Information on Kernel Module Loading and Unloading Add the following to /etc/audit/audit.rules in order to capture kernel module loading and unloading events: 
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -S init_module -S delete_module -k modules
 The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. AU-2
CCE-4252-3 Disable xinetd Service The xinetd service can be disabled with the following command: 
# chkconfig xinetd off
 The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself.
CCE-4164-0 Uninstall xinetd Package The xinetd package can be uninstalled with the following command: 
# yum erase xinetd
 Removing the xinetd package decreases the risk of the xinetd service's accidental (or intentional) activation.
CCE-4330-7 Uninstall telnet-server Package The telnet-server package can be uninstalled with the following command: 
# yum erase telnet-server
 Removing the telnet-server package decreases the risk of the telnet service's accidental (or intentional) activation.
CCE-3390-2 Disable telnet Service The telnet service can be disabled with the following command: 
# chkconfig telnet off
 The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks.
CCE-4308-3 Uninstall rsh-server Package The rsh-server package can be uninstalled with the following command: 
# yum erase rsh-server
 The rsh-server package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation.
CCE-4141-8 Disable rsh Service The rsh service, which is available with the rsh-server package and runs as a service through xinetd, should be disabled. The rsh service can be disabled with the following command: 
# chkconfig rsh off
 The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
CCE-undefined Disable rexec Service The rexec service, which is available with the rsh-server package and runs as a service through xinetd, should be disabled. The rexec service can be disabled with the following command: 
# chkconfig rexec off
 The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
CCE-3537-8 Disable rlogin Service The rlogin service, which is available with the rsh-server package and runs as a service through xinetd, should be disabled. The rlogin service can be disabled with the following command: 
# chkconfig rlogin off
 The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
CCE-4348-9 Uninstall ypserv Package The ypserv package can be uninstalled with the following command: 
# yum erase ypserv
 Removing the ypserv package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.
CCE-3705-1 Disable ypbind Service The ypbind service, which allows the system to act as a client in a NIS or NIS+ domain, should be disabled. The ypbind service can be disabled with the following command: 
# chkconfig ypbind off
 Disabling the ypbind service ensures the system is not acting as a client in a NIS or NIS+ domain.
CCE-3916-4 Uninstall tftp-server Package The tftp-server package can be removed with the following command: 
# yum erase tftp-server
 Removing the tftp-server package decreases the risk of the accidental (or intentional) activation of tftp services.
CCE-4273-9 Disable tftp Service The tftp service should be disabled. The tftp service can be disabled with the following command: 
# chkconfig tftp off
 Disabling the tftp service ensures the system is not acting as a tftp server, which does not provide encryption or authentication.
CCE-4324-0 Enable cron Service The crond service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The crond service can be enabled with the following command: 
# chkconfig crond on
 Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential. CM-6 CM-7
CCE-14466-7 Disable atd Service The at service can be disabled with the following command: 
# chkconfig at off
 Many of the periodic or delayed execution features of the at daemon can be provided through the cron daemon instead. CM-6 CM-7
CCE-4325-7 Allow Only SSH Protocol 2 Only SSH protocol version 2 connections should be permitted. The default setting in /etc/ssh/sshd_config is correct, and can be verified by ensuring that the following line appears: 
Protocol 2
 SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used.
CCE-3845-5 Set SSH Idle Timeout Interval SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out.

To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as follows: 
ClientAliveInterval interval
The timeout interval is given in seconds. To have a timeout of 15 minutes, set interval to 900.

If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle. 		Causing idle users to be automatically logged out guards against compromises one system leading trivially to compromises on another.
CCE-14061-6 Set SSH Client Alive Count To ensure that the SSH idle timeout occurs precisely when the ClientAliveInterval is set, edit /etc/ssh/sshd_config as follows: 
ClientAliveCountMax 0
 This ensures that a user login will be terminated as soon as the ClientAliveInternal is reached.
CCE-4475-0 Disable SSH Support for .rhosts Files SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via .rhosts files.

To ensure that this behavior is disabled, add or correct the following line: 
IgnoreRhosts yes
 SSH trust relationships mean that a compromise on one host can allow an attacker to move trivially to other hosts.
CCE-4370-3 Disable Host-Based Authentication SSH's cryptographic host-based authentication is more secure than .rhosts authentication, since hosts are cryptographically authenticated. However, it is not recommended that hosts unilaterally trust one another, even within an organization.

To disable host-based authentication, add or correct the following line: 
HostbasedAuthentication no
 SSH trust relationships mean that a compromise on one host can allow an attacker to move trivially to other hosts.
CCE-4387-7 Disable SSH Root Login The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line: 
PermitRootLogin no
 Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on root’s password.
CCE-3660-8 Disable SSH Access via Empty Passwords To explicitly disallow remote login from accounts with empty passwords, add or correct the following line: 
PermitEmptyPasswords no
Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords. 		Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.
CCE-4431-3 Enable SSH Warning Banner To enable the warning banner and ensure it is consistent across the system, add or correct the following line in /etc/ssh/sshd_config: 
Banner /etc/issue
Another section contains information on how to create an appropriate system-wide warning banner. 		Although unlikely to dissuade a serious attacker, the warning message reinforces policy awareness during the logon process. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.
CCE-4422-2 Do Not Allow SSH Environment Options To ensure users are not able to present environment options to the SSH daemon, add or correct the following line in /etc/ssh/sshd_config: 
PermitUserEnvironment no
 SSH environment options potentially allow users to bypass access restriction in some configurations.
CCE-14491-5 Use Only Approved Ciphers Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved ciphers in CTR mode: 
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
The man page sshd_config(5) contains a list of supported ciphers. Note that older or less capable versions of SSH client or server software may still be found on systems such as networking equipment, and these may not support CTR mode. This may become an issue if, for example, these systems need to retrieve files from your SSH server using SFTP. TODO: Need to investigate current status of this. Earlier issues with CBC were supposed to be fixed.		 Approved algorithms should impart some level of confidence in their implementation. These are also required for compliance.
CCE-4365-3 Disable Avahi Server Software The avahi-daemon service can be disabled with the following command: 
# chkconfig avahi-daemon off
 Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted. CM-6 CM-7
CCE-4336-4 Disable DHCP Service The dhcpd service should be disabled on any system that does not need to act as a DHCP server. The dhcpd service can be disabled with the following command: 
# chkconfig dhcpd off
 Unmanaged or unintentionally activate DHCP servers may provide faulty information to clients, interfering with the operation of a legitimate site DHCP server if there is one. CM-6 CM-7
CCE-4464-4 Uninstall DHCP Server Package If the system does not need to act as a DHCP server, the dhcp package can be uninstalled. The dhcp package can be removed with the following command: 
# yum erase dhcp
 Removing the DHCP server ensures that it cannot be easily or accidentally reactivated and disrupt network operation. CM-6 CM-7
CCE-4376-0 Enable the NTP Daemon The ntpd service can be enabled with the following command: 
# chkconfig ntpd on
 Enabling the ntpd service ensures that the ntpd service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches.
CCE-4385-1 Specify a Remote NTP Server To specify a remote NTP server for time synchronization, edit the file /etc/ntp.conf. Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver: 
server ntpserver
This instructs the NTP software to contact that remote server to obtain time data. 		Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events. Using a trusted NTP server provided by your organization is recommended.
CCE-15018-5 Disable Postfix Network Listening Edit the file /etc/postfix/main.cf to ensure that only the following inet_interfaces line appears: 
inet_interfaces = localhost
 This ensures that postfix accepts mail messages (such as cron job reports) from the local system only, and not from the network, which protects it from network attack. CM-7
CCE-14894-0 Configure LDAP to Use TLS For All Transactions Configure LDAP to enforce TLS use. First, edit the file /etc/pam_ldap.conf, and add or correct the following lines: 
ssl start_tls
Then review the LDAP server and ensure TLS has been configured. 		The ssl directive specifies whether to use ssl or not. If not specified it will default to no. It should be set to start_tls rather than doing LDAP over SSL.
CCE-14894-0 Configure Certificate Directives for LDAP Use of TLS Ensure a copy of the site's CA certificate has been placed in the file /etc/pki/tls/CA/cacert.pem. Configure LDAP to enforce TLS use and to trust certificates signed by the site's CA. First, edit the file /etc/pam_ldap.conf, and add or correct either of the following lines: 
tls_cacertdir /etc/pki/tls/CA
or 
tls_cacertfile /etc/pki/tls/CA/cacert.pem
Then review the LDAP server and ensure TLS has been configured. 		The tls_cacertdir or tls_cacertfile directives are required when tls_cheekpeer is configured (which is the default for openldap versions 2.1 and up). These directives define the path to the trust certificates signed by the site CA.
CCE-3501-4 Uninstall openldap-servers Package The openldap-servers package should be removed if not in use. Is this machine the OpenLDAP server? If not, remove the package: 
# yum erase openldap-servers
The openldap-servers RPM is not installed by default on RHEL6 machines. It is needed only by the OpenLDAP server, not by the clients which use LDAP for authentication. If the system is not intended for use as an LDAP Server it should be removed. 		CM-6 CM-7
CCE-4473-5 Disable Network File System (nfs) The Network File System (NFS) service allows remote hosts to mount and interact with shared filesystems on the local machine. If the local machine is not designated as a NFS server then this service should be disabled. The nfs service can be disabled with the following command: 
# chkconfig nfs off
CCE-4491-7 Disable Secure RPC Server Service (rpcsvcgssd) The rpcsvcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC (most often Kerberos and NFS). The rpcsvcgssd service is the server-side of RPCSEC GSS. If the system does not require secure RPC then this service should be disabled. The rpcsvcgssd service can be disabled with the following command: 
# chkconfig rpcsvcgssd off
CCE-3315-9 Set GNOME Login Inactivity Timeout The idle time-out value for period of inactivity GNOME desktop lockout should be 15 minutes. 
# gconftool-2 \
  --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type int \
  --set /apps/gnome-screensaver/idle_delay 15
 Setting the idle delay controls when the screensaver will start, and can be combined with screen locking to prevent access from passersby. AC-3 CM-6 CM-7 AC-11
CCE-14604-3 GNOME Desktop Screensaver Mandatory Use Idle activation of the screen saver should be enabled 
# gconftool-2 --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type bool \
  --set /apps/gnome-screensaver/idle_activation_enabled true
 Enabling idle activation of the screen saver ensures that the screensaver will be activated after the idle delay. CM-6 CM-7
CCE-14023-6 Enable Screen Lock Activation After Idle Period Idle activation of the screen lock should be enabled. 
# gconftool-2 --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type bool \
  --set /apps/gnome-screensaver/lock_enabled true
 Enabling the activation of the screen lock after an idle period ensures that password entry will be required in order to access the system, preventing access by passersby. AC-3 CM-6 CM-7 AC-11
CCE-14735-5 Implement Blank Screen Saver The screen saver should be blank. 
# gconftool-2
  --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type string \
  --set /apps/gnome-screensaver/mode blank-only
 Setting the screensaver mode to blank-only conceals the contents of the display from passersby. CM-6 CM-7
CCE-TODO Disable Automatic Bug Reporting Tool (abrtd) The Automatic Bug Reporting Tool (abrtd) daemon collects and reports crash data when an application crash is detected. Using a variety of plugins, abrtd can email crash reports to system administrators, log crash reports to files, or forward crash reports to a centralized issue tracking system such as RHTSupport. The abrtd service can be disabled with the following command: 
# chkconfig abrtd off
 Mishandling crash data could expose sensitive information about vulnerablities in software executing on the local machine, as well as sensitive information from within a process's address space or registers. CM-6 CM-7
CCE-TODO Disable At Service (atd) The at and batch commands can be used to schedule tasks that are meant to be executed only once. This allows delayed execution in a manner similar to cron, except that it is not recurring. The daemon atd keeps track of tasks scheduled via at and batch, and executes them at the specified time. The atd service can be disabled with the following command: 
# chkconfig atd off
 The atd service could be used by an unsophisticated insider to carry out activities outside of a normal login session, which could complicate accountability. Furthermore, the need to schedule tasks with at or batch is not common. CM-6 CM-7
CCE-4072-5 Disable the Automounter The autofs daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as /misc/cd. However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it is almost always possible to configure filesystem mounts statically by editing /etc/fstab rather than relying on the automounter.

If the autofs service is not needed to dynamically mount NFS filesystems or removable media, disable the service for all runlevels: 
# chkconfig --level 0123456 autofs off
 All filesystems that are required for the successful operation of the system should be explicitly listed in /etc/fstab by and administrator. New filesystems should not be arbitrarily introduced via the automounter. CM-6 CM-7
CCE-TODO Disable ntpdate Service (ntpdate) The ntpdate service sets the local hardware clock by polling NTP servers when the system boots. It synchronizes to the NTP servers listed in /etc/ntp/step-tickers or /etc/ntp.conf and then sets the local hardware clock to the newly synchronized system time. The ntpdate service can be disabled with the following command: 
# chkconfig ntpdate off
 The ntpdate service may only be suitable for systems which are rebooted frequently enough that clock drift does not cause problems between reboots. In any event, the functionality of the ntpdate service is now available in the ntpd program and should be considered deprecated. AU-8 CM-6
CCE-TODO Disable Odd Job Daemon (oddjobd) The oddjobd service exists to provide an interface and access control mechanism through which specified privileged tasks can run tasks for unprivileged client applications. Communication with oddjobd through the system message bus. The oddjobd service can be disabled with the following command: 
# chkconfig oddjobd off
 The oddjobd service may provide necessary functionality in some environments but it can be disabled if it is not needed. Execution of tasks by privileged programs, on behalf of unprivileged ones, has traditionally been a source of privilege escalation security issues. AC-6 CM-6 CM-7
CCE-3854-7 Disable Apache Qpid (qpidd) The qpidd service provides high speed, secure, guaranteed delivery services. It is an implementation of the Advanced Message Queuing Protocol. By default the qpidd service will bind to port 5672 and listen for connection attempts. The qpidd service can be disabled with the following command: 
# chkconfig qpidd off
 The qpidd service is automatically installed when the "base" package selection is selected during installation. The qpidd service listens for network connections which increases the attack surface of the system. If the system is not intended to receive AMQP traffic then the qpidd service is not needed and should be disabled or removed. CM-6 CM-7
CCE-TODO Disable Network Router Discovery Daemon (rdisc) The rdisc service implements the client side of the ICMP Internet Router Discovery Protocol (IRDP), which allows discovery of routers on the local subnet. If a router is discovered then the local routing table is updated with a corresponding default route. By default this daemon is disabled. The rdisc service can be disabled with the following command: 
# chkconfig rdisc off
 General-purpose systems typically have their network and routing information configured statically by a system administrator. Workstations or some special-purpose systems often use DHCP (instead of IRDP) to retrieve dynamic network configuration information. AC-4 CM-6 CM-7
CCE-TODO Disable System Statistics Reset Service (sysstat) The sysstat service resets various I/O and CPU performance statistics to zero in order to begin counting from a fresh state at boot time. The sysstat service can be disabled with the following command: 
# chkconfig sysstat off
 By default the sysstat service merely runs a program at boot to reset the statistics, which can be retrieved using programs such as sar and sadc. These may provide useful insight into system operation, but unless used this service can be disabled. CM-6 CM-7
CCE-4368-7 Mount Remote Filesystems with nodev The nodev option should be enabled for all NFS mounts Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users.
CCE-4024-6 Mount Remote Filesystems with nosuid The nosuid option should be enabled for all NFS mounts NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem.
CCE-3578-2 Disable DNS Server The named service can be disabled with the following command: 
# chkconfig named off
 All network services involve some risk of compromise due to implementation flaws and should be disabled if possible. CM-6 CM-7
CCE-4219-2 Uninstall bind Package To remove the bind package, which contains the named service, run the following command: 
# yum erase bind
 If there is no need to make DNS server software available, removing it provides a safeguard against its activation. CM-6 CM-7
CCE-3919-8 Disable vsftpd Service The vsftpd service can be disabled with the following command: 
# chkconfig vsftpd off
 Running FTP server software provides a network-based avenue of attack, and should be disabled if not needed. Furthermore, the FTP protocol is unencrypted and creates a risk of compromising sensitive information. CM-6 CM-7
CCE-14881-7 Uninstall vsftpd Package The vsftpd package can be removed with the following command: 
# yum erase vsftpd
 Removing the vsftpd package decreases the risk of its accidental activation. CM-6 CM-7
CCE-4338-0 Disable httpd Service The httpd service can be disabled with the following command: 
# chkconfig httpd off
 Running web server software provides a network-based avenue of attack, and should be disabled if not needed. CM-6 CM-7
CCE-4514-6 Uninstall httpd Package The httpd package can be removed with the following command: 
# yum erase httpd
 If there is no need to make the web server software available, removing it provides a safeguard against its activation. CM-6 CM-7
CCE-3847-1 Disable Dovecot Service The dovecot service can be disabled with the following command: 
# chkconfig dovecot off
 Running an IMAP or POP3 server provides a network-based avenue of attack, and should be disabled if not needed.
CCE-4239-0 Uninstall dovecot Package The dovecot package can be uninstalled with the following command: 
# yum erase dovecot
 If there is no need to make the Dovecot software available, removing it provides a safeguard against its activation.
CCE-4551-8 Disable Samba The smb service can be disabled with the following command: 
# chkconfig smb off
 Running a Samba server provides a network-based avenue of attack, and should be disabled if not needed.
CCE-14075-6 Require Client SMB Packet Signing, if using smbclient To require samba clients running smbclient to use packet signing, add the following to the [global] section of the Samba configuration file: 
client signing = mandatory
Requiring samba clients such as smbclient to use packet signing ensures that they can only communicate with servers that support packet signing. 		Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.
CCE-15029-2 Require Client SMB Packet Signing, if using mount.cifs Require packet signing of clients who mount Samba shares using the mount.cifs program (e.g., those who specify shares in /etc/fstab). To do so, ensure that signing options (either sec=krb5i or sec=ntlmv2i) are used.

See the mount.cifs(8) man page for more information. A Samba client should only communicate with servers who can support SMB packet signing. 		Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.
CCE-4556-7 Disable Squid The squid service can be disabled with the following command: 
# chkconfig squid off
 Running proxy server software provides a network-based avenue of attack, and should be removed if not needed.
CCE-4076-6 Uninstall squid Package The squid package can be removed with the following command: 
# yum erase squid
 If there is no need to make the proxy server software available, removing it provides a safeguard against its activation.
CCE-3765-5 Disable snmpd Service The snmpd service can be disabled with the following command: 
# chkconfig snmpd off
 Running SNMP software provides a network-based avenue of attack, and should be disabled if not needed.
CCE-14081-4 Uninstall net-snmp Package The net-snmp package provides the snmpd service. The net-snmpd package can be removed with the following command: 
# yum erase net-snmpd
 If there is no need to run SNMP server software, removing the package provides a safeguard against its activation.
CCE-14939-3 Limit Password Reuse Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix PAM module. In order to prevent a user from re-using any of their last passwords, append remember= to the password line which uses the pam_unix module in the file /etc/pam.d/system-auth, as shown: 
password sufficient pam_unix.so existing_options remember=
Old (and thus no longer valid) passwords are stored in the file /etc/security/opasswd. The DoD requirement is currently 24 passwords.		 Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. IA-5
CCE-4276-2 Deactivate Wireless Network Interfaces Deactivating wireless network interfaces should prevent normal usage of the wireless capability.

First, identify the interfaces available with the command: 
# ifconfig -a
>Additionally,the following command may also be used to determine whether wireless support ('extensions') is included for a particular interface, though this may not always be a clear indicator: 
# iwconfig
After identifying any wireless interfaces (which may have names like wlan0, ath0, wifi0, em1 or eth0), deactivate the interface with the command: 
# ifdown interface
These changes will only last until the next reboot. To disable the interface for future boots, remove the appropriate interface file from /etc/sysconfig/network-scripts: 
# rm /etc/sysconfig/network-scripts/ifcfg-interface
 Wireless networking allows attackers within physical proximity to launch network-based attacks against systems, including those against local LAN protocols which were not designed with security in mind. CM-7
CCE-4462-8 Disable X Windows Startup By Setting Runlevel Setting the system's runlevel to 3 will prevent automatic startup of the X server. To do so, ensure that the following line in /etc/inittab features a 3 as shown: 
id:3:initdefault:
CCE-4422-2 Remove the X Windows Package Group Removing all packages which constitute the X Window System ensures that users or malicious software cannot start X. To do so, run the following command: 
# yum groupremove "X Window System"
CCE-4191-3 Disable DHCP Client For each interface IFACE on the system (e.g. eth0), edit /etc/sysconfig/network-scripts/ifcfg-IFACE and make the following changes:
  • Correct the BOOTPROTO line to read: 
    BOOTPROTO=static
  • Add or correct the following lines, substituting the appropriate values based on your site’s addressing scheme: 
    NETMASK=255.255.255.0
IPADDR=192.168.1.2
GATEWAY=192.168.1.1
 DHCP relies on trusting the local network. If the local network is not trusted, then it should not be used. However, the automatic configuration provided by DHCP is commonly used and the alternative, manual configuration, presents an unacceptable burden in many circumstances. CM-6 CM-7