@JJediny
Created January 11, 2017 16:26
RHEL6 STIG w/ NIST 800-53 Controls - Example output from https://github.com/opencontrol/xccdf2csv
STIG ID Version Rule Title Title Severity Check Text Fix Text CCI CCI Status Published contributor Definition Type NIST800-53rev4 Control NIST800-53rev3 Control NIST800-53rev1 Control
38437 RHEL-06-000526 Automated file system mounting tools must not be enabled unless needed. SRG-OS-999999 low To verify the "autofs" service is disabled, run the following command: chkconfig --list autofs If properly configured, the output should be the following: autofs 0:off 1:off 2:off 3:off 4:off 5:off 6:off Verify the "autofs" service is not running: # service autofs status If the autofs service is enabled or running, this is a finding. If the "autofs" service is not needed to dynamically mount NFS filesystems or removable media, disable the service for all runlevels: # chkconfig --level 0123456 autofs off Stop the service if it is already running: # service autofs stop CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38438 RHEL-06-000525 Auditing must be enabled at boot by setting a kernel parameter. SRG-OS-000062 low Inspect the kernel boot arguments (which follow the word "kernel") in "/boot/grub/grub.conf". If they include "audit=1", then auditing is enabled at boot time. If auditing is not enabled at boot time, this is a finding. To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument "audit=1" to the kernel line in "/boot/grub/grub.conf", in the manner below: kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1 UEFI systems may prepend "/boot" to the "/vmlinuz-version" argument. CCI-000169 CCI-000169 draft 5/22/2009 DISA FSO The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components. technical 4 AU-12 a 3 AU-12 a 1 AU-12.1 (ii)
38439 RHEL-06-000524 The system must provide automated support for account management functions. SRG-OS-000001 medium Interview the SA to determine if there is an automated system for managing user accounts, preferably integrated with an existing enterprise user management system. If there is not, this is a finding. Implement an automated system for managing user accounts that minimizes the risk of errors, either intentional or deliberate. If possible, this system should integrate with an existing enterprise user management system, such as, one based Active Directory or Kerberos. CCI-000015 CCI-000015 draft 5/13/2009 DISA FSO The organization employs automated mechanisms to support the information system account management functions. technical 4 AC-2 (1) 3 AC-2 (1) 1 AC-2 (1).1
38443 RHEL-06-000036 The /etc/gshadow file must be owned by root. SRG-OS-999999 medium To check the ownership of "/etc/gshadow", run the command: $ ls -l /etc/gshadow If properly configured, the output should indicate the following owner: "root" If it does not, this is a finding. To properly set the owner of "/etc/gshadow", run the command: # chown root /etc/gshadow CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38444 RHEL-06-000523 The systems local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets. SRG-OS-000231 medium If IPv6 is disabled, this is not applicable. Inspect the file "/etc/sysconfig/ip6tables" to determine the default policy for the INPUT chain. It should be set to DROP: # grep ":INPUT" /etc/sysconfig/ip6tables If the default policy for the INPUT chain is not set to DROP, this is a finding. To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in "/etc/sysconfig/ip6tables": :INPUT DROP [0:0] Restart the IPv6 firewall: # service ip6tables restart CCI-000066 CCI-000066 draft 9/14/2009 DISA FSO The organization enforces requirements for remote connections to the information system. technical 3 AC-17 e 1 AC-17.1 (v)
38445 RHEL-06-000522 Audit log files must be group-owned by root. SRG-OS-000057 medium Run the following command to check the group owner of the system audit logs: grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//|xargs stat -c %G:%n Audit logs must be group-owned by root. If they are not, this is a finding. Change the group owner of the audit log files with the following command: # chgrp root [audit_file] CCI-000162 CCI-000162 draft 5/22/2009 DISA FSO The information system protects audit information from unauthorized access. technical 4 AU-9 3 AU-9 1 AU-9.1
38446 RHEL-06-000521 The mail system must forward all mail for root to one or more system administrators. SRG-OS-999999 medium Find the list of alias maps used by the Postfix mail server: # postconf alias_maps Query the Postfix alias maps for an alias for "root": # postmap -q root <alias_map> If there are no aliases configured for root that forward to a monitored email address, this is a finding. Set up an alias for root that forwards to a monitored email address: # echo "root: <system.administrator>@mail.mil" >> /etc/aliases # newaliases CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38447 RHEL-06-000519 The system package management tool must verify contents of all files associated with packages. SRG-OS-999999 low The following command will list which files on the system have file hashes different from what is expected by the RPM database. # rpm -Va | awk '$1 ~ /..5/ && $2 != "c"' If there is output, this is a finding. The RPM package management system can check the hashes of installed software packages, including many that are important to system security. Run the following command to list which files on the system have hashes that differ from what is expected by the RPM database: # rpm -Va | grep '^..5' A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file that has changed was not expected to then refresh from distribution media or online repositories. rpm -Uvh [affected_package] OR yum reinstall [affected_package] CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38448 RHEL-06-000037 The /etc/gshadow file must be group-owned by root. SRG-OS-999999 medium To check the group ownership of "/etc/gshadow", run the command: $ ls -l /etc/gshadow If properly configured, the output should indicate the following group-owner. "root" If it does not, this is a finding. To properly set the group owner of "/etc/gshadow", run the command: # chgrp root /etc/gshadow CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38449 RHEL-06-000038 The /etc/gshadow file must have mode 0000. SRG-OS-999999 medium To check the permissions of "/etc/gshadow", run the command: $ ls -l /etc/gshadow If properly configured, the output should indicate the following permissions: "----------" If it does not, this is a finding. To properly set the permissions of "/etc/gshadow", run the command: # chmod 0000 /etc/gshadow CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38450 RHEL-06-000039 The /etc/passwd file must be owned by root. SRG-OS-999999 medium To check the ownership of "/etc/passwd", run the command: $ ls -l /etc/passwd If properly configured, the output should indicate the following owner: "root" If it does not, this is a finding. To properly set the owner of "/etc/passwd", run the command: # chown root /etc/passwd CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38451 RHEL-06-000040 The /etc/passwd file must be group-owned by root. SRG-OS-999999 medium To check the group ownership of "/etc/passwd", run the command: $ ls -l /etc/passwd If properly configured, the output should indicate the following group-owner. "root" If it does not, this is a finding. To properly set the group owner of "/etc/passwd", run the command: # chgrp root /etc/passwd CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38452 RHEL-06-000518 The system package management tool must verify permissions on all files and directories associated with packages. SRG-OS-999999 low The following command will list which files and directories on the system have permissions different from what is expected by the RPM database: # rpm -Va | grep '^.M' If there is any output, for each file or directory found, find the associated RPM package and compare the RPM-expected permissions with the actual permissions on the file or directory: # rpm -qf [file or directory name] # rpm -q --queryformat "[%{FILENAMES} %{FILEMODES:perms}\n]" [package] | grep [filename] # ls -dlL [filename] If the existing permissions are more permissive than those expected by RPM, this is a finding. The RPM package management system can restore file access permissions of package files and directories. The following command will update permissions on files and directories with permissions different from what is expected by the RPM database: # rpm --setperms [package] CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38453 RHEL-06-000517 The system package management tool must verify group-ownership on all files and directories associated with packages. SRG-OS-999999 low The following command will list which files on the system have group-ownership different from what is expected by the RPM database: # rpm -Va | grep '^......G' If there is output, this is a finding. The RPM package management system can restore group-ownership of the package files and directories. The following command will update files and directories with group-ownership different from what is expected by the RPM database: # rpm -qf [file or directory name] # rpm --setugids [package] CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38454 RHEL-06-000516 The system package management tool must verify ownership on all files and directories associated with packages. SRG-OS-999999 low The following command will list which files on the system have ownership different from what is expected by the RPM database: # rpm -Va | grep '^.....U' If there is output, this is a finding. The RPM package management system can restore ownership of package files and directories. The following command will update files and directories with ownership different from what is expected by the RPM database: # rpm -qf [file or directory name] # rpm --setugids [package] CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38455 RHEL-06-000001 The system must use a separate file system for /tmp. SRG-OS-999999 low Run the following command to determine if "/tmp" is on its own partition or logical volume: $ mount | grep "on /tmp " If "/tmp" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding. The "/tmp" directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM. CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38456 RHEL-06-000002 The system must use a separate file system for /var. SRG-OS-999999 low Run the following command to determine if "/var" is on its own partition or logical volume: $ mount | grep "on /var " If "/var" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding. The "/var" directory is used by daemons and other system services to store frequently-changing data. Ensure that "/var" has its own partition or logical volume at installation time, or migrate it using LVM. CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38457 RHEL-06-000041 The /etc/passwd file must have mode 0644 or less permissive. SRG-OS-999999 medium To check the permissions of "/etc/passwd", run the command: $ ls -l /etc/passwd If properly configured, the output should indicate the following permissions: "-rw-r--r--" If it does not, this is a finding. To properly set the permissions of "/etc/passwd", run the command: # chmod 0644 /etc/passwd CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38458 RHEL-06-000042 The /etc/group file must be owned by root. SRG-OS-999999 medium To check the ownership of "/etc/group", run the command: $ ls -l /etc/group If properly configured, the output should indicate the following owner: "root" If it does not, this is a finding. To properly set the owner of "/etc/group", run the command: # chown root /etc/group CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38459 RHEL-06-000043 The /etc/group file must be group-owned by root. SRG-OS-999999 medium To check the group ownership of "/etc/group", run the command: $ ls -l /etc/group If properly configured, the output should indicate the following group-owner. "root" If it does not, this is a finding. To properly set the group owner of "/etc/group", run the command: # chgrp root /etc/group CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38460 RHEL-06-000515 The NFS server must not have the all_squash option enabled. SRG-OS-000104 low If the NFS server is read-only, in support of unrestricted access to organizational content, this is not applicable. The related "root_squash" option provides protection against remote administrator-level access to NFS server content. Its use is not a finding. To verify the "all_squash" option has been disabled, run the following command: # grep all_squash /etc/exports If there is output, this is a finding. Remove any instances of the "all_squash" option from the file "/etc/exports". Restart the NFS daemon for the changes to take effect. # service nfs restart CCI-000764 CCI-000764 draft 9/17/2009 DISA FSO The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). technical 4 IA-2 3 IA-2 1 IA-2.1
38461 RHEL-06-000044 The /etc/group file must have mode 0644 or less permissive. SRG-OS-999999 medium To check the permissions of "/etc/group", run the command: $ ls -l /etc/group If properly configured, the output should indicate the following permissions: "-rw-r--r--" If it does not, this is a finding. To properly set the permissions of "/etc/group", run the command: # chmod 644 /etc/group CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38463 RHEL-06-000003 The system must use a separate file system for /var/log. SRG-OS-999999 low Run the following command to determine if "/var/log" is on its own partition or logical volume: $ mount | grep "on /var/log " If "/var/log" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding. System logs are stored in the "/var/log" directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM. CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38464 RHEL-06-000511 The audit system must take appropriate action when there are disk errors on the audit storage volume. SRG-OS-000047 medium Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to take appropriate action when disk errors occur: # grep disk_error_action /etc/audit/auditd.conf disk_error_action = [ACTION] If the system is configured to "suspend" when disk errors occur or "ignore" them, this is a finding. Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [ACTION] appropriately: disk_error_action = [ACTION] Possible values for [ACTION] are described in the "auditd.conf" man page. These include: "ignore" "syslog" "exec" "suspend" "single" "halt" Set this to "syslog","exec","single", or "halt". CCI-000140 CCI-000140 draft 5/20/2009 DISA FSO The information system takes organization-defined actions upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records). technical 4 AU-5 b 3 AU-5 b 1 AU-5.1 (iv)
38465 RHEL-06-000045 Library files must have mode 0755 or less permissive. SRG-OS-000259 medium System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 Kernel modules, which can be added to the kernel during runtime, are stored in "/lib/modules". All files in these directories should not be group-writable or world-writable. To find shared libraries that are group-writable or world-writable, run the following command for each directory [DIR] which contains shared libraries: $ find -L [DIR] -perm /022 -type f If any of these files (excluding broken symlinks) are group-writable or world-writable, this is a finding. System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command: # chmod go-w [FILE] CCI-001499 CCI-001499 draft 9/29/2009 DISA FSO The organization limits privileges to change software resident within software libraries. technical 4 CM-5 (6) 3 CM-5 (6) 1 CM-5 (6).1
38466 RHEL-06-000046 Library files must be owned by a system account. SRG-OS-000259 medium System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 /usr/local/lib /usr/local/lib64 Kernel modules, which can be added to the kernel during runtime, are stored in "/lib/modules". All files in these directories should not be group-writable or world-writable. To find shared libraries that are not owned by "root" and do not match what is expected by the RPM, run the following command: for i in /lib /lib64 /usr/lib /usr/lib64 do for j in `find -L $i \! -user root` do rpm -V -f $j | grep '^.....U' done done If the command returns any results, this is a finding. System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 /usr/local/lib /usr/local/lib64 If any file in these directories is found to be owned by a user other than “root” and does not match what is expected by the RPM, correct its ownership by running one of the following commands: # rpm --setugids [PACKAGE_NAME] Or # chown root [FILE] CCI-001499 CCI-001499 draft 9/29/2009 DISA FSO The organization limits privileges to change software resident within software libraries. technical 4 CM-5 (6) 3 CM-5 (6) 1 CM-5 (6).1
38467 RHEL-06-000004 The system must use a separate file system for the system audit data path. SRG-OS-000044 low Run the following command to determine if "/var/log/audit" is on its own partition or logical volume: $ mount | grep "on /var/log/audit " If "/var/log/audit" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding. Audit logs are stored in the "/var/log/audit" directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon. CCI-000137 CCI-000137 draft 5/20/2009 DISA FSO The organization allocates audit record storage capacity. 3 AU-4 1 AU-4.1 (i)
38468 RHEL-06-000510 The audit system must take appropriate action when the audit storage volume is full. SRG-OS-000047 medium Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to take appropriate action when the audit storage volume is full: # grep disk_full_action /etc/audit/auditd.conf disk_full_action = [ACTION] If the system is configured to "suspend" when the volume is full or "ignore" that it is full, this is a finding. The "auditd" service can be configured to take an action when disk space starts to run low. Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [ACTION] appropriately: disk_full_action = [ACTION] Possible values for [ACTION] are described in the "auditd.conf" man page. These include: "ignore" "syslog" "exec" "suspend" "single" "halt" Set this to "syslog","exec","single", or "halt". CCI-000140 CCI-000140 draft 5/20/2009 DISA FSO The information system takes organization-defined actions upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records). technical 4 AU-5 b 3 AU-5 b 1 AU-5.1 (iv)
38469 RHEL-06-000047 All system command files must have mode 755 or less permissive. SRG-OS-000259 medium System executables are stored in the following directories by default: /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin All files in these directories should not be group-writable or world-writable. To find system executables that are group-writable or world-writable, run the following command for each directory [DIR] which contains system executables: $ find -L [DIR] -perm /022 -type f If any system executables are found to be group-writable or world-writable, this is a finding. System executables are stored in the following directories by default: /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command: # chmod go-w [FILE] CCI-001499 CCI-001499 draft 9/29/2009 DISA FSO The organization limits privileges to change software resident within software libraries. technical 4 CM-5 (6) 3 CM-5 (6) 1 CM-5 (6).1
38470 RHEL-06-000005 The audit system must alert designated staff members when the audit storage volume approaches capacity. SRG-OS-000045 medium Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to email the administrator when disk space is starting to run low: # grep space_left_action /etc/audit/auditd.conf space_left_action = email If the system is not configured to send an email to the system administrator when disk space is starting to run low, this is a finding. The "syslog" option is acceptable when it can be demonstrated that the local log management infrastructure notifies an appropriate administrator in a timely manner. The "auditd" service can be configured to take an action when disk space starts to run low. Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [ACTION] appropriately: space_left_action = [ACTION] Possible values for [ACTION] are described in the "auditd.conf" man page. These include: "ignore" "syslog" "email" "exec" "suspend" "single" "halt" Set this to "email" (instead of the default, which is "suspend") as it is more likely to get prompt attention. The "syslog" option is acceptable, provided the local log management infrastructure notifies an appropriate administrator in a timely manner. RHEL-06-000521 ensures that the email generated through the operation "space_left_action" will be sent to an administrator. CCI-000138 CCI-000138 draft 5/20/2009 DISA FSO The organization configures auditing to reduce the likelihood of storage capacity being exceeded. technical 3 AU-4 1 AU-4.1 (ii)
38471 RHEL-06-000509 The system must forward audit records to the syslog service. SRG-OS-000043 low Verify the audispd plugin is active: # grep active /etc/audisp/plugins.d/syslog.conf If the "active" setting is missing or set to "no", this is a finding. Set the "active" line in "/etc/audisp/plugins.d/syslog.conf" to "yes". Restart the auditd process. # service auditd restart CCI-000136 CCI-000136 draft 5/20/2009 DISA FSO The organization centrally manages the content of audit records generated by organization-defined information system components. technical 3 AU-3 (2) 1 AU-3 (2).1 (ii)
38472 RHEL-06-000048 All system command files must be owned by root. SRG-OS-000259 medium System executables are stored in the following directories by default: /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin All files in these directories should not be group-writable or world-writable. To find system executables that are not owned by "root", run the following command for each directory [DIR] which contains system executables: $ find -L [DIR] \! -user root If any system executables are found to not be owned by root, this is a finding. System executables are stored in the following directories by default: /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin If any file [FILE] in these directories is found to be owned by a user other than root, correct its ownership with the following command: # chown root [FILE] CCI-001499 CCI-001499 draft 9/29/2009 DISA FSO The organization limits privileges to change software resident within software libraries. technical 4 CM-5 (6) 3 CM-5 (6) 1 CM-5 (6).1
38473 RHEL-06-000007 The system must use a separate file system for user home directories. SRG-OS-999999 low Run the following command to determine if "/home" is on its own partition or logical volume: $ mount | grep "on /home " If "/home" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding. If user home directories will be stored locally, create a separate partition for "/home" at installation time (or migrate it later using LVM). If "/home" will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later. CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38474 RHEL-06-000508 The system must allow locking of graphical desktop sessions. SRG-OS-000030 low If the GConf2 package is not installed, this is not applicable. Verify the keybindings for the Gnome screensaver: # gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome_settings_daemon/keybindings/screensaver If no output is visible, this is a finding. Run the following command to set the Gnome desktop keybinding for locking the screen: # gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type string \ --set /apps/gnome_settings_daemon/keybindings/screensaver "<Control><Alt>l" Another keyboard sequence may be substituted for "<Control><Alt>l", which is the default for the Gnome desktop. CCI-000058 CCI-000058 draft 5/19/2009 DISA FSO The information system provides the capability for users to directly initiate session lock mechanisms. technical 4 AC-11 a 3 AC-11 a 1 AC-11
38475 RHEL-06-000050 The system must require passwords to contain a minimum of 15 characters. SRG-OS-000078 medium To check the minimum password length, run the command: $ grep PASS_MIN_LEN /etc/login.defs The DoD requirement is "15". If it is not set to the required value, this is a finding. To specify password length requirements for new accounts, edit the file "/etc/login.defs" and add or correct the following lines: PASS_MIN_LEN 15 The DoD requirement is "15". If a program consults "/etc/login.defs" and also another PAM module (such as "pam_cracklib") during a password change operation, then the most restrictive must be satisfied. CCI-000205 CCI-000205 draft 5/22/2009 DISA FSO The information system enforces minimum password length. technical 4 IA-5 (1) (a) 3 IA-5 (1) (a) 1 IA-5 (1).1 (i)
38476 RHEL-06-000008 Vendor-provided cryptographic certificates must be installed to verify the integrity of system software. SRG-OS-000090 high To ensure that the GPG keys are installed, run: $ rpm -q gpg-pubkey The command should return the strings below: gpg-pubkey-fd431d51-4ae0493b gpg-pubkey-2fa658e0-45700c69 If the Red Hat GPG Keys are not installed, this is a finding. To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG keys must be installed properly. To install the Red Hat GPG keys, run: # rhn_register If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG keys from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in "/media/cdrom", use the following command as the root user to import them into the keyring: # rpm --import /media/cdrom/RPM-GPG-KEY CCI-000352 CCI-000352 draft 9/18/2009 DISA FSO The information system prevents the installation of organization-defined critical software programs that are not signed with a certificate that is recognized and approved by the organization. technical 3 CM-5 (3) 1 CM-5 (3).1 (ii)
38477 RHEL-06-000051 Users must not be able to change passwords more than once every 24 hours. SRG-OS-000075 medium To check the minimum password age, run the command: $ grep PASS_MIN_DAYS /etc/login.defs The DoD requirement is 1. If it is not set to the required value, this is a finding. To specify password minimum age for new accounts, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately: PASS_MIN_DAYS [DAYS] A value of 1 day is considered sufficient for many environments. The DoD requirement is 1. CCI-000198 CCI-000198 draft 9/15/2009 DISA FSO The information system enforces minimum password lifetime restrictions. technical 4 IA-5 (1) (d) 3 IA-5 (1) (d) 1 IA-5 (1).1 (v)
38478 RHEL-06-000009 The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite. SRG-OS-000096 low If the system uses RHN or an RHN Satellite, this is not applicable. To check that the "rhnsd" service is disabled in system boot configuration, run the following command: # chkconfig "rhnsd" --list Output should indicate the "rhnsd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "rhnsd" --list "rhnsd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "rhnsd" is disabled through current runtime configuration: # service rhnsd status If the service is disabled the command will return the following output: rhnsd is stopped If the service is running, this is a finding. The Red Hat Network service automatically queries Red Hat Network servers to determine whether there are any actions that should be executed, such as package updates. This only occurs if the system was registered to an RHN server or satellite and managed as such. The "rhnsd" service can be disabled with the following commands: # chkconfig rhnsd off # service rhnsd stop CCI-000382 CCI-000382 draft 9/18/2009 DISA FSO The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services. technical 4 CM-7 b 3 CM-7 1 CM-7.1 (iii)
38479 RHEL-06-000053 User passwords must be changed at least every 60 days. SRG-OS-000076 medium To check the maximum password age, run the command: $ grep PASS_MAX_DAYS /etc/login.defs The DoD requirement is 60. If it is not set to the required value, this is a finding. To specify password maximum age for new accounts, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately: PASS_MAX_DAYS [DAYS] The DoD requirement is 60. CCI-000199 CCI-000199 draft 9/15/2009 DISA FSO The information system enforces maximum password lifetime restrictions. technical 4 IA-5 (1) (d) 3 IA-5 (1) (d) 1 IA-5 (1).1 (v)
38480 RHEL-06-000054 Users must be warned 7 days in advance of password expiration. SRG-OS-999999 low To check the password warning age, run the command: $ grep PASS_WARN_AGE /etc/login.defs The DoD requirement is 7. If it is not set to the required value, this is a finding. To specify how many days prior to password expiration that a warning will be issued to users, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately: PASS_WARN_AGE [DAYS] The DoD requirement is 7. CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38481 RHEL-06-000011 System security patches and updates must be installed and up-to-date. SRG-OS-000191 medium If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server which provides updates, invoking the following command will indicate if updates are available: # yum check-update If the system is not configured to update from one of these sources, run the following command to list when each package was last updated: $ rpm -qa --last Compare this to Red Hat Security Advisories (RHSA) listed at https://access.redhat.com/security/updates/active/ to determine whether the system is missing applicable security and bugfix updates. If updates are not installed, this is a finding. If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates: # yum update If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the Red Hat Network and installed using "rpm". CCI-001233 CCI-001233 draft 9/22/2009 DISA FSO The organization employs automated mechanisms on an organization-defined frequency to determine the state of information system components with regard to flaw remediation. technical 4 SI-2 (2) 3 SI-2 (2) 1 SI-2 (2).1 (ii)
38482 RHEL-06-000056 The system must require passwords to contain at least one numeric character. SRG-OS-000071 low To check how many digits are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth The "dcredit" parameter (as a negative number) will indicate how many digits are required. The DoD requires at least one digit in a password. This would appear as "dcredit=-1". If dcredit is not found or not set to the required value, this is a finding. The pam_cracklib module's "dcredit" parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional length credit for each digit. Add "dcredit=-1" after pam_cracklib.so to require use of a digit in passwords. CCI-000194 CCI-000194 draft 9/15/2009 DISA FSO The information system enforces password complexity by the minimum number of numeric characters used. technical 4 IA-5 (1) (a) 3 IA-5 (1) (a) 1 IA-5 (1).1 (v)
38483 RHEL-06-000013 The system package management tool must cryptographically verify the authenticity of system software packages during installation. SRG-OS-000103 medium To determine whether "yum" is configured to use "gpgcheck", inspect "/etc/yum.conf" and ensure the following appears in the "[main]" section: gpgcheck=1 A value of "1" indicates that "gpgcheck" is enabled. Absence of a "gpgcheck" line or a setting of "0" indicates that it is disabled. If GPG checking is not enabled, this is a finding. If the "yum" system package management tool is not used to update the system, verify with the SA that installed packages are cryptographically signed. The "gpgcheck" option should be used to ensure checking of an RPM package's signature always occurs prior to its installation. To configure yum to check package signatures before installing them, ensure the following line appears in "/etc/yum.conf" in the "[main]" section: gpgcheck=1 CCI-000663 CCI-000663 draft 9/21/2009 DISA FSO The organization (or information system) enforces explicit rules governing the installation of software by users. technical 3 SA-7 1 SA-7.1 (ii)
38484 RHEL-06-000507 The operating system, upon successful logon, must display to the user the date and time of the last logon or access via ssh. SRG-OS-000025 medium Verify the value associated with the "PrintLastLog" keyword in /etc/ssh/sshd_config: # grep -i "^PrintLastLog" /etc/ssh/sshd_config If the "PrintLastLog" keyword is not present, this is not a finding. If the value is not set to "yes", this is a finding. Update the "PrintLastLog" keyword to "yes" in /etc/ssh/sshd_config: PrintLastLog yes While it is acceptable to remove the keyword entirely since the default action for the SSH daemon is to print the last logon date and time, it is preferred to have the value explicitly documented. CCI-000052 CCI-000052 draft 9/14/2009 DISA FSO The information system notifies the user, upon successful logon (access) to the system, of the date and time of the last logon (access). technical 4 AC-9 3 AC-9 1 AC-9.1
38486 RHEL-06-000505 The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives. SRG-OS-000100 medium Ask an administrator if a process exists to back up OS data from the system, including configuration data. If such a process does not exist, this is a finding. Procedures to back up OS data from the system must be established and executed. The Red Hat operating system provides utilities for automating such a process. Commercial and open-source products are also available. Implement a process whereby OS data is backed up from the system in accordance with local policies. CCI-000537 CCI-000537 draft 9/21/2009 DISA FSO The organization conducts backups of system-level information contained in the information system per organization-defined frequency that is consistent with recovery time and recovery point objectives. policy 4 CP-9 (b) 3 CP-9 (b) 1 CP-9.1 (v)
38487 RHEL-06-000015 The system package management tool must cryptographically verify the authenticity of all software packages during installation. SRG-OS-000103 low To determine whether "yum" has been configured to disable "gpgcheck" for any repos, inspect all files in "/etc/yum.repos.d" and ensure the following does not appear in any sections: gpgcheck=0 A value of "0" indicates that "gpgcheck" has been disabled for that repo. If GPG checking is disabled, this is a finding. If the "yum" system package management tool is not used to update the system, verify with the SA that installed packages are cryptographically signed. To ensure signature checking is not disabled for any repos, remove any lines from files in "/etc/yum.repos.d" of the form: gpgcheck=0 CCI-000663 CCI-000663 draft 9/21/2009 DISA FSO The organization (or information system) enforces explicit rules governing the installation of software by users. technical 3 SA-7 1 SA-7.1 (ii)
38488 RHEL-06-000504 The operating system must conduct backups of user-level information contained in the operating system per organization defined frequency to conduct backups consistent with recovery time and recovery point objectives. SRG-OS-000099 medium Ask an administrator if a process exists to back up user data from the system. If such a process does not exist, this is a finding. Procedures to back up user data from the system must be established and executed. The Red Hat operating system provides utilities for automating such a process. Commercial and open-source products are also available. Implement a process whereby user data is backed up from the system in accordance with local policies. CCI-000535 CCI-000535 draft 9/21/2009 DISA FSO The organization conducts backups of user-level information contained in the information system per organization-defined frequency that is consistent with recovery time and recovery point objectives. policy 4 CP-9 (a) 3 CP-9 (a) 1 CP-9.1 (iv)
38489 RHEL-06-000016 A file integrity tool must be installed. SRG-OS-000232 medium If another file integrity tool is installed, this is not a finding. Run the following command to determine if the "aide" package is installed: # rpm -q aide If the package is not installed, this is a finding. Install the AIDE package with the command: # yum install aide CCI-001069 CCI-001069 draft 9/21/2009 DISA FSO The organization employs automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization-defined frequency. technical 3 RA-5 (7) 1 RA-5 (7).1 (ii)
38490 RHEL-06-000503 The operating system must enforce requirements for the connection of mobile devices to operating systems. SRG-OS-000273 medium If the system is configured to prevent the loading of the "usb-storage" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated "/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": $ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d If no line is returned, this is a finding. To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the "usb-storage" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install usb-storage /bin/true This will prevent the "modprobe" program from loading the "usb-storage" module, but will not prevent an administrator (or another program) from using the "insmod" program to load the module manually. CCI-000086 CCI-000086 draft 5/19/2009 DISA FSO The organization enforces requirements for the connection of mobile devices to organizational information systems. technical 3 AC-19 d 1 AC-19.1 (iv)
38491 RHEL-06-000019 There must be no .rhosts or hosts.equiv files on the system. SRG-OS-000248 high The existence of the file "/etc/hosts.equiv" or a file named ".rhosts" inside a user home directory indicates the presence of an Rsh trust relationship. If these files exist, this is a finding. The files "/etc/hosts.equiv" and "~/.rhosts" (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To remove these files, run the following command to delete them from any location. # rm /etc/hosts.equiv $ rm ~/.rhosts CCI-001436 CCI-001436 draft 9/25/2009 DISA FSO The organization disables organization-defined networking protocols within the information system deemed to be nonsecure except for explicitly identified components in support of specific operational requirements. technical 3 AC-17 (8) 1 AC-17 (8).1 (ii)
38492 RHEL-06-000027 The system must prevent the root account from logging in from virtual consoles. SRG-OS-000109 medium To check for virtual console entries which permit root login, run the following command: # grep '^vc/[0-9]' /etc/securetty If any output is returned, then root logins over virtual console devices are permitted. If root login over virtual console devices is permitted, this is a finding. To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in "/etc/securetty": vc/1 vc/2 vc/3 vc/4 Note: Virtual console entries are not limited to those listed above. Any lines starting with "vc/" followed by numerals should be removed. CCI-000770 CCI-000770 draft 9/17/2009 DISA FSO The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed. policy 4 IA-2 (5) 3 IA-2 (5) (b) 1 IA-2 (5).2 (ii)
38493 RHEL-06-000385 Audit log directories must have mode 0755 or less permissive. SRG-OS-000059 medium Run the following command to check the mode of the system audit directories: grep "^log_file" /etc/audit/auditd.conf|sed 's/^[^/]*//; s/[^/]*$//'|xargs stat -c %a:%n Audit directories must be mode 0755 or less permissive. If any are more permissive, this is a finding. Change the mode of the audit log directories with the following command: # chmod go-w [audit_directory] CCI-000164 CCI-000164 draft 5/22/2009 DISA FSO The information system protects audit information from unauthorized deletion. technical 4 AU-9 3 AU-9 1 AU-9.1
38494 RHEL-06-000028 The system must prevent the root account from logging in from serial consoles. SRG-OS-000109 low To check for serial port entries which permit root login, run the following command: # grep '^ttyS[0-9]' /etc/securetty If any output is returned, then root login over serial ports is permitted. If root login over serial ports is permitted, this is a finding. To restrict root logins on serial ports, ensure lines of this form do not appear in "/etc/securetty": ttyS0 ttyS1 Note: Serial port entries are not limited to those listed above. Any lines starting with "ttyS" followed by numerals should be removed. CCI-000770 CCI-000770 draft 9/17/2009 DISA FSO The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed. policy 4 IA-2 (5) 3 IA-2 (5) (b) 1 IA-2 (5).2 (ii)
38495 RHEL-06-000384 Audit log files must be owned by root. SRG-OS-000057 medium Run the following command to check the owner of the system audit logs: grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//|xargs stat -c %U:%n Audit logs must be owned by root. If they are not, this is a finding. Change the owner of the audit log files with the following command: # chown root [audit_file] CCI-000162 CCI-000162 draft 5/22/2009 DISA FSO The information system protects audit information from unauthorized access. technical 4 AU-9 3 AU-9 1 AU-9.1
38496 RHEL-06-000029 Default operating system accounts, other than root, must be locked. SRG-OS-999999 medium To obtain a listing of all users and the contents of their shadow password field, run the command: $ awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1 ":" $2}' /etc/shadow Identify the operating system accounts from this listing. These will primarily be the accounts with UID numbers less than 500, other than root. If any default operating system account (other than root) has a valid password hash, this is a finding. Some accounts are not associated with a human user of the system, and exist to perform some administrative function. An attacker should not be able to log into these accounts. Disable logon access to these accounts with the command: # passwd -l [SYSACCT] CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38497 RHEL-06-000030 The system must not have accounts configured with blank or null passwords. SRG-OS-999999 high To verify that null passwords cannot be used, run the following command: # grep nullok /etc/pam.d/system-auth If this produces any output, it may be possible to log into accounts with empty passwords. If NULL passwords can be used, this is a finding. If an account is configured for password authentication but does not have an assigned password, it may be possible to log onto the account without authentication. Remove any instances of the "nullok" option in "/etc/pam.d/system-auth" to prevent logons with empty passwords. CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38498 RHEL-06-000383 Audit log files must have mode 0640 or less permissive. SRG-OS-000058 medium Run the following command to check the mode of the system audit logs: grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//|xargs stat -c %a:%n Audit logs must be mode 0640 or less permissive. If any are more permissive, this is a finding. Change the mode of the audit log files with the following command: # chmod 0640 [audit_file] CCI-000163 CCI-000163 draft 5/22/2009 DISA FSO The information system protects audit information from unauthorized modification. technical 4 AU-9 3 AU-9 1 AU-9.1
38499 RHEL-06-000031 The /etc/passwd file must not contain password hashes. SRG-OS-999999 medium To check that no password hashes are stored in "/etc/passwd", run the following command: # awk -F: '($2 != "x") {print}' /etc/passwd If it produces any output, then a password hash is stored in "/etc/passwd". If any stored hashes are found in /etc/passwd, this is a finding. If any password hashes are stored in "/etc/passwd" (in the second field, instead of an "x"), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely. CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38500 RHEL-06-000032 The root account must be the only account having a UID of 0. SRG-OS-999999 medium To list all password file entries for accounts with UID 0, run the following command: # awk -F: '($3 == 0) {print}' /etc/passwd This should print only one line, for the user root. If any account other than root has a UID of 0, this is a finding. If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed. CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38501 RHEL-06-000357 The system must disable accounts after excessive login failures within a 15-minute interval. SRG-OS-000249 medium To ensure the failed password attempt policy is configured correctly, run the following command: $ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth For each file, the output should show "fail_interval=<interval-in-seconds>" where "interval-in-seconds" is 900 (15 minutes) or greater. If the "fail_interval" parameter is not set, the default setting of 900 seconds is acceptable. If that is not the case, this is a finding. Utilizing "pam_faillock.so", the "fail_interval" directive configures the system to lock out accounts after a number of incorrect logon attempts. Modify the content of both "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" as follows: Add the following line immediately before the "pam_unix.so" statement in the "AUTH" section: auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900 Add the following line immediately after the "pam_unix.so" statement in the "AUTH" section: auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900 Add the following line immediately before the "pam_unix.so" statement in the "ACCOUNT" section: account required pam_faillock.so Note that any updates made to "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" may be overwritten by the "authconfig" program. The "authconfig" program should not be used. CCI-001452 CCI-001452 draft 5/25/2009 DISA FSO The information system enforces the organization-defined time period during which the limit of consecutive invalid access attempts by a user is counted. technical 3 AC-7 a 1 AC-7.1 (ii)
38502 RHEL-06-000033 The /etc/shadow file must be owned by root. SRG-OS-999999 medium To check the ownership of "/etc/shadow", run the command: $ ls -l /etc/shadow If properly configured, the output should indicate the following owner: "root" If it does not, this is a finding. To properly set the owner of "/etc/shadow", run the command: # chown root /etc/shadow CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38503 RHEL-06-000034 The /etc/shadow file must be group-owned by root. SRG-OS-999999 medium To check the group ownership of "/etc/shadow", run the command: $ ls -l /etc/shadow If properly configured, the output should indicate the following group-owner: "root" If it does not, this is a finding. To properly set the group owner of "/etc/shadow", run the command: # chgrp root /etc/shadow CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38504 RHEL-06-000035 The /etc/shadow file must have mode 0000. SRG-OS-999999 medium To check the permissions of "/etc/shadow", run the command: $ ls -l /etc/shadow If properly configured, the output should indicate the following permissions: "----------" If it does not, this is a finding. To properly set the permissions of "/etc/shadow", run the command: # chmod 0000 /etc/shadow CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38511 RHEL-06-000082 IP forwarding for IPv4 must not be enabled, unless the system is a router. SRG-OS-999999 medium The status of the "net.ipv4.ip_forward" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.ip_forward The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.ip_forward /etc/sysctl.conf The ability to forward packets is only appropriate for routers. If the correct value is not returned, this is a finding. To set the runtime status of the "net.ipv4.ip_forward" kernel parameter, run the following command: # sysctl -w net.ipv4.ip_forward=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.ip_forward = 0 CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38512 RHEL-06-000117 The operating system must prevent public IPv4 access into an organization's internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices. SRG-OS-000146 medium If the system is a cross-domain system, this is not applicable. Run the following command to determine the current status of the "iptables" service: # service iptables status If the service is not running, it should return the following: iptables: Firewall is not running. If the service is not running, this is a finding. The "iptables" service can be enabled with the following commands: # chkconfig iptables on # service iptables start CCI-001100 CCI-001100 draft 9/21/2009 DISA FSO The information system prevents public access into the organization's internal networks except as appropriately mediated by managed interfaces employing boundary protection devices. technical 3 SC-7 (2) 1 SC-7 (2).1 (ii)
38513 RHEL-06-000120 The system's local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets. SRG-OS-000231 medium Inspect the file "/etc/sysconfig/iptables" to determine the default policy for the INPUT chain. It should be set to DROP. # grep ":INPUT" /etc/sysconfig/iptables If the default policy for the INPUT chain is not set to DROP, this is a finding. To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in "/etc/sysconfig/iptables": :INPUT DROP [0:0] CCI-000066 CCI-000066 draft 9/14/2009 DISA FSO The organization enforces requirements for remote connections to the information system. technical 3 AC-17 e 1 AC-17.1 (v)
38514 RHEL-06-000124 The Datagram Congestion Control Protocol (DCCP) must be disabled unless required. SRG-OS-000096 medium If the system is configured to prevent the loading of the "dccp" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated "/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": $ grep -r dccp /etc/modprobe.conf /etc/modprobe.d If no line is returned, this is a finding. The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the "dccp" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install dccp /bin/true CCI-000382 CCI-000382 draft 9/18/2009 DISA FSO The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services. technical 4 CM-7 b 3 CM-7 1 CM-7.1 (iii)
38515 RHEL-06-000125 The Stream Control Transmission Protocol (SCTP) must be disabled unless required. SRG-OS-000096 medium If the system is configured to prevent the loading of the "sctp" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated "/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": $ grep -r sctp /etc/modprobe.conf /etc/modprobe.d If no line is returned, this is a finding. The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the "sctp" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install sctp /bin/true CCI-000382 CCI-000382 draft 9/18/2009 DISA FSO The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services. technical 4 CM-7 b 3 CM-7 1 CM-7.1 (iii)
38516 RHEL-06-000126 The Reliable Datagram Sockets (RDS) protocol must be disabled unless required. SRG-OS-000096 low If the system is configured to prevent the loading of the "rds" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated "/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": $ grep -r rds /etc/modprobe.conf /etc/modprobe.d If no line is returned, this is a finding. The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-bandwidth, low-latency communications between nodes in a cluster. To configure the system to prevent the "rds" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install rds /bin/true CCI-000382 CCI-000382 draft 9/18/2009 DISA FSO The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services. technical 4 CM-7 b 3 CM-7 1 CM-7.1 (iii)
38517 RHEL-06-000127 The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required. SRG-OS-000096 medium If the system is configured to prevent the loading of the "tipc" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated "/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": $ grep -r tipc /etc/modprobe.conf /etc/modprobe.d If no line is returned, this is a finding. The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the "tipc" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install tipc /bin/true CCI-000382 CCI-000382 draft 9/18/2009 DISA FSO The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services. technical 4 CM-7 b 3 CM-7 1 CM-7.1 (iii)
38518 RHEL-06-000133 All rsyslog-generated log files must be owned by root. SRG-OS-000206 medium The owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". To see the owner of a given log file, run the following command: $ ls -l [LOGFILE] Some log files referenced in /etc/rsyslog.conf may be created by other programs and may require exclusion from consideration. If the owner is not root, this is a finding. The owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's owner: $ ls -l [LOGFILE] If the owner is not "root", run the following command to correct this: # chown root [LOGFILE] CCI-001314 CCI-001314 draft 9/22/2009 DISA FSO The information system reveals error messages only to organization-defined personnel or roles. technical 4 SI-11 b 3 SI-11 c 1 SI-11.1 (iv)
38519 RHEL-06-000134 All rsyslog-generated log files must be group-owned by root. SRG-OS-000206 medium The group-owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". To see the group-owner of a given log file, run the following command: $ ls -l [LOGFILE] Some log files referenced in /etc/rsyslog.conf may be created by other programs and may require exclusion from consideration. If the group-owner is not root, this is a finding. The group-owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's group owner: $ ls -l [LOGFILE] If the group-owner is not "root", run the following command to correct this: # chgrp root [LOGFILE] CCI-001314 CCI-001314 draft 9/22/2009 DISA FSO The information system reveals error messages only to organization-defined personnel or roles. technical 4 SI-11 b 3 SI-11 c 1 SI-11.1 (iv)
38520 RHEL-06-000136 The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited. SRG-OS-000215 medium To ensure logs are sent to a remote host, examine the file "/etc/rsyslog.conf". If using UDP, a line similar to the following should be present: *.* @[loghost.example.com] If using TCP, a line similar to the following should be present: *.* @@[loghost.example.com] If using RELP, a line similar to the following should be present: *.* :omrelp:[loghost.example.com] If none of these are present, this is a finding. To configure rsyslog to send logs to a remote log server, open "/etc/rsyslog.conf" and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting "[loghost.example.com]" appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments. To use UDP for log message delivery: *.* @[loghost.example.com] To use TCP for log message delivery: *.* @@[loghost.example.com] To use RELP for log message delivery: *.* :omrelp:[loghost.example.com] CCI-001348 CCI-001348 draft 9/22/2009 DISA FSO The information system backs up audit records on an organization-defined frequency onto a different system or system component than the system or component being audited. technical 4 AU-9 (2) 3 AU-9 (2) 1 AU-9 (2).1 (iii)
38521 RHEL-06-000137 The operating system must support the requirement to centrally manage the content of audit records generated by organization defined information system components. SRG-OS-000043 medium To ensure logs are sent to a remote host, examine the file "/etc/rsyslog.conf". If using UDP, a line similar to the following should be present: *.* @[loghost.example.com] If using TCP, a line similar to the following should be present: *.* @@[loghost.example.com] If using RELP, a line similar to the following should be present: *.* :omrelp:[loghost.example.com] If none of these are present, this is a finding. To configure rsyslog to send logs to a remote log server, open "/etc/rsyslog.conf" and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting "[loghost.example.com]" appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments. To use UDP for log message delivery: *.* @[loghost.example.com] To use TCP for log message delivery: *.* @@[loghost.example.com] To use RELP for log message delivery: *.* :omrelp:[loghost.example.com] CCI-000169 CCI-000169 draft 5/22/2009 DISA FSO The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components. technical 4 AU-12 a 3 AU-12 a 1 AU-12.1 (ii)
38522 RHEL-06-000167 The audit system must be configured to audit all attempts to alter system time through settimeofday. SRG-OS-000062 low To determine if the system is configured to audit calls to the "settimeofday" system call, run the following command: $ sudo grep -w "settimeofday" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. If the system is not configured to audit time changes, this is a finding. On a 32-bit system, add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b32 -S settimeofday -k audit_time_rules On a 64-bit system, add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b64 -S settimeofday -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules CCI-000169 CCI-000169 draft 5/22/2009 DISA FSO The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components. technical 4 AU-12 a 3 AU-12 a 1 AU-12.1 (ii)
38523 RHEL-06-000083 The system must not accept IPv4 source-routed packets on any interface. SRG-OS-999999 medium The status of the "net.ipv4.conf.all.accept_source_route" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.accept_source_route The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.conf.all.accept_source_route /etc/sysctl.conf If the correct value is not returned, this is a finding. To set the runtime status of the "net.ipv4.conf.all.accept_source_route" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.accept_source_route=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.all.accept_source_route = 0 CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38524 RHEL-06-000084 The system must not accept ICMPv4 redirect packets on any interface. SRG-OS-999999 medium The status of the "net.ipv4.conf.all.accept_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.accept_redirects The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.conf.all.accept_redirects /etc/sysctl.conf If the correct value is not returned, this is a finding. To set the runtime status of the "net.ipv4.conf.all.accept_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.accept_redirects=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.all.accept_redirects = 0 CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38525 RHEL-06-000169 The audit system must be configured to audit all attempts to alter system time through stime. SRG-OS-000062 low If the system is 64-bit only, this is not applicable. To determine if the system is configured to audit calls to the "stime" system call, run the following command: $ sudo grep -w "stime" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. If the system is not configured to audit time changes, this is a finding. On a 32-bit system, add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b32 -S stime -k audit_time_rules On a 64-bit system, the "-S stime" is not necessary. The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules CCI-000169 CCI-000169 draft 5/22/2009 DISA FSO The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components. technical 4 AU-12 a 3 AU-12 a 1 AU-12.1 (ii)
38526 RHEL-06-000086 The system must not accept ICMPv4 secure redirect packets on any interface. SRG-OS-999999 medium The status of the "net.ipv4.conf.all.secure_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.secure_redirects The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.conf.all.secure_redirects /etc/sysctl.conf If the correct value is not returned, this is a finding. To set the runtime status of the "net.ipv4.conf.all.secure_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.secure_redirects=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.all.secure_redirects = 0 CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38527 RHEL-06-000171 The audit system must be configured to audit all attempts to alter system time through clock_settime. SRG-OS-000062 low To determine if the system is configured to audit calls to the "clock_settime" system call, run the following command: $ sudo grep -w "clock_settime" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. If the system is not configured to audit time changes, this is a finding. On a 32-bit system, add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b32 -S clock_settime -k audit_time_rules On a 64-bit system, add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b64 -S clock_settime -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules CCI-000169 CCI-000169 draft 5/22/2009 DISA FSO The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components. technical 4 AU-12 a 3 AU-12 a 1 AU-12.1 (ii)
38528 RHEL-06-000088 The system must log Martian packets. SRG-OS-999999 low The status of the "net.ipv4.conf.all.log_martians" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.log_martians The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.conf.all.log_martians /etc/sysctl.conf If the correct value is not returned, this is a finding. To set the runtime status of the "net.ipv4.conf.all.log_martians" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.log_martians=1 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.all.log_martians = 1 CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38529 RHEL-06-000089 The system must not accept IPv4 source-routed packets by default. SRG-OS-999999 medium The status of the "net.ipv4.conf.default.accept_source_route" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.accept_source_route The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.conf.default.accept_source_route /etc/sysctl.conf If the correct value is not returned, this is a finding. To set the runtime status of the "net.ipv4.conf.default.accept_source_route" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.accept_source_route=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.default.accept_source_route = 0 CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38530 RHEL-06-000173 The audit system must be configured to audit all attempts to alter system time through /etc/localtime. SRG-OS-000062 low To determine if the system is configured to audit attempts to alter time via the /etc/localtime file, run the following command: $ sudo grep -w "/etc/localtime" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. If the system is not configured to audit time changes, this is a finding. Add the following to "/etc/audit/audit.rules": -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used. CCI-000169 CCI-000169 draft 5/22/2009 DISA FSO The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components. technical 4 AU-12 a 3 AU-12 a 1 AU-12.1 (ii)
38531 RHEL-06-000174 The operating system must automatically audit account creation. SRG-OS-000004 low To determine if the system is configured to audit account changes, run the following command: $ sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each). If the system is not configured to audit account changes, this is a finding. Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes: # audit_account_changes -w /etc/group -p wa -k audit_account_changes -w /etc/passwd -p wa -k audit_account_changes -w /etc/gshadow -p wa -k audit_account_changes -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes CCI-000018 CCI-000018 draft 5/13/2009 DISA FSO The information system automatically audits account creation actions. technical 4 AC-2 (4) 3 AC-2 (4) 1 AC-2 (4).1 (i and ii)
38532 RHEL-06-000090 The system must not accept ICMPv4 secure redirect packets by default. SRG-OS-999999 medium The status of the "net.ipv4.conf.default.secure_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.secure_redirects The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.conf.default.secure_redirects /etc/sysctl.conf If the correct value is not returned, this is a finding. To set the runtime status of the "net.ipv4.conf.default.secure_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.secure_redirects=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.default.secure_redirects = 0 CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38533 RHEL-06-000091 The system must ignore ICMPv4 redirect messages by default. SRG-OS-999999 low The status of the "net.ipv4.conf.default.accept_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.accept_redirects The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.conf.default.accept_redirects /etc/sysctl.conf If the correct value is not returned, this is a finding. To set the runtime status of the "net.ipv4.conf.default.accept_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.accept_redirects=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.default.accept_redirects = 0 CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38534 RHEL-06-000175 The operating system must automatically audit account modification. SRG-OS-000239 low To determine if the system is configured to audit account changes, run the following command: $ sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each). If the system is not configured to audit account changes, this is a finding. Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes: # audit_account_changes -w /etc/group -p wa -k audit_account_changes -w /etc/passwd -p wa -k audit_account_changes -w /etc/gshadow -p wa -k audit_account_changes -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes CCI-001403 CCI-001403 draft 9/24/2009 DISA FSO The information system automatically audits account modification actions. technical 4 AC-2 (4) 3 AC-2 (4) 1 AC-2 (4).1 (i and ii)
38535 RHEL-06-000092 The system must not respond to ICMPv4 sent to a broadcast address. SRG-OS-999999 low The status of the "net.ipv4.icmp_echo_ignore_broadcasts" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.icmp_echo_ignore_broadcasts The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf If the correct value is not returned, this is a finding. To set the runtime status of the "net.ipv4.icmp_echo_ignore_broadcasts" kernel parameter, run the following command: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.icmp_echo_ignore_broadcasts = 1 CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38536 RHEL-06-000176 The operating system must automatically audit account disabling actions. SRG-OS-000240 low To determine if the system is configured to audit account changes, run the following command: $ sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each). If the system is not configured to audit account changes, this is a finding. Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes: # audit_account_changes -w /etc/group -p wa -k audit_account_changes -w /etc/passwd -p wa -k audit_account_changes -w /etc/gshadow -p wa -k audit_account_changes -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes CCI-001404 CCI-001404 draft 9/24/2009 DISA FSO The information system automatically audits account disabling actions. technical 4 AC-2 (4) 3 AC-2 (4) 1 AC-2 (4).1 (i and ii)
38537 RHEL-06-000093 The system must ignore ICMPv4 bogus error responses. SRG-OS-999999 low The status of the "net.ipv4.icmp_ignore_bogus_error_responses" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.icmp_ignore_bogus_error_responses The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.icmp_ignore_bogus_error_responses /etc/sysctl.conf If the correct value is not returned, this is a finding. To set the runtime status of the "net.ipv4.icmp_ignore_bogus_error_responses" kernel parameter, run the following command: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.icmp_ignore_bogus_error_responses = 1 CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38538 RHEL-06-000177 The operating system must automatically audit account termination. SRG-OS-000241 low To determine if the system is configured to audit account changes, run the following command: $ sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each). If the system is not configured to audit account changes, this is a finding. Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes: # audit_account_changes -w /etc/group -p wa -k audit_account_changes -w /etc/passwd -p wa -k audit_account_changes -w /etc/gshadow -p wa -k audit_account_changes -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes CCI-001405 CCI-001405 draft 9/24/2009 DISA FSO The information system automatically audits account removal actions. technical 4 AC-2 (4) 3 AC-2 (4) 1 AC-2 (4).1 (i and ii)
38539 RHEL-06-000095 The system must be configured to use TCP syncookies when experiencing a TCP SYN flood. SRG-OS-000142 medium The status of the "net.ipv4.tcp_syncookies" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.tcp_syncookies The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.tcp_syncookies /etc/sysctl.conf If the correct value is not returned, this is a finding. To set the runtime status of the "net.ipv4.tcp_syncookies" kernel parameter, run the following command: # sysctl -w net.ipv4.tcp_syncookies=1 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.tcp_syncookies = 1 CCI-001095 CCI-001095 draft 9/21/2009 DISA FSO The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks. technical 4 SC-5 (2) 3 SC-5 (2) 1 SC-5 (2).1
38540 RHEL-06-000182 The audit system must be configured to audit modifications to the systems network configuration. SRG-OS-999999 low If you are running x86_64 architecture, determine the values for sethostname: $ uname -m; ausyscall i386 sethostname; ausyscall x86_64 sethostname If the values returned are not identical verify that the system is configured to monitor network configuration changes for the i386 and x86_64 architectures: $ sudo egrep -w '(sethostname|setdomainname|/etc/issue|/etc/issue.net|/etc/hosts|/etc/sysconfig/network)' /etc/audit/audit.rules -a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications -w /etc/issue -p wa -k audit_network_modifications -w /etc/issue.net -p wa -k audit_network_modifications -w /etc/hosts -p wa -k audit_network_modifications -w /etc/sysconfig/network -p wa -k audit_network_modifications -a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_network_modifications -w /etc/issue -p wa -k audit_network_modifications -w /etc/issue.net -p wa -k audit_network_modifications -w /etc/hosts -p wa -k audit_network_modifications -w /etc/sysconfig/network -p wa -k audit_network_modifications If the system is configured to watch for network configuration changes, a line should be returned for each file specified for both (and "-p wa" should be indicated for each). If the system is not configured to audit changes of the network configuration, this is a finding. Add the following to "/etc/audit/audit.rules", setting ARCH to either b32 or b64 as appropriate for your system: # audit_network_modifications -a always,exit -F arch=ARCH -S sethostname -S setdomainname -k audit_network_modifications -w /etc/issue -p wa -k audit_network_modifications -w /etc/issue.net -p wa -k audit_network_modifications -w /etc/hosts -p wa -k audit_network_modifications -w /etc/sysconfig/network -p wa -k audit_network_modifications CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38541 RHEL-06-000183 The audit system must be configured to audit modifications to the systems Mandatory Access Control (MAC) configuration (SELinux). SRG-OS-999999 low To determine if the system is configured to audit changes to its SELinux configuration files, run the following command: $ sudo grep -w "/etc/selinux" /etc/audit/audit.rules If the system is configured to watch for changes to its SELinux configuration, a line should be returned (including "-p wa" indicating permissions that are watched). If the system is not configured to audit attempts to change the MAC policy, this is a finding. Add the following to "/etc/audit/audit.rules": -w /etc/selinux/ -p wa -k MAC-policy CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38542 RHEL-06-000096 The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces. SRG-OS-999999 medium The status of the "net.ipv4.conf.all.rp_filter" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.rp_filter The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.conf.all.rp_filter /etc/sysctl.conf If the correct value is not returned, this is a finding. To set the runtime status of the "net.ipv4.conf.all.rp_filter" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.rp_filter=1 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.all.rp_filter = 1 CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38543 RHEL-06-000184 The audit system must be configured to audit all discretionary access control permission modifications using chmod. SRG-OS-000064 low To determine if the system is configured to audit calls to the "chmod" system call, run the following command: $ sudo grep -w "chmod" /etc/audit/audit.rules If the system is configured to audit this activity, it will return several lines. If the system is not configured to audit permission changes, this is a finding. At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S chmod -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S chmod -F auid=0 -k perm_mod CCI-000172 CCI-000172 draft 9/15/2009 DISA FSO The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. technical 4 AU-12 c 3 AU-12 c 1 AU-12.1 (iv)
38544 RHEL-06-000097 The system must use a reverse-path filter for IPv4 network traffic when possible by default. SRG-OS-999999 medium The status of the "net.ipv4.conf.default.rp_filter" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.rp_filter The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.conf.default.rp_filter /etc/sysctl.conf If the correct value is not returned, this is a finding. To set the runtime status of the "net.ipv4.conf.default.rp_filter" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.rp_filter=1 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.default.rp_filter = 1 CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38545 RHEL-06-000185 The audit system must be configured to audit all discretionary access control permission modifications using chown. SRG-OS-000064 low To determine if the system is configured to audit calls to the "chown" system call, run the following command: $ sudo grep -w "chown" /etc/audit/audit.rules If the system is configured to audit this activity, it will return several lines. If no line is returned, this is a finding. At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S chown -F auid=0 -k perm_mod CCI-000172 CCI-000172 draft 9/15/2009 DISA FSO The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. technical 4 AU-12 c 3 AU-12 c 1 AU-12.1 (iv)
38546 RHEL-06-000098 The IPv6 protocol handler must not be bound to the network stack unless needed. SRG-OS-999999 medium If the system uses IPv6, this is not applicable. If the system is configured to disable the "ipv6" kernel module, it will contain a line of the form: options ipv6 disable=1 Such lines may be inside any file in "/etc/modprobe.d" or the deprecated "/etc/modprobe.conf". This permits insertion of the IPv6 kernel module (which other parts of the system expect to be present), but otherwise keeps it inactive. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": $ grep -r ipv6 /etc/modprobe.conf /etc/modprobe.d If the IPv6 kernel module is not disabled, look to see if it is unhooked by inspecting the "sysctl.conf" file for the following output: $ grep -r ipv6 /etc/sysctl.conf net.ipv6.conf.all.disable_ipv6 = 1 If the IPv6 kernel module is not disabled or unhooked, this is a finding. To prevent the IPv6 kernel module ("ipv6") from binding to the IPv6 networking stack, add the following line to "/etc/modprobe.d/disabled.conf" (or another file in "/etc/modprobe.d"): options ipv6 disable=1 This permits the IPv6 module to be loaded (and thus satisfy other modules that depend on it), while disabling support for the IPv6 protocol. Or add the following line to "/etc/sysctl.conf" to unhook the module: net.ipv6.conf.all.disable_ipv6 = 1 CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38547 RHEL-06-000186 The audit system must be configured to audit all discretionary access control permission modifications using fchmod. SRG-OS-000064 low To determine if the system is configured to audit calls to the "fchmod" system call, run the following command: $ sudo grep -w "fchmod" /etc/audit/audit.rules If the system is configured to audit this activity, it will return several lines. If no line is returned, this is a finding. At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_mod CCI-000172 CCI-000172 draft 9/15/2009 DISA FSO The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. technical 4 AU-12 c 3 AU-12 c 1 AU-12.1 (iv)
38548 RHEL-06-000099 The system must ignore ICMPv6 redirects by default. SRG-OS-999999 medium If IPv6 is disabled, this is not applicable. The status of the "net.ipv6.conf.default.accept_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv6.conf.default.accept_redirects The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv6.conf.default.accept_redirects /etc/sysctl.conf If the correct value is not returned, this is a finding. To set the runtime status of the "net.ipv6.conf.default.accept_redirects" kernel parameter, run the following command: # sysctl -w net.ipv6.conf.default.accept_redirects=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv6.conf.default.accept_redirects = 0 CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38549 RHEL-06-000103 The system must employ a local IPv6 firewall. SRG-OS-000152 medium If the system is a cross-domain system, this is not applicable. If IPv6 is disabled, this is not applicable. Run the following command to determine the current status of the "ip6tables" service: # service ip6tables status If the service is not running, it should return the following: ip6tables: Firewall is not running. If the service is not running, this is a finding. The "ip6tables" service can be enabled with the following commands: # chkconfig ip6tables on # service ip6tables start CCI-001118 CCI-001118 draft 9/21/2009 DISA FSO The information system implements host-based boundary protection mechanisms for servers, workstations, and mobile devices. technical 3 SC-7 (12) 1 SC-7 (12).1
38550 RHEL-06-000187 The audit system must be configured to audit all discretionary access control permission modifications using fchmodat. SRG-OS-000064 low To determine if the system is configured to audit calls to the "fchmodat" system call, run the following command: $ sudo grep -w "fchmodat" /etc/audit/audit.rules If the system is configured to audit this activity, it will return several lines. If no line is returned, this is a finding. At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_mod CCI-000172 CCI-000172 draft 9/15/2009 DISA FSO The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. technical 4 AU-12 c 3 AU-12 c 1 AU-12.1 (iv)
38551 RHEL-06-000106 The operating system must connect to external networks or information systems only through managed IPv6 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. SRG-OS-000145 medium If the system is a cross-domain system, this is not applicable. If IPv6 is disabled, this is not applicable. Run the following command to determine the current status of the "ip6tables" service: # service ip6tables status If the service is not running, it should return the following: ip6tables: Firewall is not running. If the service is not running, this is a finding. The "ip6tables" service can be enabled with the following commands: # chkconfig ip6tables on # service ip6tables start CCI-001098 CCI-001098 draft 9/21/2009 DISA FSO The information system connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. policy 4 SC-7 c 3 SC-7 b 1 SC-7.1 (iv)
38552 RHEL-06-000188 The audit system must be configured to audit all discretionary access control permission modifications using fchown. SRG-OS-000064 low To determine if the system is configured to audit calls to the "fchown" system call, run the following command: $ sudo grep -w "fchown" /etc/audit/audit.rules If the system is configured to audit this activity, it will return several lines. If no line is returned, this is a finding. At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_mod CCI-000172 CCI-000172 draft 9/15/2009 DISA FSO The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. technical 4 AU-12 c 3 AU-12 c 1 AU-12.1 (iv)
38553 RHEL-06-000107 The operating system must prevent public IPv6 access into an organization's internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices. SRG-OS-000146 medium If the system is a cross-domain system, this is not applicable. If IPv6 is disabled, this is not applicable. Run the following command to determine the current status of the "ip6tables" service: # service ip6tables status If the service is not running, it should return the following: ip6tables: Firewall is not running. If the service is not running, this is a finding. The "ip6tables" service can be enabled with the following commands: # chkconfig ip6tables on # service ip6tables start CCI-001100 CCI-001100 draft 9/21/2009 DISA FSO The information system prevents public access into the organization's internal networks except as appropriately mediated by managed interfaces employing boundary protection devices. technical 3 SC-7 (2) 1 SC-7 (2).1 (ii)
38554 RHEL-06-000189 The audit system must be configured to audit all discretionary access control permission modifications using fchownat. SRG-OS-000064 low To determine if the system is configured to audit calls to the "fchownat" system call, run the following command: $ sudo grep -w "fchownat" /etc/audit/audit.rules If the system is configured to audit this activity, it will return several lines. If no line is returned, this is a finding. At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_mod CCI-000172 CCI-000172 draft 9/15/2009 DISA FSO The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. technical 4 AU-12 c 3 AU-12 c 1 AU-12.1 (iv)
38555 RHEL-06-000113 The system must employ a local IPv4 firewall. SRG-OS-000152 medium If the system is a cross-domain system, this is not applicable. Run the following command to determine the current status of the "iptables" service: # service iptables status If the service is not running, it should return the following: iptables: Firewall is not running. If the service is not running, this is a finding. The "iptables" service can be enabled with the following commands: # chkconfig iptables on # service iptables start CCI-001118 CCI-001118 draft 9/21/2009 DISA FSO The information system implements host-based boundary protection mechanisms for servers, workstations, and mobile devices. technical 3 SC-7 (12) 1 SC-7 (12).1
38556 RHEL-06-000190 The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr. SRG-OS-000064 low To determine if the system is configured to audit calls to the "fremovexattr" system call, run the following command: $ sudo grep -w "fremovexattr" /etc/audit/audit.rules If the system is configured to audit this activity, it will return several lines. If no line is returned, this is a finding. At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod CCI-000172 CCI-000172 draft 9/15/2009 DISA FSO The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. technical 4 AU-12 c 3 AU-12 c 1 AU-12.1 (iv)
38557 RHEL-06-000191 The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr. SRG-OS-000064 low To determine if the system is configured to audit calls to the "fsetxattr" system call, run the following command: $ sudo grep -w "fsetxattr" /etc/audit/audit.rules If the system is configured to audit this activity, it will return several lines. If no line is returned, this is a finding. At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod CCI-000172 CCI-000172 draft 9/15/2009 DISA FSO The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. technical 4 AU-12 c 3 AU-12 c 1 AU-12.1 (iv)
38558 RHEL-06-000192 The audit system must be configured to audit all discretionary access control permission modifications using lchown. SRG-OS-000064 low To determine if the system is configured to audit calls to the "lchown" system call, run the following command: $ sudo grep -w "lchown" /etc/audit/audit.rules If the system is configured to audit this activity, it will return several lines. If no line is returned, this is a finding. At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod CCI-000172 CCI-000172 draft 9/15/2009 DISA FSO The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. technical 4 AU-12 c 3 AU-12 c 1 AU-12.1 (iv)
38559 RHEL-06-000193 The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr. SRG-OS-000064 low To determine if the system is configured to audit calls to the "lremovexattr" system call, run the following command: $ sudo grep -w "lremovexattr" /etc/audit/audit.rules If the system is configured to audit this activity, it will return several lines. If no line is returned, this is a finding. At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod CCI-000172 CCI-000172 draft 9/15/2009 DISA FSO The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. technical 4 AU-12 c 3 AU-12 c 1 AU-12.1 (iv)
38560 RHEL-06-000116 The operating system must connect to external networks or information systems only through managed IPv4 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. SRG-OS-000145 medium If the system is a cross-domain system, this is not applicable. Run the following command to determine the current status of the "iptables" service: # service iptables status If the service is not running, it should return the following: iptables: Firewall is not running. If the service is not running, this is a finding. The "iptables" service can be enabled with the following commands: # chkconfig iptables on # service iptables start CCI-001098 CCI-001098 draft 9/21/2009 DISA FSO The information system connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. policy 4 SC-7 c 3 SC-7 b 1 SC-7.1 (iv)
38561 RHEL-06-000194 The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr. SRG-OS-000064 low To determine if the system is configured to audit calls to the "lsetxattr" system call, run the following command: $ sudo grep -w "lsetxattr" /etc/audit/audit.rules If the system is configured to audit this activity, it will return several lines. If no line is returned, this is a finding. At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod CCI-000172 CCI-000172 draft 9/15/2009 DISA FSO The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. technical 4 AU-12 c 3 AU-12 c 1 AU-12.1 (iv)
38563 RHEL-06-000195 The audit system must be configured to audit all discretionary access control permission modifications using removexattr. SRG-OS-000064 low To determine if the system is configured to audit calls to the "removexattr" system call, run the following command: $ sudo grep -w "removexattr" /etc/audit/audit.rules If the system is configured to audit this activity, it will return several lines. If no line is returned, this is a finding. At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod CCI-000172 CCI-000172 draft 9/15/2009 DISA FSO The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. technical 4 AU-12 c 3 AU-12 c 1 AU-12.1 (iv)
38565 RHEL-06-000196 The audit system must be configured to audit all discretionary access control permission modifications using setxattr. SRG-OS-000064 low To determine if the system is configured to audit calls to the "setxattr" system call, run the following command: $ sudo grep -w "setxattr" /etc/audit/audit.rules If the system is configured to audit this activity, it will return several lines. If no line is returned, this is a finding. At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod CCI-000172 CCI-000172 draft 9/15/2009 DISA FSO The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. technical 4 AU-12 c 3 AU-12 c 1 AU-12.1 (iv)
38566 RHEL-06-000197 The audit system must be configured to audit failed attempts to access files and programs. SRG-OS-000064 low To verify that the audit system collects unauthorized file accesses, run the following commands: # grep EACCES /etc/audit/audit.rules # grep EPERM /etc/audit/audit.rules If either command lacks output, this is a finding. At a minimum, the audit system should collect unauthorized file accesses for all users and root. Add the following to "/etc/audit/audit.rules", setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid=0 -k access -a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid=0 -k access CCI-000172 CCI-000172 draft 9/15/2009 DISA FSO The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. technical 4 AU-12 c 3 AU-12 c 1 AU-12.1 (iv)
38567 RHEL-06-000198 The audit system must be configured to audit all use of setuid and setgid programs. SRG-OS-000020 low To verify that auditing of privileged command use is configured, run the following command once for each local partition [PART] to find relevant setuid / setgid programs: $ sudo find [PART] -xdev -type f -perm /6000 2>/dev/null Run the following command to verify entries in the audit rules for all programs found with the previous command: $ sudo grep path /etc/audit/audit.rules It should be the case that all relevant setuid / setgid programs have a line in the audit rules. If that is not the case, this is a finding. At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition [PART]: $ sudo find [PART] -xdev -type f -perm /6000 2>/dev/null Then, for each setuid / setgid program on the system, add a line of the following form to "/etc/audit/audit.rules", where [SETUID_PROG_PATH] is the full path to each setuid / setgid program in the list: -a always,exit -F path=[SETUID_PROG_PATH] -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged CCI-000040 CCI-000040 draft 9/14/2009 DISA FSO The organization audits any use of privileged accounts, or roles, with access to organization-defined security functions or security-relevant information, when accessing other system functions. technical 3 AC-6 (2) 1 AC-6 (2).1 (iii)
38568 RHEL-06-000199 The audit system must be configured to audit successful file system mounts. SRG-OS-000064 low To verify that auditing is configured for all media exportation events, run the following command: $ sudo grep -w "mount" /etc/audit/audit.rules If the system is configured to audit this activity, it will return several lines. If no line is returned, this is a finding. At a minimum, the audit system should collect media exportation events for all users and root. Add the following to "/etc/audit/audit.rules", setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export -a always,exit -F arch=ARCH -S mount -F auid=0 -k export CCI-000172 CCI-000172 draft 9/15/2009 DISA FSO The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. technical 4 AU-12 c 3 AU-12 c 1 AU-12.1 (iv)
38569 RHEL-06-000057 The system must require passwords to contain at least one uppercase alphabetic character. SRG-OS-000069 low To check how many uppercase characters are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth The "ucredit" parameter (as a negative number) will indicate how many uppercase characters are required. The DoD requires at least one uppercase character in a password. This would appear as "ucredit=-1". If ucredit is not found or not set to the required value, this is a finding. The pam_cracklib module's "ucredit=" parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each uppercase character. Add "ucredit=-1" after pam_cracklib.so to require use of an uppercase character in passwords. CCI-000192 CCI-000192 draft 9/15/2009 DISA FSO The information system enforces password complexity by the minimum number of upper case characters used. technical 4 IA-5 (1) (a) 3 IA-5 (1) (a) 1 IA-5 (1).1 (v)
38570 RHEL-06-000058 The system must require passwords to contain at least one special character. SRG-OS-000266 low To check how many special characters are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth The "ocredit" parameter (as a negative number) will indicate how many special characters are required. The DoD requires at least one special character in a password. This would appear as "ocredit=-1". If ocredit is not found or not set to the required value, this is a finding. The pam_cracklib module's "ocredit=" parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each special character. Add "ocredit=-1" after pam_cracklib.so to require use of a special character in passwords. CCI-001619 CCI-001619 draft 5/12/2010 DISA FSO The information system enforces password complexity by the minimum number of special characters used. technical 4 IA-5 (1) (a) 3 IA-5 (1) (a) 1 IA-5 (1).1 (v)
38571 RHEL-06-000059 The system must require passwords to contain at least one lower-case alphabetic character. SRG-OS-000070 low To check how many lower-case characters are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth The "lcredit" parameter (as a negative number) will indicate how many lower-case characters are required. The DoD requires at least one lower-case character in a password. This would appear as "lcredit=-1". If lcredit is not found or not set to the required value, this is a finding. The pam_cracklib module's "lcredit=" parameter controls requirements for usage of lower-case letters in a password. When set to a negative number, any password will be required to contain that many lower-case characters. Add "lcredit=-1" after pam_cracklib.so to require use of a lower-case character in passwords. CCI-000193 CCI-000193 draft 9/15/2009 DISA FSO The information system enforces password complexity by the minimum number of lower case characters used. technical 4 IA-5 (1) (a) 3 IA-5 (1) (a) 1 IA-5 (1).1 (v)
38572 RHEL-06-000060 The system must require at least eight characters be changed between the old and new passwords during a password change. SRG-OS-000072 low To check how many characters must differ during a password change, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth The "difok" parameter will indicate how many characters must differ. The DoD requires eight characters differ during a password change. This would appear as "difok=8". If difok is not found or not set to the required value, this is a finding. The pam_cracklib module's "difok" parameter controls requirements for usage of different characters during a password change. Add "difok=[NUM]" after pam_cracklib.so to require differing characters when changing passwords, substituting [NUM] appropriately. The DoD requirement is 8. CCI-000195 CCI-000195 draft 9/15/2009 DISA FSO The information system, for password-based authentication, when new passwords are created, enforces that at least an organization-defined number of characters are changed. technical 4 IA-5 (1) (b) 3 IA-5 (1) (b) 1 IA-5 (1).1 (v)
38573 RHEL-06-000061 The system must disable accounts after three consecutive unsuccessful logon attempts. SRG-OS-000021 medium To ensure the failed password attempt policy is configured correctly, run the following command: # grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth The output should show "deny=3" for both files. If that is not the case, this is a finding. To configure the system to lock out accounts after a number of incorrect logon attempts using "pam_faillock.so", modify the content of both "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" as follows: Add the following line immediately before the "pam_unix.so" statement in the "AUTH" section: auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900 Add the following line immediately after the "pam_unix.so" statement in the "AUTH" section: auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900 Add the following line immediately before the "pam_unix.so" statement in the "ACCOUNT" section: account required pam_faillock.so Note that any updates made to "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" may be overwritten by the "authconfig" program. The "authconfig" program should not be used. CCI-000044 CCI-000044 draft 9/14/2009 DISA FSO The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period. technical 4 AC-7 a 3 AC-7 a 1 AC-7.1 (ii)
38574 RHEL-06-000062 The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth). SRG-OS-000120 medium Inspect the "password" section of "/etc/pam.d/system-auth", "/etc/pam.d/system-auth-ac", and other files in "/etc/pam.d" and ensure that the "pam_unix.so" module includes the argument "sha512". $ grep password /etc/pam.d/* | grep pam_unix.so | grep sha512 If it does not, this is a finding. In "/etc/pam.d/system-auth" and "/etc/pam.d/system-auth-ac", among potentially other files, the "password" section of the files controls which PAM modules execute during a password change. Set the "pam_unix.so" module in the "password" section to include the argument "sha512", as shown below: password sufficient pam_unix.so sha512 [other arguments...] This will help ensure that when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default. Note that any updates made to "/etc/pam.d/system-auth" will be overwritten by the "authconfig" program. The "authconfig" program should not be used. CCI-000803 CCI-000803 draft 9/17/2009 DISA FSO The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. technical 4 IA-7 3 IA-7 1 IA-7.1
38575 RHEL-06-000200 The audit system must be configured to audit user deletions of files and programs. SRG-OS-000064 low To determine if the system is configured to audit calls to the "rmdir" system call, run the following command: $ sudo grep -w "rmdir" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the "unlink" system call, run the following command: $ sudo grep -w "unlink" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the "unlinkat" system call, run the following command: $ sudo grep -w "unlinkat" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the "rename" system call, run the following command: $ sudo grep -w "rename" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the "renameat" system call, run the following command: $ sudo grep -w "renameat" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. If no line is returned, this is a finding. At a minimum, the audit system should collect file deletion events for all users and root. Add the following (or equivalent) to "/etc/audit/audit.rules", setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete -a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete CCI-000172 CCI-000172 draft 9/15/2009 DISA FSO The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. technical 4 AU-12 c 3 AU-12 c 1 AU-12.1 (iv)
38576 RHEL-06-000063 The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs). SRG-OS-000120 medium Inspect "/etc/login.defs" and ensure the following line appears: ENCRYPT_METHOD SHA512 If it does not, this is a finding. In "/etc/login.defs", add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm: ENCRYPT_METHOD SHA512 CCI-000803 CCI-000803 draft 9/17/2009 DISA FSO The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. technical 4 IA-7 3 IA-7 1 IA-7.1
38577 RHEL-06-000064 The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf). SRG-OS-000120 medium Inspect "/etc/libuser.conf" and ensure the following line appears in the "[default]" section: crypt_style = sha512 If it does not, this is a finding. In "/etc/libuser.conf", add or correct the following line in its "[defaults]" section to ensure the system will use the SHA-512 algorithm for password hashing: crypt_style = sha512 CCI-000803 CCI-000803 draft 9/17/2009 DISA FSO The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. technical 4 IA-7 3 IA-7 1 IA-7.1
38578 RHEL-06-000201 The audit system must be configured to audit changes to the /etc/sudoers file. SRG-OS-000064 low To verify that auditing is configured for system administrator actions, run the following command: $ sudo grep -w "/etc/sudoers" /etc/audit/audit.rules If the system is configured to watch for changes to its sudoers configuration, a line should be returned (including "-p wa" indicating permissions that are watched). If there is no output, this is a finding. At a minimum, the audit system should collect administrator actions for all users and root. Add the following to "/etc/audit/audit.rules": -w /etc/sudoers -p wa -k actions CCI-000172 CCI-000172 draft 9/15/2009 DISA FSO The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. technical 4 AU-12 c 3 AU-12 c 1 AU-12.1 (iv)
38579 RHEL-06-000065 The system boot loader configuration file(s) must be owned by root. SRG-OS-999999 medium To check the ownership of "/boot/grub/grub.conf", run the command: $ ls -lL /boot/grub/grub.conf If properly configured, the output should indicate that the owner is "root". If it does not, this is a finding. The file "/boot/grub/grub.conf" should be owned by the "root" user to prevent destruction or modification of the file. To properly set the owner of "/boot/grub/grub.conf", run the command: # chown root /boot/grub/grub.conf CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38580 RHEL-06-000202 The audit system must be configured to audit the loading and unloading of dynamic kernel modules. SRG-OS-000064 medium To determine if the system is configured to audit execution of module management programs, run the following commands: $ sudo egrep -e "(-w |-F path=)/sbin/insmod" /etc/audit/audit.rules $ sudo egrep -e "(-w |-F path=)/sbin/rmmod" /etc/audit/audit.rules $ sudo egrep -e "(-w |-F path=)/sbin/modprobe" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the "init_module" system call, run the following command: $ sudo grep -w "init_module" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the "delete_module" system call, run the following command: $ sudo grep -w "delete_module" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. If no line is returned for any of these commands, this is a finding. Add the following to "/etc/audit/audit.rules" in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules -a always,exit -F arch=[ARCH] -S init_module -S delete_module -k modules CCI-000172 CCI-000172 draft 9/15/2009 DISA FSO The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. technical 4 AU-12 c 3 AU-12 c 1 AU-12.1 (iv)
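The check text for RHEL-06-000202 above is five separate greps and the fix text leaves the architecture as a placeholder. The following is an added example, not DISA's or Red Hat's tooling: it generates the fix text's rules for one or both ABIs and applies the check text to a rules file, skipping comment lines. The rule text and paths are the STIG's own; the sample rule file it builds is constructed for the demo.

```shell
# Added example (not DISA's or Red Hat's tooling): generate and verify the
# kernel-module audit rules from RHEL-06-000202. Paths and rule text are the
# STIG's own; the sample rule file built below is constructed for the demo.

# Print the fix text's rules, one "-a always,exit" line per architecture
# given (b32, b64, or both).
module_audit_rules() {
    printf '%s\n' \
        '-w /sbin/insmod -p x -k modules' \
        '-w /sbin/rmmod -p x -k modules' \
        '-w /sbin/modprobe -p x -k modules'
    for arch in "$@"; do
        printf '%s\n' "-a always,exit -F arch=$arch -S init_module -S delete_module -k modules"
    done
}

# Apply the check text to a rules file (default /etc/audit/audit.rules),
# ignoring comment lines. Prints each missing item; returns 0 only when all
# three watches and both syscalls are present.
check_module_audit_rules() {
    rules="${1:-/etc/audit/audit.rules}"
    rc=0
    for bin in /sbin/insmod /sbin/rmmod /sbin/modprobe; do
        grep -Ev '^[[:space:]]*#' "$rules" | grep -Eq "(-w |-F path=)$bin" \
            || { echo "$rules: no watch on $bin"; rc=1; }
    done
    for sc in init_module delete_module; do
        grep -Ev '^[[:space:]]*#' "$rules" | grep -wq "$sc" \
            || { echo "$rules: no syscall rule for $sc"; rc=1; }
    done
    return $rc
}

# Demo on a constructed file: watches only, then the complete rule set.
demo=$(mktemp)
module_audit_rules > "$demo"            # no arch given: watches only
check_module_audit_rules "$demo" || echo "(incomplete, as expected)"
module_audit_rules b32 b64 > "$demo"    # both ABIs on x86_64
check_module_audit_rules "$demo" && echo "module audit rules: complete"
rm -f "$demo"
```

On an x86_64 host a 32-bit process reaches init_module through the 32-bit syscall table, which a rule with arch=b64 does not see, so emitting both b32 and b64 rules is the safe choice rather than picking one. After editing the file, restart auditd (or load the rules with auditctl) and re-run the check against what the daemon actually loaded.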
38581 RHEL-06-000066 The system boot loader configuration file(s) must be group-owned by root. SRG-OS-999999 medium To check the group ownership of "/boot/grub/grub.conf", run the command: $ ls -lL /boot/grub/grub.conf If properly configured, the output should indicate the group-owner is "root". If it does not, this is a finding. The file "/boot/grub/grub.conf" should be group-owned by the "root" group to prevent destruction or modification of the file. To properly set the group owner of "/boot/grub/grub.conf", run the command: # chgrp root /boot/grub/grub.conf CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38582 RHEL-06-000203 The xinetd service must be disabled if no network services utilizing it are enabled. SRG-OS-000096 medium If network services are using the xinetd service, this is not applicable. To check that the "xinetd" service is disabled in system boot configuration, run the following command: # chkconfig "xinetd" --list Output should indicate the "xinetd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "xinetd" --list "xinetd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "xinetd" is disabled through current runtime configuration: # service xinetd status If the service is disabled the command will return the following output: xinetd is stopped If the service is running, this is a finding. The "xinetd" service can be disabled with the following commands: # chkconfig xinetd off # service xinetd stop CCI-000382 CCI-000382 draft 9/18/2009 DISA FSO The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services. technical 4 CM-7 b 3 CM-7 1 CM-7.1 (iii)
38583 RHEL-06-000067 The system boot loader configuration file(s) must have mode 0600 or less permissive. SRG-OS-999999 medium To check the permissions of "/boot/grub/grub.conf", run the command: $ sudo ls -lL /boot/grub/grub.conf If properly configured, the output should indicate the following permissions: "-rw-------" If it does not, this is a finding. File permissions for "/boot/grub/grub.conf" should be set to 600, which is the default. To properly set the permissions of "/boot/grub/grub.conf", run the command: # chmod 600 /boot/grub/grub.conf Boot partitions based on VFAT, NTFS, or other non-standard configurations may require alternative measures. CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38584 RHEL-06-000204 The xinetd service must be uninstalled if no network services utilizing it are enabled. SRG-OS-000096 low If network services are using the xinetd service, this is not applicable. Run the following command to determine if the "xinetd" package is installed: # rpm -q xinetd If the package is installed, this is a finding. The "xinetd" package can be uninstalled with the following command: # yum erase xinetd CCI-000382 CCI-000382 draft 9/18/2009 DISA FSO The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services. technical 4 CM-7 b 3 CM-7 1 CM-7.1 (iii)
38585 RHEL-06-000068 The system boot loader must require authentication. SRG-OS-000080 medium To verify the boot loader password has been set and encrypted, run the following command: # grep password /boot/grub/grub.conf The output should show the following: password --encrypted $6$[rest-of-the-password-hash] If it does not, this is a finding. The grub boot loader should have password protection enabled to protect boot-time settings. To do so, select a password and then generate a hash from it by running the following command: # grub-crypt --sha-512 Enter the password when prompted, then insert the following line into "/boot/grub/grub.conf" immediately after the header comments, using the output from "grub-crypt" as the value of [password-hash]: password --encrypted [password-hash] CCI-000213 CCI-000213 draft 9/14/2009 DISA FSO The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. technical 4 AC-3 3 AC-3 1 AC-3.1
38586 RHEL-06-000069 The system must require authentication upon booting into single-user and maintenance modes. SRG-OS-000080 medium To check if authentication is required for single-user mode, run the following command: $ grep SINGLE /etc/sysconfig/init The output should be the following: SINGLE=/sbin/sulogin If the output is different, this is a finding. Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected. To require entry of the root password even if the system is started in single-user mode, add or correct the following line in the file "/etc/sysconfig/init": SINGLE=/sbin/sulogin CCI-000213 CCI-000213 draft 9/14/2009 DISA FSO The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. technical 4 AC-3 3 AC-3 1 AC-3.1
38587 RHEL-06-000206 The telnet-server package must not be installed. SRG-OS-000095 high Run the following command to determine if the "telnet-server" package is installed: # rpm -q telnet-server If the package is installed, this is a finding. The "telnet-server" package can be uninstalled with the following command: # yum erase telnet-server CCI-000381 CCI-000381 draft 9/18/2009 DISA FSO The organization configures the information system to provide only essential capabilities. technical 4 CM-7 a 3 CM-7 1 CM-7.1 (ii)
38588 RHEL-06-000070 The system must not permit interactive boot. SRG-OS-000080 medium To check whether interactive boot is disabled, run the following command: $ grep PROMPT /etc/sysconfig/init If interactive boot is disabled, the output will show: PROMPT=no If it does not, this is a finding. To disable the ability for users to perform interactive startups, edit the file "/etc/sysconfig/init". Add or correct the line: PROMPT=no The "PROMPT" option allows the console user to perform an interactive system startup, in which it is possible to select the set of services which are started on boot. CCI-000213 CCI-000213 draft 9/14/2009 DISA FSO The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. technical 4 AC-3 3 AC-3 1 AC-3.1
38589 RHEL-06-000211 The telnet daemon must not be running. SRG-OS-000129 high To check that the "telnet" service is disabled in system boot configuration, run the following command: # chkconfig "telnet" --list Output should indicate the "telnet" service has either not been installed, or has been disabled, as shown in the example below: # chkconfig "telnet" --list telnet off OR error reading information on service telnet: No such file or directory If the service is running, this is a finding. The "telnet" service can be disabled with the following command: # chkconfig telnet off CCI-000888 CCI-000888 draft 9/18/2009 DISA FSO The organization employs cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications. technical 3 MA-4 (6) 1 MA-4 (6).1
38590 RHEL-06-000071 The system must allow locking of the console screen in text mode. SRG-OS-000030 low Run the following command to determine if the "screen" package is installed: # rpm -q screen If the package is not installed, this is a finding. To enable console screen locking when in text mode, install the "screen" package: # yum install screen Instruct users to begin new terminal sessions with the following command: $ screen The console can now be locked with the following key combination: ctrl+a x CCI-000058 CCI-000058 draft 5/19/2009 DISA FSO The information system provides the capability for users to directly initiate session lock mechanisms. technical 4 AC-11 a 3 AC-11 a 1 AC-11
38591 RHEL-06-000213 The rsh-server package must not be installed. SRG-OS-000095 high Run the following command to determine if the "rsh-server" package is installed: # rpm -q rsh-server If the package is installed, this is a finding. The "rsh-server" package can be uninstalled with the following command: # yum erase rsh-server CCI-000381 CCI-000381 draft 9/18/2009 DISA FSO The organization configures the information system to provide only essential capabilities. technical 4 CM-7 a 3 CM-7 1 CM-7.1 (ii)
38592 RHEL-06-000356 The system must require administrator action to unlock an account locked by excessive failed login attempts. SRG-OS-000022 medium To ensure the failed password attempt policy is configured correctly, run the following command: # grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth The output should show "unlock_time=<some-large-number>"; the largest acceptable value is 604800 seconds (one week). If that is not the case, this is a finding. To configure the system to lock out accounts after a number of incorrect logon attempts and require an administrator to unlock the account using "pam_faillock.so", modify the content of both "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" as follows: Add the following line immediately before the "pam_unix.so" statement in the "AUTH" section: auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900 Add the following line immediately after the "pam_unix.so" statement in the "AUTH" section: auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900 Add the following line immediately before the "pam_unix.so" statement in the "ACCOUNT" section: account required pam_faillock.so Note that any updates made to "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" may be overwritten by the "authconfig" program. The "authconfig" program should not be used. CCI-000047 CCI-000047 draft 9/14/2009 DISA FSO The information system delays next login prompt according to the organization-defined delay algorithm, when the maximum number of unsuccessful attempts is exceeded, automatically locks the account/node for an organization-defined time period or locks the account/node until released by an Administrator IAW organizational policy. technical 3 AC-7 b 1 AC-7.1 (iv)
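The check text for RHEL-06-000356 above only greps for pam_faillock, but the fix text depends on ordering: preauth before pam_unix.so, authfail after it, and the account line before pam_unix.so. The following is an added example, not DISA's or Red Hat's tooling, that checks both stack files for that layout and for an unlock_time that is present, numeric and no larger than 604800. The PAM lines are the STIG's own; the sample files are constructed for the demo.

```shell
# Added example (not DISA's or Red Hat's tooling): check the pam_faillock
# layout RHEL-06-000356 asks for, including the ordering relative to
# pam_unix.so that a plain grep cannot see. The PAM lines are the STIG's own;
# the sample files are constructed for the demo.

# Check one PAM stack file. Findings go to stdout; return 1 if any.
check_faillock_file() {
    awk -v max=604800 -v file="$1" '
    # unlock_time on the current line: present, numeric and <= max?
    function unlock_ok(    i, a) {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^unlock_time=/) {
                split($i, a, "=")
                return (a[2] ~ /^[0-9]+$/ && a[2] + 0 <= max)
            }
        return 0
    }
    /^[ \t]*(#|$)/ { next }
    $1 == "auth" && /pam_faillock\.so/ && /preauth/  { if (!unix_auth) pre = 1;  nut++; if (!unlock_ok()) badut = 1 }
    $1 == "auth" && /pam_faillock\.so/ && /authfail/ { if (unix_auth)  fail = 1; nut++; if (!unlock_ok()) badut = 1 }
    $1 == "auth"    && /pam_unix\.so/     { unix_auth = 1 }
    $1 == "account" && /pam_faillock\.so/ { if (!unix_acct) acct = 1 }
    $1 == "account" && /pam_unix\.so/     { unix_acct = 1 }
    END {
        rc = 0
        if (!pre)  { print file ": no pam_faillock preauth line before pam_unix.so in auth"; rc = 1 }
        if (!fail) { print file ": no pam_faillock authfail line after pam_unix.so in auth"; rc = 1 }
        if (!acct) { print file ": no pam_faillock line before pam_unix.so in account";      rc = 1 }
        if (nut == 0 || badut) { print file ": unlock_time missing, non-numeric or above " max; rc = 1 }
        exit rc
    }' "$1"
}

# Both stack files must pass. authconfig rewrites them, so re-run this after
# any authconfig invocation (the fix text says not to use it at all).
check_faillock() {
    [ $# -gt 0 ] || set -- /etc/pam.d/system-auth /etc/pam.d/password-auth
    rc=0
    for f in "$@"; do check_faillock_file "$f" || rc=1; done
    return $rc
}

# Constructed samples: "hardened" follows the fix text; "missing" has no
# faillock lines at all; "misordered" puts preauth after pam_unix.so.
sample_pam_config() {
    pre='auth        required      pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900'
    unix='auth        sufficient    pam_unix.so nullok try_first_pass'
    post='auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900'
    printf '%s\n' 'auth        required      pam_env.so'
    case "$1" in
        hardened)   printf '%s\n' "$pre" "$unix" "$post" ;;
        missing)    printf '%s\n' "$unix" ;;
        misordered) printf '%s\n' "$unix" "$pre" "$post" ;;
    esac
    printf '%s\n' 'auth        required      pam_deny.so'
    [ "$1" = missing ] || printf '%s\n' 'account     required      pam_faillock.so'
    printf '%s\n' 'account     required      pam_unix.so'
}

demo=$(mktemp)
for variant in hardened missing misordered; do
    sample_pam_config "$variant" > "$demo"
    if check_faillock "$demo"; then echo "$variant: compliant"; else echo "$variant: findings above"; fi
done
rm -f "$demo"
```

The ordering matters because pam_faillock counts a failure only when its authfail line runs after pam_unix.so has rejected the password, and the preauth line must run first to deny an already locked account before the password is even checked. With no arguments the checker reads the two real files and is safe to run as an unprivileged user only if those files are world-readable, which they are on a stock RHEL 6 system.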
38593 RHEL-06-000073 The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts. SRG-OS-000228 medium To check if the system login banner is compliant, run the following command: $ cat /etc/issue If it does not display the required banner, this is a finding. To configure the system login banner: Edit "/etc/issue". Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." OR: "I've read & consent to terms in IS user agreem't." CCI-001384 CCI-001384 draft 9/22/2009 DISA FSO The information system, for publicly accessible systems, displays system use information organization-defined conditions before granting further access. technical 4 AC-8 c 1 3 AC-8 c 1 AC-8.2 (i)
38594 RHEL-06-000214 The rshd service must not be running. SRG-OS-000033 high To check that the "rsh" service is disabled in system boot configuration, run the following command: # chkconfig "rsh" --list Output should indicate the "rsh" service has either not been installed, or has been disabled, as shown in the example below: # chkconfig "rsh" --list rsh off OR error reading information on service rsh: No such file or directory If the service is running, this is a finding. The "rsh" service, which is available with the "rsh-server" package and runs as a service through xinetd, should be disabled. The "rsh" service can be disabled with the following command: # chkconfig rsh off CCI-000068 CCI-000068 draft 9/14/2009 DISA FSO The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions. technical 4 AC-17 (2) 3 AC-17 (2) 1 AC-17 (2).1
38595 RHEL-06-000349 The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication. SRG-OS-000105 medium Interview the SA to determine if all accounts not exempted by policy are using CAC authentication. For DoD systems, the following systems and accounts are exempt from using smart card (CAC) authentication: Standalone systems Application accounts Temporary employee accounts, such as students or interns, who cannot easily receive a CAC or PIV Operational tactical locations that are not collocated with RAPIDS workstations to issue CAC or ALT Test systems, such as those with an Interim Approval to Test (IATT) and use a separate VPN, firewall, or security measure preventing access to network and system components from outside the protection boundary documented in the IATT. If non-exempt accounts are not using CAC authentication, this is a finding. To enable smart card authentication, consult the documentation at: https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/enabling-smart-card-login.html For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273 CCI-000765 CCI-000765 draft 9/17/2009 DISA FSO The information system implements multifactor authentication for network access to privileged accounts. technical 4 IA-2 (1) 3 IA-2 (1) 1 IA-2 (1).1
38596 RHEL-06-000078 The system must implement virtual address space randomization. SRG-OS-999999 medium The status of the "kernel.randomize_va_space" kernel parameter can be queried by running the following commands: $ sysctl kernel.randomize_va_space $ grep kernel.randomize_va_space /etc/sysctl.conf The output of the command should indicate a value of at least "1" (preferably "2"). If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". If the correct value is not returned, this is a finding. To set the runtime status of the "kernel.randomize_va_space" kernel parameter, run the following command: # sysctl -w kernel.randomize_va_space=2 If this is not the system's default value, add the following line to "/etc/sysctl.conf": kernel.randomize_va_space = 2 CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38597 RHEL-06-000079 The system must limit the ability of processes to have simultaneous write and execute access to memory. SRG-OS-999999 medium The status of the "kernel.exec-shield" kernel parameter can be queried by running the following commands: $ sysctl kernel.exec-shield $ grep kernel.exec-shield /etc/sysctl.conf The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". If the correct value is not returned, this is a finding. To set the runtime status of the "kernel.exec-shield" kernel parameter, run the following command: # sysctl -w kernel.exec-shield=1 If this is not the system's default value, add the following line to "/etc/sysctl.conf": kernel.exec-shield = 1 CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38598 RHEL-06-000216 The rexecd service must not be running. SRG-OS-000033 high To check that the "rexec" service is disabled in system boot configuration, run the following command: # chkconfig "rexec" --list Output should indicate the "rexec" service has either not been installed, or has been disabled, as shown in the example below: # chkconfig "rexec" --list rexec off OR error reading information on service rexec: No such file or directory If the service is running, this is a finding. The "rexec" service, which is available with the "rsh-server" package and runs as a service through xinetd, should be disabled. The "rexec" service can be disabled with the following command: # chkconfig rexec off CCI-000068 CCI-000068 draft 9/14/2009 DISA FSO The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions. technical 4 AC-17 (2) 3 AC-17 (2) 1 AC-17 (2).1
38599 RHEL-06-000348 The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner. SRG-OS-000023 medium To verify this configuration, run the following command: grep "banner_file" /etc/vsftpd/vsftpd.conf The output should show the value of "banner_file" is set to "/etc/issue", an example of which is shown below. # grep "banner_file" /etc/vsftpd/vsftpd.conf banner_file=/etc/issue If it does not, this is a finding. Edit the vsftpd configuration file, which resides at "/etc/vsftpd/vsftpd.conf" by default. Add or correct the following configuration options. banner_file=/etc/issue Restart the vsftpd daemon. # service vsftpd restart CCI-000048 CCI-000048 draft 5/19/2009 DISA FSO The information system displays an organization-defined system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. technical 4 AC-8 a 3 AC-8 a 1 AC-8.1 (ii)
38600 RHEL-06-000080 The system must not send ICMPv4 redirects by default. SRG-OS-999999 medium The status of the "net.ipv4.conf.default.send_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.send_redirects The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.conf.default.send_redirects /etc/sysctl.conf If the correct value is not returned, this is a finding. To set the runtime status of the "net.ipv4.conf.default.send_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.send_redirects=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.default.send_redirects = 0 CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38601 RHEL-06-000081 The system must not send ICMPv4 redirects from any interface. SRG-OS-999999 medium The status of the "net.ipv4.conf.all.send_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.send_redirects The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.conf.all.send_redirects /etc/sysctl.conf If the correct value is not returned, this is a finding. To set the runtime status of the "net.ipv4.conf.all.send_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.send_redirects=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.all.send_redirects = 0 CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
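The four sysctl rows above (RHEL-06-000078, -000079, -000080 and -000081) each pair a runtime query with a grep of /etc/sysctl.conf. The grep alone misses two things the file's own parser honours: "key=value" without spaces, and a later line for the same key overriding an earlier one. The following is an added example, not DISA's or Red Hat's tooling, that reads the file the way sysctl does and compares the live values separately. The sample file is constructed for the demo, modelled on the lines RHEL 6 ships in /etc/sysctl.conf.

```shell
# Added example (not DISA's or Red Hat's tooling): check the four sysctl rows
# above against /etc/sysctl.conf with the file's own semantics ("key = value"
# or "key=value", # or ; comments, last assignment of a key wins), and
# separately against the running kernel. The sample file is constructed.

# key=value pairs the rows require; randomize_va_space accepts 1 but prefers 2.
sysctl_wanted() {
    printf '%s\n' \
        kernel.randomize_va_space=2 \
        kernel.exec-shield=1 \
        net.ipv4.conf.default.send_redirects=0 \
        net.ipv4.conf.all.send_redirects=0
}

# Last value assigned to KEY in FILE (empty if the file never sets it).
sysctl_conf_value() {
    awk -F '=' -v key="$1" '
        /^[ \t]*([#;]|$)/ { next }
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); val = v; found = 1 }
        END { if (found) print val }
    ' "$2"
}

# Persisted check: every wanted key must be set in the file with the right
# value. Findings to stdout; return 1 if any.
check_sysctl_conf() {
    conf="${1:-/etc/sysctl.conf}"
    rc=0
    for pair in $(sysctl_wanted); do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sysctl_conf_value "$key" "$conf")
        case "$key:$got" in
            kernel.randomize_va_space:1|kernel.randomize_va_space:2|*:"$want") ;;
            *) echo "$conf: $key is ${got:-unset}, want $want"; rc=1 ;;
        esac
    done
    return $rc
}

# Runtime check (not exercised by the demo): the rows' "sysctl <key>" step.
# A key the running kernel does not expose is reported, not silently passed.
check_sysctl_runtime() {
    rc=0
    for pair in $(sysctl_wanted); do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sysctl -n "$key" 2>/dev/null) || { echo "$key: not present on this kernel"; rc=1; continue; }
        case "$key:$got" in
            kernel.randomize_va_space:1|kernel.randomize_va_space:2|*:"$want") ;;
            *) echo "runtime $key is $got, want $want"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample modelled on RHEL 6's stock /etc/sysctl.conf; "hardened"
# adds the two send_redirects lines from the rows.
sample_sysctl_conf() {
    printf '%s\n' \
        '# Kernel sysctl configuration file' \
        'net.ipv4.ip_forward = 0' \
        'net.ipv4.conf.default.rp_filter = 1' \
        'kernel.sysrq = 0' \
        'kernel.exec-shield = 1' \
        'kernel.randomize_va_space = 2'
    if [ "$1" = hardened ]; then
        printf '%s\n' \
            'net.ipv4.conf.default.send_redirects = 0' \
            'net.ipv4.conf.all.send_redirects = 0'
    fi
}

demo=$(mktemp)
sample_sysctl_conf stock > "$demo"
check_sysctl_conf "$demo" || echo "(stock file: send_redirects not persisted)"
sample_sysctl_conf hardened > "$demo"
check_sysctl_conf "$demo" && echo "hardened file: all four persisted"
echo 'kernel.randomize_va_space = 0' >> "$demo"   # a later line overrides
check_sysctl_conf "$demo" || echo "(last assignment wins)"
rm -f "$demo"
```

The persisted check deliberately treats an absent key as a finding even where the kernel default already satisfies the row (RHEL 6 defaults to randomize_va_space=2 and exec-shield=1, but send_redirects defaults to 1 on any Linux kernel): writing all four lines costs nothing and keeps the file self-describing. Run check_sysctl_runtime as well, since a value changed with sysctl -w or by another service persists only until reboot and never appears in the file.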
38602 RHEL-06-000218 The rlogind service must not be running. SRG-OS-000248 high To check that the "rlogin" service is disabled in system boot configuration, run the following command: # chkconfig "rlogin" --list Output should indicate the "rlogin" service has either not been installed, or has been disabled, as shown in the example below: # chkconfig "rlogin" --list rlogin off OR error reading information on service rlogin: No such file or directory If the service is running, this is a finding. The "rlogin" service, which is available with the "rsh-server" package and runs as a service through xinetd, should be disabled. The "rlogin" service can be disabled with the following command: # chkconfig rlogin off CCI-001436 CCI-001436 draft 9/25/2009 DISA FSO The organization disables organization-defined networking protocols within the information system deemed to be nonsecure except for explicitly identified components in support of specific operational requirements. technical 3 AC-17 (8) 1 AC-17 (8).1 (ii)
38603 RHEL-06-000220 The ypserv package must not be installed. SRG-OS-000095 medium Run the following command to determine if the "ypserv" package is installed: # rpm -q ypserv If the package is installed, this is a finding. The "ypserv" package can be uninstalled with the following command: # yum erase ypserv CCI-000381 CCI-000381 draft 9/18/2009 DISA FSO The organization configures the information system to provide only essential capabilities. technical 4 CM-7 a 3 CM-7 1 CM-7.1 (ii)
38604 RHEL-06-000221 The ypbind service must not be running. SRG-OS-000096 medium To check that the "ypbind" service is disabled in system boot configuration, run the following command: # chkconfig "ypbind" --list Output should indicate the "ypbind" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "ypbind" --list "ypbind" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "ypbind" is disabled through current runtime configuration: # service ypbind status If the service is disabled the command will return the following output: ypbind is stopped If the service is running, this is a finding. The "ypbind" service, which allows the system to act as a client in a NIS or NIS+ domain, should be disabled. The "ypbind" service can be disabled with the following commands: # chkconfig ypbind off # service ypbind stop CCI-000382 CCI-000382 draft 9/18/2009 DISA FSO The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services. technical 4 CM-7 b 3 CM-7 1 CM-7.1 (iii)
38605 RHEL-06-000224 The cron service must be running. SRG-OS-999999 medium Run the following command to determine the current status of the "crond" service: # service crond status If the service is enabled, it should return the following: crond is running... If the service is not running, this is a finding. The "crond" service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The "crond" service can be enabled with the following commands: # chkconfig crond on # service crond start CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38606 RHEL-06-000222 The tftp-server package must not be installed unless required. SRG-OS-000095 medium Run the following command to determine if the "tftp-server" package is installed: # rpm -q tftp-server If the package is installed, this is a finding. The "tftp-server" package can be removed with the following command: # yum erase tftp-server CCI-000381 CCI-000381 draft 9/18/2009 DISA FSO The organization configures the information system to provide only essential capabilities. technical 4 CM-7 a 3 CM-7 1 CM-7.1 (ii)
38607 RHEL-06-000227 The SSH daemon must be configured to use only the SSHv2 protocol. SRG-OS-000112 high To check which SSH protocol version is allowed, run the following command: # grep Protocol /etc/ssh/sshd_config If configured properly, output should be Protocol 2 If it is not, this is a finding. Only SSH protocol version 2 connections should be permitted. The default setting in "/etc/ssh/sshd_config" is correct, and can be verified by ensuring that the following line appears: Protocol 2 CCI-000774 CCI-000774 draft 9/17/2009 DISA FSO The information system uses organization-defined replay-resistant authentication mechanisms for network access to privileged accounts. technical 3 IA-2 (8) 1 IA-2 (8).1 (ii)
38608 RHEL-06-000230 The SSH daemon must set a timeout interval on idle sessions. SRG-OS-000163 low Run the following command to see what the timeout interval is: # grep ClientAliveInterval /etc/ssh/sshd_config If properly configured, the output should be: ClientAliveInterval 900 If it is not, this is a finding. SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out. To set an idle timeout interval, edit the following line in "/etc/ssh/sshd_config" as follows: ClientAliveInterval [interval] The timeout [interval] is given in seconds. To have a timeout of 15 minutes, set [interval] to 900. If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle. CCI-001133 CCI-001133 draft 9/21/2009 DISA FSO The information system terminates the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity. technical 4 SC-10 3 SC-10 1 SC-10.1 (ii)
38609 RHEL-06-000223 The TFTP service must not be running. SRG-OS-000248 medium To check that the "tftp" service is disabled in system boot configuration, run the following command: # chkconfig "tftp" --list Output should indicate the "tftp" service has either not been installed, or has been disabled, as shown in the example below: # chkconfig "tftp" --list tftp off OR error reading information on service tftp: No such file or directory If the service is running, this is a finding. The "tftp" service should be disabled. The "tftp" service can be disabled with the following command: # chkconfig tftp off CCI-001436 CCI-001436 draft 9/25/2009 DISA FSO The organization disables organization-defined networking protocols within the information system deemed to be nonsecure except for explicitly identified components in support of specific operational requirements. technical 3 AC-17 (8) 1 AC-17 (8).1 (ii)
38610 RHEL-06-000231 The SSH daemon must set a timeout count on idle sessions. SRG-OS-000126 low To ensure the SSH idle timeout will occur when the "ClientAliveCountMax" is set, run the following command: # grep ClientAliveCountMax /etc/ssh/sshd_config If properly configured, output should be: ClientAliveCountMax 0 If it is not, this is a finding. To ensure the SSH idle timeout occurs precisely when the "ClientAliveCountMax" is set, edit "/etc/ssh/sshd_config" as follows: ClientAliveCountMax 0 CCI-000879 CCI-000879 draft 9/18/2009 DISA FSO The organization terminates sessions and network connections when nonlocal maintenance is completed. technical 4 MA-4 e 3 MA-4 e 1 MA-4.1 (vi)
38611 RHEL-06-000234 The SSH daemon must ignore .rhosts files. SRG-OS-000106 medium To determine how the SSH daemon's "IgnoreRhosts" option is set, run the following command: # grep -i IgnoreRhosts /etc/ssh/sshd_config If no line, a commented line, or a line indicating the value "yes" is returned, then the required value is set. If the required value is not set, this is a finding. SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via ".rhosts" files. To ensure this behavior is disabled, add or correct the following line in "/etc/ssh/sshd_config": IgnoreRhosts yes CCI-000766 CCI-000766 draft 9/17/2009 DISA FSO The information system implements multifactor authentication for network access to non-privileged accounts. technical 4 IA-2 (2) 3 IA-2 (2) 1 IA-2 (2).1
38612 RHEL-06-000236 The SSH daemon must not allow host-based authentication. SRG-OS-000106 medium To determine how the SSH daemon's "HostbasedAuthentication" option is set, run the following command: # grep -i HostbasedAuthentication /etc/ssh/sshd_config If no line, a commented line, or a line indicating the value "no" is returned, then the required value is set. If the required value is not set, this is a finding. SSH's cryptographic host-based authentication is more secure than ".rhosts" authentication, since hosts are cryptographically authenticated. However, it is not recommended that hosts unilaterally trust one another, even within an organization. To disable host-based authentication, add or correct the following line in "/etc/ssh/sshd_config": HostbasedAuthentication no CCI-000766 CCI-000766 draft 9/17/2009 DISA FSO The information system implements multifactor authentication for network access to non-privileged accounts. technical 4 IA-2 (2) 3 IA-2 (2) 1 IA-2 (2).1
38613 RHEL-06-000237 The system must not permit root logins using remote access programs such as ssh. SRG-OS-000109 medium To determine how the SSH daemon's "PermitRootLogin" option is set, run the following command: # grep -i PermitRootLogin /etc/ssh/sshd_config If a line indicating "no" is returned, then the required value is set. If the required value is not set, this is a finding. The root user should never be allowed to log in to a system directly over a network. To disable root login via SSH, add or correct the following line in "/etc/ssh/sshd_config": PermitRootLogin no CCI-000770 CCI-000770 draft 9/17/2009 DISA FSO The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed. policy 4 IA-2 (5) 3 IA-2 (5) (b) 1 IA-2 (5).2 (ii)
38614 RHEL-06-000239 The SSH daemon must not allow authentication using an empty password. SRG-OS-000106 high To determine how the SSH daemon's "PermitEmptyPasswords" option is set, run the following command: # grep -i PermitEmptyPasswords /etc/ssh/sshd_config If no line, a commented line, or a line indicating the value "no" is returned, then the required value is set. If the required value is not set, this is a finding. To explicitly disallow remote login from accounts with empty passwords, add or correct the following line in "/etc/ssh/sshd_config": PermitEmptyPasswords no Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords. CCI-000766 CCI-000766 draft 9/17/2009 DISA FSO The information system implements multifactor authentication for network access to non-privileged accounts. technical 4 IA-2 (2) 3 IA-2 (2) 1 IA-2 (2).1
38615 RHEL-06-000240 The SSH daemon must be configured with the Department of Defense (DoD) login banner. SRG-OS-000023 medium To determine how the SSH daemon's "Banner" option is set, run the following command: # grep -i Banner /etc/ssh/sshd_config If a line indicating /etc/issue is returned, then the required value is set. If the required value is not set, this is a finding. To enable the warning banner and ensure it is consistent across the system, add or correct the following line in "/etc/ssh/sshd_config": Banner /etc/issue Another section contains information on how to create an appropriate system-wide warning banner. CCI-000048 CCI-000048 draft 5/19/2009 DISA FSO The information system displays an organization-defined system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. technical 4 AC-8 a 3 AC-8 a 1 AC-8.1 (ii)
38616 RHEL-06-000241 The SSH daemon must not permit user environment settings. SRG-OS-000242 low To ensure users are not able to present environment options to the SSH daemon, run the following command: # grep PermitUserEnvironment /etc/ssh/sshd_config If properly configured, output should be: PermitUserEnvironment no If it is not, this is a finding. To ensure users are not able to present environment options to the SSH daemon, add or correct the following line in "/etc/ssh/sshd_config": PermitUserEnvironment no CCI-001414 CCI-001414 draft 9/24/2009 DISA FSO The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies. technical 4 AC-4 3 AC-4 1 AC-4.1 (iii)
38617 RHEL-06-000243 The SSH daemon must be configured to use only FIPS 140-2 approved ciphers. SRG-OS-000169 medium Only FIPS-approved ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command: # grep Ciphers /etc/ssh/sshd_config The output should contain only those ciphers which are FIPS-approved, namely, the AES and 3DES ciphers. If that is not the case, this is a finding. Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in "/etc/ssh/sshd_config" demonstrates use of FIPS-approved ciphers: Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc The man page "sshd_config(5)" contains a list of supported ciphers. CCI-001144 CCI-001144 draft 9/21/2009 DISA FSO The information system implements required cryptographic protections using cryptographic modules that comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. technical 3 SC-13 1 SC-13.1
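Added example for the SSH rows above (RHEL-06-000231 through RHEL-06-000243). This is editor-written shell, not part of the STIG text or of the xccdf2csv output. The greps in the Check Text print every matching line, but sshd uses only the first uncommented occurrence of a keyword and stops reading global settings once a Match block begins, so the script evaluates the effective value the way sshd does before comparing it to the rule. Two caveats the rows leave out: ClientAliveCountMax 0 only ends idle sessions when ClientAliveInterval is also set to a non-zero value, and on OpenSSH 8.2 and later a count of 0 disables the idle check entirely, so that expectation is specific to the OpenSSH 5.3 shipped with RHEL6. Assumptions: "Keyword value" syntax only (no "Keyword=value"), the sample config is constructed, and the FIPS-approved cipher set is the AES/3DES list named in RHEL-06-000243.

```shell
#!/bin/sh
# Editor-added example (not STIG text, not xccdf2csv output): evaluate
# sshd_config the way sshd(8) does and apply RHEL-06-000231..000243.
# Assumptions: "Keyword value" syntax only, and the global section ends
# at the first "Match" line.

# sshd_effective FILE KEYWORD -> the value sshd would use, or nothing.
# First uncommented occurrence wins; keyword match is case-insensitive.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }             # comment
        /^[[:space:]]*$/ { next }             # blank line
        tolower($1) == "match" { exit }       # Match block: stop here
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*/, "")   # strip keyword
            sub(/[[:space:]]+$/, "")                           # trim trailing blanks
            print; exit
        }' "$1"
}

# sshd_expect FILE KEYWORD WANT DEFAULT -> PASS/FAIL line, returns 1 on FAIL.
# DEFAULT is the value sshd assumes when the keyword is absent; pass ""
# where the STIG requires the directive to be present explicitly.
sshd_expect() {
    local file=$1 key=$2 want=$3 dflt=$4 got
    got=$(sshd_effective "$file" "$key")
    if [ -z "$got" ]; then got=$dflt; fi
    if [ -n "$got" ] && [ "$got" = "$want" ]; then
        echo "PASS $key=$got"
    else
        echo "FAIL $key=${got:-<unset>} (want $want)"
        return 1
    fi
}

# sshd_ciphers_fips FILE -> PASS/FAIL on the Ciphers list against the
# AES/3DES set named in RHEL-06-000243; an absent Ciphers line is a
# finding because the sshd default list includes non-FIPS algorithms.
sshd_ciphers_fips() {
    local approved=" aes128-ctr aes192-ctr aes256-ctr aes128-cbc aes192-cbc aes256-cbc 3des-cbc "
    local list bad="" c
    list=$(sshd_effective "$1" Ciphers)
    if [ -z "$list" ]; then
        echo "FAIL Ciphers=<unset> (default list is not FIPS-only)"
        return 1
    fi
    for c in $(printf '%s' "$list" | tr ',' ' '); do
        case "$approved" in
            *" $c "*) ;;
            *) bad="$bad $c" ;;
        esac
    done
    if [ -n "$bad" ]; then
        echo "FAIL Ciphers contains non-FIPS:$bad"
        return 1
    fi
    echo "PASS Ciphers=$list"
}

# sshd_stig_check FILE -> one line per rule; returns the number of findings
sshd_stig_check() {
    local f=$1 n=0
    sshd_expect "$f" ClientAliveCountMax 0 ""      || n=$((n + 1))   # RHEL-06-000231
    sshd_expect "$f" IgnoreRhosts yes yes          || n=$((n + 1))   # RHEL-06-000234
    sshd_expect "$f" HostbasedAuthentication no no || n=$((n + 1))   # RHEL-06-000236
    sshd_expect "$f" PermitRootLogin no ""         || n=$((n + 1))   # RHEL-06-000237
    sshd_expect "$f" PermitEmptyPasswords no no    || n=$((n + 1))   # RHEL-06-000239
    sshd_expect "$f" Banner /etc/issue ""          || n=$((n + 1))   # RHEL-06-000240
    sshd_expect "$f" PermitUserEnvironment no no   || n=$((n + 1))   # RHEL-06-000241
    sshd_ciphers_fips "$f"                         || n=$((n + 1))   # RHEL-06-000243
    return $n
}

# Constructed sample: PermitRootLogin appears only commented out and
# inside a Match block, and arcfour is in the cipher list -> 2 findings.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
Protocol 2
ClientAliveInterval 900
ClientAliveCountMax 0
IgnoreRhosts yes
#PermitRootLogin no
PermitEmptyPasswords no
Banner /etc/issue
PermitUserEnvironment no
Ciphers aes128-ctr,aes256-ctr,arcfour
Match User backup
    PermitRootLogin no
EOF
sshd_stig_check "$SAMPLE"; echo "findings: $?"
rm -f "$SAMPLE"
```

To audit a live host, call sshd_stig_check /etc/ssh/sshd_config; the return value is the number of findings, so it can drive a cron job or a CI gate directly.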
38618 RHEL-06-000246 The avahi service must be disabled. SRG-OS-999999 low To check that the "avahi-daemon" service is disabled in system boot configuration, run the following command: # chkconfig "avahi-daemon" --list Output should indicate the "avahi-daemon" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "avahi-daemon" --list "avahi-daemon" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "avahi-daemon" is disabled through current runtime configuration: # service avahi-daemon status If the service is disabled the command will return the following output: avahi-daemon is stopped If the service is running, this is a finding. The "avahi-daemon" service can be disabled with the following commands: # chkconfig avahi-daemon off # service avahi-daemon stop CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38619 RHEL-06-000347 There must be no .netrc files on the system. SRG-OS-000073 medium To check the system for the existence of any ".netrc" files, run the following command: $ sudo find /root /home -xdev -name .netrc If any .netrc files exist, this is a finding. The ".netrc" files contain logon information used to auto-logon into FTP servers and reside in the user's home directory. These files may contain unencrypted passwords to remote FTP servers making them susceptible to access by unauthorized users and should not be used. Any ".netrc" files should be removed. CCI-000196 CCI-000196 draft 9/15/2009 DISA FSO The information system, for password-based authentication, stores only cryptographically-protected passwords. technical 4 IA-5 (1) (c) 3 IA-5 (1) (c) 1 IA-5 (1).1 (v)
38620 RHEL-06-000247 The system clock must be synchronized continuously, or at least daily. SRG-OS-000056 medium Run the following command to determine the current status of the "ntpd" service: # service ntpd status If the service is enabled, it should return the following: ntpd is running... If the service is not running, this is a finding. The "ntpd" service can be enabled with the following commands: # chkconfig ntpd on # service ntpd start CCI-000160 CCI-000160 draft 5/22/2009 DISA FSO The information system synchronizes internal information system clocks on an organization-defined frequency with an organization-defined authoritative time source. technical 3 AU-8 (1) 1 AU-8 (1).1 (iii)
38621 RHEL-06-000248 The system clock must be synchronized to an authoritative DoD time source. SRG-OS-000056 medium A remote NTP server should be configured for time synchronization. To verify one is configured, open the following file. /etc/ntp.conf In the file, there should be a section similar to the following: # --- OUR TIMESERVERS ----- server [ntpserver] If this is not the case, this is a finding. To specify a remote NTP server for time synchronization, edit the file "/etc/ntp.conf". Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver. server [ntpserver] This instructs the NTP software to contact that remote server to obtain time data. CCI-000160 CCI-000160 draft 5/22/2009 DISA FSO The information system synchronizes internal information system clocks on an organization-defined frequency with an organization-defined authoritative time source. technical 3 AU-8 (1) 1 AU-8 (1).1 (iii)
38622 RHEL-06-000249 Mail relaying must be restricted. SRG-OS-000096 medium If the system is an authorized mail relay host, this is not applicable. Run the following command to ensure postfix accepts mail messages from only the local system: $ grep inet_interfaces /etc/postfix/main.cf If properly configured, the output should show only "localhost". If it does not, this is a finding. Edit the file "/etc/postfix/main.cf" to ensure that only the following "inet_interfaces" line appears: inet_interfaces = localhost CCI-000382 CCI-000382 draft 9/18/2009 DISA FSO The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services. technical 4 CM-7 b 3 CM-7 1 CM-7.1 (iii)
38623 RHEL-06-000135 All rsyslog-generated log files must have mode 0600 or less permissive. SRG-OS-000206 medium The file permissions for all log files written by rsyslog should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's permissions: $ ls -l [LOGFILE] The permissions should be 600, or more restrictive. Some log files referenced in /etc/rsyslog.conf may be created by other programs and may require exclusion from consideration. If the permissions are not correct, this is a finding. The file permissions for all log files written by rsyslog should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's permissions: $ ls -l [LOGFILE] If the permissions are not 600 or more restrictive, run the following command to correct this: # chmod 0600 [LOGFILE] CCI-001314 CCI-001314 draft 9/22/2009 DISA FSO The information system reveals error messages only to organization-defined personnel or roles. technical 4 SI-11 b 3 SI-11 c 1 SI-11.1 (iv)
38624 RHEL-06-000138 System logs must be rotated daily. SRG-OS-999999 low Run the following command to determine whether "logrotate" is being run daily by cron: # grep logrotate /var/log/cron* If the logrotate service is not run on a daily basis by cron, this is a finding. The "logrotate" service should be installed or reinstalled if it is not installed and operating properly, by running the following command: # yum reinstall logrotate CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38625 RHEL-06-000252 If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms. SRG-OS-000250 medium If the system does not use LDAP for authentication or account information, this is not applicable. To ensure LDAP is configured to use TLS for all transactions, run the following command: # ps -ef | grep "slapd" If the LDAP daemon is not using "ldaps:///", this is a finding. If the LDAP daemon is using "ldap:///", this is a finding. Verify that the LDAP client cannot connect using an unencrypted method. # openssl s_client -connect [HOST]:389 If the following line is not returned, this is a finding: Socket: Connection refused. Note: The default port for unencrypted LDAP connections is 389. Configure the LDAP server to enforce TLS use. CCI-001453 CCI-001453 draft 9/29/2009 DISA FSO The information system implements cryptographic mechanisms to protect the integrity of remote access sessions. technical 4 AC-17 (2) 3 AC-17 (2) 1 AC-17 (2).1
38626 RHEL-06-000253 The LDAP client must use a TLS connection using trust certificates signed by the site CA. SRG-OS-000113 medium If the system does not use LDAP for authentication or account information, this is not applicable. To ensure TLS is configured with trust certificates, run the following command: # grep cert /etc/pam_ldap.conf If there is no output, or the lines are commented out, this is a finding. Ensure a copy of the site's CA certificate has been placed in the file "/etc/pki/tls/CA/cacert.pem". Configure LDAP to enforce TLS use and to trust certificates signed by the site's CA. First, edit the file "/etc/pam_ldap.conf", and add or correct either of the following lines: tls_cacertdir /etc/pki/tls/CA or tls_cacertfile /etc/pki/tls/CA/cacert.pem Then review the LDAP server and ensure TLS has been configured. CCI-000776 CCI-000776 draft 9/17/2009 DISA FSO The information system uses organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts. technical 3 IA-2 (9) 1 IA-2 (9).1 (ii)
38627 RHEL-06-000256 The openldap-servers package must not be installed unless required. SRG-OS-999999 low To verify the "openldap-servers" package is not installed, run the following command: $ rpm -q openldap-servers The output should show the following. package openldap-servers is not installed If it does not, this is a finding. The "openldap-servers" package should be removed if not in use. Is this machine the OpenLDAP server? If not, remove the package. # yum erase openldap-servers The openldap-servers RPM is not installed by default on RHEL6 machines. It is needed only by the OpenLDAP server, not by the clients which use LDAP for authentication. If the system is not intended for use as an LDAP Server it should be removed. CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38628 RHEL-06-000145 The operating system must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event. SRG-OS-000255 medium Run the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, it should return the following: auditd is running... If the service is not running, this is a finding. The "auditd" service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The "auditd" service can be enabled with the following commands: # chkconfig auditd on # service auditd start CCI-001487 CCI-001487 draft 9/29/2009 DISA FSO The information system generates audit records containing information that establishes the identity of any individuals or subjects associated with the event. technical 4 AU-3 3 AU-3 1 AU-3.1
38629 RHEL-06-000257 The graphical desktop environment must set the idle timeout to no more than 15 minutes. SRG-OS-000029 medium If the GConf2 package is not installed, this is not applicable. To check the current idle time-out value, run the following command: $ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/idle_delay If properly configured, the output should be "15". If it is not, this is a finding. Run the following command to set the idle time-out value for inactivity in the GNOME desktop to 15 minutes: # gconftool-2 \ --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type int \ --set /apps/gnome-screensaver/idle_delay 15 CCI-000057 CCI-000057 draft 5/19/2009 DISA FSO The information system initiates a session lock after the organization-defined time period of inactivity. technical 4 AC-11 a 3 AC-11 a 1 AC-11.1 (ii)
38630 RHEL-06-000258 The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user reauthentication to unlock the environment. SRG-OS-000029 medium If the GConf2 package is not installed, this is not applicable. To check the screensaver mandatory use status, run the following command: $ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/idle_activation_enabled If properly configured, the output should be "true". If it is not, this is a finding. Run the following command to activate the screensaver in the GNOME desktop after a period of inactivity: # gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/gnome-screensaver/idle_activation_enabled true CCI-000057 CCI-000057 draft 5/19/2009 DISA FSO The information system initiates a session lock after the organization-defined time period of inactivity. technical 4 AC-11 a 3 AC-11 a 1 AC-11.1 (ii)
38631 RHEL-06-000148 The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods. SRG-OS-000032 medium Run the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, it should return the following: auditd is running... If the service is not running, this is a finding. The "auditd" service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The "auditd" service can be enabled with the following commands: # chkconfig auditd on # service auditd start CCI-000067 CCI-000067 draft 9/14/2009 DISA FSO The information system monitors remote access methods. technical 4 AC-17 (1) 3 AC-17 (1) 1 AC-17 (1).1
38632 RHEL-06-000154 The operating system must produce audit records containing sufficient information to establish what type of events occurred. SRG-OS-000037 medium Run the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, it should return the following: auditd is running... If the service is not running, this is a finding. The "auditd" service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The "auditd" service can be enabled with the following commands: # chkconfig auditd on # service auditd start CCI-000130 CCI-000130 draft 5/20/2009 DISA FSO The information system generates audit records containing information that establishes what type of event occurred. technical 4 AU-3 3 AU-3 1 AU-3.1
38633 RHEL-06-000160 The system must set a maximum audit log file size. SRG-OS-999999 medium Inspect "/etc/audit/auditd.conf" and locate the following line to determine how much data the system will retain in each audit log file: "# grep max_log_file /etc/audit/auditd.conf" max_log_file = 6 If the system audit data threshold hasn't been properly set up, this is a finding. Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting the correct value for [STOREMB]: max_log_file = [STOREMB] Set the value to "6" (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data. CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38634 RHEL-06-000161 The system must rotate audit log files that reach the maximum file size. SRG-OS-999999 medium Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to rotate logs when they reach their maximum size: # grep max_log_file_action /etc/audit/auditd.conf max_log_file_action = rotate If the "keep_logs" option is configured for the "max_log_file_action" line in "/etc/audit/auditd.conf" and an alternate process is in place to ensure audit data does not overwhelm local audit storage, this is not a finding. If the system has not been properly set up to rotate audit logs, this is a finding. The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by "auditd", add or correct the line in "/etc/audit/auditd.conf": max_log_file_action = [ACTION] Possible values for [ACTION] are described in the "auditd.conf" man page. These include: "ignore" "syslog" "suspend" "rotate" "keep_logs" Set the "[ACTION]" to "rotate" to ensure log rotation occurs. This is the default. The setting is case-insensitive. CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38635 RHEL-06-000165 The audit system must be configured to audit all attempts to alter system time through adjtimex. SRG-OS-000062 low To determine if the system is configured to audit calls to the "adjtimex" system call, run the following command: $ sudo grep -w "adjtimex" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. If the system is not configured to audit time changes, this is a finding. On a 32-bit system, add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b32 -S adjtimex -k audit_time_rules On a 64-bit system, add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b64 -S adjtimex -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules CCI-000169 CCI-000169 draft 5/22/2009 DISA FSO The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components. technical 4 AU-12 a 3 AU-12 a 1 AU-12.1 (ii)
38636 RHEL-06-000159 The system must retain enough rotated audit logs to cover the required log retention period. SRG-OS-999999 medium Inspect "/etc/audit/auditd.conf" and locate the following line to determine how many logs the system is configured to retain after rotation: "# grep num_logs /etc/audit/auditd.conf" num_logs = 5 If the overall system log file(s) retention hasn't been properly set up, this is a finding. Determine how many log files "auditd" should retain when it rotates logs. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting [NUMLOGS] with the correct value: num_logs = [NUMLOGS] Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation. CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
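Added example for the auditd rows above (RHEL-06-000160, RHEL-06-000161, RHEL-06-000159 and RHEL-06-000165). This is editor-written shell, not part of the STIG text or of the xccdf2csv output. Two things the Check Text greps do not handle: "grep max_log_file" also matches the max_log_file_action line, so the key has to be compared exactly, and "grep -w adjtimex" cannot tell a b64-only rule from one that also covers the 32-bit syscall ABI, which a b64-only rule never sees on x86_64. The script reads auditd.conf as "key = value" with "#" comments and case-insensitive values (the daemon applies lines in order, so a later duplicate overrides an earlier one), treats keep_logs as needing review rather than as a finding, as the row says, and reports which architectures have an adjtimex rule. The sample files are constructed.

```shell
#!/bin/sh
# Editor-added example (not STIG text, not xccdf2csv output): read
# auditd.conf the way auditd does ("key = value", "#" comments, values
# case-insensitive, later lines override earlier ones) and apply
# RHEL-06-000160, -000161 and -000159; then check audit.rules for the
# adjtimex rule of RHEL-06-000165 per architecture.

# auditd_conf_get FILE KEY -> the value, lowercased, or nothing
auditd_conf_get() {
    awk -F= -v key="$2" '
        /^[[:space:]]*#/ { next }
        NF >= 2 {
            k = $1; gsub(/[[:space:]]/, "", k)
            if (k == key) {
                v = $2
                sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
                val = tolower(v)
            }
        }
        END { if (val != "") print val }' "$1"
}

# auditd_conf_check FILE -> one line per rule; returns the number of findings
auditd_conf_check() {
    local f=$1 n=0 v
    v=$(auditd_conf_get "$f" max_log_file)                 # RHEL-06-000160
    if [ -n "$v" ] && [ "$v" -ge 6 ] 2>/dev/null; then
        echo "PASS max_log_file=$v"
    else
        echo "FAIL max_log_file=${v:-<unset>} (want 6 MB or more)"; n=$((n + 1))
    fi
    v=$(auditd_conf_get "$f" max_log_file_action)          # RHEL-06-000161
    case "$v" in
        rotate)    echo "PASS max_log_file_action=rotate" ;;
        keep_logs) echo "REVIEW max_log_file_action=keep_logs (needs an external retention process)" ;;
        *)         echo "FAIL max_log_file_action=${v:-<unset>} (want rotate)"; n=$((n + 1)) ;;
    esac
    v=$(auditd_conf_get "$f" num_logs)                     # RHEL-06-000159
    if [ -n "$v" ] && [ "$v" -ge 5 ] 2>/dev/null; then
        echo "PASS num_logs=$v"
    elif [ -n "$v" ] && [ "$v" -ge 2 ] 2>/dev/null; then
        echo "REVIEW num_logs=$v (rotates, but fewer than the 5 recommended)"
    else
        echo "FAIL num_logs=${v:-<unset>} (below 2 means no rotation)"; n=$((n + 1))
    fi
    return $n
}

# audit_rules_archs FILE SYSCALL -> the arch of every "-a always,exit" rule
# naming SYSCALL, one per line; handles "-S a -S b" and "-S a,b" forms
audit_rules_archs() {
    awk -v sc="$2" '
        /^[[:space:]]*#/ { next }
        $1 == "-a" && $2 ~ /^(always,exit|exit,always)$/ {
            arch = "none"; hit = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-F" && $(i + 1) ~ /^arch=/) arch = substr($(i + 1), 6)
                if ($i == "-S") {
                    n = split($(i + 1), sys, ",")
                    for (j = 1; j <= n; j++) if (sys[j] == sc) hit = 1
                }
            }
            if (hit) print arch
        }' "$1"
}

# audit_time_rule_check FILE ARCH... -> PASS only if adjtimex is audited
# for every ARCH given (x86_64 needs both b64 and b32, since a b64-only
# rule does not see the 32-bit syscall ABI)
audit_time_rule_check() {
    local f=$1 archs a missing=""
    shift
    archs=$(audit_rules_archs "$f" adjtimex)
    for a in "$@"; do
        printf '%s\n' "$archs" | grep -qx "$a" || missing="$missing $a"
    done
    if [ -n "$missing" ]; then
        echo "FAIL adjtimex rule missing for arch:$missing"
        return 1
    fi
    echo "PASS adjtimex audited for: $*"
}

# Constructed samples: a compliant auditd.conf and a rules file that
# covers only the 64-bit ABI.
CONF=$(mktemp); RULES=$(mktemp)
printf 'log_file = /var/log/audit/audit.log\nmax_log_file = 6\nmax_log_file_action = ROTATE\nnum_logs = 5\n' >"$CONF"
printf -- '-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules\n' >"$RULES"
auditd_conf_check "$CONF"; echo "auditd.conf findings: $?"
audit_time_rule_check "$RULES" b64 b32
rm -f "$CONF" "$RULES"
```

On a live host run auditd_conf_check /etc/audit/auditd.conf and, on x86_64, audit_time_rule_check /etc/audit/audit.rules b64 b32; on a 32-bit system pass only b32.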
38637 RHEL-06-000281 The system package management tool must verify contents of all files associated with the audit package. SRG-OS-000278 medium The following command will list which audit files on the system have file hashes different from what is expected by the RPM database. # rpm -V audit | awk '$1 ~ /..5/ && $2 != "c"' If there is output, this is a finding. The RPM package management system can check the hashes of audit system package files. Run the following command to list which audit files on the system have hashes that differ from what is expected by the RPM database: # rpm -V audit | grep '^..5' A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file that has changed was not expected to then refresh from distribution media or online repositories. rpm -Uvh [affected_package] OR yum reinstall [affected_package] CCI-001496 CCI-001496 draft 9/29/2009 DISA FSO The information system implements cryptographic mechanisms to protect the integrity of audit tools. technical 4 AU-9 (3) 3 AU-9 (3) 1 AU-9 (3).1
38638 RHEL-06-000259 The graphical desktop environment must have automatic lock enabled. SRG-OS-000029 medium If the GConf2 package is not installed, this is not applicable. To check the status of the idle screen lock activation, run the following command: $ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/lock_enabled If properly configured, the output should be "true". If it is not, this is a finding. Run the following command to activate locking of the screensaver in the GNOME desktop when it is activated: # gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/gnome-screensaver/lock_enabled true CCI-000057 CCI-000057 draft 5/19/2009 DISA FSO The information system initiates a session lock after the organization-defined time period of inactivity. technical 4 AC-11 a 3 AC-11 a 1 AC-11.1 (ii)
38639 RHEL-06-000260 The system must display a publicly-viewable pattern during a graphical desktop environment session lock. SRG-OS-000031 low If the GConf2 package is not installed, this is not applicable. To ensure the screensaver is configured to be blank, run the following command: $ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/mode If properly configured, the output should be "blank-only". If it is not, this is a finding. Run the following command to set the screensaver mode in the GNOME desktop to a blank screen: # gconftool-2 \ --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type string \ --set /apps/gnome-screensaver/mode blank-only CCI-000060 CCI-000060 draft 5/19/2009 DISA FSO The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image. technical 4 AC-11 (1) 3 AC-11 (1) 1 AC-11 (1).1
38640 RHEL-06-000261 The Automatic Bug Reporting Tool (abrtd) service must not be running. SRG-OS-000096 low To check that the "abrtd" service is disabled in system boot configuration, run the following command: # chkconfig "abrtd" --list Output should indicate the "abrtd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "abrtd" --list "abrtd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "abrtd" is disabled through current runtime configuration: # service abrtd status If the service is disabled the command will return the following output: abrtd is stopped If the service is running, this is a finding. The Automatic Bug Reporting Tool ("abrtd") daemon collects and reports crash data when an application crash is detected. Using a variety of plugins, abrtd can email crash reports to system administrators, log crash reports to files, or forward crash reports to a centralized issue tracking system such as RHTSupport. The "abrtd" service can be disabled with the following commands: # chkconfig abrtd off # service abrtd stop CCI-000382 CCI-000382 draft 9/18/2009 DISA FSO The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services. technical 4 CM-7 b 3 CM-7 1 CM-7.1 (iii)
38641 RHEL-06-000262 The atd service must be disabled. SRG-OS-000096 low If the system uses the "atd" service, this is not applicable. To check that the "atd" service is disabled in system boot configuration, run the following command: # chkconfig "atd" --list Output should indicate the "atd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "atd" --list "atd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "atd" is disabled through current runtime configuration: # service atd status If the service is disabled the command will return the following output: atd is stopped If the service is running, this is a finding. The "at" and "batch" commands can be used to schedule tasks that are meant to be executed only once. This allows delayed execution in a manner similar to cron, except that it is not recurring. The daemon "atd" keeps track of tasks scheduled via "at" and "batch", and executes them at the specified time. The "atd" service can be disabled with the following commands: # chkconfig atd off # service atd stop CCI-000382 CCI-000382 draft 9/18/2009 DISA FSO The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services. technical 4 CM-7 b 3 CM-7 1 CM-7.1 (iii)
38642 RHEL-06-000346 The system default umask for daemons must be 027 or 022. SRG-OS-999999 low To check the value of the "umask", run the following command: $ grep umask /etc/init.d/functions The output should show either "022" or "027". If it does not, this is a finding. The file "/etc/init.d/functions" includes initialization parameters for most or all daemons started at boot time. The default umask of 022 prevents creation of group- or world-writable files. To set the default umask for daemons, edit the following line, inserting 022 or 027 for [UMASK] appropriately: umask [UMASK] Setting the umask to too restrictive a setting can cause serious errors at runtime. Many daemons on the system already individually restrict themselves to a umask of 077 in their own init scripts. CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38643 RHEL-06-000282 There must be no world-writable files on the system. SRG-OS-999999 medium To find world-writable files, run the following command for each local partition [PART], excluding special filesystems such as /selinux, /proc, or /sys: # find [PART] -xdev -type f -perm -002 If there is output, this is a finding. It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account. CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
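Added example for RHEL-06-000282 above. This is editor-written shell, not part of the STIG text or of the xccdf2csv output. The row tells the reviewer to run the find on each local partition [PART] and to skip /selinux, /proc and /sys, but does not say how to get that list; this derives it from a mounts table (the format of /proc/mounts) so pseudo filesystems and tmpfs are never walked, and then runs the STIG's own find expression with -xdev on each mount point. Assumptions: the set of filesystem types treated as local disk (ext2/3/4, xfs, btrfs) is mine, both sample inputs are constructed, and mount points containing spaces are out of scope.

```shell
#!/bin/sh
# Editor-added example (not STIG text, not xccdf2csv output): enumerate
# local partitions from a mounts table, then apply the RHEL-06-000282
# find expression to each with -xdev so the walk stays on that filesystem.

# local_partitions [MOUNTS_FILE] -> mount points of local disk filesystems
# (assumption: this fstype list is what counts as "local" on RHEL6)
local_partitions() {
    awk '$3 ~ /^(ext[234]|xfs|btrfs)$/ { print $2 }' "${1:-/proc/mounts}"
}

# world_writable_files DIR... -> regular files with o+w, one path per line
world_writable_files() {
    find "$@" -xdev -type f -perm -002 2>/dev/null
}

# world_writable_count DIR... -> number of such files; 0 means no finding
world_writable_count() {
    world_writable_files "$@" | wc -l | tr -d ' '
}

# Constructed mounts table shaped like /proc/mounts on a RHEL6 host:
# only the two ext4 entries should be scanned.
MOUNTS=$(mktemp)
cat >"$MOUNTS" <<'EOF'
rootfs / rootfs rw 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
/dev/mapper/vg_root-lv_root / ext4 rw,relatime,barrier=1,data=ordered 0 0
/dev/sda1 /boot ext4 rw,relatime,barrier=1,data=ordered 0 0
tmpfs /dev/shm tmpfs rw,relatime 0 0
none /selinux selinuxfs rw,relatime 0 0
EOF
echo "partitions to scan:"; local_partitions "$MOUNTS"
rm -f "$MOUNTS"

# Constructed directory with one world-writable file and one normal file.
D=$(mktemp -d)
touch "$D/ok" "$D/bad"; chmod 644 "$D/ok"; chmod 666 "$D/bad"
echo "world-writable files under $D: $(world_writable_count "$D")"
world_writable_files "$D"
rm -rf "$D"
```

Against a real host the two pieces combine as world_writable_files $(local_partitions); the unquoted expansion is what makes the space-in-mount-point assumption matter.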
38644 RHEL-06-000265 The ntpdate service must not be running. SRG-OS-000096 low To check that the "ntpdate" service is disabled in system boot configuration, run the following command: # chkconfig "ntpdate" --list Output should indicate the "ntpdate" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "ntpdate" --list "ntpdate" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "ntpdate" is disabled through current runtime configuration: # service ntpdate status If the service is disabled the command will return the following output: ntpdate is stopped If the service is running, this is a finding. The ntpdate service sets the local hardware clock by polling NTP servers when the system boots. It synchronizes to the NTP servers listed in "/etc/ntp/step-tickers" or "/etc/ntp.conf" and then sets the local hardware clock to the newly synchronized system time. The "ntpdate" service can be disabled with the following commands: # chkconfig ntpdate off # service ntpdate stop CCI-000382 CCI-000382 draft 9/18/2009 DISA FSO The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services. technical 4 CM-7 b 3 CM-7 1 CM-7.1 (iii)
38645 RHEL-06-000345 The system default umask in /etc/login.defs must be 077. SRG-OS-999999 low Verify the "umask" setting is configured correctly in the "/etc/login.defs" file by running the following command: # grep -i "umask" /etc/login.defs All output must show the value of "umask" set to 077, as shown in the below: # grep -i "umask" /etc/login.defs UMASK 077 If the above command returns no output, or if the umask is configured incorrectly, this is a finding. To ensure the default umask controlled by "/etc/login.defs" is set properly, add or correct the "umask" setting in "/etc/login.defs" to read as follows: UMASK 077 CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38646 RHEL-06-000266 The oddjobd service must not be running. SRG-OS-000096 low To check that the "oddjobd" service is disabled in system boot configuration, run the following command: # chkconfig "oddjobd" --list Output should indicate the "oddjobd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "oddjobd" --list "oddjobd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "oddjobd" is disabled through current runtime configuration: # service oddjobd status If the service is disabled the command will return the following output: oddjobd is stopped If the service is running, this is a finding. The "oddjobd" service exists to provide an interface and access control mechanism through which specified privileged tasks can run tasks for unprivileged client applications. Communication with "oddjobd" is through the system message bus. The "oddjobd" service can be disabled with the following commands: # chkconfig oddjobd off # service oddjobd stop CCI-000382 CCI-000382 draft 9/18/2009 DISA FSO The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services. technical 4 CM-7 b 3 CM-7 1 CM-7.1 (iii)
38647 RHEL-06-000344 The system default umask in /etc/profile must be 077. SRG-OS-999999 low Verify the "umask" setting is configured correctly in the "/etc/profile" file by running the following command: # grep "umask" /etc/profile All output must show the value of "umask" set to 077, as shown below: # grep "umask" /etc/profile umask 077 If the above command returns no output, or if the umask is configured incorrectly, this is a finding. To ensure the default umask controlled by "/etc/profile" is set properly, add or correct the "umask" setting in "/etc/profile" to read as follows: umask 077 CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38648 RHEL-06-000267 The qpidd service must not be running. SRG-OS-000096 low To check that the "qpidd" service is disabled in system boot configuration, run the following command: # chkconfig "qpidd" --list Output should indicate the "qpidd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "qpidd" --list "qpidd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "qpidd" is disabled through current runtime configuration: # service qpidd status If the service is disabled the command will return the following output: qpidd is stopped If the service is running, this is a finding. The "qpidd" service provides high speed, secure, guaranteed delivery services. It is an implementation of the Advanced Message Queuing Protocol. By default the qpidd service will bind to port 5672 and listen for connection attempts. The "qpidd" service can be disabled with the following commands: # chkconfig qpidd off # service qpidd stop CCI-000382 CCI-000382 draft 9/18/2009 DISA FSO The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services. technical 4 CM-7 b 3 CM-7 1 CM-7.1 (iii)
38649 RHEL-06-000343 The system default umask for the csh shell must be 077. SRG-OS-999999 low Verify the "umask" setting is configured correctly in the "/etc/csh.cshrc" file by running the following command: # grep "umask" /etc/csh.cshrc All output must show the value of "umask" set to 077, as shown below: # grep "umask" /etc/csh.cshrc umask 077 If the above command returns no output, or if the umask is configured incorrectly, this is a finding. To ensure the default umask for users of the C shell is set properly, add or correct the "umask" setting in "/etc/csh.cshrc" to read as follows: umask 077 CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38650 RHEL-06-000268 The rdisc service must not be running. SRG-OS-000096 low To check that the "rdisc" service is disabled in system boot configuration, run the following command: # chkconfig "rdisc" --list Output should indicate the "rdisc" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "rdisc" --list "rdisc" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "rdisc" is disabled through current runtime configuration: # service rdisc status If the service is disabled the command will return the following output: rdisc is stopped If the service is running, this is a finding. The "rdisc" service implements the client side of the ICMP Internet Router Discovery Protocol (IRDP), which allows discovery of routers on the local subnet. If a router is discovered then the local routing table is updated with a corresponding default route. By default this daemon is disabled. The "rdisc" service can be disabled with the following commands: # chkconfig rdisc off # service rdisc stop CCI-000382 CCI-000382 draft 9/18/2009 DISA FSO The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services. technical 4 CM-7 b 3 CM-7 1 CM-7.1 (iii)
38651 RHEL-06-000342 The system default umask for the bash shell must be 077. SRG-OS-999999 low Verify the "umask" setting is configured correctly in the "/etc/bashrc" file by running the following command: # grep "umask" /etc/bashrc All output must show the value of "umask" set to 077, as shown below: # grep "umask" /etc/bashrc umask 077 umask 077 If the above command returns no output, or if the umask is configured incorrectly, this is a finding. To ensure the default umask for users of the Bash shell is set properly, add or correct the "umask" setting in "/etc/bashrc" to read as follows: umask 077 CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38652 RHEL-06-000269 Remote file systems must be mounted with the nodev option. SRG-OS-999999 medium To verify the "nodev" option is configured for all NFS mounts, run the following command: $ mount | grep "nfs " All NFS mounts should show the "nodev" setting in parentheses, along with other mount options. If the setting does not show, this is a finding. Add the "nodev" option to the fourth column of "/etc/fstab" for the line which controls mounting of any NFS mounts. CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38653 RHEL-06-000341 The snmpd service must not use a default password. SRG-OS-999999 high To ensure the default password is not set, run the following command: # grep -v "^#" /etc/snmp/snmpd.conf | grep public There should be no output. If there is output, this is a finding. Edit "/etc/snmp/snmpd.conf" and remove the default community string "public". Upon doing that, restart the SNMP service: # service snmpd restart CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38654 RHEL-06-000270 Remote file systems must be mounted with the nosuid option. SRG-OS-999999 medium To verify the "nosuid" option is configured for all NFS mounts, run the following command: $ mount | grep nfs All NFS mounts should show the "nosuid" setting in parentheses, along with other mount options. If the setting does not show, this is a finding. Add the "nosuid" option to the fourth column of "/etc/fstab" for the line which controls mounting of any NFS mounts. CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38655 RHEL-06-000271 The noexec option must be added to removable media partitions. SRG-OS-000035 low To verify that binaries cannot be directly executed from removable media, run the following command: # grep noexec /etc/fstab The output should show "noexec" in use. If it does not, this is a finding. The "noexec" mount option prevents the direct execution of binaries on the mounted filesystem. Users should not be allowed to execute binaries that exist on partitions mounted from removable media (such as a USB key). The "noexec" option prevents code from being executed directly from the media itself, and may therefore provide a line of defense against certain types of worms or malicious code. Add the "noexec" option to the fourth column of "/etc/fstab" for the line which controls mounting of any removable media partitions. CCI-000087 CCI-000087 draft 5/19/2009 DISA FSO The organization disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction. technical 3 AC-19 e 1 AC-19.1 (v)
38656 RHEL-06-000272 The system must use SMB client signing for connecting to samba servers using smbclient. SRG-OS-999999 low To verify that Samba clients running smbclient must use packet signing, run the following command: # grep signing /etc/samba/smb.conf The output should show: client signing = mandatory If it is not, this is a finding. To require samba clients running "smbclient" to use packet signing, add the following to the "[global]" section of the Samba configuration file in "/etc/samba/smb.conf": client signing = mandatory Requiring samba clients such as "smbclient" to use packet signing ensures they can only communicate with servers that support packet signing. CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38657 RHEL-06-000273 The system must use SMB client signing for connecting to samba servers using mount.cifs. SRG-OS-999999 low If Samba is not in use, this is not applicable. To verify that Samba clients using mount.cifs must use packet signing, run the following command: # grep sec /etc/fstab /etc/mtab The output should show either "krb5i" or "ntlmv2i" in use. If it does not, this is a finding. Require packet signing of clients who mount Samba shares using the "mount.cifs" program (e.g., those who specify shares in "/etc/fstab"). To do so, ensure signing options (either "sec=krb5i" or "sec=ntlmv2i") are used. See the "mount.cifs(8)" man page for more information. A Samba client should only communicate with servers who can support SMB packet signing. CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38658 RHEL-06-000274 The system must prohibit the reuse of passwords within five iterations. SRG-OS-000077 medium To verify the password reuse setting is compliant, run the following command: # grep remember /etc/pam.d/system-auth The output must be a line beginning with "password sufficient pam_pwhistory.so" and ending with "remember=5". If the line is commented out, the line does not contain the specified elements, or the value for "remember" is less than 5, this is a finding. Do not allow users to reuse recent passwords. This can be accomplished by using the "remember" option for the "pam_pwhistory" PAM module. In the file "/etc/pam.d/system-auth", append "remember=5" to the line which refers to the "pam_pwhistory.so" module, as shown: password sufficient pam_pwhistory.so [existing_options] remember=5 The DoD requirement is five passwords. CCI-000200 CCI-000200 draft 5/22/2009 DISA FSO The information system prohibits password reuse for the organization-defined number of generations. technical 4 IA-5 (1) (e) 3 IA-5 (1) (e) 1 IA-5 (1).1 (v)
38659 RHEL-06-000275 The operating system must employ cryptographic mechanisms to protect information in storage. SRG-OS-000131 low Determine if encryption must be used to protect data on the system. If encryption must be used and is not employed, this is a finding. Red Hat Enterprise Linux 6 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time. For manual installations, select the "Encrypt" checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots. For automated/unattended installations, it is possible to use Kickstart by adding the "--encrypted" and "--passphrase=" options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition: part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=[PASSPHRASE] Any [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the "--passphrase=" option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation. Detailed information on encrypting partitions using LUKS can be found on the Red Hat Documentation web site: https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html CCI-001019 CCI-001019 draft 9/21/2009 DISA FSO The organization employs cryptographic mechanisms to protect information in storage. technical 3 MP-4 (1) 1 MP-4 (1).1
38660 RHEL-06-000340 The snmpd service must use only SNMP protocol version 3 or newer. SRG-OS-999999 medium To ensure only SNMPv3 or newer is used, run the following command: # grep 'v1\|v2c\|com2sec' /etc/snmp/snmpd.conf | grep -v '^#' There should be no output. If there is output, this is a finding. Edit "/etc/snmp/snmpd.conf", removing any references to "v1", "v2c", or "com2sec". Upon doing that, restart the SNMP service: # service snmpd restart CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38661 RHEL-06-000276 The operating system must protect the confidentiality and integrity of data at rest. SRG-OS-000185 low Determine if encryption must be used to protect data on the system. If encryption must be used and is not employed, this is a finding. Red Hat Enterprise Linux 6 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time. For manual installations, select the "Encrypt" checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots. For automated/unattended installations, it is possible to use Kickstart by adding the "--encrypted" and "--passphrase=" options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition: part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=[PASSPHRASE] Any [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the "--passphrase=" option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation. Detailed information on encrypting partitions using LUKS can be found on the Red Hat Documentation web site: https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html CCI-001199 CCI-001199 draft 9/21/2009 DISA FSO The information system protects the confidentiality and/or integrity of organization-defined information at rest. technical 4 SC-28 3 SC-28 1 SC-28.1
38662 RHEL-06-000277 The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of data at rest unless otherwise protected by alternative physical measures. SRG-OS-000230 low Determine if encryption must be used to protect data on the system. If encryption must be used and is not employed, this is a finding. Red Hat Enterprise Linux 6 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time. For manual installations, select the "Encrypt" checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots. For automated/unattended installations, it is possible to use Kickstart by adding the "--encrypted" and "--passphrase=" options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition: part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=[PASSPHRASE] Any [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the "--passphrase=" option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation. Detailed information on encrypting partitions using LUKS can be found on the Red Hat Documentation web site: https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html CCI-001200 CCI-001200 draft 9/21/2009 DISA FSO The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures. technical 3 SC-28 (1) 1 SC-28 (1).1 (i)
38663 RHEL-06-000278 The system package management tool must verify permissions on all files and directories associated with the audit package. SRG-OS-000256 medium The following command will list which audit files on the system have permissions different from what is expected by the RPM database: # rpm -V audit | grep '^.M' If there is any output, for each file or directory found, compare the RPM-expected permissions with the permissions on the file or directory: # rpm -q --queryformat "[%{FILENAMES} %{FILEMODES:perms}\n]" audit | grep [filename] # ls -lL [filename] If the existing permissions are more permissive than those expected by RPM, this is a finding. The RPM package management system can restore file access permissions of the audit package files and directories. The following command will update audit files with permissions different from what is expected by the RPM database: # rpm --setperms audit CCI-001493 CCI-001493 draft 9/29/2009 DISA FSO The information system protects audit tools from unauthorized access. technical 4 AU-9 3 AU-9 1 AU-9.1
38664 RHEL-06-000279 The system package management tool must verify ownership on all files and directories associated with the audit package. SRG-OS-000257 medium The following command will list which audit files on the system have ownership different from what is expected by the RPM database: # rpm -V audit | grep '^.....U' If there is output, this is a finding. The RPM package management system can restore file ownership of the audit package files and directories. The following command will update audit files with ownership different from what is expected by the RPM database: # rpm --setugids audit CCI-001494 CCI-001494 draft 9/29/2009 DISA FSO The information system protects audit tools from unauthorized modification. technical 4 AU-9 3 AU-9 1 AU-9.1
38665 RHEL-06-000280 The system package management tool must verify group-ownership on all files and directories associated with the audit package. SRG-OS-000258 medium The following command will list which audit files on the system have group-ownership different from what is expected by the RPM database: # rpm -V audit | grep '^......G' If there is output, this is a finding. The RPM package management system can restore file group-ownership of the audit package files and directories. The following command will update audit files with group-ownership different from what is expected by the RPM database: # rpm --setugids audit CCI-001495 CCI-001495 draft 9/29/2009 DISA FSO The information system protects audit tools from unauthorized deletion. technical 4 AU-9 3 AU-9 1 AU-9.1
38666 RHEL-06-000284 The system must use and update a DoD-approved virus scan program. SRG-OS-000270 high Inspect the system for a cron job or system service which executes a virus scanning tool regularly. To verify the McAfee VSEL system service is operational, run the following command: # /etc/init.d/nails status To check on the age of uvscan virus definition files, run the following command: # cd /opt/NAI/LinuxShield/engine/dat # ls -la avvscan.dat avvnames.dat avvclean.dat If virus scanning software does not run continuously, or at least daily, or has signatures that are out of date, this is a finding. Install virus scanning software, which uses signatures to search for the presence of viruses on the filesystem. The McAfee VirusScan Enterprise for Linux virus scanning tool is provided for DoD systems. Ensure virus definition files are no older than 7 days, or their last release. Configure the virus scanning software to perform scans dynamically on all accessed files. If this is not possible, configure the system to scan all altered files on the system on a daily basis. If the system processes inbound SMTP mail, configure the virus scanner to scan all received mail. CCI-001668 CCI-001668 draft 5/12/2010 DISA FSO The organization employs malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means or inserted through the exploitation of information system vulnerabilities. technical 3 SI-3 a 1 SI-3.1 (ii)
38667 RHEL-06-000285 The system must have a host-based intrusion detection tool installed. SRG-OS-000196 medium Inspect the system to determine if intrusion detection software has been installed. Verify the intrusion detection software is active. If no host-based intrusion detection tools are installed, this is a finding. The base Red Hat platform already includes a sophisticated auditing system that can detect intruder activity, as well as SELinux, which provides host-based intrusion prevention capabilities by confining privileged programs and user sessions which may become compromised. In DoD environments, supplemental intrusion detection tools, such as the McAfee Host-based Security System, are available to integrate with existing infrastructure. When these supplemental tools interfere with the proper functioning of SELinux, SELinux takes precedence. CCI-001263 CCI-001263 draft 9/22/2009 DISA FSO The information system provides near real-time alerts when any of the organization-defined list of compromise or potential compromise indicators occurs. technical 3 SI-4 (5) 1 SI-4 (5).1 (ii)
38668 RHEL-06-000286 The x86 Ctrl-Alt-Delete key sequence must be disabled. SRG-OS-999999 high To ensure the system is configured to log a message instead of rebooting the system when Ctrl-Alt-Delete is pressed, ensure the following line is in "/etc/init/control-alt-delete.override": exec /usr/bin/logger -p security.info "Ctrl-Alt-Delete pressed" If the system is not configured to block the shutdown command when Ctrl-Alt-Delete is pressed, this is a finding. By default, the system includes the following line in "/etc/init/control-alt-delete.conf" to reboot the system when the Ctrl-Alt-Delete key sequence is pressed: exec /sbin/shutdown -r now "Ctrl-Alt-Delete pressed" To configure the system to log a message instead of rebooting the system, add the following line to "/etc/init/control-alt-delete.override" to read as follows: exec /usr/bin/logger -p security.info "Ctrl-Alt-Delete pressed" CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38669 RHEL-06-000287 The postfix service must be enabled for mail delivery. SRG-OS-999999 low Run the following command to determine the current status of the "postfix" service: # service postfix status If the service is enabled, it should return the following: postfix is running... If the service is not enabled, this is a finding. The Postfix mail transfer agent is used for local mail delivery within the system. The default configuration only listens for connections to the default SMTP port (port 25) on the loopback interface (127.0.0.1). It is recommended to leave this service enabled for local mail delivery. The "postfix" service can be enabled with the following commands: # chkconfig postfix on # service postfix start CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38670 RHEL-06-000306 The operating system must detect unauthorized changes to software and information. SRG-OS-000202 medium To determine that periodic AIDE execution has been scheduled, run the following command: # grep aide /etc/crontab /etc/cron.*/* If there is no output, this is a finding. AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example. CCI-001297 CCI-001297 draft 9/22/2009 DISA FSO The information system detects unauthorized changes to software and information. technical 3 SI-7 1 SI-7.1
38671 RHEL-06-000288 The sendmail package must be removed. SRG-OS-999999 medium Run the following command to determine if the "sendmail" package is installed: # rpm -q sendmail If the package is installed, this is a finding. Sendmail is not the default mail transfer agent and is not installed by default. The "sendmail" package can be removed with the following command: # yum erase sendmail CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38672 RHEL-06-000289 The netconsole service must be disabled unless required. SRG-OS-000096 low To check that the "netconsole" service is disabled in system boot configuration, run the following command: # chkconfig "netconsole" --list Output should indicate the "netconsole" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "netconsole" --list "netconsole" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "netconsole" is disabled through current runtime configuration: # service netconsole status If the service is disabled the command will return the following output: netconsole is stopped If the service is running, this is a finding. The "netconsole" service is responsible for loading the netconsole kernel module, which logs kernel printk messages over UDP to a syslog server. This allows debugging of problems where disk logging fails and serial consoles are impractical. The "netconsole" service can be disabled with the following commands: # chkconfig netconsole off # service netconsole stop CCI-000382 CCI-000382 draft 9/18/2009 DISA FSO The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services. technical 4 CM-7 b 3 CM-7 1 CM-7.1 (iii)
38673 RHEL-06-000307 The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked. SRG-OS-000265 medium To determine that periodic AIDE execution has been scheduled, run the following command: # grep aide /etc/crontab /etc/cron.*/* If there is no output, this is a finding. AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example. CCI-001589 CCI-001589 draft 5/12/2010 DISA FSO The organization incorporates detection of unauthorized, security-relevant configuration changes into the organization’s incident response capability to ensure they are tracked. technical 3 CM-6 (3) 1 CM-6 (3).1 (ii)
38674 RHEL-06-000290 X Windows must not be enabled unless required. SRG-OS-000248 medium To verify the default runlevel is 3, run the following command: # grep initdefault /etc/inittab The output should show the following: id:3:initdefault: If it does not, this is a finding. Setting the system's runlevel to 3 will prevent automatic startup of the X server. To do so, ensure the following line in "/etc/inittab" features a "3" as shown: id:3:initdefault: CCI-001436 CCI-001436 draft 9/25/2009 DISA FSO The organization disables organization-defined networking protocols within the information system deemed to be nonsecure except for explicitly identified components in support of specific operational requirements. technical 3 AC-17 (8) 1 AC-17 (8).1 (ii)
38675 RHEL-06-000308 Process core dumps must be disabled unless needed. SRG-OS-999999 low To verify that core dumps are disabled for all users, run the following command: $ grep core /etc/security/limits.conf /etc/security/limits.d/*.conf The output should be: * hard core 0 If it is not, this is a finding. To disable core dumps for all users, add the following line to "/etc/security/limits.conf": * hard core 0 CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38676 RHEL-06-000291 The xorg-x11-server-common (X Windows) package must not be installed, unless required. SRG-OS-999999 low To ensure the X Windows package group is removed, run the following command: $ rpm -qi xorg-x11-server-common The output should be: package xorg-x11-server-common is not installed If it is not, this is a finding. Removing all packages which constitute the X Window System ensures users or malicious software cannot start X. To do so, run the following command: # yum groupremove "X Window System" CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38677 RHEL-06-000309 The NFS server must not have the insecure file locking option enabled. SRG-OS-000104 high To verify insecure file locking has been disabled, run the following command: # grep insecure_locks /etc/exports If there is output, this is a finding. By default the NFS server requires secure file-lock requests, which require credentials from the client in order to lock a file. Most NFS clients send credentials with file lock requests; however, a few clients do not send credentials when requesting a file lock, so those clients can only lock world-readable files. To get around this, the "insecure_locks" option can be used so these clients can access the desired export. This poses a security risk by potentially allowing the client access to data for which it does not have authorization. Remove any instances of the "insecure_locks" option from the file "/etc/exports". CCI-000764 CCI-000764 draft 9/17/2009 DISA FSO The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). technical 4 IA-2 3 IA-2 1 IA-2.1
38678 RHEL-06-000311 The audit system must provide a warning when allocated audit record storage volume reaches a documented percentage of maximum audit record storage capacity. SRG-OS-000048 medium Inspect "/etc/audit/auditd.conf" and locate the following line to determine whether the system is configured to email the administrator when disk space is starting to run low: # grep space_left /etc/audit/auditd.conf space_left = [num_megabytes] If the "num_megabytes" value does not correspond to a documented value for remaining audit partition capacity or if there is no locally documented value for remaining audit partition capacity, this is a finding. The "auditd" service can be configured to take an action when disk space starts to run low. Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [num_megabytes] appropriately: space_left = [num_megabytes] The "num_megabytes" value should be set to a fraction of the total audit storage capacity available that will allow a system administrator to be notified with enough time to respond to the situation causing the capacity issues. This value must also be documented locally. CCI-000143 CCI-000143 draft 5/20/2009 DISA FSO The information system provides a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity. technical 3 AU-5 (1) 1 AU-5 (1).1 (ii)
38679 RHEL-06-000292 The DHCP client must be disabled if not needed. SRG-OS-999999 medium To verify that DHCP is not being used, examine the following file for each interface. # /etc/sysconfig/network-scripts/ifcfg-[IFACE] If there is any network interface without an associated "ifcfg" file, this is a finding. Look for the following: BOOTPROTO=none Also verify the following, substituting the appropriate values based on your site's addressing scheme: NETMASK=[local LAN netmask] IPADDR=[assigned IP address] GATEWAY=[local LAN default gateway] If it does not, this is a finding. For each interface [IFACE] on the system (e.g. eth0), edit "/etc/sysconfig/network-scripts/ifcfg-[IFACE]" and make the following changes. Correct the BOOTPROTO line to read: BOOTPROTO=none Add or correct the following lines, substituting the appropriate values based on your site's addressing scheme: NETMASK=[local LAN netmask] IPADDR=[assigned IP address] GATEWAY=[local LAN default gateway] CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38680 RHEL-06-000313 The audit system must identify staff members to receive notifications of audit log storage volume capacity issues. SRG-OS-000046 medium Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to send email to an account when it needs to notify an administrator: action_mail_acct = root If auditd is not configured to send emails per identified actions, this is a finding. The "auditd" service can be configured to send email to a designated account in certain situations. Add or correct the following line in "/etc/audit/auditd.conf" to ensure that administrators are notified via email for those situations: action_mail_acct = root CCI-000139 CCI-000139 draft 9/15/2009 DISA FSO The information system alerts designated organization-defined personnel or roles in the event of an audit processing failure. technical 4 AU-5 a 3 AU-5 a 1 AU-5.1 (ii)
38681 RHEL-06-000294 All GIDs referenced in /etc/passwd must be defined in /etc/group SRG-OS-999999 low To ensure all GIDs referenced in /etc/passwd are defined in /etc/group, run the following command: # pwck -r | grep 'no group' There should be no output. If there is output, this is a finding. Add a group to the system for each GID referenced without a corresponding group. CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38682 RHEL-06-000315 The Bluetooth kernel module must be disabled. SRG-OS-000034 medium If the system is configured to prevent the loading of the "bluetooth" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated "/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": $ grep -r bluetooth /etc/modprobe.conf /etc/modprobe.d If the system is configured to prevent the loading of the "net-pf-31" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated "/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": $ grep -r net-pf-31 /etc/modprobe.conf /etc/modprobe.d If no line is returned, this is a finding. The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate "/etc/modprobe.d" configuration file to prevent the loading of the Bluetooth module: install net-pf-31 /bin/true install bluetooth /bin/true CCI-000085 CCI-000085 draft 5/19/2009 DISA FSO The organization monitors for unauthorized connections of mobile devices to organizational information systems. technical 3 AC-19 c 1 AC-19.1 (iii)
38683 RHEL-06-000296 All accounts on the system must have unique user or account names SRG-OS-000121 low Run the following command to check for duplicate account names: # pwck -rq If there are no duplicate names, no line will be returned. If a line is returned, this is a finding. Change usernames, or delete accounts, so each has a unique name. CCI-000804 CCI-000804 draft 9/17/2009 DISA FSO The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users). technical 4 IA-8 3 IA-8 1 IA-8.1
38684 RHEL-06-000319 The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements. SRG-OS-000027 low Run the following command to ensure the "maxlogins" value is configured for all users on the system: $ grep "maxlogins" /etc/security/limits.conf /etc/security/limits.d/*.conf You should receive output similar to the following: * hard maxlogins 10 If it is not similar, this is a finding. Limiting the number of allowed users and sessions per user can limit risks related to denial of service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. To set the number of concurrent sessions per user add the following line in "/etc/security/limits.conf": * hard maxlogins 10 A documented site-defined number may be substituted for 10 in the above. CCI-000054 CCI-000054 draft 5/19/2009 DISA FSO The information system limits the number of concurrent sessions for each organization-defined account and/or account type to an organization-defined number of sessions. technical 4 AC-10 3 AC-10 1 AC-10.1 (ii)
38685 RHEL-06-000297 Temporary accounts must be provisioned with an expiration date. SRG-OS-000002 low For every temporary account, run the following command to obtain its account aging and expiration information: # chage -l [USER] Verify each of these accounts has an expiration date set as documented. If any temporary accounts have no expiration date set or do not expire within a documented time frame, this is a finding. In the event temporary accounts are required, configure the system to terminate them after a documented time period. For every temporary account, run the following command to set an expiration date on it, substituting "[USER]" and "[YYYY-MM-DD]" appropriately: # chage -E [YYYY-MM-DD] [USER] "[YYYY-MM-DD]" indicates the documented expiration date for the account. CCI-000016 CCI-000016 draft 5/13/2009 DISA FSO The information system automatically removes or disables temporary accounts after an organization-defined time period for each type of account. technical 4 AC-2 (2) 3 AC-2 (2) 1 AC-2 (2).1 (ii)
38686 RHEL-06-000320 The system's local firewall must implement a deny-all, allow-by-exception policy for forwarded packets. SRG-OS-000147 medium Run the following command to ensure the default "FORWARD" policy is "DROP": grep ":FORWARD" /etc/sysconfig/iptables The output must be the following: # grep ":FORWARD" /etc/sysconfig/iptables :FORWARD DROP [0:0] If it is not, this is a finding. To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interface to another, add or correct the following line in "/etc/sysconfig/iptables": :FORWARD DROP [0:0] CCI-001109 CCI-001109 draft 9/21/2009 DISA FSO The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception). technical 4 SC-7 (5) 3 SC-7 (5) 1 SC-7 (5).1 (i) (ii)
38687 RHEL-06-000321 The system must provide VPN connectivity for communications over untrusted networks. SRG-OS-000160 low If the system does not communicate over untrusted networks, this is not applicable. Run the following command to determine if the "openswan" package is installed: # rpm -q openswan If the package is not installed, this is a finding. The Openswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. The "openswan" package can be installed with the following command: # yum install openswan CCI-001130 CCI-001130 draft 9/21/2009 DISA FSO The information system protects the confidentiality of transmitted information. technical 3 SC-9 1 SC-9.1
38688 RHEL-06-000324 A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts. SRG-OS-000024 medium If the GConf2 package is not installed, this is not applicable. To ensure a login warning banner is enabled, run the following: $ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gdm/simple-greeter/banner_message_enable Search for the "banner_message_enable" schema. If properly configured, the "default" value should be "true". If it is not, this is a finding. To enable displaying a login warning banner in the GNOME Display Manager's login screen, run the following command: # gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/gdm/simple-greeter/banner_message_enable true To display a banner, this setting must be enabled and then banner text must also be set. CCI-000050 CCI-000050 draft 9/14/2009 DISA FSO The information system retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system. technical 4 AC-8 b 3 AC-8 b 1 AC-8.1 (iii)
38689 RHEL-06-000326 The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts. SRG-OS-000228 medium If the GConf2 package is not installed, this is not applicable. To ensure login warning banner text is properly set, run the following: $ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gdm/simple-greeter/banner_message_text If properly configured, the proper banner text will appear within this schema. The DoD required text is either: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." OR: "I've read & consent to terms in IS user agreem't." If the DoD required banner text does not appear in the schema, this is a finding. To set the text shown by the GNOME Display Manager in the login screen, run the following command: # gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type string \ --set /apps/gdm/simple-greeter/banner_message_text \ "[DoD required text]" Where the DoD required text is either: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." OR: "I've read & consent to terms in IS user agreem't." When entering a warning banner that spans several lines, remember to begin and end the string with """. This command writes directly to the file "/etc/gconf/gconf.xml.mandatory/apps/gdm/simple-greeter/%gconf.xml", and this file can later be edited directly if necessary. CCI-001384 CCI-001384 draft 9/22/2009 DISA FSO The information system, for publicly accessible systems, displays system use information organization-defined conditions before granting further access. technical 4 AC-8 c 1 3 AC-8 c 1 AC-8.2 (i)
38690 RHEL-06-000298 Emergency accounts must be provisioned with an expiration date. SRG-OS-000123 low For every emergency account, run the following command to obtain its account aging and expiration information: # chage -l [USER] Verify each of these accounts has an expiration date set as documented. If any emergency accounts have no expiration date set or do not expire within a documented time frame, this is a finding. In the event emergency accounts are required, configure the system to terminate them after a documented time period. For every emergency account, run the following command to set an expiration date on it, substituting "[USER]" and "[YYYY-MM-DD]" appropriately: # chage -E [YYYY-MM-DD] [USER] "[YYYY-MM-DD]" indicates the documented expiration date for the account. CCI-001682 CCI-001682 draft 5/3/2011 DISA FSO The information system automatically removes or disables emergency accounts after an organization-defined time period for each type of account. technical 4 AC-2 (2) 3 AC-2 (2) 1 AC-2 (2).1 (ii)
38691 RHEL-06-000331 The Bluetooth service must be disabled. SRG-OS-000034 medium To check that the "bluetooth" service is disabled in system boot configuration, run the following command: # chkconfig "bluetooth" --list Output should indicate the "bluetooth" service has either not been installed or has been disabled at all runlevels, as shown in the example below: # chkconfig "bluetooth" --list "bluetooth" 0:off 1:off 2:off 3:off 4:off 5:off 6:off If the service is configured to run, this is a finding. The "bluetooth" service can be disabled with the following command: # chkconfig bluetooth off # service bluetooth stop CCI-000085 CCI-000085 draft 5/19/2009 DISA FSO The organization monitors for unauthorized connections of mobile devices to organizational information systems. technical 3 AC-19 c 1 AC-19.1 (iii)
38692 RHEL-06-000334 Accounts must be locked upon 35 days of inactivity. GEN006660 low To verify the "INACTIVE" setting, run the following command: grep "INACTIVE" /etc/default/useradd The output should indicate the "INACTIVE" configuration option is set to an appropriate integer as shown in the example below: # grep "INACTIVE" /etc/default/useradd INACTIVE=35 If it does not, this is a finding. To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in "/etc/default/useradd", substituting "[NUM_DAYS]" appropriately: INACTIVE=[NUM_DAYS] A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the "useradd" man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users. CCI-000017 CCI-000017 draft 5/13/2009 DISA FSO The information system automatically disables inactive accounts after an organization-defined time period. technical 4 AC-2 (3) 3 AC-2 (3) 1 AC-2 (3).1 (ii)
38693 RHEL-06-000299 The system must require passwords to contain no more than three consecutive repeating characters. SRG-OS-999999 low To check the maximum value for consecutive repeating characters, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth Look for the value of the "maxrepeat" parameter. The DoD requirement is 3. If maxrepeat is not found or not set to the required value, this is a finding. The pam_cracklib module's "maxrepeat" parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters. Add "maxrepeat=3" after pam_cracklib.so to prevent a run of (3 + 1) or more identical characters. password required pam_cracklib.so maxrepeat=3 CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38694 RHEL-06-000335 The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization defined time period of inactivity. SRG-OS-000118 low To verify the "INACTIVE" setting, run the following command: grep "INACTIVE" /etc/default/useradd The output should indicate the "INACTIVE" configuration option is set to an appropriate integer as shown in the example below: # grep "INACTIVE" /etc/default/useradd INACTIVE=35 If it does not, this is a finding. To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in "/etc/default/useradd", substituting "[NUM_DAYS]" appropriately: INACTIVE=[NUM_DAYS] A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the "useradd" man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users. CCI-000795 CCI-000795 draft 9/17/2009 DISA FSO The organization manages information system identifiers by disabling the identifier after an organization-defined time period of inactivity. policy 4 IA-4 e 3 IA-4 e 1 IA-4.1 (iii)
38695 RHEL-06-000302 A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries. SRG-OS-000094 medium To determine that periodic AIDE execution has been scheduled, run the following command: # grep aide /etc/crontab /etc/cron.*/* If there is no output or if aide is not run at least weekly, this is a finding. AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example. CCI-000374 CCI-000374 draft 9/18/2009 DISA FSO The organization employs automated mechanisms to respond to unauthorized changes to organization-defined configuration settings. technical 3 CM-6 (2) 1 CM-6 (2).1 (ii)
38696 RHEL-06-000303 The operating system must employ automated mechanisms, per organization defined frequency, to detect the addition of unauthorized components/devices into the operating system. SRG-OS-000098 medium To determine that periodic AIDE execution has been scheduled, run the following command: # grep aide /etc/crontab /etc/cron.*/* If there is no output, this is a finding. AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example. CCI-000416 CCI-000416 draft 9/18/2009 DISA FSO The organization employs automated mechanisms, per organization-defined frequency, to detect the presence of unauthorized hardware, software, and firmware components within the information system. policy 4 CM-8 (3) (a) 3 CM-8 (3) (a) 1 CM-8 (3).1 (ii)
38697 RHEL-06-000336 The sticky bit must be set on all public directories. SRG-OS-999999 low To find world-writable directories that lack the sticky bit, run the following command for each local partition [PART]: # find [PART] -xdev -type d -perm -002 \! -perm -1000 If any world-writable directories are missing the sticky bit, this is a finding. When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes. To set the sticky bit on a world-writable directory [DIR], run the following command: # chmod +t [DIR] CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38698 RHEL-06-000304 The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization defined frequency. SRG-OS-000232 medium To determine that periodic AIDE execution has been scheduled, run the following command: # grep aide /etc/crontab /etc/cron.*/* If there is no output, this is a finding. AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example. CCI-001069 CCI-001069 draft 9/21/2009 DISA FSO The organization employs automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization-defined frequency. technical 3 RA-5 (7) 1 RA-5 (7).1 (ii)
38699 RHEL-06-000337 All public directories must be owned by a system account. SRG-OS-999999 low The following command will discover and print world-writable directories that are not owned by a system account, given the assumption that only system accounts have a uid lower than 500. Run it once for each local partition [PART]: # find [PART] -xdev -type d -perm -0002 -uid +499 -print If there is output, this is a finding. All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group. CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38700 RHEL-06-000305 The operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs. SRG-OS-000196 medium To determine that periodic AIDE execution has been scheduled, run the following command: # grep aide /etc/crontab /etc/cron.*/* If there is no output, this is a finding. AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example. CCI-001263 CCI-001263 draft 9/22/2009 DISA FSO The information system provides near real-time alerts when any of the organization-defined list of compromise or potential compromise indicators occurs. technical 3 SI-4 (5) 1 SI-4 (5).1 (ii)
38701 RHEL-06-000338 The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system. SRG-OS-999999 high Verify "tftp" is configured with the "-s" option by running the following command: grep "server_args" /etc/xinetd.d/tftp The output should indicate the "server_args" variable is configured with the "-s" flag, matching the example below: # grep "server_args" /etc/xinetd.d/tftp server_args = -s /var/lib/tftpboot If it does not, this is a finding. If running the "tftp" service is necessary, it should be configured to change its root directory at startup. To do so, ensure "/etc/xinetd.d/tftp" includes "-s" as a command line argument, as shown in the following example (which is also the default): server_args = -s /var/lib/tftpboot CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
38702 RHEL-06-000339 The FTP daemon must be configured for logging or verbose mode. SRG-OS-000037 low Determine whether logging is enabled for the ftp daemon. Procedures: If vsftpd is started by xinetd, the following command will indicate the xinetd.d startup file. # grep vsftpd /etc/xinetd.d/* # grep server_args [vsftpd xinetd.d startup file] This will indicate the vsftpd config file used when starting through xinetd. If the [server_args] line is missing or does not include the vsftpd configuration file, then the default config file (/etc/vsftpd/vsftpd.conf) is used. # grep xferlog_enable [vsftpd config file] If xferlog_enable is missing, or is not set to yes, this is a finding. Add or correct the following configuration options within the "vsftpd" configuration file, located at "/etc/vsftpd/vsftpd.conf". xferlog_enable=YES xferlog_std_format=NO log_ftp_protocol=YES CCI-000130 CCI-000130 draft 5/20/2009 DISA FSO The information system generates audit records containing information that establishes what type of event occurred. technical 4 AU-3 3 AU-3 1 AU-3.1
43150 RHEL-06-000527 The login user list must be disabled. SRG-OS-999999 medium If the GConf2 package is not installed, this is not applicable. To ensure the user list is disabled, run the following command: $ gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --get /apps/gdm/simple-greeter/disable_user_list The output should be "true". If it is not, this is a finding. In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This functionality should be disabled. Run the following command to disable the user list: $ sudo gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool --set /apps/gdm/simple-greeter/disable_user_list true CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
51337 RHEL-06-000017 The system must use a Linux Security Module at boot time. SRG-OS-999999 medium Inspect "/boot/grub/grub.conf" for any instances of "selinux=0" in the kernel boot arguments. Presence of "selinux=0" indicates that SELinux is disabled at boot time. If SELinux is disabled at boot time, this is a finding. SELinux can be disabled at boot time by an argument in "/boot/grub/grub.conf". Remove any instances of "selinux=0" from the kernel arguments in that file to prevent SELinux from being disabled at boot. CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
51363 RHEL-06-000020 The system must use a Linux Security Module configured to enforce limits on system services. SRG-OS-999999 medium Check the file "/etc/selinux/config" and ensure the following line appears: SELINUX=enforcing If SELINUX is not set to enforcing, this is a finding. The SELinux state should be set to "enforcing" at system boot time. In the file "/etc/selinux/config", add or correct the following line to configure the system to boot into enforcing mode: SELINUX=enforcing CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
51369 RHEL-06-000023 The system must use a Linux Security Module configured to limit the privileges of system services. SRG-OS-999999 low Check the file "/etc/selinux/config" and ensure the following line appears: SELINUXTYPE=targeted If it does not, this is a finding. The SELinux "targeted" policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in "/etc/selinux/config": SELINUXTYPE=targeted Other policies, such as "mls", provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases. CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
51379 RHEL-06-000025 All device files must be monitored by the system Linux Security Module. SRG-OS-999999 low To check for unlabeled device files, run the following command: # ls -RZ /dev | grep unlabeled_t It should produce no output in a well-configured system. If there is output, this is a finding. Device files, which are used for communication with important system resources, should be labeled with proper SELinux types. If any device files carry the SELinux type "unlabeled_t", investigate the cause and correct the file's context. CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
51391 RHEL-06-000018 A file integrity baseline must be created. SRG-OS-000232 medium To find the location of the AIDE database file, run the following command: # grep DBDIR /etc/aide.conf Using the defined values of the [DBDIR] and [database] variables, verify the existence of the AIDE database file: # ls -l [DBDIR]/[database_file_name] If there is no database file, this is a finding. Run the following command to generate a new database: # /usr/sbin/aide --init By default, the database will be written to the file "/var/lib/aide/aide.db.new.gz". Storing the database, the configuration file "/etc/aide.conf", and the binary "/usr/sbin/aide" (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows: # cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz To initiate a manual check, run the following command: # /usr/sbin/aide --check If this check produces any unexpected output, investigate. CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
51875 RHEL-06-000372 The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access. SRG-OS-999999 medium To ensure that last logon/access notification is configured correctly, run the following command: # grep pam_lastlog.so /etc/pam.d/system-auth The output should include "showfailed". If that is not the case, this is a finding. To configure the system to notify users of last logon/access using "pam_lastlog", add the following line immediately after "session required pam_limits.so": session required pam_lastlog.so showfailed CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
54381 RHEL-06-000163 The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low. SRG-OS-999999 medium Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to either suspend, switch to single-user mode, or halt when disk space has run low: admin_space_left_action = single If the system is not configured to switch to single-user mode, suspend, or halt for corrective action, this is a finding. The "auditd" service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting [ACTION] appropriately: admin_space_left_action = [ACTION] Set this value to "single" to cause the system to switch to single-user mode for corrective action. Acceptable values also include "suspend" and "halt". For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for [ACTION] are described in the "auditd.conf" man page. CCI-000366 CCI-000366 draft 9/18/2009 DISA FSO The organization implements the security configuration settings. policy 4 CM-6 b 3 CM-6 b 1 CM-6.1 (iv)
57569 RHEL-06-000528 The noexec option must be added to the /tmp partition. SRG-OS-999999 medium To verify that binaries cannot be directly executed from the /tmp directory, run the following command: $ grep '\s/tmp' /etc/fstab The resulting output will show whether the /tmp partition has the "noexec" flag set. If the /tmp partition does not have the noexec flag set, this is a finding. The "noexec" mount option can be used to prevent binaries from being executed out of "/tmp". Add the "noexec" option to the fourth column of "/etc/fstab" for the line which controls mounting of "/tmp". CCI-000381 CCI-000381 draft 9/18/2009 DISA FSO The organization configures the information system to provide only essential capabilities. technical 4 CM-7 a 3 CM-7 1 CM-7.1 (ii)
58901 RHEL-06-000529 The sudo command must require authentication. SRG-OS-000373 medium Verify neither the "NOPASSWD" option nor the "!authenticate" option is configured for use in "/etc/sudoers" and associated files. Note that the "#include" and "#includedir" directives may be used to include configuration data from locations other than the defaults enumerated here. # egrep '^[^#]*NOPASSWD' /etc/sudoers /etc/sudoers.d/* # egrep '^[^#]*!authenticate' /etc/sudoers /etc/sudoers.d/* If the "NOPASSWD" or "!authenticate" options are configured for use in "/etc/sudoers" or associated files, this is a finding. Update the "/etc/sudoers" or other sudo configuration files to remove or comment out lines utilizing the "NOPASSWD" and "!authenticate" options. # visudo # visudo -f [other sudo configuration file] CCI-002038 CCI-002038 draft 5/3/2013 DISA FSO The organization requires users to reauthenticate upon organization-defined circumstances or situations requiring reauthentication. technical 4 IA-11
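The three rows above for /tmp noexec (RHEL-06-000528), admin_space_left_action (RHEL-06-000163) and passwordless sudo (RHEL-06-000529) each describe a check in terms of a grep whose output the reviewer is expected to read. The following is an added example, not DISA's or xccdf2csv's code, that turns each into a function that judges the file itself and returns 0 for a pass or 1 for a finding: the fstab check parses the mount point and option fields instead of matching the whole line, the auditd check compares the last definition of the key against the three allowed values, and the sudo check follows #include and #includedir directives (the STIG's own note) before applying the STIG's "^[^#]*" regex. Function names (tmp_noexec_check, auditd_space_check, sudoers_auth_check) and the weak/fixed sample files written to a scratch directory are this example's own constructions.

```sh
#!/bin/sh
# Added example, not DISA's or xccdf2csv's code: the /tmp noexec (RHEL-06-000528),
# auditd admin_space_left_action (RHEL-06-000163) and sudo NOPASSWD/!authenticate
# (RHEL-06-000529) checks, written as functions that take the config file as an
# argument so they can be run against copies offline. Function names and the
# sample files below are this example's own constructions.

# /tmp must carry noexec: parse fstab fields (2 = mount point, 4 = options)
# rather than eyeballing grep output.
tmp_noexec_check() {  # usage: tmp_noexec_check FSTAB
    awk '
        NF == 0 || $1 ~ /^#/ { next }            # comments and blank lines
        $2 == "/tmp" {
            seen = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "noexec") ok = 1
        }
        END {
            if (!seen) { print "FINDING: no /tmp entry in fstab, cannot verify"; exit 1 }
            if (!ok)   { print "FINDING: /tmp mounted without noexec"; exit 1 }
            print "PASS: /tmp has noexec"
        }' "$1"
}

# admin_space_left_action must be single, suspend or halt (last definition
# wins; the value is compared case-insensitively here).
auditd_space_check() {  # usage: auditd_space_check AUDITD_CONF
    action=$(sed -n 's/^[[:space:]]*admin_space_left_action[[:space:]]*=[[:space:]]*//p' "$1" \
             | tail -n 1 | tr -d '[:space:]' | tr 'A-Z' 'a-z')
    case "$action" in
        single|suspend|halt) echo "PASS: admin_space_left_action = $action"; return 0 ;;
        "")                  echo "FINDING: admin_space_left_action not set"; return 1 ;;
        *)                   echo "FINDING: admin_space_left_action = $action"; return 1 ;;
    esac
}

# No NOPASSWD or !authenticate in sudoers, following #include and #includedir
# so drop-in files are covered. Uses the STIG's own "^[^#]*" prefix so
# commented-out lines do not count, and prints offending file:line entries.
# (Simple word splitting: paths containing spaces are not handled.)
sudoers_auth_check() {  # usage: sudoers_auth_check SUDOERS
    main=$1
    files=$main
    for inc in $(sed -n 's/^#include[[:space:]]\{1,\}//p' "$main"); do
        if [ -f "$inc" ]; then files="$files $inc"; fi
    done
    for dir in $(sed -n 's/^#includedir[[:space:]]\{1,\}//p' "$main"); do
        for f in "$dir"/*; do
            if [ -f "$f" ]; then files="$files $f"; fi
        done
    done
    hits=$(grep -E -n '^[^#]*(NOPASSWD|!authenticate)' $files || true)
    if [ -n "$hits" ]; then
        printf 'FINDING: sudo without authentication:\n%s\n' "$hits"
        return 1
    fi
    echo "PASS: sudo requires authentication"
}

# Constructed sample files: a weak and a corrected version of each.
STIG_DEMO=$(mktemp -d)
mkdir -p "$STIG_DEMO/sudoers.d.weak" "$STIG_DEMO/sudoers.d.fixed"
printf '/dev/sda3 /tmp ext4 defaults 1 2\n' > "$STIG_DEMO/fstab.weak"
printf '/dev/sda3 /tmp ext4 defaults,nodev,nosuid,noexec 1 2\n' > "$STIG_DEMO/fstab.fixed"
printf 'admin_space_left_action = IGNORE\n' > "$STIG_DEMO/auditd.conf.weak"
printf 'admin_space_left_action = single\n' > "$STIG_DEMO/auditd.conf.fixed"
printf '#includedir %s/sudoers.d.weak\n' "$STIG_DEMO" > "$STIG_DEMO/sudoers.weak"
printf '%%wheel ALL=(ALL) NOPASSWD: ALL\n' > "$STIG_DEMO/sudoers.d.weak/wheel"
printf '#includedir %s/sudoers.d.fixed\n' "$STIG_DEMO" > "$STIG_DEMO/sudoers.fixed"
printf '# %%wheel ALL=(ALL) NOPASSWD: ALL\n%%wheel ALL=(ALL) ALL\n' > "$STIG_DEMO/sudoers.d.fixed/wheel"

for f in fstab.weak fstab.fixed; do tmp_noexec_check "$STIG_DEMO/$f" || true; done
for f in auditd.conf.weak auditd.conf.fixed; do auditd_space_check "$STIG_DEMO/$f" || true; done
for f in sudoers.weak sudoers.fixed; do sudoers_auth_check "$STIG_DEMO/$f" || true; done
```

A fstab entry only governs the next mount, so on a live host pair tmp_noexec_check with a look at the options currently in effect for /tmp (mount or /proc/mounts); likewise auditd only reads auditd.conf at start, so a corrected admin_space_left_action needs a service restart to take effect.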