Last active
August 29, 2015 14:04
-
-
Save gregelin/e4f28469005328dfb54f to your computer and use it in GitHub Desktop.
SCAP-Security-Guide XCCDF file Excerpt showing rule and entire SCAP-Security-Guide XCCDF file for RHEL 6 (January 2014)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<Rule id="file_permissions_etc_passwd" selected="false" severity="medium"> | |
<title xml:lang="en-US">Verify Permissions on passwd File</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To properly set the permissions of <xhtml:code>/etc/passwd</xhtml:code>, run the command: | |
<xhtml:pre xml:space="preserve"># chmod 0644 /etc/passwd</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">225</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If the <xhtml:code>/etc/passwd</xhtml:code> file is writable by a group-owner or the | |
world the risk of its compromise is increased. The file contains the list of | |
accounts on the system and associated information, and protection of this file | |
is critical for system security.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26868-0</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:671" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it does not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check the permissions of <xhtml:code>/etc/passwd</xhtml:code>, run the command: | |
<xhtml:pre>$ ls -l /etc/passwd</xhtml:pre> | |
If properly configured, the output should indicate the following permissions: | |
<xhtml:code>-rw-r--r--</xhtml:code> | |
</check-content> | |
</check> | |
</Rule> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="RHEL-6" resolved="1" xml:lang="en-US"> | |
<status date="2013-10-24">draft</status> | |
<title xml:lang="en-US">Guide to the Secure Configuration of Red Hat Enterprise Linux 6</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This guide presents a catalog of security-relevant | |
configuration settings for Red Hat Enterprise Linux 6 formatted in the | |
eXtensible Configuration Checklist Description Format (XCCDF). | |
<br xmlns="http://www.w3.org/1999/xhtml"/> | |
<br xmlns="http://www.w3.org/1999/xhtml"/> | |
Providing system administrators with such guidance informs them how to securely | |
configure systems under their control in a variety of network roles. Policy | |
makers and baseline creators can use this catalog of settings, with its | |
associated references to higher-level security control catalogs, in order to | |
assist them in security baseline creation. This guide is a <i xmlns="http://www.w3.org/1999/xhtml">catalog, not a | |
checklist,</i> and satisfaction of every item is not likely to be possible or | |
sensible in many operational scenarios. However, the XCCDF format enables | |
granular selection and adjustment of settings, and their association with OVAL | |
and OCIL content provides an automated checking capability. Transformations of | |
this document, and its associated automated checking content, are capable of | |
providing baselines that meet a diverse set of policy objectives. Some example | |
XCCDF <i xmlns="http://www.w3.org/1999/xhtml">Profiles</i>, which are selections of items that form checklists and | |
can be used as baselines, are available with this guide. They can be | |
processed, in an automated fashion, with tools that support the Security | |
Content Automation Protocol (SCAP). The DISA STIG for RHEL 6 is one example of | |
a baseline created from this guidance. | |
</description> | |
<notice xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" id="terms_of_use">Do not attempt to implement any of the settings in | |
this guide without first testing them in a non-operational environment. The | |
creators of this guidance assume no responsibility whatsoever for its use by | |
other parties, and makes no guarantees, expressed or implied, about its | |
quality, reliability, or any other characteristic.</notice> | |
<front-matter xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The SCAP Security Guide Project<br xmlns="http://www.w3.org/1999/xhtml"/>https://fedorahosted.org/scap-security-guide</front-matter> | |
<rear-matter xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Red Hat and Red Hat Enterprise Linux are either registered | |
trademarks or trademarks of Red Hat, Inc. in the United States and other | |
countries. All other names are registered trademarks or trademarks of their | |
respective companies.</rear-matter> | |
<platform idref="cpe:/o:redhat:enterprise_linux:6"/> | |
<platform idref="cpe:/o:redhat:enterprise_linux:6::client"/> | |
<version>0.9</version> | |
<model system="urn:xccdf:scoring:default"/> | |
<Profile id="test"> | |
<title xml:lang="en-US">test</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This profile is for testing.</description> | |
<select idref="no_empty_passwords" selected="true"/> | |
<select idref="no_hashes_outside_shadow" selected="true"/> | |
<select idref="user_umask_bashrc" selected="true"/> | |
<!-- | |
<select idref="configure_auditd_num_logs" selected="true"/> | |
<select idref="configure_auditd_max_log_file" selected="true"/> | |
<select idref="auditd_data_retention_action_mail_acct" selected="true"/> | |
<select idref="auditd_data_retention_space_left_action" selected="true"/> | |
<select idref="auditd_data_retention_admin_space_left_action" selected="true"/> | |
<select idref="configure_auditd_max_log_file_action" selected="true"/> | |
<select idref="user_umask_bashrc" selected="true"/> | |
<select idref="user_umask_cshrc" selected="true"/> | |
<select idref="user_umask_profile" selected="true"/> | |
<select idref="user_umask_logindefs" selected="true"/> | |
<select idref="umask_for_daemons" selected="true"/> | |
<refine-value idref="var_auditd_num_logs" selector="5"/> | |
<refine-value idref="var_auditd_max_log_file" selector="6"/> | |
<refine-value idref="var_auditd_max_log_file_action" selector="rotate"/> | |
<refine-value idref="var_auditd_space_left_action" selector="syslog"/> | |
<refine-value idref="var_auditd_admin_space_left_action" selector="single"/> | |
<refine-value idref="var_auditd_action_mail_acct" selector="root"/> | |
<refine-value idref="var_accounts_user_umask" selector="077"/> | |
<refine-value idref="var_umask_for_daemons" selector="027"/> | |
<refine-value idref="var_accounts_password_minlen_login_defs" selector="12"/> | |
<refine-value idref="var_accounts_maximum_age_login_defs" selector="90"/> | |
<refine-value idref="var_accounts_minimum_age_login_defs" selector="7"/> | |
<refine-value idref="var_accounts_password_warn_age_login_defs" selector="7"/> | |
--> | |
</Profile> | |
<Profile id="CS2"> | |
<title xml:lang="en-US">Example Server Profile</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This profile is an example of a customized server profile.</description> | |
<select idref="accounts_password_minlen_login_defs" selected="true"/> | |
<select idref="accounts_minimum_age_login_defs" selected="true"/> | |
<select idref="acounts_maximum_age_login_defs" selected="true"/> | |
<select idref="password_require_digits" selected="true"/> | |
<select idref="password_require_uppercases" selected="true"/> | |
<select idref="password_require_specials" selected="true"/> | |
<select idref="password_require_lowercases" selected="true"/> | |
<select idref="password_require_diffchars" selected="true"/> | |
<select idref="limiting_password_reuse" selected="true"/> | |
<select idref="accounts_password_warn_age_login_defs" selected="true"/> | |
<select idref="account_disable_post_pw_expiration" selected="true"/> | |
<select idref="deny_password_attempts" selected="true"/> | |
<select idref="accounts_password_pam_cracklib_retry" selected="true"/> | |
<select idref="max_concurrent_login_sessions" selected="true"/> | |
<select idref="partition_for_tmp" selected="true"/> | |
<select idref="partition_for_var" selected="true"/> | |
<select idref="partition_for_var_log" selected="true"/> | |
<select idref="partition_for_var_log_audit" selected="true"/> | |
<select idref="partition_for_home" selected="true"/> | |
<select idref="ensure_redhat_gpgkey_installed" selected="true"/> | |
<select idref="ensure_gpgcheck_globally_activated" selected="true"/> | |
<select idref="ensure_gpgcheck_never_disabled" selected="true"/> | |
<select idref="rpm_verify_hashes" selected="true"/> | |
<select idref="rpm_verify_permissions" selected="true"/> | |
<select idref="package_aide_installed" selected="true"/> | |
<select idref="aide_build_database" selected="true"/> | |
<select idref="mountopt_nodev_on_removable_partitions" selected="true"/> | |
<select idref="mountopt_noexec_on_removable_partitions" selected="true"/> | |
<select idref="mountopt_nosuid_on_removable_partitions" selected="true"/> | |
<select idref="mount_option_tmp_nodev" selected="true"/> | |
<select idref="mount_option_tmp_noexec" selected="true"/> | |
<select idref="mount_option_tmp_nosuid" selected="true"/> | |
<select idref="mount_option_dev_shm_nodev" selected="true"/> | |
<select idref="mount_option_dev_shm_noexec" selected="true"/> | |
<select idref="mount_option_dev_shm_nosuid" selected="true"/> | |
<select idref="mount_option_var_tmp_bind_var" selected="true"/> | |
<select idref="kernel_module_usb-storage_disabled" selected="true"/> | |
<select idref="bootloader_nousb_argument" selected="true"/> | |
<select idref="kernel_module_cramfs_disabled" selected="true"/> | |
<select idref="kernel_module_freevxfs_disabled" selected="true"/> | |
<select idref="kernel_module_jffs2_disabled" selected="true"/> | |
<select idref="kernel_module_hfs_disabled" selected="true"/> | |
<select idref="kernel_module_hfsplus_disabled" selected="true"/> | |
<select idref="kernel_module_squashfs_disabled" selected="true"/> | |
<select idref="kernel_module_udf_disabled" selected="true"/> | |
<select idref="sticky_world_writable_dirs" selected="true"/> | |
<select idref="world_writeable_files" selected="true"/> | |
<select idref="no_files_unowned_by_user" selected="true"/> | |
<select idref="no_files_unowned_by_group" selected="true"/> | |
<select idref="world_writable_files_system_ownership" selected="true"/> | |
<select idref="umask_for_daemons" selected="true"/> | |
<select idref="disable_users_coredumps" selected="true"/> | |
<select idref="enable_randomize_va_space" selected="true"/> | |
<select idref="enable_execshield" selected="true"/> | |
<select idref="install_PAE_kernel_on_x86-32" selected="true"/> | |
<select idref="disable_prelink" selected="true"/> | |
<select idref="account_unique_name" selected="true"/> | |
<select idref="no_hashes_outside_shadow" selected="true"/> | |
<select idref="no_uidzero_except_root" selected="true"/> | |
<select idref="set_password_hashing_algorithm_systemauth" selected="true"/> | |
<select idref="set_password_hashing_algorithm_logindefs" selected="true"/> | |
<select idref="set_password_hashing_algorithm_libuserconf" selected="true"/> | |
<select idref="root_paths" selected="true"/> | |
<select idref="root_path_no_groupother_writable" selected="true"/> | |
<select idref="user_umask_bashrc" selected="true"/> | |
<select idref="user_umask_logindefs" selected="true"/> | |
<select idref="no_shelllogin_for_systemaccounts" selected="true"/> | |
<select idref="root_path_default" selected="true"/> | |
<select idref="no_empty_passwords" selected="true"/> | |
<select idref="user_umask_cshrc" selected="true"/> | |
<select idref="user_umask_profile" selected="true"/> | |
<select idref="no_netrc_files" selected="true"/> | |
<select idref="disable_interactive_boot" selected="true"/> | |
<select idref="package_screen_installed" selected="true"/> | |
<select idref="kernel_module_dccp_disabled" selected="true"/> | |
<select idref="kernel_module_sctp_disabled" selected="true"/> | |
<select idref="kernel_module_rds_disabled" selected="true"/> | |
<select idref="kernel_module_tipc_disabled" selected="true"/> | |
<select idref="package_rsyslog_installed" selected="true"/> | |
<select idref="service_rsyslog_enabled" selected="true"/> | |
<select idref="rsyslog_send_messages_to_logserver" selected="true"/> | |
<select idref="ensure_logrotate_activated" selected="true"/> | |
<select idref="disable_logwatch_for_logserver" selected="true"/> | |
<select idref="userowner_rsyslog_files" selected="true"/> | |
<select idref="groupowner_rsyslog_files" selected="true"/> | |
<select idref="rsyslog_file_permissions" selected="true"/> | |
<select idref="rsyslog_accept_remote_messages_none" selected="true"/> | |
<select idref="configure_logwatch_splithosts" selected="true"/> | |
<select idref="audit_rules_time_adjtimex" selected="true"/> | |
<select idref="audit_rules_time_settimeofday" selected="true"/> | |
<select idref="audit_rules_time_stime" selected="true"/> | |
<select idref="audit_rules_time_clock_settime" selected="true"/> | |
<select idref="audit_rules_time_watch_localtime" selected="true"/> | |
<select idref="audit_account_changes" selected="true"/> | |
<select idref="audit_network_modifications" selected="true"/> | |
<select idref="audit_mac_changes" selected="true"/> | |
<select idref="audit_rules_dac_modification_chmod" selected="true"/> | |
<select idref="audit_rules_dac_modification_chown" selected="true"/> | |
<select idref="audit_rules_dac_modification_fchmod" selected="true"/> | |
<select idref="audit_rules_dac_modification_fchmodat" selected="true"/> | |
<select idref="audit_rules_dac_modification_fchown" selected="true"/> | |
<select idref="audit_rules_dac_modification_fchownat" selected="true"/> | |
<select idref="audit_rules_dac_modification_fremovexattr" selected="true"/> | |
<select idref="audit_rules_dac_modification_fsetxattr" selected="true"/> | |
<select idref="audit_rules_dac_modification_lchown" selected="true"/> | |
<select idref="audit_rules_dac_modification_lremovexattr" selected="true"/> | |
<select idref="audit_rules_dac_modification_lsetxattr" selected="true"/> | |
<select idref="audit_rules_dac_modification_removexattr" selected="true"/> | |
<select idref="audit_rules_dac_modification_setxattr" selected="true"/> | |
<select idref="audit_kernel_module_loading" selected="true"/> | |
<select idref="audit_config_immutable" selected="true"/> | |
<select idref="audit_logs_permissions" selected="true"/> | |
<select idref="audit_logs_rootowner" selected="true"/> | |
<select idref="audit_manual_logon_edits" selected="true"/> | |
<select idref="audit_manual_session_edits" selected="true"/> | |
<select idref="audit_file_access" selected="true"/> | |
<select idref="audit_privileged_commands" selected="true"/> | |
<select idref="audit_media_exports" selected="true"/> | |
<select idref="audit_file_deletions" selected="true"/> | |
<select idref="securety_root_login_console_only" selected="true"/> | |
<select idref="no_direct_root_logins" selected="true"/> | |
<select idref="userowner_shadow_file" selected="true"/> | |
<select idref="groupowner_shadow_file" selected="true"/> | |
<select idref="perms_shadow_file" selected="true"/> | |
<select idref="userowner_gshadow_file" selected="true"/> | |
<select idref="groupowner_gshadow_file" selected="true"/> | |
<select idref="perms_gshadow_file" selected="true"/> | |
<select idref="userowner_passwd_file" selected="true"/> | |
<select idref="groupowner_passwd_file" selected="true"/> | |
<select idref="file_permissions_etc_passwd" selected="true"/> | |
<select idref="userowner_group_file" selected="true"/> | |
<select idref="groupowner_group_file" selected="true"/> | |
<select idref="perms_group_file" selected="true"/> | |
<select idref="file_permissions_library_dirs" selected="true"/> | |
<select idref="file_ownership_library_dirs" selected="true"/> | |
<select idref="file_permissions_binary_dirs" selected="true"/> | |
<select idref="file_ownership_binary_dirs" selected="true"/> | |
<select idref="gid_passwd_group_same" selected="true"/> | |
<select idref="homedir_perms_no_groupwrite_worldread" selected="true"/> | |
<select idref="user_owner_grub_conf" selected="true"/> | |
<select idref="group_owner_grub_conf" selected="true"/> | |
<select idref="permissions_grub_conf" selected="true"/> | |
<select idref="disable_setuid_coredumps" selected="true"/> | |
<select idref="service_restorecond_enabled" selected="true"/> | |
<select idref="selinux_confinement_of_daemons" selected="true"/> | |
<select idref="selinux_all_devicefiles_labeled" selected="true"/> | |
<select idref="set_selinux_state" selected="true"/> | |
<select idref="set_selinux_policy" selected="true"/> | |
<select idref="require_singleuser_auth" selected="true"/> | |
<select idref="disable_ctrlaltdel_reboot" selected="true"/> | |
<select idref="bootloader_password" selected="true"/> | |
<select idref="set_screensaver_inactivity_timeout" selected="true"/> | |
<select idref="enable_screensaver_after_idle" selected="true"/> | |
<select idref="enable_screensaver_password_lock" selected="true"/> | |
<select idref="set_system_login_banner" selected="true"/> | |
<select idref="enable_gdm_login_banner" selected="true"/> | |
<select idref="set_gdm_login_banner_text" selected="true"/> | |
<select idref="disable_user_list" selected="true"/> | |
<select idref="disable_gnome_thumbnailers" selected="true"/> | |
<select idref="gconf_gnome_disable_automount" selected="true"/> | |
<select idref="network_disable_zeroconf" selected="true"/> | |
<select idref="disable_sysctl_ipv4_default_send_redirects" selected="true"/> | |
<select idref="disable_sysctl_ipv4_all_send_redirects" selected="true"/> | |
<select idref="disable_sysctl_ipv4_ip_forward" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_all_accept_source_route" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_all_accept_redirects" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_all_secure_redirects" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_all_log_martians" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_default_accept_source_route" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_default_secure_redirects" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_default_accept_redirects" selected="true"/> | |
<select idref="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" selected="true"/> | |
<select idref="sysctl_net_ipv4_icmp_ignore_bogus_error_responses" selected="true"/> | |
<select idref="sysctl_net_ipv4_tcp_syncookies" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_all_rp_filter" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_default_rp_filter" selected="true"/> | |
<select idref="kernel_module_ipv6_option_disabled" selected="true"/> | |
<select idref="network_ipv6_disable_interfaces" selected="true"/> | |
<select idref="network_ipv6_disable_rpc" selected="true"/> | |
<select idref="network_ipv6_static_address" selected="true"/> | |
<select idref="network_ipv6_privacy_extensions" selected="true"/> | |
<select idref="network_ipv6_default_gateway" selected="true"/> | |
<select idref="network_ipv6_limit_requests" selected="true"/> | |
<select idref="sysctl_net_ipv6_conf_default_accept_ra" selected="true"/> | |
<select idref="sysctl_ipv6_default_accept_redirects" selected="true"/> | |
<select idref="network_sniffer_disabled" selected="true"/> | |
<select idref="wireless_disable_in_bios" selected="true"/> | |
<select idref="deactivate_wireless_interfaces" selected="true"/> | |
<select idref="service_bluetooth_disabled" selected="true"/> | |
<select idref="kernel_module_bluetooth_disabled" selected="true"/> | |
<select idref="service_crond_enabled" selected="true"/> | |
<select idref="disable_anacron" selected="true"/> | |
<select idref="service_abrtd_disabled" selected="true"/> | |
<select idref="service_acpid_disabled" selected="true"/> | |
<select idref="service_atd_disabled" selected="true"/> | |
<select idref="service_autofs_disabled" selected="true"/> | |
<select idref="service_certmonger_disabled" selected="true"/> | |
<select idref="service_cgconfig_disabled" selected="true"/> | |
<select idref="service_cgred_disabled" selected="true"/> | |
<select idref="service_cpuspeed_disabled" selected="true"/> | |
<select idref="service_haldaemon_disabled" selected="true"/> | |
<select idref="service_irqbalance_enabled" selected="true"/> | |
<select idref="service_kdump_disabled" selected="true"/> | |
<select idref="service_mdmonitor_disabled" selected="true"/> | |
<select idref="service_messagebus_disabled" selected="true"/> | |
<select idref="service_netconsole_disabled" selected="true"/> | |
<select idref="service_ntpdate_disabled" selected="true"/> | |
<select idref="service_oddjobd_disabled" selected="true"/> | |
<select idref="service_portreserve_disabled" selected="true"/> | |
<select idref="service_qpidd_disabled" selected="true"/> | |
<select idref="service_rdisc_disabled" selected="true"/> | |
<select idref="service_rhnsd_disabled" selected="true"/> | |
<select idref="service_saslauthd_disabled" selected="true"/> | |
<select idref="service_rhsmcertd_disabled" selected="true"/> | |
<select idref="service_smartd_disabled" selected="true"/> | |
<select idref="service_sysstat_disabled" selected="true"/> | |
<select idref="disable_xinetd" selected="true"/> | |
<select idref="uninstall_xinetd" selected="true"/> | |
<select idref="uninstall_telnet_server" selected="true"/> | |
<select idref="disable_telnet_service" selected="true"/> | |
<select idref="uninstall_rsh-server" selected="true"/> | |
<select idref="disable_rsh" selected="true"/> | |
<select idref="uninstall_ypserv" selected="true"/> | |
<select idref="disable_ypbind" selected="true"/> | |
<select idref="ssh_server_disabled" selected="true"/> | |
<select idref="sshd_allow_only_protocol2" selected="true"/> | |
<select idref="sshd_set_idle_timeout" selected="true"/> | |
<select idref="sshd_set_keepalive" selected="true"/> | |
<select idref="sshd_disable_rhosts" selected="true"/> | |
<select idref="sshd_disable_root_login" selected="true"/> | |
<select idref="sshd_disable_empty_passwords" selected="true"/> | |
<select idref="sshd_enable_warning_banner" selected="true"/> | |
<select idref="sshd_do_not_permit_user_env" selected="true"/> | |
<select idref="sshd_limit_user_access" selected="true"/> | |
<select idref="sshd_use_approved_ciphers" selected="true"/> | |
<select idref="disable_xwindows_with_runlevel" selected="true"/> | |
<select idref="packagegroup_xwindows_remove" selected="true"/> | |
<select idref="service_cups_disabled" selected="true"/> | |
<select idref="cups_disable_browsing" selected="true"/> | |
<select idref="disable_dhcp_client" selected="true"/> | |
<select idref="dhcp_server_disable_ddns" selected="true"/> | |
<select idref="dhcp_server_deny_decline" selected="true"/> | |
<select idref="dhcp_server_deny_bootp" selected="true"/> | |
<select idref="dhcp_server_minimize_served_info" selected="true"/> | |
<select idref="dhcp_server_configure_logging" selected="true"/> | |
<select idref="service_ntpd_enabled" selected="true"/> | |
<select idref="ntpd_specify_remote_server" selected="true"/> | |
<select idref="service_postfix_enabled" selected="true"/> | |
<select idref="package_sendmail_removed" selected="true"/> | |
<select idref="ldap_client_start_tls" selected="true"/> | |
<select idref="service_nfslock_disabled" selected="true"/> | |
<select idref="service_rpcgssd_disabled" selected="true"/> | |
<select idref="service_rpcidmapd_disabled" selected="true"/> | |
<select idref="service_netfs_disabled" selected="true"/> | |
<select idref="nfs_fixed_lockd_tcp_port" selected="true"/> | |
<select idref="nfs_fixed_lockd_udp_port" selected="true"/> | |
<select idref="nfs_fixed_statd_port" selected="true"/> | |
<select idref="nfs_fixed_mountd_port" selected="true"/> | |
<select idref="service_nfs_disabled" selected="true"/> | |
<select idref="service_rpcsvcgssd_disabled" selected="true"/> | |
<select idref="use_nodev_option_on_nfs_mounts" selected="true"/> | |
<select idref="use_nosuid_option_on_nfs_mounts" selected="true"/> | |
<select idref="use_root_squashing_all_exports" selected="true"/> | |
<select idref="restrict_nfs_clients_to_privileged_ports" selected="true"/> | |
<select idref="no_insecure_locks_exports" selected="true"/> | |
<select idref="nfs_no_anonymous" selected="true"/> | |
<select idref="disable_dns_server" selected="true"/> | |
<select idref="uninstall_bind" selected="true"/> | |
<select idref="dns_server_disable_dynamic_updates" selected="true"/> | |
<select idref="uninstall_tftp-server" selected="true"/> | |
<select idref="disable_tftp" selected="true"/> | |
<select idref="disable_vsftpd" selected="true"/> | |
<select idref="uninstall_vsftpd" selected="true"/> | |
<select idref="ftp_log_transactions" selected="true"/> | |
<select idref="ftp_present_banner" selected="true"/> | |
<select idref="uninstall_httpd" selected="true"/> | |
<select idref="httpd_servertokens_prod" selected="true"/> | |
<select idref="httpd_mod_rewrite" selected="true"/> | |
<select idref="httpd_server_side_includes" selected="true"/> | |
<select idref="httpd_webdav" selected="true"/> | |
<select idref="httpd_server_activity_status" selected="true"/> | |
<select idref="httpd_server_configuration_display" selected="true"/> | |
<select idref="httpd_url_correction" selected="true"/> | |
<select idref="httpd_proxy_support" selected="true"/> | |
<select idref="httpd_cache_support" selected="true"/> | |
<select idref="httpd_cgi_support" selected="true"/> | |
<select idref="httpd_digest_authentication" selected="true"/> | |
<select idref="httpd_ldap_support" selected="true"/> | |
<select idref="httpd_mime_magic" selected="true"/> | |
<select idref="httpd_restrict_root_directory" selected="true"/> | |
<select idref="httpd_restrict_web_directory" selected="true"/> | |
<select idref="httpd_restrict_critical_directories" selected="true"/> | |
<select idref="httpd_limit_available_methods" selected="true"/> | |
<select idref="httpd_install_mod_ssl" selected="true"/> | |
<select idref="httpd_install_mod_security" selected="true"/> | |
<select idref="httpd_conf_dir_permissions" selected="true"/> | |
<select idref="httpd_conf_files_permissions" selected="true"/> | |
<select idref="disable_dovecot" selected="true"/> | |
<select idref="uninstall_dovecot" selected="true"/> | |
<select idref="dovecot_enable_ssl" selected="true"/> | |
<select idref="dovecot_configure_ssl_cert" selected="true"/> | |
<select idref="dovecot_configure_ssl_key" selected="true"/> | |
<select idref="disable_smb_server" selected="true"/> | |
<select idref="require_smb_client_signing" selected="true"/> | |
<select idref="require_smb_client_signing_mount.cifs" selected="true"/> | |
<select idref="smb_server_disable_root" selected="true"/> | |
<select idref="disable_squid" selected="true"/> | |
<select idref="uninstall_squid" selected="true"/> | |
<select idref="disable_snmpd" selected="true"/> | |
<select idref="uninstall_net-snmp" selected="true"/> | |
<select idref="install_openswan" selected="true"/> | |
<select idref="no_rsh_trust_files" selected="true"/> | |
<select idref="tftpd_uses_secure_mode" selected="true"/> | |
<select idref="disable_avahi" selected="true"/> | |
<select idref="avahi_ip_only" selected="true"/> | |
<select idref="avahi_check_ttl" selected="true"/> | |
<select idref="avahi_prevent_port_sharing" selected="true"/> | |
<select idref="avahi_disable_publishing" selected="true"/> | |
<refine-value idref="var_accounts_password_minlen_login_defs" selector="14"/> | |
<refine-value idref="var_accounts_minimum_age_login_defs" selector="1"/> | |
<refine-value idref="var_acounts_maximum_age_login_defs" selector="180"/> | |
<refine-value idref="password_history_retain_number" selector="10"/> | |
<refine-value idref="max_concurrent_login_sessions_value" selector="3"/> | |
<refine-value idref="var_umask_for_daemons" selector="027"/> | |
<refine-value idref="var_accounts_user_umask" selector="077"/> | |
<refine-value idref="inactivity_timeout_value" selector="15_minutes"/> | |
<refine-value idref="login_banner_text" selector="dod_default"/> | |
</Profile> | |
<Profile id="common"> | |
<title xml:lang="en-US">Common Profile for General-Purpose Systems</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This profile contains items common to general-purpose desktop and server installations.</description> | |
<select idref="partition_for_tmp" selected="true"/> | |
<select idref="partition_for_var" selected="true"/> | |
<select idref="partition_for_var_log" selected="true"/> | |
<select idref="partition_for_var_log_audit" selected="true"/> | |
<select idref="partition_for_home" selected="true"/> | |
<select idref="ensure_redhat_gpgkey_installed" selected="true"/> | |
<select idref="service_rhnsd_disabled" selected="true"/> | |
<select idref="security_patches_up_to_date" selected="true"/> | |
<select idref="ensure_gpgcheck_globally_activated" selected="true"/> | |
<select idref="ensure_gpgcheck_never_disabled" selected="true"/> | |
<select idref="package_aide_installed" selected="true"/> | |
<select idref="enable_selinux_bootloader" selected="true"/> | |
<select idref="no_rsh_trust_files" selected="true"/> | |
<select idref="set_selinux_state" selected="true"/> | |
<select idref="set_selinux_policy" selected="true"/> | |
<select idref="selinux_all_devicefiles_labeled" selected="true"/> | |
<select idref="securetty_root_login_console_only" selected="true"/> | |
<select idref="restrict_serial_port_logins" selected="true"/> | |
<select idref="no_shelllogin_for_systemaccounts" selected="true"/> | |
<select idref="no_empty_passwords" selected="true"/> | |
<select idref="no_hashes_outside_shadow" selected="true"/> | |
<select idref="no_uidzero_except_root" selected="true"/> | |
<select idref="userowner_shadow_file" selected="true"/> | |
<select idref="groupowner_shadow_file" selected="true"/> | |
<select idref="perms_shadow_file" selected="true"/> | |
<select idref="userowner_gshadow_file" selected="true"/> | |
<select idref="groupowner_gshadow_file" selected="true"/> | |
<select idref="perms_gshadow_file" selected="true"/> | |
<select idref="userowner_passwd_file" selected="true"/> | |
<select idref="groupowner_passwd_file" selected="true"/> | |
<select idref="file_permissions_etc_passwd" selected="true"/> | |
<select idref="userowner_group_file" selected="true"/> | |
<select idref="groupowner_group_file" selected="true"/> | |
<select idref="perms_group_file" selected="true"/> | |
<select idref="file_permissions_library_dirs" selected="true"/> | |
<select idref="file_ownership_library_dirs" selected="true"/> | |
<select idref="file_permissions_binary_dirs" selected="true"/> | |
<select idref="file_ownership_binary_dirs" selected="true"/> | |
<select idref="audit_logs_permissions" selected="true"/> | |
<select idref="accounts_password_minlen_login_defs" selected="true"/> | |
<select idref="accounts_minimum_age_login_defs" selected="true"/> | |
<select idref="accounts_maximum_age_login_defs" selected="true"/> | |
<select idref="accounts_password_warn_age_login_defs" selected="true"/> | |
<select idref="accounts_password_pam_cracklib_retry" selected="true"/> | |
<select idref="password_require_digits" selected="true"/> | |
<select idref="password_require_uppercases" selected="true"/> | |
<select idref="password_require_specials" selected="true"/> | |
<select idref="password_require_lowercases" selected="true"/> | |
<select idref="password_require_diffchars" selected="true"/> | |
<select idref="deny_password_attempts" selected="true"/> | |
<select idref="set_password_hashing_algorithm_systemauth" selected="true"/> | |
<select idref="set_password_hashing_algorithm_logindefs" selected="true"/> | |
<select idref="set_password_hashing_algorithm_libuserconf" selected="true"/> | |
<select idref="user_owner_grub_conf" selected="true"/> | |
<select idref="group_owner_grub_conf" selected="true"/> | |
<select idref="permissions_grub_conf" selected="true"/> | |
<select idref="bootloader_password" selected="true"/> | |
<select idref="require_singleuser_auth" selected="true"/> | |
<select idref="disable_interactive_boot" selected="true"/> | |
<select idref="package_screen_installed" selected="true"/> | |
<select idref="set_system_login_banner" selected="true"/> | |
<select idref="enable_randomize_va_space" selected="true"/> | |
<select idref="enable_execshield" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_default_send_redirects" selected="true"/> | |
<select idref="sysctl_ipv4_all_send_redirects" selected="true"/> | |
<select idref="sysctl_ipv4_ip_forward" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_all_accept_source_route" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_all_accept_redirects" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_all_secure_redirects" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_all_log_martians" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_default_accept_source_route" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_default_secure_redirects" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_default_accept_redirects" selected="true"/> | |
<select idref="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" selected="true"/> | |
<select idref="sysctl_net_ipv4_icmp_ignore_bogus_error_responses" selected="true"/> | |
<select idref="sysctl_net_ipv4_tcp_syncookies" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_all_rp_filter" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_default_rp_filter" selected="true"/> | |
<select idref="kernel_module_ipv6_option_disabled" selected="true"/> | |
<select idref="sysctl_ipv6_default_accept_redirects" selected="true"/> | |
<select idref="service_ip6tables_enabled" selected="true"/> | |
<select idref="service_iptables_enabled" selected="true"/> | |
<select idref="set_iptables_default_rule" selected="true"/> | |
<select idref="kernel_module_dccp_disabled" selected="true"/> | |
<select idref="kernel_module_sctp_disabled" selected="true"/> | |
<select idref="kernel_module_rds_disabled" selected="true"/> | |
<select idref="kernel_module_tipc_disabled" selected="true"/> | |
<select idref="package_rsyslog_installed" selected="true"/> | |
<select idref="service_rsyslog_enabled" selected="true"/> | |
<select idref="userowner_rsyslog_files" selected="true"/> | |
<select idref="groupowner_rsyslog_files" selected="true"/> | |
<select idref="rsyslog_file_permissions" selected="true"/> | |
<select idref="rsyslog_send_messages_to_logserver" selected="true"/> | |
<select idref="ensure_logrotate_activated" selected="true"/> | |
<select idref="service_auditd_enabled" selected="true"/> | |
<select idref="enable_auditd_bootloader" selected="true"/> | |
<select idref="configure_auditd_num_logs" selected="true"/> | |
<select idref="configure_auditd_max_log_file" selected="true"/> | |
<select idref="configure_auditd_max_log_file_action" selected="true"/> | |
<select idref="auditd_data_retention_admin_space_left_action" selected="true"/> | |
<select idref="audit_rules_time_adjtimex" selected="true"/> | |
<select idref="audit_rules_time_settimeofday" selected="true"/> | |
<select idref="audit_rules_time_stime" selected="true"/> | |
<select idref="audit_rules_time_clock_settime" selected="true"/> | |
<select idref="audit_rules_time_watch_localtime" selected="true"/> | |
<select idref="audit_account_changes" selected="true"/> | |
<select idref="audit_network_modifications" selected="true"/> | |
<select idref="audit_mac_changes" selected="true"/> | |
<select idref="audit_rules_dac_modification_chmod" selected="true"/> | |
<select idref="audit_rules_dac_modification_chown" selected="true"/> | |
<select idref="audit_rules_dac_modification_fchmod" selected="true"/> | |
<select idref="audit_rules_dac_modification_fchmodat" selected="true"/> | |
<select idref="audit_rules_dac_modification_fchown" selected="true"/> | |
<select idref="audit_rules_dac_modification_fchownat" selected="true"/> | |
<select idref="audit_rules_dac_modification_fremovexattr" selected="true"/> | |
<select idref="audit_rules_dac_modification_fsetxattr" selected="true"/> | |
<select idref="audit_rules_dac_modification_lchown" selected="true"/> | |
<select idref="audit_rules_dac_modification_lremovexattr" selected="true"/> | |
<select idref="audit_rules_dac_modification_lsetxattr" selected="true"/> | |
<select idref="audit_rules_dac_modification_removexattr" selected="true"/> | |
<select idref="audit_rules_dac_modification_setxattr" selected="true"/> | |
<select idref="audit_file_access" selected="true"/> | |
<select idref="audit_privileged_commands" selected="true"/> | |
<select idref="audit_media_exports" selected="true"/> | |
<select idref="audit_file_deletions" selected="true"/> | |
<select idref="audit_sysadmin_actions" selected="true"/> | |
<select idref="audit_kernel_module_loading" selected="true"/> | |
<select idref="disable_xinetd" selected="true"/> | |
<select idref="uninstall_xinetd" selected="true"/> | |
<select idref="uninstall_telnet_server" selected="true"/> | |
<select idref="disable_telnet_service" selected="true"/> | |
<select idref="uninstall_rsh-server" selected="true"/> | |
<select idref="disable_rsh" selected="true"/> | |
<select idref="disable_rexec" selected="true"/> | |
<select idref="disable_rlogin" selected="true"/> | |
<select idref="uninstall_ypserv" selected="true"/> | |
<select idref="disable_ypbind" selected="true"/> | |
<select idref="uninstall_tftp-server" selected="true"/> | |
<select idref="disable_tftp" selected="true"/> | |
<select idref="service_crond_enabled" selected="true"/> | |
<select idref="sshd_allow_only_protocol2" selected="true"/> | |
<select idref="sshd_set_idle_timeout" selected="true"/> | |
<select idref="sshd_set_keepalive" selected="true"/> | |
<select idref="sshd_disable_rhosts" selected="true"/> | |
<select idref="disable_host_auth" selected="true"/> | |
<select idref="sshd_disable_root_login" selected="true"/> | |
<select idref="sshd_disable_empty_passwords" selected="true"/> | |
<select idref="sshd_enable_warning_banner" selected="true"/> | |
<select idref="sshd_do_not_permit_user_env" selected="true"/> | |
<select idref="sshd_use_approved_ciphers" selected="true"/> | |
<select idref="disable_avahi" selected="true"/> | |
<select idref="service_ntpd_enabled" selected="true"/> | |
<select idref="ntpd_specify_remote_server" selected="true"/> | |
<select idref="postfix_network_listening" selected="true"/> | |
<select idref="ldap_client_start_tls" selected="true"/> | |
<select idref="ldap_client_tls_cacertpath" selected="true"/> | |
<select idref="package_openldap-servers_removed" selected="true"/> | |
<select idref="set_screensaver_inactivity_timeout" selected="true"/> | |
<select idref="enable_screensaver_after_idle" selected="true"/> | |
<select idref="enable_screensaver_password_lock" selected="true"/> | |
<select idref="set_blank_screensaver" selected="true"/> | |
<select idref="service_abrtd_disabled" selected="true"/> | |
<select idref="service_atd_disabled" selected="true"/> | |
<select idref="service_autofs_disabled" selected="true"/> | |
<select idref="service_ntpdate_disabled" selected="true"/> | |
<select idref="service_oddjobd_disabled" selected="true"/> | |
<select idref="service_qpidd_disabled" selected="true"/> | |
<select idref="service_rdisc_disabled" selected="true"/> | |
<select idref="use_nodev_option_on_nfs_mounts" selected="true"/> | |
<select idref="use_nosuid_option_on_nfs_mounts" selected="true"/> | |
<select idref="mountopt_noexec_on_removable_partitions" selected="true"/> | |
<select idref="require_smb_client_signing" selected="true"/> | |
<select idref="require_smb_client_signing_mount.cifs" selected="true"/> | |
<select idref="limiting_password_reuse" selected="true"/> | |
<refine-value idref="inactivity_timeout_value" selector="15_minutes"/> | |
<refine-value idref="var_umask_for_daemons" selector="027"/> | |
<refine-value idref="var_accounts_password_minlen_login_defs" selector="14"/> | |
<refine-value idref="var_accounts_maximum_age_login_defs" selector="90"/> | |
<refine-value idref="var_accounts_minimum_age_login_defs" selector="7"/> | |
<refine-value idref="var_accounts_password_warn_age_login_defs" selector="7"/> | |
<refine-value idref="var_password_pam_cracklib_retry" selector="3"/> | |
<refine-value idref="var_password_pam_cracklib_minlen" selector="14"/> | |
<refine-value idref="var_password_pam_cracklib_dcredit" selector="1"/> | |
<refine-value idref="var_password_pam_cracklib_ucredit" selector="2"/> | |
<refine-value idref="var_password_pam_cracklib_ocredit" selector="2"/> | |
<refine-value idref="var_password_pam_cracklib_lcredit" selector="2"/> | |
<refine-value idref="var_password_pam_cracklib_difok" selector="3"/> | |
<refine-value idref="password_history_retain_number" selector="5"/> | |
<refine-value idref="var_accounts_user_umask" selector="077"/> | |
<refine-value idref="login_banner_text" selector="usgcb_default"/> | |
<refine-value idref="var_selinux_state_name" selector="enforcing"/> | |
<refine-value idref="var_selinux_policy_name" selector="targeted"/> | |
<refine-value idref="var_auditd_num_logs" selector="5"/> | |
<refine-value idref="var_auditd_max_log_file" selector="6"/> | |
<refine-value idref="var_auditd_max_log_file_action" selector="rotate"/> | |
<refine-value idref="var_auditd_admin_space_left_action" selector="single"/> | |
<refine-value idref="sysctl_net_ipv4_conf_all_accept_source_route_value" selector="disabled"/> | |
<refine-value idref="sysctl_net_ipv4_conf_all_accept_redirects_value" selector="disabled"/> | |
<refine-value idref="sysctl_net_ipv4_conf_all_secure_redirects_value" selector="disabled"/> | |
<refine-value idref="sysctl_net_ipv4_conf_all_log_martians_value" selector="enabled"/> | |
<refine-value idref="sysctl_net_ipv4_conf_default_accept_source_route_value" selector="disabled"/> | |
<refine-value idref="sysctl_net_ipv4_conf_default_accept_redirects_value" selector="disabled"/> | |
<refine-value idref="sysctl_net_ipv4_conf_default_secure_redirects_value" selector="disabled"/> | |
<refine-value idref="sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" selector="enabled"/> | |
<refine-value idref="sysctl_net_ipv4_icmp_ignore_bogus_error_messages_value" selector="enabled"/> | |
<refine-value idref="sysctl_net_ipv4_tcp_syncookies_value" selector="enabled"/> | |
<refine-value idref="sysctl_net_ipv4_conf_all_rp_filter_value" selector="enabled"/> | |
<refine-value idref="sysctl_net_ipv4_conf_default_rp_filter_value" selector="enabled"/> | |
<refine-value idref="file_owner_logfiles_value" selector="root"/> | |
<refine-value idref="file_groupowner_logfiles_value" selector="root"/> | |
<refine-value idref="sshd_idle_timeout_value" selector="5_minutes"/> | |
</Profile> | |
<Profile id="server"> | |
<title xml:lang="en-US">Common Profile for General-Purpose SystemsServer Baseline</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This profile contains items common to general-purpose desktop and server installations.This profile is for RHEL 6 acting as a server.</description> | |
<select idref="partition_for_tmp" selected="true"/> | |
<select idref="partition_for_var" selected="true"/> | |
<select idref="partition_for_var_log" selected="true"/> | |
<select idref="partition_for_var_log_audit" selected="true"/> | |
<select idref="partition_for_home" selected="true"/> | |
<select idref="ensure_redhat_gpgkey_installed" selected="true"/> | |
<select idref="service_rhnsd_disabled" selected="true"/> | |
<select idref="security_patches_up_to_date" selected="true"/> | |
<select idref="ensure_gpgcheck_globally_activated" selected="true"/> | |
<select idref="ensure_gpgcheck_never_disabled" selected="true"/> | |
<select idref="package_aide_installed" selected="true"/> | |
<select idref="enable_selinux_bootloader" selected="true"/> | |
<select idref="no_rsh_trust_files" selected="true"/> | |
<select idref="set_selinux_state" selected="true"/> | |
<select idref="set_selinux_policy" selected="true"/> | |
<select idref="selinux_all_devicefiles_labeled" selected="true"/> | |
<select idref="securetty_root_login_console_only" selected="true"/> | |
<select idref="restrict_serial_port_logins" selected="true"/> | |
<select idref="no_shelllogin_for_systemaccounts" selected="true"/> | |
<select idref="no_empty_passwords" selected="true"/> | |
<select idref="no_hashes_outside_shadow" selected="true"/> | |
<select idref="no_uidzero_except_root" selected="true"/> | |
<select idref="userowner_shadow_file" selected="true"/> | |
<select idref="groupowner_shadow_file" selected="true"/> | |
<select idref="perms_shadow_file" selected="true"/> | |
<select idref="userowner_gshadow_file" selected="true"/> | |
<select idref="groupowner_gshadow_file" selected="true"/> | |
<select idref="perms_gshadow_file" selected="true"/> | |
<select idref="userowner_passwd_file" selected="true"/> | |
<select idref="groupowner_passwd_file" selected="true"/> | |
<select idref="file_permissions_etc_passwd" selected="true"/> | |
<select idref="userowner_group_file" selected="true"/> | |
<select idref="groupowner_group_file" selected="true"/> | |
<select idref="perms_group_file" selected="true"/> | |
<select idref="file_permissions_library_dirs" selected="true"/> | |
<select idref="file_ownership_library_dirs" selected="true"/> | |
<select idref="file_permissions_binary_dirs" selected="true"/> | |
<select idref="file_ownership_binary_dirs" selected="true"/> | |
<select idref="audit_logs_permissions" selected="true"/> | |
<select idref="accounts_password_minlen_login_defs" selected="true"/> | |
<select idref="accounts_minimum_age_login_defs" selected="true"/> | |
<select idref="accounts_maximum_age_login_defs" selected="true"/> | |
<select idref="accounts_password_warn_age_login_defs" selected="true"/> | |
<select idref="accounts_password_pam_cracklib_retry" selected="true"/> | |
<select idref="password_require_digits" selected="true"/> | |
<select idref="password_require_uppercases" selected="true"/> | |
<select idref="password_require_specials" selected="true"/> | |
<select idref="password_require_lowercases" selected="true"/> | |
<select idref="password_require_diffchars" selected="true"/> | |
<select idref="deny_password_attempts" selected="true"/> | |
<select idref="set_password_hashing_algorithm_systemauth" selected="true"/> | |
<select idref="set_password_hashing_algorithm_logindefs" selected="true"/> | |
<select idref="set_password_hashing_algorithm_libuserconf" selected="true"/> | |
<select idref="user_owner_grub_conf" selected="true"/> | |
<select idref="group_owner_grub_conf" selected="true"/> | |
<select idref="permissions_grub_conf" selected="true"/> | |
<select idref="bootloader_password" selected="true"/> | |
<select idref="require_singleuser_auth" selected="true"/> | |
<select idref="disable_interactive_boot" selected="true"/> | |
<select idref="package_screen_installed" selected="true"/> | |
<select idref="set_system_login_banner" selected="true"/> | |
<select idref="enable_randomize_va_space" selected="true"/> | |
<select idref="enable_execshield" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_default_send_redirects" selected="true"/> | |
<select idref="sysctl_ipv4_all_send_redirects" selected="true"/> | |
<select idref="sysctl_ipv4_ip_forward" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_all_accept_source_route" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_all_accept_redirects" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_all_secure_redirects" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_all_log_martians" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_default_accept_source_route" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_default_secure_redirects" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_default_accept_redirects" selected="true"/> | |
<select idref="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" selected="true"/> | |
<select idref="sysctl_net_ipv4_icmp_ignore_bogus_error_responses" selected="true"/> | |
<select idref="sysctl_net_ipv4_tcp_syncookies" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_all_rp_filter" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_default_rp_filter" selected="true"/> | |
<select idref="kernel_module_ipv6_option_disabled" selected="true"/> | |
<select idref="sysctl_ipv6_default_accept_redirects" selected="true"/> | |
<select idref="service_ip6tables_enabled" selected="true"/> | |
<select idref="service_iptables_enabled" selected="true"/> | |
<select idref="set_iptables_default_rule" selected="true"/> | |
<select idref="kernel_module_dccp_disabled" selected="true"/> | |
<select idref="kernel_module_sctp_disabled" selected="true"/> | |
<select idref="kernel_module_rds_disabled" selected="true"/> | |
<select idref="kernel_module_tipc_disabled" selected="true"/> | |
<select idref="package_rsyslog_installed" selected="true"/> | |
<select idref="service_rsyslog_enabled" selected="true"/> | |
<select idref="userowner_rsyslog_files" selected="true"/> | |
<select idref="groupowner_rsyslog_files" selected="true"/> | |
<select idref="rsyslog_file_permissions" selected="true"/> | |
<select idref="rsyslog_send_messages_to_logserver" selected="true"/> | |
<select idref="ensure_logrotate_activated" selected="true"/> | |
<select idref="service_auditd_enabled" selected="true"/> | |
<select idref="enable_auditd_bootloader" selected="true"/> | |
<select idref="configure_auditd_num_logs" selected="true"/> | |
<select idref="configure_auditd_max_log_file" selected="true"/> | |
<select idref="configure_auditd_max_log_file_action" selected="true"/> | |
<select idref="auditd_data_retention_admin_space_left_action" selected="true"/> | |
<select idref="audit_rules_time_adjtimex" selected="true"/> | |
<select idref="audit_rules_time_settimeofday" selected="true"/> | |
<select idref="audit_rules_time_stime" selected="true"/> | |
<select idref="audit_rules_time_clock_settime" selected="true"/> | |
<select idref="audit_rules_time_watch_localtime" selected="true"/> | |
<select idref="audit_account_changes" selected="true"/> | |
<select idref="audit_network_modifications" selected="true"/> | |
<select idref="audit_mac_changes" selected="true"/> | |
<select idref="audit_rules_dac_modification_chmod" selected="true"/> | |
<select idref="audit_rules_dac_modification_chown" selected="true"/> | |
<select idref="audit_rules_dac_modification_fchmod" selected="true"/> | |
<select idref="audit_rules_dac_modification_fchmodat" selected="true"/> | |
<select idref="audit_rules_dac_modification_fchown" selected="true"/> | |
<select idref="audit_rules_dac_modification_fchownat" selected="true"/> | |
<select idref="audit_rules_dac_modification_fremovexattr" selected="true"/> | |
<select idref="audit_rules_dac_modification_fsetxattr" selected="true"/> | |
<select idref="audit_rules_dac_modification_lchown" selected="true"/> | |
<select idref="audit_rules_dac_modification_lremovexattr" selected="true"/> | |
<select idref="audit_rules_dac_modification_lsetxattr" selected="true"/> | |
<select idref="audit_rules_dac_modification_removexattr" selected="true"/> | |
<select idref="audit_rules_dac_modification_setxattr" selected="true"/> | |
<select idref="audit_file_access" selected="true"/> | |
<select idref="audit_privileged_commands" selected="true"/> | |
<select idref="audit_media_exports" selected="true"/> | |
<select idref="audit_file_deletions" selected="true"/> | |
<select idref="audit_sysadmin_actions" selected="true"/> | |
<select idref="audit_kernel_module_loading" selected="true"/> | |
<select idref="disable_xinetd" selected="true"/> | |
<select idref="uninstall_xinetd" selected="true"/> | |
<select idref="uninstall_telnet_server" selected="true"/> | |
<select idref="disable_telnet_service" selected="true"/> | |
<select idref="uninstall_rsh-server" selected="true"/> | |
<select idref="disable_rsh" selected="true"/> | |
<select idref="disable_rexec" selected="true"/> | |
<select idref="disable_rlogin" selected="true"/> | |
<select idref="uninstall_ypserv" selected="true"/> | |
<select idref="disable_ypbind" selected="true"/> | |
<select idref="uninstall_tftp-server" selected="true"/> | |
<select idref="disable_tftp" selected="true"/> | |
<select idref="service_crond_enabled" selected="true"/> | |
<select idref="sshd_allow_only_protocol2" selected="true"/> | |
<select idref="sshd_set_idle_timeout" selected="true"/> | |
<select idref="sshd_set_keepalive" selected="true"/> | |
<select idref="sshd_disable_rhosts" selected="true"/> | |
<select idref="disable_host_auth" selected="true"/> | |
<select idref="sshd_disable_root_login" selected="true"/> | |
<select idref="sshd_disable_empty_passwords" selected="true"/> | |
<select idref="sshd_enable_warning_banner" selected="true"/> | |
<select idref="sshd_do_not_permit_user_env" selected="true"/> | |
<select idref="sshd_use_approved_ciphers" selected="true"/> | |
<select idref="disable_avahi" selected="true"/> | |
<select idref="service_ntpd_enabled" selected="true"/> | |
<select idref="ntpd_specify_remote_server" selected="true"/> | |
<select idref="postfix_network_listening" selected="true"/> | |
<select idref="ldap_client_start_tls" selected="true"/> | |
<select idref="ldap_client_tls_cacertpath" selected="true"/> | |
<select idref="package_openldap-servers_removed" selected="true"/> | |
<select idref="set_screensaver_inactivity_timeout" selected="true"/> | |
<select idref="enable_screensaver_after_idle" selected="true"/> | |
<select idref="enable_screensaver_password_lock" selected="true"/> | |
<select idref="set_blank_screensaver" selected="true"/> | |
<select idref="service_abrtd_disabled" selected="true"/> | |
<select idref="service_atd_disabled" selected="true"/> | |
<select idref="service_autofs_disabled" selected="true"/> | |
<select idref="service_ntpdate_disabled" selected="true"/> | |
<select idref="service_oddjobd_disabled" selected="true"/> | |
<select idref="service_qpidd_disabled" selected="true"/> | |
<select idref="service_rdisc_disabled" selected="true"/> | |
<select idref="use_nodev_option_on_nfs_mounts" selected="true"/> | |
<select idref="use_nosuid_option_on_nfs_mounts" selected="true"/> | |
<select idref="mountopt_noexec_on_removable_partitions" selected="true"/> | |
<select idref="require_smb_client_signing" selected="true"/> | |
<select idref="require_smb_client_signing_mount.cifs" selected="true"/> | |
<select idref="limiting_password_reuse" selected="true"/> | |
<select idref="deactivate_wireless_interfaces" selected="true"/> | |
<select idref="disable_xwindows_with_runlevel" selected="true"/> | |
<select idref="packagegroup_xwindows_remove" selected="true"/> | |
<select idref="disable_dhcp_client" selected="true"/> | |
<refine-value idref="inactivity_timeout_value" selector="15_minutes"/> | |
<refine-value idref="var_umask_for_daemons" selector="027"/> | |
<refine-value idref="var_accounts_password_minlen_login_defs" selector="14"/> | |
<refine-value idref="var_accounts_maximum_age_login_defs" selector="90"/> | |
<refine-value idref="var_accounts_minimum_age_login_defs" selector="7"/> | |
<refine-value idref="var_accounts_password_warn_age_login_defs" selector="7"/> | |
<refine-value idref="var_password_pam_cracklib_retry" selector="3"/> | |
<refine-value idref="var_password_pam_cracklib_minlen" selector="14"/> | |
<refine-value idref="var_password_pam_cracklib_dcredit" selector="1"/> | |
<refine-value idref="var_password_pam_cracklib_ucredit" selector="2"/> | |
<refine-value idref="var_password_pam_cracklib_ocredit" selector="2"/> | |
<refine-value idref="var_password_pam_cracklib_lcredit" selector="2"/> | |
<refine-value idref="var_password_pam_cracklib_difok" selector="3"/> | |
<refine-value idref="password_history_retain_number" selector="5"/> | |
<refine-value idref="var_accounts_user_umask" selector="077"/> | |
<refine-value idref="login_banner_text" selector="usgcb_default"/> | |
<refine-value idref="var_selinux_state_name" selector="enforcing"/> | |
<refine-value idref="var_selinux_policy_name" selector="targeted"/> | |
<refine-value idref="var_auditd_num_logs" selector="5"/> | |
<refine-value idref="var_auditd_max_log_file" selector="6"/> | |
<refine-value idref="var_auditd_max_log_file_action" selector="rotate"/> | |
<refine-value idref="var_auditd_admin_space_left_action" selector="single"/> | |
<refine-value idref="sysctl_net_ipv4_conf_all_accept_source_route_value" selector="disabled"/> | |
<refine-value idref="sysctl_net_ipv4_conf_all_accept_redirects_value" selector="disabled"/> | |
<refine-value idref="sysctl_net_ipv4_conf_all_secure_redirects_value" selector="disabled"/> | |
<refine-value idref="sysctl_net_ipv4_conf_all_log_martians_value" selector="enabled"/> | |
<refine-value idref="sysctl_net_ipv4_conf_default_accept_source_route_value" selector="disabled"/> | |
<refine-value idref="sysctl_net_ipv4_conf_default_accept_redirects_value" selector="disabled"/> | |
<refine-value idref="sysctl_net_ipv4_conf_default_secure_redirects_value" selector="disabled"/> | |
<refine-value idref="sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" selector="enabled"/> | |
<refine-value idref="sysctl_net_ipv4_icmp_ignore_bogus_error_messages_value" selector="enabled"/> | |
<refine-value idref="sysctl_net_ipv4_tcp_syncookies_value" selector="enabled"/> | |
<refine-value idref="sysctl_net_ipv4_conf_all_rp_filter_value" selector="enabled"/> | |
<refine-value idref="sysctl_net_ipv4_conf_default_rp_filter_value" selector="enabled"/> | |
<refine-value idref="file_owner_logfiles_value" selector="root"/> | |
<refine-value idref="file_groupowner_logfiles_value" selector="root"/> | |
<refine-value idref="sshd_idle_timeout_value" selector="5_minutes"/> | |
</Profile> | |
<Profile id="stig-rhel6-server"> | |
<title xml:lang="en-US">Common Profile for General-Purpose SystemsPre-release Draft STIG for RHEL 6 Server</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This profile contains items common to general-purpose desktop and server installations.This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.</description> | |
<select idref="partition_for_tmp" selected="true"/> | |
<select idref="partition_for_var" selected="true"/> | |
<select idref="partition_for_var_log" selected="true"/> | |
<select idref="partition_for_var_log_audit" selected="true"/> | |
<select idref="partition_for_home" selected="true"/> | |
<select idref="ensure_redhat_gpgkey_installed" selected="true"/> | |
<select idref="service_rhnsd_disabled" selected="true"/> | |
<select idref="security_patches_up_to_date" selected="true"/> | |
<select idref="ensure_gpgcheck_globally_activated" selected="true"/> | |
<select idref="ensure_gpgcheck_never_disabled" selected="true"/> | |
<select idref="package_aide_installed" selected="true"/> | |
<select idref="enable_selinux_bootloader" selected="true"/> | |
<select idref="no_rsh_trust_files" selected="true"/> | |
<select idref="set_selinux_state" selected="true"/> | |
<select idref="set_selinux_policy" selected="true"/> | |
<select idref="selinux_all_devicefiles_labeled" selected="true"/> | |
<select idref="securetty_root_login_console_only" selected="true"/> | |
<select idref="restrict_serial_port_logins" selected="true"/> | |
<select idref="no_shelllogin_for_systemaccounts" selected="true"/> | |
<select idref="no_empty_passwords" selected="true"/> | |
<select idref="no_hashes_outside_shadow" selected="true"/> | |
<select idref="no_uidzero_except_root" selected="true"/> | |
<select idref="userowner_shadow_file" selected="true"/> | |
<select idref="groupowner_shadow_file" selected="true"/> | |
<select idref="perms_shadow_file" selected="true"/> | |
<select idref="userowner_gshadow_file" selected="true"/> | |
<select idref="groupowner_gshadow_file" selected="true"/> | |
<select idref="perms_gshadow_file" selected="true"/> | |
<select idref="userowner_passwd_file" selected="true"/> | |
<select idref="groupowner_passwd_file" selected="true"/> | |
<select idref="file_permissions_etc_passwd" selected="true"/> | |
<select idref="userowner_group_file" selected="true"/> | |
<select idref="groupowner_group_file" selected="true"/> | |
<select idref="perms_group_file" selected="true"/> | |
<select idref="file_permissions_library_dirs" selected="true"/> | |
<select idref="file_ownership_library_dirs" selected="true"/> | |
<select idref="file_permissions_binary_dirs" selected="true"/> | |
<select idref="file_ownership_binary_dirs" selected="true"/> | |
<select idref="audit_logs_permissions" selected="true"/> | |
<select idref="accounts_password_minlen_login_defs" selected="true"/> | |
<select idref="accounts_minimum_age_login_defs" selected="true"/> | |
<select idref="accounts_maximum_age_login_defs" selected="true"/> | |
<select idref="accounts_password_warn_age_login_defs" selected="true"/> | |
<select idref="accounts_password_pam_cracklib_retry" selected="true"/> | |
<select idref="password_require_digits" selected="true"/> | |
<select idref="password_require_uppercases" selected="true"/> | |
<select idref="password_require_specials" selected="true"/> | |
<select idref="password_require_lowercases" selected="true"/> | |
<select idref="password_require_diffchars" selected="true"/> | |
<select idref="deny_password_attempts" selected="true"/> | |
<select idref="set_password_hashing_algorithm_systemauth" selected="true"/> | |
<select idref="set_password_hashing_algorithm_logindefs" selected="true"/> | |
<select idref="set_password_hashing_algorithm_libuserconf" selected="true"/> | |
<select idref="user_owner_grub_conf" selected="true"/> | |
<select idref="group_owner_grub_conf" selected="true"/> | |
<select idref="permissions_grub_conf" selected="true"/> | |
<select idref="bootloader_password" selected="true"/> | |
<select idref="require_singleuser_auth" selected="true"/> | |
<select idref="disable_interactive_boot" selected="true"/> | |
<select idref="package_screen_installed" selected="true"/> | |
<select idref="set_system_login_banner" selected="true"/> | |
<select idref="enable_randomize_va_space" selected="true"/> | |
<select idref="enable_execshield" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_default_send_redirects" selected="true"/> | |
<select idref="sysctl_ipv4_all_send_redirects" selected="true"/> | |
<select idref="sysctl_ipv4_ip_forward" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_all_accept_source_route" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_all_accept_redirects" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_all_secure_redirects" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_all_log_martians" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_default_accept_source_route" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_default_secure_redirects" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_default_accept_redirects" selected="true"/> | |
<select idref="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" selected="true"/> | |
<select idref="sysctl_net_ipv4_icmp_ignore_bogus_error_responses" selected="true"/> | |
<select idref="sysctl_net_ipv4_tcp_syncookies" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_all_rp_filter" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_default_rp_filter" selected="true"/> | |
<select idref="kernel_module_ipv6_option_disabled" selected="true"/> | |
<select idref="sysctl_ipv6_default_accept_redirects" selected="true"/> | |
<select idref="service_ip6tables_enabled" selected="true"/> | |
<select idref="service_iptables_enabled" selected="true"/> | |
<select idref="set_iptables_default_rule" selected="true"/> | |
<select idref="kernel_module_dccp_disabled" selected="true"/> | |
<select idref="kernel_module_sctp_disabled" selected="true"/> | |
<select idref="kernel_module_rds_disabled" selected="true"/> | |
<select idref="kernel_module_tipc_disabled" selected="true"/> | |
<select idref="package_rsyslog_installed" selected="true"/> | |
<select idref="service_rsyslog_enabled" selected="true"/> | |
<select idref="userowner_rsyslog_files" selected="true"/> | |
<select idref="groupowner_rsyslog_files" selected="true"/> | |
<select idref="rsyslog_file_permissions" selected="true"/> | |
<select idref="rsyslog_send_messages_to_logserver" selected="true"/> | |
<select idref="ensure_logrotate_activated" selected="true"/> | |
<select idref="service_auditd_enabled" selected="true"/> | |
<select idref="enable_auditd_bootloader" selected="true"/> | |
<select idref="configure_auditd_num_logs" selected="true"/> | |
<select idref="configure_auditd_max_log_file" selected="true"/> | |
<select idref="configure_auditd_max_log_file_action" selected="true"/> | |
<select idref="auditd_data_retention_admin_space_left_action" selected="true"/> | |
<select idref="audit_rules_time_adjtimex" selected="true"/> | |
<select idref="audit_rules_time_settimeofday" selected="true"/> | |
<select idref="audit_rules_time_stime" selected="true"/> | |
<select idref="audit_rules_time_clock_settime" selected="true"/> | |
<select idref="audit_rules_time_watch_localtime" selected="true"/> | |
<select idref="audit_account_changes" selected="true"/> | |
<select idref="audit_network_modifications" selected="true"/> | |
<select idref="audit_mac_changes" selected="true"/> | |
<select idref="audit_rules_dac_modification_chmod" selected="true"/> | |
<select idref="audit_rules_dac_modification_chown" selected="true"/> | |
<select idref="audit_rules_dac_modification_fchmod" selected="true"/> | |
<select idref="audit_rules_dac_modification_fchmodat" selected="true"/> | |
<select idref="audit_rules_dac_modification_fchown" selected="true"/> | |
<select idref="audit_rules_dac_modification_fchownat" selected="true"/> | |
<select idref="audit_rules_dac_modification_fremovexattr" selected="true"/> | |
<select idref="audit_rules_dac_modification_fsetxattr" selected="true"/> | |
<select idref="audit_rules_dac_modification_lchown" selected="true"/> | |
<select idref="audit_rules_dac_modification_lremovexattr" selected="true"/> | |
<select idref="audit_rules_dac_modification_lsetxattr" selected="true"/> | |
<select idref="audit_rules_dac_modification_removexattr" selected="true"/> | |
<select idref="audit_rules_dac_modification_setxattr" selected="true"/> | |
<select idref="audit_file_access" selected="true"/> | |
<select idref="audit_privileged_commands" selected="true"/> | |
<select idref="audit_media_exports" selected="true"/> | |
<select idref="audit_file_deletions" selected="true"/> | |
<select idref="audit_sysadmin_actions" selected="true"/> | |
<select idref="audit_kernel_module_loading" selected="true"/> | |
<select idref="disable_xinetd" selected="true"/> | |
<select idref="uninstall_xinetd" selected="true"/> | |
<select idref="uninstall_telnet_server" selected="true"/> | |
<select idref="disable_telnet_service" selected="true"/> | |
<select idref="uninstall_rsh-server" selected="true"/> | |
<select idref="disable_rsh" selected="true"/> | |
<select idref="disable_rexec" selected="true"/> | |
<select idref="disable_rlogin" selected="true"/> | |
<select idref="uninstall_ypserv" selected="true"/> | |
<select idref="disable_ypbind" selected="true"/> | |
<select idref="uninstall_tftp-server" selected="true"/> | |
<select idref="disable_tftp" selected="true"/> | |
<select idref="service_crond_enabled" selected="true"/> | |
<select idref="sshd_allow_only_protocol2" selected="true"/> | |
<select idref="sshd_set_idle_timeout" selected="true"/> | |
<select idref="sshd_set_keepalive" selected="true"/> | |
<select idref="sshd_disable_rhosts" selected="true"/> | |
<select idref="disable_host_auth" selected="true"/> | |
<select idref="sshd_disable_root_login" selected="true"/> | |
<select idref="sshd_disable_empty_passwords" selected="true"/> | |
<select idref="sshd_enable_warning_banner" selected="true"/> | |
<select idref="sshd_do_not_permit_user_env" selected="true"/> | |
<select idref="sshd_use_approved_ciphers" selected="true"/> | |
<select idref="disable_avahi" selected="true"/> | |
<select idref="service_ntpd_enabled" selected="true"/> | |
<select idref="ntpd_specify_remote_server" selected="true"/> | |
<select idref="postfix_network_listening" selected="true"/> | |
<select idref="ldap_client_start_tls" selected="true"/> | |
<select idref="ldap_client_tls_cacertpath" selected="true"/> | |
<select idref="package_openldap-servers_removed" selected="true"/> | |
<select idref="set_screensaver_inactivity_timeout" selected="true"/> | |
<select idref="enable_screensaver_after_idle" selected="true"/> | |
<select idref="enable_screensaver_password_lock" selected="true"/> | |
<select idref="set_blank_screensaver" selected="true"/> | |
<select idref="service_abrtd_disabled" selected="true"/> | |
<select idref="service_autofs_disabled" selected="true"/> | |
<select idref="service_ntpdate_disabled" selected="true"/> | |
<select idref="service_oddjobd_disabled" selected="true"/> | |
<select idref="service_qpidd_disabled" selected="true"/> | |
<select idref="service_rdisc_disabled" selected="true"/> | |
<select idref="use_nodev_option_on_nfs_mounts" selected="true"/> | |
<select idref="use_nosuid_option_on_nfs_mounts" selected="true"/> | |
<select idref="mountopt_noexec_on_removable_partitions" selected="true"/> | |
<select idref="require_smb_client_signing" selected="true"/> | |
<select idref="require_smb_client_signing_mount.cifs" selected="true"/> | |
<select idref="encrypt_partitions" selected="true"/> | |
<select idref="rpm_verify_permissions" selected="true"/> | |
<select idref="rpm_verify_hashes" selected="true"/> | |
<select idref="world_writeable_files" selected="true"/> | |
<select idref="install_antivirus" selected="true"/> | |
<select idref="install_hids" selected="true"/> | |
<select idref="disable_ctrlaltdel_reboot" selected="true"/> | |
<select idref="service_postfix_enabled" selected="true"/> | |
<select idref="package_sendmail_removed" selected="true"/> | |
<select idref="service_netconsole_disabled" selected="true"/> | |
<select idref="disable_xwindows_with_runlevel" selected="true"/> | |
<select idref="packagegroup_xwindows_remove" selected="true"/> | |
<select idref="disable_dhcp_client" selected="true"/> | |
<select idref="limiting_password_reuse" selected="true"/> | |
<select idref="gid_passwd_group_same" selected="true"/> | |
<select idref="account_unique_name" selected="true"/> | |
<select idref="account_temp_expire_date" selected="true"/> | |
<select idref="password_require_consecrepeat" selected="true"/> | |
<select idref="no_files_unowned_by_user" selected="true"/> | |
<select idref="no_files_unowned_by_group" selected="true"/> | |
<select idref="aide_periodic_cron_checking" selected="true"/> | |
<select idref="disable_users_coredumps" selected="true"/> | |
<select idref="no_insecure_locks_exports" selected="true"/> | |
<select idref="auditd_data_retention_space_left_action" selected="true"/> | |
<select idref="auditd_data_retention_action_mail_acct" selected="true"/> | |
<select idref="kernel_module_bluetooth_disabled" selected="true"/> | |
<select idref="kernel_module_usb-storage_disabled" selected="true"/> | |
<select idref="max_concurrent_login_sessions" selected="true"/> | |
<select idref="set_iptables_default_rule_forward" selected="true"/> | |
<select idref="install_openswan" selected="true"/> | |
<select idref="enable_gdm_login_banner" selected="true"/> | |
<select idref="set_gdm_login_banner_text" selected="true"/> | |
<select idref="service_bluetooth_disabled" selected="true"/> | |
<select idref="account_disable_post_pw_expiration" selected="true"/> | |
<select idref="sticky_world_writable_dirs" selected="true"/> | |
<select idref="world_writable_files_system_ownership" selected="true"/> | |
<select idref="tftpd_uses_secure_mode" selected="true"/> | |
<select idref="ftp_log_transactions" selected="true"/> | |
<select idref="snmpd_use_newer_protocol" selected="true"/> | |
<select idref="snmpd_not_default_password" selected="true"/> | |
<select idref="user_umask_bashrc" selected="true"/> | |
<select idref="user_umask_cshrc" selected="true"/> | |
<select idref="user_umask_profile" selected="true"/> | |
<select idref="user_umask_logindefs" selected="true"/> | |
<select idref="umask_for_daemons" selected="true"/> | |
<select idref="no_netrc_files" selected="true"/> | |
<select idref="ftp_present_banner" selected="true"/> | |
<select idref="smartcard_auth" selected="true"/> | |
<select idref="display_login_attempts" selected="true"/> | |
<select idref="deny_password_attempts_unlock_time" selected="true"/> | |
<select idref="deny_password_attempts_fail_interval" selected="true"/> | |
<select idref="service_atd_disabled" selected="false"/> | |
<refine-value idref="inactivity_timeout_value" selector="15_minutes"/> | |
<refine-value idref="var_accounts_password_minlen_login_defs" selector="14"/> | |
<refine-value idref="var_accounts_password_warn_age_login_defs" selector="7"/> | |
<refine-value idref="var_password_pam_cracklib_retry" selector="3"/> | |
<refine-value idref="var_password_pam_cracklib_minlen" selector="14"/> | |
<refine-value idref="var_password_pam_cracklib_dcredit" selector="1"/> | |
<refine-value idref="var_password_pam_cracklib_difok" selector="3"/> | |
<refine-value idref="var_selinux_state_name" selector="enforcing"/> | |
<refine-value idref="var_selinux_policy_name" selector="targeted"/> | |
<refine-value idref="var_auditd_num_logs" selector="5"/> | |
<refine-value idref="var_auditd_max_log_file" selector="6"/> | |
<refine-value idref="var_auditd_max_log_file_action" selector="rotate"/> | |
<refine-value idref="var_auditd_admin_space_left_action" selector="single"/> | |
<refine-value idref="sysctl_net_ipv4_conf_all_accept_source_route_value" selector="disabled"/> | |
<refine-value idref="sysctl_net_ipv4_conf_all_accept_redirects_value" selector="disabled"/> | |
<refine-value idref="sysctl_net_ipv4_conf_all_secure_redirects_value" selector="disabled"/> | |
<refine-value idref="sysctl_net_ipv4_conf_all_log_martians_value" selector="enabled"/> | |
<refine-value idref="sysctl_net_ipv4_conf_default_accept_source_route_value" selector="disabled"/> | |
<refine-value idref="sysctl_net_ipv4_conf_default_accept_redirects_value" selector="disabled"/> | |
<refine-value idref="sysctl_net_ipv4_conf_default_secure_redirects_value" selector="disabled"/> | |
<refine-value idref="sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" selector="enabled"/> | |
<refine-value idref="sysctl_net_ipv4_icmp_ignore_bogus_error_messages_value" selector="enabled"/> | |
<refine-value idref="sysctl_net_ipv4_tcp_syncookies_value" selector="enabled"/> | |
<refine-value idref="sysctl_net_ipv4_conf_all_rp_filter_value" selector="enabled"/> | |
<refine-value idref="sysctl_net_ipv4_conf_default_rp_filter_value" selector="enabled"/> | |
<refine-value idref="file_owner_logfiles_value" selector="root"/> | |
<refine-value idref="file_groupowner_logfiles_value" selector="root"/> | |
<refine-value idref="max_concurrent_login_sessions_value" selector="10"/> | |
<refine-value idref="login_banner_text" selector="dod_default"/> | |
<refine-value idref="var_accounts_user_umask" selector="077"/> | |
<refine-value idref="var_umask_for_daemons" selector="027"/> | |
<refine-value idref="var_accounts_passwords_pam_faillock_unlock_time" selector="604800"/> | |
<refine-value idref="var_accounts_passwords_pam_faillock_fail_interval" selector="900"/> | |
<refine-value idref="password_history_retain_number" selector="24"/> | |
<refine-value idref="var_accounts_maximum_age_login_defs" selector="60"/> | |
<refine-value idref="var_accounts_minimum_age_login_defs" selector="1"/> | |
<refine-value idref="var_accounts_passwords_pam_faillock_deny" selector="3"/> | |
<refine-value idref="var_password_pam_cracklib_ucredit" selector="1"/> | |
<refine-value idref="var_password_pam_cracklib_ocredit" selector="1"/> | |
<refine-value idref="var_password_pam_cracklib_lcredit" selector="1"/> | |
<refine-value idref="sshd_idle_timeout_value" selector="15_minutes"/> | |
</Profile> | |
<Profile id="usgcb-rhel6-server"> | |
<title xml:lang="en-US">United States Government Configuration Baseline (USGCB)</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This profile is a working draft for a USGCB submission against RHEL6 Server.</description> | |
<select idref="partition_for_tmp" selected="true"/> | |
<select idref="partition_for_var" selected="true"/> | |
<select idref="partition_for_var_log" selected="true"/> | |
<select idref="partition_for_var_log_audit" selected="true"/> | |
<select idref="partition_for_home" selected="true"/> | |
<select idref="ensure_redhat_gpgkey_installed" selected="true"/> | |
<select idref="service_rhnsd_disabled" selected="true"/> | |
<select idref="security_patches_up_to_date" selected="true"/> | |
<select idref="ensure_gpgcheck_globally_activated" selected="true"/> | |
<select idref="ensure_gpgcheck_never_disabled" selected="true"/> | |
<select idref="package_aide_installed" selected="true"/> | |
<select idref="rpm_verify_permissions" selected="true"/> | |
<select idref="rpm_verify_hashes" selected="true"/> | |
<select idref="mountopt_nodev_on_nonroot_partitions" selected="true"/> | |
<select idref="mountopt_nodev_on_removable_partitions" selected="true"/> | |
<select idref="mountopt_noexec_on_removable_partitions" selected="true"/> | |
<select idref="mountopt_nosuid_on_removable_partitions" selected="true"/> | |
<select idref="mount_option_tmp_nodev" selected="true"/> | |
<select idref="mount_option_tmp_nosuid" selected="true"/> | |
<select idref="mount_option_tmp_noexec" selected="true"/> | |
<select idref="mount_option_dev_shm_nodev" selected="true"/> | |
<select idref="mount_option_dev_shm_nosuid" selected="true"/> | |
<select idref="mount_option_dev_shm_noexec" selected="true"/> | |
<select idref="mount_option_var_tmp_bind_var" selected="true"/> | |
<select idref="kernel_module_cramfs_disabled" selected="true"/> | |
<select idref="kernel_module_freevxfs_disabled" selected="true"/> | |
<select idref="kernel_module_hfs_disabled" selected="true"/> | |
<select idref="kernel_module_hfsplus_disabled" selected="true"/> | |
<select idref="kernel_module_jffs2_disabled" selected="true"/> | |
<select idref="kernel_module_squashfs_disabled" selected="true"/> | |
<select idref="kernel_module_udf_disabled" selected="true"/> | |
<select idref="perms_gshadow_file" selected="true"/> | |
<select idref="userowner_gshadow_file" selected="true"/> | |
<select idref="groupowner_gshadow_file" selected="true"/> | |
<select idref="perms_shadow_file" selected="true"/> | |
<select idref="userowner_shadow_file" selected="true"/> | |
<select idref="groupowner_shadow_file" selected="true"/> | |
<select idref="perms_group_file" selected="true"/> | |
<select idref="userowner_group_file" selected="true"/> | |
<select idref="groupowner_group_file" selected="true"/> | |
<select idref="file_permissions_etc_passwd" selected="true"/> | |
<select idref="userowner_passwd_file" selected="true"/> | |
<select idref="groupowner_passwd_file" selected="true"/> | |
<select idref="sticky_world_writable_dirs" selected="true"/> | |
<select idref="world_writeable_files" selected="true"/> | |
<select idref="no_unpackaged_sgid_files" selected="true"/> | |
<select idref="no_unpackaged_suid_files" selected="true"/> | |
<select idref="no_files_unowned_by_user" selected="true"/> | |
<select idref="no_files_unowned_by_group" selected="true"/> | |
<select idref="world_writable_files_system_ownership" selected="true"/> | |
<select idref="umask_for_daemons" selected="true"/> | |
<select idref="disable_setuid_coredumps" selected="true"/> | |
<select idref="disable_users_coredumps" selected="true"/> | |
<select idref="enable_randomize_va_space" selected="true"/> | |
<select idref="enable_execshield" selected="true"/> | |
<select idref="install_PAE_kernel_on_x86-32" selected="true"/> | |
<select idref="securetty_root_login_console_only" selected="true"/> | |
<select idref="restrict_serial_port_logins" selected="true"/> | |
<select idref="no_empty_passwords" selected="true"/> | |
<select idref="no_hashes_outside_shadow" selected="true"/> | |
<select idref="no_uidzero_except_root" selected="true"/> | |
<select idref="accounts_password_warn_age_login_defs" selected="true"/> | |
<select idref="accounts_maximum_age_login_defs" selected="true"/> | |
<select idref="accounts_password_minlen_login_defs" selected="true"/> | |
<select idref="accounts_password_pam_cracklib_retry" selected="true"/> | |
<select idref="password_require_digits" selected="true"/> | |
<select idref="password_require_uppercases" selected="true"/> | |
<select idref="password_require_lowercases" selected="true"/> | |
<select idref="password_require_specials" selected="true"/> | |
<select idref="password_require_diffchars" selected="true"/> | |
<select idref="deny_password_attempts" selected="true"/> | |
<select idref="set_password_hashing_algorithm_systemauth" selected="true"/> | |
<select idref="set_password_hashing_algorithm_logindefs" selected="true"/> | |
<select idref="limiting_password_reuse" selected="true"/> | |
<select idref="root_path_no_dot" selected="true"/> | |
<select idref="root_path_no_groupother_writable" selected="true"/> | |
<select idref="homedir_perms_no_groupwrite_worldread" selected="true"/> | |
<select idref="user_umask_bashrc" selected="true"/> | |
<select idref="user_umask_cshrc" selected="true"/> | |
<select idref="user_umask_profile" selected="true"/> | |
<select idref="user_umask_logindefs" selected="true"/> | |
<select idref="user_owner_grub_conf" selected="true"/> | |
<select idref="group_owner_grub_conf" selected="true"/> | |
<select idref="permissions_grub_conf" selected="true"/> | |
<select idref="bootloader_password" selected="true"/> | |
<select idref="disable_interactive_boot" selected="true"/> | |
<select idref="set_screensaver_inactivity_timeout" selected="true"/> | |
<select idref="enable_screensaver_after_idle" selected="true"/> | |
<select idref="enable_screensaver_password_lock" selected="true"/> | |
<select idref="set_blank_screensaver" selected="true"/> | |
<select idref="set_system_login_banner" selected="true"/> | |
<select idref="set_selinux_state" selected="true"/> | |
<select idref="set_selinux_policy" selected="true"/> | |
<select idref="enable_selinux_bootloader" selected="true"/> | |
<select idref="selinux_confinement_of_daemons" selected="true"/> | |
<select idref="selinux_all_devicefiles_labeled" selected="true"/> | |
<select idref="sysctl_ipv4_ip_forward" selected="true"/> | |
<select idref="sysctl_ipv4_all_send_redirects" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_default_send_redirects" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_all_secure_redirects" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_all_accept_redirects" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_default_accept_source_route" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_default_secure_redirects" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_default_accept_redirects" selected="true"/> | |
<select idref="sysctl_net_ipv4_icmp_ignore_bogus_error_responses" selected="true"/> | |
<select idref="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_all_log_martians" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_all_rp_filter" selected="true"/> | |
<select idref="sysctl_net_ipv4_tcp_syncookies" selected="true"/> | |
<select idref="sysctl_net_ipv4_conf_default_rp_filter" selected="true"/> | |
<select idref="wireless_disable_in_bios" selected="true"/> | |
<select idref="service_bluetooth_disabled" selected="true"/> | |
<select idref="kernel_module_ipv6_option_disabled" selected="true"/> | |
<select idref="network_ipv6_disable_rpc" selected="true"/> | |
<select idref="sysctl_net_ipv6_conf_default_accept_ra" selected="true"/> | |
<select idref="sysctl_ipv6_default_accept_redirects" selected="true"/> | |
<select idref="service_ip6tables_enabled" selected="true"/> | |
<select idref="service_iptables_enabled" selected="true"/> | |
<select idref="set_iptables_default_rule" selected="true"/> | |
<select idref="set_iptables_default_rule_forward" selected="true"/> | |
<select idref="kernel_module_dccp_disabled" selected="true"/> | |
<select idref="kernel_module_sctp_disabled" selected="true"/> | |
<select idref="kernel_module_rds_disabled" selected="true"/> | |
<select idref="kernel_module_tipc_disabled" selected="true"/> | |
<select idref="package_rsyslog_installed" selected="true"/> | |
<select idref="service_rsyslog_enabled" selected="true"/> | |
<select idref="rsyslog_file_permissions" selected="true"/> | |
<select idref="groupowner_rsyslog_files" selected="true"/> | |
<select idref="userowner_rsyslog_files" selected="true"/> | |
<select idref="rsyslog_send_messages_to_logserver" selected="true"/> | |
<select idref="rsyslog_accept_remote_messages_none" selected="true"/> | |
<select idref="ensure_logrotate_activated" selected="true"/> | |
<select idref="service_auditd_enabled" selected="true"/> | |
<select idref="enable_auditd_bootloader" selected="true"/> | |
<select idref="audit_rules_time_adjtimex" selected="true"/> | |
<select idref="audit_rules_time_settimeofday" selected="true"/> | |
<select idref="audit_rules_time_stime" selected="true"/> | |
<select idref="audit_rules_time_clock_settime" selected="true"/> | |
<select idref="audit_rules_time_watch_localtime" selected="true"/> | |
<select idref="audit_account_changes" selected="true"/> | |
<select idref="audit_network_modifications" selected="true"/> | |
<select idref="audit_mac_changes" selected="true"/> | |
<select idref="audit_rules_dac_modification_chmod" selected="true"/> | |
<select idref="audit_rules_dac_modification_chown" selected="true"/> | |
<select idref="audit_rules_dac_modification_fchmod" selected="true"/> | |
<select idref="audit_rules_dac_modification_fchmodat" selected="true"/> | |
<select idref="audit_rules_dac_modification_fchown" selected="true"/> | |
<select idref="audit_rules_dac_modification_fchownat" selected="true"/> | |
<select idref="audit_rules_dac_modification_fremovexattr" selected="true"/> | |
<select idref="audit_rules_dac_modification_fsetxattr" selected="true"/> | |
<select idref="audit_rules_dac_modification_lchown" selected="true"/> | |
<select idref="audit_rules_dac_modification_lremovexattr" selected="true"/> | |
<select idref="audit_rules_dac_modification_lsetxattr" selected="true"/> | |
<select idref="audit_rules_dac_modification_removexattr" selected="true"/> | |
<select idref="audit_rules_dac_modification_setxattr" selected="true"/> | |
<select idref="audit_file_access" selected="true"/> | |
<select idref="audit_privileged_commands" selected="true"/> | |
<select idref="audit_media_exports" selected="true"/> | |
<select idref="audit_file_deletions" selected="true"/> | |
<select idref="audit_sysadmin_actions" selected="true"/> | |
<select idref="audit_kernel_module_loading" selected="true"/> | |
<select idref="audit_config_immutable" selected="true"/> | |
<select idref="disable_xinetd" selected="true"/> | |
<select idref="uninstall_xinetd" selected="true"/> | |
<select idref="disable_telnet_service" selected="true"/> | |
<select idref="uninstall_telnet_server" selected="true"/> | |
<select idref="uninstall_rsh-server" selected="true"/> | |
<select idref="disable_ypbind" selected="true"/> | |
<select idref="uninstall_ypserv" selected="true"/> | |
<select idref="disable_tftp" selected="true"/> | |
<select idref="uninstall_tftp-server" selected="true"/> | |
<select idref="deactivate_wireless_interfaces" selected="true"/> | |
<select idref="kernel_module_bluetooth_disabled" selected="true"/> | |
<select idref="service_kdump_disabled" selected="true"/> | |
<select idref="network_disable_zeroconf" selected="true"/> | |
<select idref="service_crond_enabled" selected="true"/> | |
<select idref="disable_anacron" selected="true"/> | |
<select idref="sshd_allow_only_protocol2" selected="true"/> | |
<select idref="service_atd_disabled" selected="true"/> | |
<select idref="sshd_set_keepalive" selected="true"/> | |
<select idref="sshd_set_idle_timeout" selected="true"/> | |
<select idref="sshd_disable_rhosts" selected="true"/> | |
<select idref="disable_host_auth" selected="true"/> | |
<select idref="sshd_disable_root_login" selected="true"/> | |
<select idref="sshd_disable_empty_passwords" selected="true"/> | |
<select idref="sshd_enable_warning_banner" selected="true"/> | |
<select idref="sshd_do_not_permit_user_env" selected="true"/> | |
<select idref="sshd_use_approved_ciphers" selected="true"/> | |
<select idref="enable_gdm_login_banner" selected="true"/> | |
<select idref="disable_avahi" selected="true"/> | |
<select idref="disable_dhcp_server" selected="true"/> | |
<select idref="uninstall_dhcp_server" selected="true"/> | |
<select idref="service_ntpd_enabled" selected="true"/> | |
<select idref="ntpd_specify_remote_server" selected="true"/> | |
<select idref="package_sendmail_removed" selected="true"/> | |
<select idref="postfix_network_listening" selected="true"/> | |
<select idref="ldap_client_start_tls" selected="true"/> | |
<select idref="ldap_client_tls_cacertpath" selected="true"/> | |
<select idref="package_openldap-servers_removed" selected="true"/> | |
<select idref="service_nfslock_disabled" selected="true"/> | |
<select idref="service_rpcgssd_disabled" selected="true"/> | |
<select idref="service_rpcidmapd_disabled" selected="true"/> | |
<select idref="service_netfs_disabled" selected="true"/> | |
<select idref="service_portreserve_disabled" selected="true"/> | |
<select idref="service_rpcsvcgssd_disabled" selected="true"/> | |
<select idref="use_nodev_option_on_nfs_mounts" selected="true"/> | |
<select idref="use_nosuid_option_on_nfs_mounts" selected="true"/> | |
<select idref="disable_dns_server" selected="true"/> | |
<select idref="uninstall_bind" selected="true"/> | |
<select idref="disable_vsftpd" selected="true"/> | |
<select idref="uninstall_vsftpd" selected="true"/> | |
<select idref="disable_httpd" selected="true"/> | |
<select idref="uninstall_httpd" selected="true"/> | |
<select idref="disable_dovecot" selected="true"/> | |
<select idref="uninstall_dovecot" selected="true"/> | |
<select idref="disable_smb_server" selected="true"/> | |
<select idref="require_smb_client_signing" selected="true"/> | |
<select idref="require_smb_client_signing_mount.cifs" selected="true"/> | |
<select idref="disable_squid" selected="true"/> | |
<select idref="uninstall_squid" selected="true"/> | |
<select idref="disable_snmpd" selected="true"/> | |
<select idref="uninstall_net-snmp" selected="true"/> | |
<select idref="service_autofs_disabled" selected="true"/> | |
<select idref="account_disable_post_pw_expiration" selected="true"/> | |
<refine-value idref="var_umask_for_daemons" selector="027"/> | |
<refine-value idref="var_accounts_password_warn_age_login_defs" selector="14"/> | |
<refine-value idref="var_accounts_maximum_age_login_defs" selector="60"/> | |
<refine-value idref="var_accounts_password_minlen_login_defs" selector="12"/> | |
<refine-value idref="var_password_pam_cracklib_retry" selector="3"/> | |
<refine-value idref="var_password_pam_cracklib_dcredit" selector="1"/> | |
<refine-value idref="var_password_pam_cracklib_ucredit" selector="1"/> | |
<refine-value idref="var_password_pam_cracklib_lcredit" selector="1"/> | |
<refine-value idref="var_password_pam_cracklib_ocredit" selector="1"/> | |
<refine-value idref="var_password_pam_cracklib_difok" selector="3"/> | |
<refine-value idref="var_accounts_passwords_pam_faillock_deny" selector="5"/> | |
<refine-value idref="password_history_retain_number" selector="24"/> | |
<refine-value idref="umask_user_value" selector="077"/> | |
<refine-value idref="inactivity_timeout_value" selector="15_minutes"/> | |
<refine-value idref="login_banner_text" selector="usgcb_default"/> | |
<refine-value idref="var_selinux_state_name" selector="enforcing"/> | |
<refine-value idref="var_selinux_policy_name" selector="targeted"/> | |
<refine-value idref="sysctl_net_ipv4_conf_all_secure_redirects_value" selector="disabled"/> | |
<refine-value idref="sysctl_net_ipv4_conf_all_accept_redirects_value" selector="disabled"/> | |
<refine-value idref="sysctl_net_ipv4_conf_all_accept_source_route_value" selector="disabled"/> | |
<refine-value idref="sysctl_net_ipv4_conf_default_secure_redirects_value" selector="disabled"/> | |
<refine-value idref="sysctl_net_ipv4_conf_default_accept_redirects_value" selector="disabled"/> | |
<refine-value idref="sysctl_net_ipv4_conf_default_accept_source_route_value" selector="disabled"/> | |
<refine-value idref="sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value" selector="enabled"/> | |
<refine-value idref="sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" selector="enabled"/> | |
<refine-value idref="sysctl_net_ipv4_conf_all_log_martians_value" selector="enabled"/> | |
<refine-value idref="sysctl_net_ipv4_conf_all_rp_filter_value" selector="enabled"/> | |
<refine-value idref="sysctl_net_ipv4_tcp_syncookies_value" selector="enabled"/> | |
<refine-value idref="sysctl_net_ipv4_conf_default_rp_filter_value" selector="enabled"/> | |
<refine-value idref="sysctl_net_ipv6_conf_default_accept_ra_value" selector="disabled"/> | |
<refine-value idref="var_account_disable_post_pw_expiration" selector="30"/> | |
</Profile> | |
<Profile id="rht-ccp"> | |
<title xml:lang="en-US">Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This is a *draft* SCAP profile for Red Hat Certified Cloud Providers</description> | |
<select idref="partition_for_tmp" selected="true"/> | |
<select idref="partition_for_var" selected="true"/> | |
<select idref="partition_for_var_log" selected="true"/> | |
<select idref="partition_for_var_log_audit" selected="true"/> | |
<select idref="enable_selinux_bootloader" selected="true"/> | |
<select idref="set_selinux_state" selected="true"/> | |
<select idref="set_selinux_policy" selected="true"/> | |
<select idref="selinux_all_devicefiles_labeled" selected="true"/> | |
<select idref="ensure_redhat_gpgkey_installed" selected="true"/> | |
<select idref="security_patches_up_to_date" selected="true"/> | |
<select idref="ensure_gpgcheck_globally_activated" selected="true"/> | |
<select idref="ensure_gpgcheck_never_disabled" selected="true"/> | |
<select idref="package_aide_installed" selected="true"/> | |
<select idref="limiting_password_reuse" selected="true"/> | |
<select idref="no_shelllogin_for_systemaccounts" selected="true"/> | |
<select idref="no_empty_passwords" selected="true"/> | |
<select idref="no_hashes_outside_shadow" selected="true"/> | |
<select idref="no_uidzero_except_root" selected="true"/> | |
<select idref="accounts_password_minlen_login_defs" selected="true"/> | |
<select idref="accounts_minimum_age_login_defs" selected="true"/> | |
<select idref="accounts_maximum_age_login_defs" selected="true"/> | |
<select idref="accounts_password_warn_age_login_defs" selected="true"/> | |
<select idref="accounts_password_pam_cracklib_retry" selected="true"/> | |
<select idref="password_require_digits" selected="true"/> | |
<select idref="password_require_uppercases" selected="true"/> | |
<select idref="password_require_specials" selected="true"/> | |
<select idref="password_require_lowercases" selected="true"/> | |
<select idref="password_require_diffchars" selected="true"/> | |
<select idref="deny_password_attempts" selected="true"/> | |
<select idref="set_password_hashing_algorithm_systemauth" selected="true"/> | |
<select idref="set_password_hashing_algorithm_logindefs" selected="true"/> | |
<select idref="set_password_hashing_algorithm_libuserconf" selected="true"/> | |
<select idref="require_singleuser_auth" selected="true"/> | |
<select idref="userowner_shadow_file" selected="true"/> | |
<select idref="groupowner_shadow_file" selected="true"/> | |
<select idref="perms_shadow_file" selected="true"/> | |
<select idref="userowner_gshadow_file" selected="true"/> | |
<select idref="groupowner_gshadow_file" selected="true"/> | |
<select idref="perms_gshadow_file" selected="true"/> | |
<select idref="userowner_passwd_file" selected="true"/> | |
<select idref="groupowner_passwd_file" selected="true"/> | |
<select idref="file_permissions_etc_passwd" selected="true"/> | |
<select idref="userowner_group_file" selected="true"/> | |
<select idref="groupowner_group_file" selected="true"/> | |
<select idref="perms_group_file" selected="true"/> | |
<select idref="file_permissions_library_dirs" selected="true"/> | |
<select idref="file_ownership_library_dirs" selected="true"/> | |
<select idref="file_permissions_binary_dirs" selected="true"/> | |
<select idref="file_ownership_binary_dirs" selected="true"/> | |
<select idref="audit_logs_permissions" selected="true"/> | |
<select idref="user_owner_grub_conf" selected="true"/> | |
<select idref="group_owner_grub_conf" selected="true"/> | |
<select idref="permissions_grub_conf" selected="true"/> | |
<select idref="bootloader_password" selected="true"/> | |
<select idref="enable_randomize_va_space" selected="true"/> | |
<select idref="enable_execshield" selected="true"/> | |
<select idref="kernel_module_ipv6_option_disabled" selected="true"/> | |
<select idref="service_ip6tables_enabled" selected="true"/> | |
<select idref="service_iptables_enabled" selected="true"/> | |
<select idref="set_iptables_default_rule" selected="true"/> | |
<select idref="kernel_module_dccp_disabled" selected="true"/> | |
<select idref="kernel_module_sctp_disabled" selected="true"/> | |
<select idref="kernel_module_rds_disabled" selected="true"/> | |
<select idref="kernel_module_tipc_disabled" selected="true"/> | |
<select idref="disable_xinetd" selected="true"/> | |
<select idref="uninstall_xinetd" selected="true"/> | |
<select idref="uninstall_telnet_server" selected="true"/> | |
<select idref="disable_telnet_service" selected="true"/> | |
<select idref="uninstall_rsh-server" selected="true"/> | |
<select idref="disable_rsh" selected="true"/> | |
<select idref="disable_rexec" selected="true"/> | |
<select idref="disable_rlogin" selected="true"/> | |
<select idref="uninstall_ypserv" selected="true"/> | |
<select idref="disable_ypbind" selected="true"/> | |
<select idref="uninstall_tftp-server" selected="true"/> | |
<select idref="disable_tftp" selected="true"/> | |
<select idref="disable_avahi" selected="true"/> | |
<select idref="service_abrtd_disabled" selected="true"/> | |
<select idref="service_atd_disabled" selected="true"/> | |
<select idref="service_autofs_disabled" selected="true"/> | |
<select idref="service_ntpdate_disabled" selected="true"/> | |
<select idref="service_oddjobd_disabled" selected="true"/> | |
<select idref="service_qpidd_disabled" selected="true"/> | |
<select idref="service_rdisc_disabled" selected="true"/> | |
<select idref="sshd_allow_only_protocol2" selected="true"/> | |
<select idref="sshd_set_idle_timeout" selected="true"/> | |
<select idref="sshd_set_keepalive" selected="true"/> | |
<select idref="sshd_disable_rhosts" selected="true"/> | |
<select idref="disable_host_auth" selected="true"/> | |
<select idref="sshd_disable_root_login" selected="true"/> | |
<select idref="sshd_disable_empty_passwords" selected="true"/> | |
<select idref="sshd_enable_warning_banner" selected="true"/> | |
<select idref="sshd_do_not_permit_user_env" selected="true"/> | |
<select idref="sshd_use_approved_ciphers" selected="true"/> | |
<refine-value idref="var_selinux_state_name" selector="enforcing"/> | |
<refine-value idref="var_selinux_policy_name" selector="targeted"/> | |
<refine-value idref="file_owner_logfiles_value" selector="root"/> | |
<refine-value idref="file_groupowner_logfiles_value" selector="root"/> | |
<refine-value idref="sshd_idle_timeout_value" selector="5_minutes"/> | |
<refine-value idref="var_password_min_len" selector="6"/> | |
<refine-value idref="var_password_max_age" selector="90"/> | |
<refine-value idref="var_password_min_age" selector="7"/> | |
<refine-value idref="var_password_warn_age" selector="7"/> | |
<refine-value idref="var_password_pam_cracklib_retry" selector="3"/> | |
<refine-value idref="var_password_pam_cracklib_minlen" selector="14"/> | |
<refine-value idref="var_password_pam_cracklib_dcredit" selector="1"/> | |
<refine-value idref="var_password_pam_cracklib_ucredit" selector="2"/> | |
<refine-value idref="var_password_pam_cracklib_ocredit" selector="2"/> | |
<refine-value idref="var_password_pam_cracklib_lcredit" selector="2"/> | |
<refine-value idref="var_password_pam_cracklib_difok" selector="3"/> | |
<refine-value idref="password_history_retain_number" selector="5"/> | |
<refine-value idref="var_accounts_user_umask" selector="077"/> | |
<refine-value idref="login_banner_text" selector="usgcb_default"/> | |
</Profile> | |
<Value id="conditional_clause" operator="equals" type="string"> | |
<title xml:lang="en-US">A conditional clause for check statements.</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">A conditional clause for check statements.</description> | |
<value>This is a placeholder.</value> | |
</Value> | |
<Group id="intro"> | |
<title xml:lang="en-US">Introduction</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"><!-- purpose and scope of guidance --> | |
The purpose of this guidance is to provide security configuration | |
recommendations and baselines for the Red Hat Enterprise Linux (RHEL) 6 operating | |
system. The guidance provided here should be applicable to all variants | |
(Desktop, Server, Advanced Platform) of the product. Recommended | |
settings for the basic operating system are provided, as well as for many | |
network services that the system can provide to other systems. | |
<!-- audience -->The guide is intended for system administrators. Readers are assumed to | |
possess basic system administration skills for Unix-like systems, as well | |
as some familiarity with Red Hat's documentation and administration | |
conventions. Some instructions within this guide are complex. | |
All directions should be followed completely and with understanding of | |
their effects in order to avoid serious adverse effects on the system | |
and its security. | |
</description> | |
<Group id="general-principles"> | |
<title xml:lang="en-US">General Principles</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The following general principles motivate much of the advice in this | |
guide and should also influence any configuration decisions that are | |
not explicitly covered. | |
</description> | |
<Group id="principle-encrypt-transmitted-data"> | |
<title xml:lang="en-US">Encrypt Transmitted Data Whenever Possible</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Data transmitted over a network, whether wired or wireless, is susceptible | |
to passive monitoring. Whenever practical solutions for encrypting | |
such data exist, they should be applied. Even if data is expected to | |
be transmitted only over a local network, it should still be encrypted. | |
Encrypting authentication data, such as passwords, is particularly | |
important. Networks of RHEL 6 machines can and should be configured | |
so that no unencrypted authentication data is ever transmitted between | |
machines. | |
</description> | |
</Group> | |
<Group id="principle-minimize-software"> | |
<title xml:lang="en-US">Minimize Software to Minimize Vulnerability</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The simplest way to avoid vulnerabilities in software is to avoid | |
installing that software. On RHEL, the RPM Package Manager (originally | |
Red Hat Package Manager, abbreviated RPM) allows for careful management of | |
the set of software packages installed on a system. Installed software | |
contributes to system vulnerability in several ways. Packages that | |
include setuid programs may provide local attackers a potential path to | |
privilege escalation. Packages that include network services may give | |
this opportunity to network-based attackers. Packages that include | |
programs which are predictably executed by local users (e.g. after | |
graphical login) may provide opportunities for trojan horses or other | |
attack code to be run undetected. The number of software packages | |
installed on a system can almost always be significantly pruned to include | |
only the software for which there is an environmental or operational need. | |
</description> | |
</Group> | |
<Group id="principle-separate-servers"> | |
<title xml:lang="en-US">Run Different Network Services on Separate Systems</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Whenever possible, a server should be dedicated to serving exactly one | |
network service. This limits the number of other services that can | |
be compromised in the event that an attacker is able to successfully | |
exploit a software flaw in one network service. | |
</description> | |
</Group> | |
<Group id="principle-use-security-tools"> | |
<title xml:lang="en-US">Configure Security Tools to Improve System Robustness</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Several tools exist which can be effectively used to improve a system's | |
resistance to and detection of unknown attacks. These tools can improve | |
robustness against attack at the cost of relatively little configuration | |
effort. In particular, this guide recommends and discusses the use of | |
Iptables for host-based firewalling, SELinux for protection against | |
vulnerable services, and a logging and auditing infrastructure for | |
detection of problems. | |
</description> | |
</Group> | |
<Group id="principle-least-privilege"> | |
<title xml:lang="en-US">Least Privilege</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Grant the least privilege necessary for user accounts and software to perform tasks. | |
For example, <xhtml:code>sudo</xhtml:code> can be implemented to limit authorization to super user | |
accounts on the system only to designated personnel. Another example is to limit | |
logins on server systems to only those administrators who need to log into them in | |
order to perform administration tasks. Using SELinux also follows the principle of | |
least privilege: SELinux policy can confine software to perform only actions on the | |
system that are specifically allowed. This can be far more restrictive than the | |
actions permissible by the traditional Unix permissions model. | |
</description> | |
</Group> | |
</Group> | |
<Group id="how-to-use"> | |
<title xml:lang="en-US">How to Use This Guide</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Readers should heed the following points when using the guide. | |
</description> | |
<Group id="intro-read-sections-completely"> | |
<title xml:lang="en-US">Read Sections Completely and in Order</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Each section may build on information and recommendations discussed in | |
prior sections. Each section should be read and understood completely; | |
instructions should never be blindly applied. Relevant discussion may | |
occur after instructions for an action. | |
</description> | |
</Group> | |
<Group id="intro-test-non-production"> | |
<title xml:lang="en-US">Test in Non-Production Environment</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
This guidance should always be tested in a non-production environment | |
before deployment. This test environment should simulate the setup in | |
which the system will be deployed as closely as possible. | |
</description> | |
</Group> | |
<Group id="intro-root-shell-assumed"> | |
<title xml:lang="en-US">Root Shell Environment Assumed</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Most of the actions listed in this document are written with the | |
assumption that they will be executed by the root user running the | |
<xhtml:code>/bin/bash</xhtml:code> shell. Commands preceded with a hash mark (#) | |
assume that the administrator will execute the commands as root, i.e. | |
apply the command via <xhtml:code>sudo</xhtml:code> whenever possible, or use | |
<xhtml:code>su</xhtml:code> to gain root privileges if <xhtml:code>sudo</xhtml:code> cannot be | |
used. Commands which can be executed as a non-root user are are preceded | |
by a dollar sign ($) prompt. | |
</description> | |
</Group> | |
<Group id="intro-formatting-conventions"> | |
<title xml:lang="en-US">Formatting Conventions</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Commands intended for shell execution, as well as configuration file text, | |
are featured in a <xhtml:code>monospace font</xhtml:code>. <i xmlns="http://www.w3.org/1999/xhtml">Italics</i> are used | |
to indicate instances where the system administrator must substitute | |
the appropriate information into a command or configuration file. | |
</description> | |
</Group> | |
<Group id="intro-reboot-required"> | |
<title xml:lang="en-US">Reboot Required</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
A system reboot is implicitly required after some actions in order to | |
complete the reconfiguration of the system. In many cases, the changes | |
will not take effect until a reboot is performed. In order to ensure | |
that changes are applied properly and to test functionality, always | |
reboot the system after applying a set of recommendations from this guide. | |
</description> | |
</Group> | |
</Group> | |
</Group> | |
<Group id="system"> | |
<title xml:lang="en-US">System Settings</title> | |
<Group id="software"> | |
<title xml:lang="en-US">Installing and Maintaining Software</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The following sections contain information on | |
security-relevant choices during the initial operating system | |
installation process and the setup of software | |
updates.</description> | |
<Group id="disk_partitioning"> | |
<title xml:lang="en-US">Disk Partitioning</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To ensure separation and protection of data, there | |
are top-level system directories which should be placed on their | |
own physical partition or logical volume. The installer's default | |
partitioning scheme creates separate logical volumes for | |
<xhtml:code>/</xhtml:code>, <xhtml:code>/boot</xhtml:code>, and <xhtml:code>swap</xhtml:code>. | |
<ul xmlns="http://www.w3.org/1999/xhtml"><li>If starting with any of the default layouts, check the box to | |
"Review and modify partitioning." This allows for the easy creation | |
of additional logical volumes inside the volume group already | |
created, though it may require making <xhtml:code>/</xhtml:code>'s logical volume smaller to | |
create space. In general, using logical volumes is preferable to | |
using partitions because they can be more easily adjusted | |
later.</li><li>If creating a custom layout, create the partitions mentioned in | |
the previous paragraph (which the installer will require anyway), | |
as well as separate ones described in the following sections.</li></ul> | |
If a system has already been installed, and the default | |
partitioning scheme was used, it is possible but nontrivial to | |
modify it to create separate logical volumes for the directories | |
listed above. The Logical Volume Manager (LVM) makes this possible. | |
See the LVM HOWTO at http://tldp.org/HOWTO/LVM-HOWTO/ for more | |
detailed information on LVM.</description> | |
<Rule id="partition_for_tmp" selected="false" severity="low"> | |
<title xml:lang="en-US">Ensure /tmp Located On Separate Partition</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The <xhtml:code>/tmp</xhtml:code> directory is a world-writable directory used | |
for temporary file storage. Ensure it has its own partition or | |
logical volume at installation time, or migrate it using LVM. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/> | |
<reference href="http://iase.disa.mil/cci/index.html">1208</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>MM</dc:contributor> | |
<dc:date>20120928</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The <xhtml:code>/tmp</xhtml:code> partition is used as temporary storage by many programs. | |
Placing <xhtml:code>/tmp</xhtml:code> in its own partition enables the setting of more | |
restrictive mount options, which can help protect programs which use it. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26435-8</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:215" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="no line is returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Run the following command to determine if <xhtml:code>/tmp </xhtml:code> | |
is on its own partition or logical volume: | |
<xhtml:pre>$ mount | grep "on /tmp "</xhtml:pre> | |
If <xhtml:code>/tmp </xhtml:code> has its own partition or volume group, a line | |
will be returned. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="partition_for_var" selected="false" severity="low"> | |
<title xml:lang="en-US">Ensure /var Located On Separate Partition</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>/var</xhtml:code> directory is used by daemons and other system | |
services to store frequently-changing data. Ensure that <xhtml:code>/var</xhtml:code> has its own partition | |
or logical volume at installation time, or migrate it using LVM. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/> | |
<reference href="http://iase.disa.mil/cci/index.html">1208</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>MM</dc:contributor> | |
<dc:date>20120928</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Ensuring that <xhtml:code>/var</xhtml:code> is mounted on its own partition enables the | |
setting of more restrictive mount options. This helps protect | |
system services such as daemons or other programs which use it. | |
It is not uncommon for the <xhtml:code>/var</xhtml:code> directory to contain | |
world-writable directories, installed by other software packages. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26639-5</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:980" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="no line is returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Run the following command to determine if <xhtml:code>/var </xhtml:code> | |
is on its own partition or logical volume: | |
<xhtml:pre>$ mount | grep "on /var "</xhtml:pre> | |
If <xhtml:code>/var </xhtml:code> has its own partition or volume group, a line | |
will be returned. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="partition_for_var_log" selected="false" severity="low"> | |
<title xml:lang="en-US">Ensure /var/log Located On Separate Partition</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
System logs are stored in the <xhtml:code>/var/log</xhtml:code> directory. | |
Ensure that it has its own partition or logical | |
volume at installation time, or migrate it using LVM. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-9</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1208</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>MM</dc:contributor> | |
<dc:date>20120928</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Placing <xhtml:code>/var/log</xhtml:code> in its own partition | |
enables better separation between log files | |
and other files in <xhtml:code>/var/</xhtml:code>. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26215-4</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:734" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="no line is returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Run the following command to determine if <xhtml:code>/var/log </xhtml:code> | |
is on its own partition or logical volume: | |
<xhtml:pre>$ mount | grep "on /var/log "</xhtml:pre> | |
If <xhtml:code>/var/log </xhtml:code> has its own partition or volume group, a line | |
will be returned. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="partition_for_var_log_audit" selected="false" severity="low"> | |
<title xml:lang="en-US">Ensure /var/log/audit Located On Separate Partition</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Audit logs are stored in the <xhtml:code>/var/log/audit</xhtml:code> directory. Ensure that it | |
has its own partition or logical volume at installation time, or migrate it | |
later using LVM. Make absolutely certain that it is large enough to store all | |
audit logs that will be created by the auditing daemon. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-4</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-9</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">137</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">138</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1208</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>MM</dc:contributor> | |
<dc:date>20120928</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Placing <xhtml:code>/var/log/audit</xhtml:code> in its own partition | |
enables better separation between audit files | |
and other files, and helps ensure that | |
auditing cannot be halted due to the partition running out | |
of space. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26436-6</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:374" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="no line is returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Run the following command to determine if <xhtml:code>/var/log/audit </xhtml:code> | |
is on its own partition or logical volume: | |
<xhtml:pre>$ mount | grep "on /var/log/audit "</xhtml:pre> | |
If <xhtml:code>/var/log/audit </xhtml:code> has its own partition or volume group, a line | |
will be returned. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="partition_for_home" selected="false" severity="low"> | |
<title xml:lang="en-US">Ensure /home Located On Separate Partition</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
If user home directories will be stored locally, create a separate partition | |
for <xhtml:code>/home</xhtml:code> at installation time (or migrate it later using LVM). If | |
<xhtml:code>/home</xhtml:code> will be mounted from another system such as an NFS server, then | |
creating a separate partition is not necessary at installation time, and the | |
mountpoint can instead be configured later. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/> | |
<reference href="http://iase.disa.mil/cci/index.html">1208</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>MM</dc:contributor> | |
<dc:date>20120928</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Ensuring that <xhtml:code>/home</xhtml:code> is mounted on its own partition enables the | |
setting of more restrictive mount options, and also helps ensure that | |
users cannot trivially fill partitions used for log or audit data storage. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26557-9</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:645" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="no line is returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Run the following command to determine if <xhtml:code>/home </xhtml:code> | |
is on its own partition or logical volume: | |
<xhtml:pre>$ mount | grep "on /home "</xhtml:pre> | |
If <xhtml:code>/home </xhtml:code> has its own partition or volume group, a line | |
will be returned. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="encrypt_partitions" selected="false" severity="low"> | |
<title xml:lang="en-US">Encrypt Partitions</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Red Hat Enterprise Linux 6 natively supports partition encryption through the | |
Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to | |
encrypt a partition is during installation time. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
For manual installations, select the <xhtml:code>Encrypt</xhtml:code> checkbox during | |
partition creation to encrypt the partition. When this | |
option is selected the system will prompt for a passphrase to use in | |
decrypting the partition. The passphrase will subsequently need to be entered manually | |
every time the system boots. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
For automated/unattended installations, it is possible to use Kickstart by adding | |
the <xhtml:code>--encrypted</xhtml:code> and <xhtml:code>--passphrase=</xhtml:code> options to the definition of each partition to be | |
encrypted. For example, the following line would encrypt the root partition: | |
<pre xmlns="http://www.w3.org/1999/xhtml">part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=<i>PASSPHRASE</i></pre> | |
Any <i xmlns="http://www.w3.org/1999/xhtml">PASSPHRASE</i> is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. | |
Omitting the <xhtml:code>--passphrase=</xhtml:code> option from the partition definition will cause the | |
installer to pause and interactively ask for the passphrase during installation. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
Detailed information on encrypting partitions using LUKS can be found on | |
the Red Had Documentation web site:<br xmlns="http://www.w3.org/1999/xhtml"/> | |
https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-13</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-28</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1019</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1199</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1200</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The risk of a system's physical compromise, particularly mobile systems such as | |
laptops, places its data at risk of compromise. Encrypting this data mitigates | |
the risk of its loss if the system is lost. | |
</rationale> | |
<check system="ocil-transitional"> | |
<check-export export-name="encryption must be used and is not employed" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Determine if encryption must be used to protect data on the system. | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
<Group id="updating"> | |
<title xml:lang="en-US">Updating Software</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>yum</xhtml:code> command line tool is used to install and | |
update software packages. The system also provides a graphical | |
software update tool in the <b xmlns="http://www.w3.org/1999/xhtml">System</b> menu, in the <b xmlns="http://www.w3.org/1999/xhtml">Administration</b> submenu, | |
called <b xmlns="http://www.w3.org/1999/xhtml">Software Update</b>. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
Red Hat Enterprise Linux systems contain an installed software catalog called | |
the RPM database, which records metadata of installed packages. Consistently using | |
<xhtml:code>yum</xhtml:code> or the graphical <b xmlns="http://www.w3.org/1999/xhtml">Software Update</b> for all software installation | |
allows for insight into the current inventory of installed software on the system. | |
</description> | |
<Rule id="ensure_redhat_gpgkey_installed" selected="false" severity="high"> | |
<title xml:lang="en-US">Ensure Red Hat GPG Key Installed</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To ensure the system can cryptographically verify base software | |
packages come from Red Hat (and to connect to the Red Hat Network to | |
receive them), the Red Hat GPG key must properly be installed. | |
To install the Red Hat GPG key, run: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># rhn_register</pre> | |
If the system is not connected to the Internet or an RHN Satellite, | |
then install the Red Hat GPG key from trusted media such as | |
the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted | |
in <xhtml:code>/media/cdrom</xhtml:code>, use the following command as the root user to import | |
it into the keyring: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># rpm --import /media/cdrom/RPM-GPG-KEY</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-7</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">MA-1(b)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">351</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>MM</dc:contributor> | |
<dc:date>20120928</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The Red Hat GPG key is necessary to cryptographically verify packages | |
are from Red Hat. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26506-6</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:1206" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the Red Hat GPG Key is not installed" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To ensure that the GPG key is installed, run: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey</pre> | |
The command should return the string below: | |
<pre xmlns="http://www.w3.org/1999/xhtml">gpg(Red Hat, Inc. (release key 2) <security@redhat.com></pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="ensure_gpgcheck_globally_activated" selected="false" severity="high"> | |
<title xml:lang="en-US">Ensure gpgcheck Enabled In Main Yum Configuration</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>gpgcheck</xhtml:code> option controls whether | |
RPM packages' signatures are always checked prior to installation. | |
To configure yum to check package signatures before installing | |
them, ensure the following line appears in <xhtml:code>/etc/yum.conf</xhtml:code> in | |
the <xhtml:code>[main]</xhtml:code> section: | |
<pre xmlns="http://www.w3.org/1999/xhtml">gpgcheck=1</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-7</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">MA-1(b)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">352</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">663</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>MM</dc:contributor> | |
<dc:date>20120928</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Ensuring the validity of packages' cryptographic signatures prior to | |
installation ensures the authenticity of the software and | |
protects against malicious tampering. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26709-6</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:413" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="GPG checking is not enabled" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To determine whether <xhtml:code>yum</xhtml:code> is configured to use <xhtml:code>gpgcheck</xhtml:code>, | |
inspect <xhtml:code>/etc/yum.conf</xhtml:code> and ensure the following appears in the | |
<xhtml:code>[main]</xhtml:code> section: | |
<pre xmlns="http://www.w3.org/1999/xhtml">gpgcheck=1</pre> | |
A value of <xhtml:code>1</xhtml:code> indicates that <xhtml:code>gpgcheck</xhtml:code> is enabled. Absence of a | |
<xhtml:code>gpgcheck</xhtml:code> line or a setting of <xhtml:code>0</xhtml:code> indicates that it is | |
disabled. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="ensure_gpgcheck_never_disabled" selected="false" severity="high"> | |
<title xml:lang="en-US">Ensure gpgcheck Enabled For All Yum Package Repositories</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To ensure signature checking is not disabled for | |
any repos, remove any lines from files in <xhtml:code>/etc/yum.repos.d</xhtml:code> of the form: | |
<pre xmlns="http://www.w3.org/1999/xhtml">gpgcheck=0</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-7</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">MA-1(b)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">352</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">663</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>MM</dc:contributor> | |
<dc:date>20120928</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Ensuring all packages' cryptographic signatures are valid prior to | |
installation ensures the authenticity of the software and | |
protects against malicious tampering. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26647-8</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:478" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="GPG checking is disabled" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To determine whether <xhtml:code>yum</xhtml:code> has been configured to disable | |
<xhtml:code>gpgcheck</xhtml:code> for any repos, inspect all files in | |
<xhtml:code>/etc/yum.repos.d</xhtml:code> and ensure the following does not appear in any | |
sections: | |
<pre xmlns="http://www.w3.org/1999/xhtml">gpgcheck=0</pre> | |
A value of <xhtml:code>0</xhtml:code> indicates that <xhtml:code>gpgcheck</xhtml:code> has been disabled for that repo. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="security_patches_up_to_date" selected="false" severity="high"> | |
<title xml:lang="en-US">Ensure Software Patches Installed</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If the system is joined to the Red Hat Network, a Red Hat Satellite Server, | |
or a yum server, run the following command to install updates: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># yum update</pre> | |
If the system is not configured to use one of these sources, updates (in the form of RPM packages) | |
can be manually downloaded from the Red Hat Network and installed using <xhtml:code>rpm</xhtml:code>. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-2</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">MA-1(b)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1227</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1233</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>MM</dc:contributor> | |
<dc:date>20120928</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Installing software updates is a fundamental mitigation against | |
the exploitation of publicly-known vulnerabilities. | |
</rationale> | |
<check system="ocil-transitional"> | |
<check-export export-name="updates are not installed" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or | |
a yum server which provides updates, invoking the following command will | |
indicate if updates are available: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># yum check-update</pre> | |
If the system is not configured to update from one of these sources, | |
run the following command to list when each package was last updated: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ rpm -qa -last</pre> | |
Compare this to Red Hat Security Advisories (RHSA) listed at | |
https://access.redhat.com/security/updates/active/ | |
to determine if the system is missing applicable updates. | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
<Group id="integrity"> | |
<title xml:lang="en-US">Software Integrity Checking</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Both the AIDE (Advanced Intrusion Detection Environment) | |
software and the RPM package management system provide | |
mechanisms for verifying the integrity of installed software. | |
AIDE uses snapshots of file metadata (such as hashes) and compares these | |
to current system files in order to detect changes. | |
The RPM package management system can conduct integrity | |
checks by comparing information in its metadata database with | |
files installed on the system. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
Integrity checking cannot <i xmlns="http://www.w3.org/1999/xhtml">prevent</i> intrusions, | |
but can detect that they have occurred. Requirements | |
for software integrity checking may be highly dependent on | |
the environment in which the system will be used. Snapshot-based | |
approaches such as AIDE may induce considerable overhead | |
in the presence of frequent software updates. | |
</description> | |
<Group id="aide"> | |
<title xml:lang="en-US">Verify Integrity with AIDE</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">AIDE conducts integrity checks by comparing information about | |
files with previously-gathered information. Ideally, the AIDE database is | |
created immediately after initial system configuration, and then again after any | |
software update. AIDE is highly configurable, with further configuration | |
information located in <xhtml:code>/usr/share/doc/aide-<i xmlns="http://www.w3.org/1999/xhtml">VERSION</i></xhtml:code>. | |
</description> | |
<Rule id="package_aide_installed" selected="false" severity="medium"> | |
<title xml:lang="en-US">Install AIDE</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Install the AIDE package with the command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># yum install aide</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-3(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-3(e)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(3)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-28</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1069</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The AIDE package must be installed if it is to be available for integrity checking. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27024-9</ident> | |
<fix system="urn:xccdf:fix:script:sh">yum -y install aide | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:245" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the package is not installed" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Run the following command to determine if the <xhtml:code>aide</xhtml:code> package is installed: | |
<xhtml:pre># rpm -q aide</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="disable_prelink" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable Prelinking</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The prelinking feature changes binaries in an attempt to decrease their startup | |
time. In order to disable it, change or add the following line inside the file | |
<xhtml:code>/etc/sysconfig/prelink</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">PRELINKING=no</pre> | |
Next, run the following command to return binaries to a normal, non-prelinked state: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># /usr/sbin/prelink -ua</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(3)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-28</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-7</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The prelinking feature can interfere with the operation | |
of AIDE, because it changes binaries. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27221-1</ident> | |
</Rule> | |
<Rule id="aide_build_database" selected="false" severity="low"> | |
<title xml:lang="en-US">Build and Test AIDE Database</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Run the following command to generate a new database: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># /usr/sbin/aide --init</pre> | |
By default, the database will be written to the file <xhtml:code>/var/lib/aide/aide.db.new.gz</xhtml:code>. | |
Storing the database, the configuration file <xhtml:code>/etc/aide.conf</xhtml:code>, and the binary | |
<xhtml:code>/usr/sbin/aide</xhtml:code> (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. | |
The newly-generated database can be installed as follows: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz</pre> | |
To initiate a manual check, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># /usr/sbin/aide --check</pre> | |
If this check produces any unexpected output, investigate. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-3(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-3(e)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(3)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-28</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-7</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
For AIDE to be effective, an initial database of "known-good" information about files | |
must be captured and it should be able to be verified against the installed files. | |
</rationale> | |
</Rule> | |
<Rule id="aide_periodic_cron_checking" selected="false" severity="medium"> | |
<title xml:lang="en-US">Configure Periodic Execution of AIDE</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To implement a daily execution of AIDE at 4:05am using cron, add the following line to <xhtml:code>/etc/crontab</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">05 4 * * * root /usr/sbin/aide --check</pre> | |
AIDE can be executed periodically through other means; this is merely one example. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-3(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-3(e)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(3)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-28</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">374</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">416</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1069</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1263</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1297</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1589</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
By default, AIDE does not install itself for periodic execution. Periodically | |
running AIDE is necessary to reveal unexpected changes in installed files. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27222-9</ident> | |
<check system="ocil-transitional"> | |
<check-export export-name="there is no output" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To determine that periodic AIDE execution has been scheduled, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># grep aide /etc/crontab</pre> | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
<Group id="rpm_verification"> | |
<title xml:lang="en-US">Verify Integrity with RPM</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The RPM package management system includes the ability | |
to verify the integrity of installed packages by comparing the | |
installed files with information about the files taken from the | |
package metadata stored in the RPM database. Although an attacker | |
could corrupt the RPM database (analogous to attacking the AIDE | |
database as described above), this check can still reveal | |
modification of important files. To list which files on the system differ from what is expected by the RPM database: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># rpm -qVa</pre> | |
See the man page for <xhtml:code>rpm</xhtml:code> to see a complete explanation of each column. | |
</description> | |
<Rule id="rpm_verify_permissions" selected="false" severity="low"> | |
<title xml:lang="en-US">Verify and Correct File Permissions with RPM</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The RPM package management system can check file access | |
permissions of installed software packages, including many that are | |
important to system security. | |
After locating a file with incorrect permissions, run the following command to determine which package owns it: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># rpm -qf <i>FILENAME</i></pre> | |
Next, run the following command to reset its permissions to | |
the correct values: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># rpm --setperms <i>PACKAGENAME</i></pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(3)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1493</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1494</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1495</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Permissions on system binaries and configuration files that are too generous | |
could allow an unauthorized user to gain privileges that they should not have. | |
The permissions set by the vendor should be maintained. Any deviations from | |
this baseline should be investigated.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26731-0</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:1234" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="there is output" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
The following command will list which files on the system have permissions different from what | |
is expected by the RPM database: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># rpm -Va | grep '^.M'</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="rpm_verify_hashes" selected="false" severity="low"> | |
<title xml:lang="en-US">Verify File Hashes with RPM</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The RPM package management system can check the hashes of | |
installed software packages, including many that are important to system | |
security. Run the following command to list which files on the system | |
have hashes that differ from what is expected by the RPM database: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># rpm -Va | grep '^..5'</pre> | |
A "c" in the second column indicates that a file is a configuration file, which | |
may appropriately be expected to change. If the file was not expected to | |
change, investigate the cause of the change using audit logs or other means. | |
The package can then be reinstalled to restore the file. | |
Run the following command to determine which package owns the file: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># rpm -qf <i>FILENAME</i></pre> | |
The package can be reinstalled from a yum repository using the command: | |
<pre xmlns="http://www.w3.org/1999/xhtml">yum reinstall <i>PACKAGENAME</i></pre> | |
Alternatively, the package can be reinstalled from trusted media using the command: | |
<pre xmlns="http://www.w3.org/1999/xhtml">rpm -Uvh <i>PACKAGENAME</i></pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(3)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1496</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The hashes of important files like system executables should match the | |
information given by the RPM database. Executables with erroneous hashes could | |
be a sign of nefarious activity on the system.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27223-7</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:237" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="there is output" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> The following command will list which files on the system | |
have file hashes different from what is expected by the RPM database. | |
<pre xmlns="http://www.w3.org/1999/xhtml"># rpm -Va | grep '$1 ~ /..5/ && $2 != "c"'</pre> | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
<Group id="additional_security_software"> | |
<title xml:lang="en-US">Additional Security Software</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Additional security software that is not provided or supported | |
by Red Hat can be installed to provide complementary or duplicative | |
security capabilities to those provided by the base platform. Add-on | |
software may not be appropriate for some specialized systems. | |
</description> | |
<Rule id="install_hids" selected="false" severity="high"> | |
<title xml:lang="en-US">Install Intrusion Detection Software</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The Red Hat platform includes a sophisticated auditing system | |
and SELinux, which provide host-based intrusion detection capabilities. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1263</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Host-based intrusion detection tools provide a system-level defense when an | |
intruder gains access to a system or network. | |
</rationale> | |
<check system="ocil-transitional"> | |
<check-export export-name="SELinux is installed, this is not a finding. However, if neither SELinux nor HBSS is used on the system" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Inspect the system to determine if intrusion detection software has been installed. | |
SELinux is the intrusion detection system included with RHEL. Another one is | |
McAfee HBSS, which is available through Cybercom. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="install_antivirus" selected="false" severity="low"> | |
<title xml:lang="en-US">Install Virus Scanning Software</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Install virus scanning software, which uses signatures to search for the | |
presence of viruses on the filesystem. | |
The McAfee uvscan virus scanning tool is provided for DoD systems. | |
Ensure virus definition files are no older than 7 days, or their last release. | |
<!-- need info here on where DoD admins can go to get this --> | |
Configure the virus scanning software to perform scans dynamically on all | |
accessed files. If this is not possible, configure the | |
system to scan all altered files on the system on a daily | |
basis. If the system processes inbound SMTP mail, configure the virus scanner | |
to scan all received mail. | |
<!-- what's the basis for the IAO language? would not failure of a check | |
imply a discussion, for every check in this document, | |
with the IAO (or SSO or ISSO or ISSM or whatever is the right acronym in your | |
particular neighborhood) should occur? --> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-28</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-3</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1239</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1668</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Virus scanning software can be used to detect if a system has been compromised by | |
computer viruses, as well as to limit their spread to other systems. | |
</rationale> | |
<check system="ocil-transitional"> | |
<check-export export-name="virus scanning software does not run daily, or has signatures that are out of date" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Inspect the system for a cron job or system service which executes | |
a virus scanning tool regularly. | |
<br xmlns="http://www.w3.org/1999/xhtml"/> | |
<!-- this should be handled as DoD-specific text in a future revision --> | |
To verify the McAfee command line scan tool (uvscan) is scheduled for | |
regular execution, run the following command to check for a cron job: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># grep uvscan /etc/cron* /var/spool/cron/*</pre> | |
This will reveal if and when the uvscan program will be run. | |
<br xmlns="http://www.w3.org/1999/xhtml"/> | |
To check on the age of uvscan virus definition files, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># cd /usr/local/uvscan | |
# ls -la avvscan.dat avvnames.dat avvclean.dat</pre> | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
</Group> | |
</Group> | |
<Group id="permissions"> | |
<title xml:lang="en-US">File Permissions and Masks</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Traditional Unix security relies heavily on file and | |
directory permissions to prevent unauthorized users from reading or | |
modifying files to which they should not have access. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
Several of the commands in this section search filesystems | |
for files or directories with certain characteristics, and are | |
intended to be run on every local partition on a given machine. | |
When the variable <i xmlns="http://www.w3.org/1999/xhtml">PART</i> appears in one of the commands below, | |
it means that the command is intended to be run repeatedly, with the | |
name of each local partition substituted for <i xmlns="http://www.w3.org/1999/xhtml">PART</i> in turn. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
The following command prints a list of all ext4 partitions on the local | |
system, which is the default filesystem for Red Hat Enterprise Linux | |
6 installations: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ mount -t ext4 | awk '{print $3}'</pre> | |
For any systems that use a different | |
local filesystem type, modify this command as appropriate. | |
</description> | |
<Group id="partitions"> | |
<title xml:lang="en-US">Restrict Partition Mount Options</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">System partitions can be mounted with certain options | |
that limit what files on those partitions can do. These options | |
are set in the <xhtml:code>/etc/fstab</xhtml:code> configuration file, and can be | |
used to make certain types of malicious behavior more difficult.</description> | |
<Value id="var_removable_partition" operator="equals" type="string"> | |
<title xml:lang="en-US">Removable Partition</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This value is used by the checks mount_option_nodev_removable_partitions, mount_option_nodev_removable_partitions, | |
and mount_option_nodev_removable_partitions to ensure that the correct mount options are set on partitions mounted from | |
removable media such as CD-ROMs, USB keys, and floppy drives. This value should be modified to reflect any removable | |
partitions that are required on the local system.</description> | |
<value selector="dev_cdrom">/dev/cdrom</value> | |
</Value> | |
<Rule id="mountopt_nodev_on_nonroot_partitions" selected="false" severity="low"> | |
<title xml:lang="en-US">Add nodev Option to Non-Root Local Partitions</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>nodev</xhtml:code> mount option prevents files from being | |
interpreted as character or block devices. | |
Legitimate character and block devices should exist only in | |
the <xhtml:code>/dev</xhtml:code> directory on the root partition or within chroot | |
jails built for system services. | |
Add the <xhtml:code>nodev</xhtml:code> option to the fourth column of | |
<xhtml:code>/etc/fstab</xhtml:code> for the line which controls mounting of | |
any non-root local partitions. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>nodev</xhtml:code> mount option prevents files from being | |
interpreted as character or block devices. The only legitimate location | |
for device files is the <xhtml:code>/dev</xhtml:code> directory located on the root partition. | |
The only exception to this is chroot jails, for which it is not advised | |
to set <xhtml:code>nodev</xhtml:code> on these filesystems.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27045-4</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:472" href="ssg-rhel6-oval.xml"/> | |
</check> | |
</Rule> | |
<Rule id="mountopt_nodev_on_removable_partitions" selected="false" severity="low"> | |
<title xml:lang="en-US">Add nodev Option to Removable Media Partitions</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>nodev</xhtml:code> mount option prevents files from being | |
interpreted as character or block devices. | |
Legitimate character and block devices should exist only in | |
the <xhtml:code>/dev</xhtml:code> directory on the root partition or within chroot | |
jails built for system services. | |
Add the <xhtml:code>nodev</xhtml:code> option to the fourth column of | |
<xhtml:code>/etc/fstab</xhtml:code> for the line which controls mounting of | |
any removable media partitions. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(e)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">MP-2</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> The only legitimate location for device files is the <xhtml:code>/dev</xhtml:code> directory | |
located on the root partition. An exception to this is chroot jails, and it is | |
not advised to set <xhtml:code>nodev</xhtml:code> on partitions which contain their root | |
filesystems. </rationale> | |
<ident system="http://cce.mitre.org">CCE-26860-7</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2272" value-id="var_removable_partition"/> | |
<check-content-ref name="oval:ssg:def:668" href="ssg-rhel6-oval.xml"/> | |
</check> | |
</Rule> | |
<Rule id="mountopt_noexec_on_removable_partitions" selected="false" severity="low"> | |
<title xml:lang="en-US">Add noexec Option to Removable Media Partitions</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>noexec</xhtml:code> mount option prevents the direct | |
execution of binaries on the mounted filesystem. | |
Preventing the direct execution of binaries from removable media (such as a USB | |
key) provides a defense against malicious software that may be present on such | |
untrusted media. | |
Add the <xhtml:code>noexec</xhtml:code> option to the fourth column of | |
<xhtml:code>/etc/fstab</xhtml:code> for the line which controls mounting of | |
any removable media partitions. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(e)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">MP-2</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">87</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Allowing users to execute binaries from removable media such as USB keys exposes | |
the system to potential compromise.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27196-5</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2272" value-id="var_removable_partition"/> | |
<check-content-ref name="oval:ssg:def:336" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="removable media partitions are present" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To verify that binaries cannot be directly executed from removable media, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># grep -v noexec /etc/fstab</pre> | |
The resulting output will show partitions which do not have the <xhtml:code>noexec</xhtml:code> flag. Verify all partitions | |
in the output are not removable media. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="mountopt_nosuid_on_removable_partitions" selected="false" severity="low"> | |
<title xml:lang="en-US">Add nosuid Option to Removable Media Partitions</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>nosuid</xhtml:code> mount option prevents set-user-identifier (suid) | |
and set-group-identifier (sgid) permissions from taking effect. These permissions | |
allow users to execute binaries with the same permissions as the owner and group | |
of the file respectively. Users should not be allowed to introduce suid and guid | |
files into the system via partitions mounted from removeable media. | |
Add the <xhtml:code>nosuid</xhtml:code> option to the fourth column of | |
<xhtml:code>/etc/fstab</xhtml:code> for the line which controls mounting of | |
any removable media partitions. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(e)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">MP-2</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The presence of suid and sgid executables should be tightly controlled. Allowing | |
users to introduce suid or sgid binaries from partitions mounted off of | |
removable media would allow them to introduce their own highly-privileged programs.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27056-1</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2272" value-id="var_removable_partition"/> | |
<check-content-ref name="oval:ssg:def:1118" href="ssg-rhel6-oval.xml"/> | |
</check> | |
</Rule> | |
<Rule id="mount_option_tmp_nodev" selected="false" severity="low"> | |
<title xml:lang="en-US">Add nodev Option to /tmp</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The <xhtml:code>nodev</xhtml:code> mount option can be used to prevent device files from | |
being created in <xhtml:code>/tmp</xhtml:code>. | |
Legitimate character and block devices should not exist | |
within temporary directories like <xhtml:code>/tmp</xhtml:code>. | |
Add the <xhtml:code>nodev</xhtml:code> option to the fourth column of | |
<xhtml:code>/etc/fstab</xhtml:code> for the line which controls mounting of | |
<xhtml:code>/tmp</xhtml:code>. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">MP-2</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The only legitimate location for device files is the <xhtml:code>/dev</xhtml:code> directory | |
located on the root partition. The only exception to this is chroot jails.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26499-4</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:976" href="ssg-rhel6-oval.xml"/> | |
</check> | |
</Rule> | |
<Rule id="mount_option_tmp_noexec" selected="false" severity="low"> | |
<title xml:lang="en-US">Add noexec Option to /tmp</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>noexec</xhtml:code> mount option can be used to prevent binaries | |
from being executed out of <xhtml:code>/tmp</xhtml:code>. | |
Add the <xhtml:code>noexec</xhtml:code> option to the fourth column of | |
<xhtml:code>/etc/fstab</xhtml:code> for the line which controls mounting of | |
<xhtml:code>/tmp</xhtml:code>. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">MP-2</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Allowing users to execute binaries from world-writable directories | |
such as <xhtml:code>/tmp</xhtml:code> should never be necessary in normal operation and | |
can expose the system to potential compromise.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26720-3</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:675" href="ssg-rhel6-oval.xml"/> | |
</check> | |
</Rule> | |
<Rule id="mount_option_tmp_nosuid" selected="false" severity="low"> | |
<title xml:lang="en-US">Add nosuid Option to /tmp</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>nosuid</xhtml:code> mount option can be used to prevent | |
execution of setuid programs in <xhtml:code>/tmp</xhtml:code>. The suid/sgid permissions | |
should not be required in these world-writable directories. | |
Add the <xhtml:code>nosuid</xhtml:code> option to the fourth column of | |
<xhtml:code>/etc/fstab</xhtml:code> for the line which controls mounting of | |
<xhtml:code>/tmp</xhtml:code>. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">MP-2</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The presence of suid and sgid executables should be tightly controlled. Users | |
should not be able to execute suid or sgid binaries from temporary storage partitions.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26762-5</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:570" href="ssg-rhel6-oval.xml"/> | |
</check> | |
</Rule> | |
<Rule id="mount_option_dev_shm_nodev" selected="false" severity="low"> | |
<title xml:lang="en-US">Add nodev Option to /dev/shm</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>nodev</xhtml:code> mount option can be used to prevent creation | |
of device files in <xhtml:code>/dev/shm</xhtml:code>. | |
Legitimate character and block devices should not exist | |
within temporary directories like <xhtml:code>/dev/shm</xhtml:code>. | |
Add the <xhtml:code>nodev</xhtml:code> option to the fourth column of | |
<xhtml:code>/etc/fstab</xhtml:code> for the line which controls mounting of | |
<xhtml:code>/dev/shm</xhtml:code>. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">MP-2</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The only legitimate location for device files is the <xhtml:code>/dev</xhtml:code> directory | |
located on the root partition. The only exception to this is chroot jails.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26778-1</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:932" href="ssg-rhel6-oval.xml"/> | |
</check> | |
</Rule> | |
<Rule id="mount_option_dev_shm_noexec" selected="false" severity="low"> | |
<title xml:lang="en-US">Add noexec Option to /dev/shm</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>noexec</xhtml:code> mount option can be used to prevent binaries | |
from being executed out of <xhtml:code>/dev/shm</xhtml:code>. | |
It can be dangerous to allow the execution of binaries | |
from world-writable temporary storage directories such as <xhtml:code>/dev/shm</xhtml:code>. | |
Add the <xhtml:code>noexec</xhtml:code> option to the fourth column of | |
<xhtml:code>/etc/fstab</xhtml:code> for the line which controls mounting of | |
<xhtml:code>/dev/shm</xhtml:code>. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">MP-2</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Allowing users to execute binaries from world-writable directories | |
such as <xhtml:code>/dev/shm</xhtml:code> can expose the system to potential compromise.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26622-1</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:738" href="ssg-rhel6-oval.xml"/> | |
</check> | |
</Rule> | |
<Rule id="mount_option_dev_shm_nosuid" selected="false" severity="low"> | |
<title xml:lang="en-US">Add nosuid Option to /dev/shm</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>nosuid</xhtml:code> mount option can be used to prevent execution | |
of setuid programs in <xhtml:code>/dev/shm</xhtml:code>. The suid/sgid permissions should not | |
be required in these world-writable directories. | |
Add the <xhtml:code>nosuid</xhtml:code> option to the fourth column of | |
<xhtml:code>/etc/fstab</xhtml:code> for the line which controls mounting of | |
<xhtml:code>/dev/shm</xhtml:code>. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">MP-2</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The presence of suid and sgid executables should be tightly controlled. Users | |
should not be able to execute suid or sgid binaries from temporary storage partitions.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26486-1</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:636" href="ssg-rhel6-oval.xml"/> | |
</check> | |
</Rule> | |
<Rule id="mount_option_var_tmp_bind_var" selected="false" severity="low"> | |
<title xml:lang="en-US">Bind Mount /var/tmp To /tmp</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>/var/tmp</xhtml:code> directory is a world-writable directory. | |
Bind-mount it to <xhtml:code>/tmp</xhtml:code> in order to consolidate temporary storage into | |
one location protected by the same techniques as <xhtml:code>/tmp</xhtml:code>. To do so, edit | |
<xhtml:code>/etc/fstab</xhtml:code> and add the following line: | |
<pre xmlns="http://www.w3.org/1999/xhtml">/tmp /var/tmp none rw,nodev,noexec,nosuid,bind 0 0</pre> | |
See the <xhtml:code>mount(8)</xhtml:code> man page for further explanation of bind mounting. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Having multiple locations for temporary storage is not required. Unless absolutely | |
necessary to meet requirements, the storage location <xhtml:code>/var/tmp</xhtml:code> should be bind mounted to | |
<xhtml:code>/tmp</xhtml:code> and thus share the same protections.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26582-7</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:231" href="ssg-rhel6-oval.xml"/> | |
</check> | |
</Rule> | |
</Group> | |
<Group id="mounting"> | |
<title xml:lang="en-US">Restrict Dynamic Mounting and Unmounting of | |
Filesystems</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Linux includes a number of facilities for the automated addition | |
and removal of filesystems on a running system. These facilities may be | |
necessary in many environments, but this capability also carries some risk -- whether direct | |
risk from allowing users to introduce arbitrary filesystems, | |
or risk that software flaws in the automated mount facility itself could | |
allow an attacker to compromise the system. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
This command can be used to list the types of filesystems that are | |
available to the currently executing kernel: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># find /lib/modules/`uname -r`/kernel/fs -type f -name '*.ko'</pre> | |
If these filesystems are not required then they can be explicitly disabled | |
in a configuratio file in <xhtml:code>/etc/modprobe.d</xhtml:code>. | |
</description> | |
<Rule id="kernel_module_usb-storage_disabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable Modprobe Loading of USB Storage Driver</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To prevent USB storage devices from being used, configure the kernel module loading system | |
to prevent automatic loading of the USB storage driver. | |
To configure the system to prevent the <xhtml:code>usb-storage</xhtml:code> | |
kernel module from being loaded, add the following line to a file in the directory <xhtml:code>/etc/modprobe.d</xhtml:code>: | |
<xhtml:pre xml:space="preserve">install usb-storage /bin/false</xhtml:pre> | |
This will prevent the <xhtml:code>modprobe</xhtml:code> program from loading the <xhtml:code>usb-storage</xhtml:code> | |
module, but will not prevent an administrator (or another program) from using the | |
<xhtml:code>insmod</xhtml:code> program to load the module manually.</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(e)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1250</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">85</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">USB storage devices such as thumb drives can be used to introduce | |
malicious software.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27016-5</ident> | |
<fix system="urn:xccdf:fix:script:sh">echo "install usb-storage /bin/false" > /etc/modprobe.d/usb-storage.conf | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:907" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="no line is returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
If the system is configured to prevent the loading of the | |
<xhtml:code>usb-storage</xhtml:code> kernel module, | |
it will contain lines inside any file in <xhtml:code>/etc/modprobe.d</xhtml:code> or the deprecated<xhtml:code>/etc/modprobe.conf</xhtml:code>. | |
These lines instruct the module loading system to run another program (such as | |
<xhtml:code>/bin/false</xhtml:code>) upon a module <xhtml:code>install</xhtml:code> event. | |
Run the following command to search for such lines in all files in <xhtml:code>/etc/modprobe.d</xhtml:code> | |
and the deprecated <xhtml:code>/etc/modprobe.conf</xhtml:code>: | |
<xhtml:pre xml:space="preserve">$ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="bootloader_nousb_argument" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable Kernel Support for USB via Bootloader Configuration</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
All USB support can be disabled by adding the <xhtml:code>nousb</xhtml:code> | |
argument to the kernel's boot loader configuration. To do so, | |
append "nousb" to the kernel line in <xhtml:code>/etc/grub.conf</xhtml:code> as shown: | |
<pre xmlns="http://www.w3.org/1999/xhtml">kernel /vmlinuz-<i>VERSION</i> ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet nousb</pre> | |
<i xmlns="http://www.w3.org/1999/xhtml"><b>WARNING:</b> Disabling all kernel support for USB will cause problems for | |
systems with USB-based keyboards, mice, or printers. This configuration is | |
infeasible for systems which require USB devices, which is common.</i></description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(e)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1250</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disabling the USB subsystem within the Linux kernel at system boot will | |
protect against potentially malicious USB devices, although it is only practical | |
in specialized systems. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27011-6</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:428" href="ssg-rhel6-oval.xml"/> | |
</check> | |
</Rule> | |
<Rule id="bios_disable_usb_boot" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable Booting from USB Devices in Boot Firmware</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure the system boot firmware (historically called BIOS on PC | |
systems) to disallow booting from USB drives. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(e)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1250</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Booting a system from a USB device would allow an attacker to | |
circumvent any security measures provided by the operating system. Attackers | |
could mount partitions and modify the configuration of the OS.</rationale> | |
</Rule> | |
<Rule id="bios_assign_password" selected="false" severity="low"> | |
<title xml:lang="en-US">Assign Password to Prevent Changes to Boot Firmware Configuration</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Assign a password to the system boot firmware (historically called BIOS on PC | |
systems) to require a password for any configuration changes. | |
</description> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Assigning a password to the system boot firmware prevents anyone | |
with physical access from configuring the system to boot | |
from local media and circumvent the operating system's access controls. | |
For systems in physically secure locations, such as | |
a data center or Sensitive Compartmented Information Facility (SCIF), this risk must be weighed | |
against the risk of administrative personnel being unable to conduct recovery operations in | |
a timely fashion. | |
</rationale> | |
</Rule> | |
<Rule id="service_autofs_disabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable the Automounter</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>autofs</xhtml:code> daemon mounts and unmounts filesystems, such as user | |
home directories shared via NFS, on demand. In addition, autofs can be used to handle | |
removable media, and the default configuration provides the cdrom device as <xhtml:code>/misc/cd</xhtml:code>. | |
However, this method of providing access to removable media is not common, so autofs | |
can almost always be disabled if NFS is not in use. Even if NFS is required, it may be | |
possible to configure filesystem mounts statically by editing <xhtml:code>/etc/fstab</xhtml:code> | |
rather than relying on the automounter. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
The <xhtml:code>autofs</xhtml:code> service can be disabled with the following command: | |
<xhtml:pre># chkconfig autofs off</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(e)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1250</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">85</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disabling the automounter permits the administrator to | |
statically control filesystem mounting through <xhtml:code>/etc/fstab</xhtml:code>. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26976-1</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Disable autofs for all run levels | |
# | |
chkconfig --level 0123456 autofs off | |
# | |
# Stop autofs if currently running | |
# | |
service autofs stop | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:1040" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check that the <xhtml:code>autofs</xhtml:code> service is disabled in system boot configuration, run the following command: | |
<xhtml:pre># chkconfig <xhtml:code>autofs</xhtml:code> --list</xhtml:pre> | |
Output should indicate the <xhtml:code>autofs</xhtml:code> service has either not been installed, | |
or has been disabled at all runlevels, as shown in the example below: | |
<xhtml:pre># chkconfig <xhtml:code>autofs</xhtml:code> --list | |
<xhtml:code>autofs</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre> | |
Run the following command to verify <xhtml:code>autofs</xhtml:code> is disabled through current runtime configuration: | |
<xhtml:pre># service autofs status</xhtml:pre> | |
If the service is disabled the command will return the following output: | |
<xhtml:pre>autofs is stopped</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="gconf_gnome_disable_automount" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable GNOME Automounting</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The system's default desktop environment, GNOME, will mount | |
devices and removable media (such as DVDs, CDs and USB flash drives) whenever | |
they are inserted into the system. Disable automount and autorun within GNOME | |
by running the following: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># gconftool-2 --direct \ | |
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ | |
--type bool \ | |
--set /apps/nautilus/preferences/media_automount false | |
# gconftool-2 --direct \ | |
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ | |
--type bool \ | |
--set /apps/nautilus/preferences/media_autorun_never true</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(e)</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disabling | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27035-5</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:1133" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="GNOME automounting is not disabled" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
These settings can be verified by running the following: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ gconftool-2 --direct \ | |
--config-source xml:read:/etc/gconf/gconf.xml.mandatory \ | |
--get /apps/nautilus/preferences/media_automount | |
$ gconftool-2 --direct \ | |
--config-source xml:read:/etc/gconf/gconf.xml.mandatory \ | |
--get /apps/nautilus/preferences/media_autorun_never</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="kernel_module_cramfs_disabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable Mounting of cramfs</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To configure the system to prevent the <xhtml:code>cramfs</xhtml:code> | |
kernel module from being loaded, add the following line to a file in the directory <xhtml:code>/etc/modprobe.d</xhtml:code>: | |
<xhtml:pre xml:space="preserve">install cramfs /bin/false</xhtml:pre> | |
This effectively prevents usage of this uncommon filesystem. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Linux kernel modules which implement filesystems that are not needed by the | |
local system should be disabled.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26340-0</ident> | |
<fix system="urn:xccdf:fix:script:sh">echo "install cramfs /bin/false" > /etc/modprobe.d/cramfs.conf | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:455" href="ssg-rhel6-oval.xml"/> | |
</check> | |
</Rule> | |
<Rule id="kernel_module_freevxfs_disabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable Mounting of freevxfs</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To configure the system to prevent the <xhtml:code>freevxfs</xhtml:code> | |
kernel module from being loaded, add the following line to a file in the directory <xhtml:code>/etc/modprobe.d</xhtml:code>: | |
<xhtml:pre xml:space="preserve">install freevxfs /bin/false</xhtml:pre> | |
This effectively prevents usage of this uncommon filesystem. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Linux kernel modules which implement filesystems that are not needed by the | |
local system should be disabled.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26544-7</ident> | |
<fix system="urn:xccdf:fix:script:sh">echo "install freevxfs /bin/false" > /etc/modprobe.d/freevxfs.conf | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:708" href="ssg-rhel6-oval.xml"/> | |
</check> | |
</Rule> | |
<Rule id="kernel_module_jffs2_disabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable Mounting of jffs2</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To configure the system to prevent the <xhtml:code>jffs2</xhtml:code> | |
kernel module from being loaded, add the following line to a file in the directory <xhtml:code>/etc/modprobe.d</xhtml:code>: | |
<xhtml:pre xml:space="preserve">install jffs2 /bin/false</xhtml:pre> | |
This effectively prevents usage of this uncommon filesystem. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Linux kernel modules which implement filesystems that are not needed by the | |
local system should be disabled.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26670-0</ident> | |
<fix system="urn:xccdf:fix:script:sh">echo "install jffs2 /bin/false" > /etc/modprobe.d/jffs2.conf | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:647" href="ssg-rhel6-oval.xml"/> | |
</check> | |
</Rule> | |
<Rule id="kernel_module_hfs_disabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable Mounting of hfs</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To configure the system to prevent the <xhtml:code>hfs</xhtml:code> | |
kernel module from being loaded, add the following line to a file in the directory <xhtml:code>/etc/modprobe.d</xhtml:code>: | |
<xhtml:pre xml:space="preserve">install hfs /bin/false</xhtml:pre> | |
This effectively prevents usage of this uncommon filesystem. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Linux kernel modules which implement filesystems that are not needed by the | |
local system should be disabled.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26800-3</ident> | |
<fix system="urn:xccdf:fix:script:sh">echo "install hfs /bin/false" > /etc/modprobe.d/hfs.conf | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:148" href="ssg-rhel6-oval.xml"/> | |
</check> | |
</Rule> | |
<Rule id="kernel_module_hfsplus_disabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable Mounting of hfsplus</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To configure the system to prevent the <xhtml:code>hfsplus</xhtml:code> | |
kernel module from being loaded, add the following line to a file in the directory <xhtml:code>/etc/modprobe.d</xhtml:code>: | |
<xhtml:pre xml:space="preserve">install hfsplus /bin/false</xhtml:pre> | |
This effectively prevents usage of this uncommon filesystem. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Linux kernel modules which implement filesystems that are not needed by the | |
local system should be disabled.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26361-6</ident> | |
<fix system="urn:xccdf:fix:script:sh">echo "install hfsplus /bin/false" > /etc/modprobe.d/hfsplus.conf | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:941" href="ssg-rhel6-oval.xml"/> | |
</check> | |
</Rule> | |
<Rule id="kernel_module_squashfs_disabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable Mounting of squashfs</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To configure the system to prevent the <xhtml:code>squashfs</xhtml:code> | |
kernel module from being loaded, add the following line to a file in the directory <xhtml:code>/etc/modprobe.d</xhtml:code>: | |
<xhtml:pre xml:space="preserve">install squashfs /bin/false</xhtml:pre> | |
This effectively prevents usage of this uncommon filesystem. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Linux kernel modules which implement filesystems that are not needed by the | |
local system should be disabled.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26404-4</ident> | |
<fix system="urn:xccdf:fix:script:sh">echo "install squashfs /bin/false" > /etc/modprobe.d/squashfs.conf | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:796" href="ssg-rhel6-oval.xml"/> | |
</check> | |
</Rule> | |
<Rule id="kernel_module_udf_disabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable Mounting of udf</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To configure the system to prevent the <xhtml:code>udf</xhtml:code> | |
kernel module from being loaded, add the following line to a file in the directory <xhtml:code>/etc/modprobe.d</xhtml:code>: | |
<xhtml:pre xml:space="preserve">install udf /bin/false</xhtml:pre> | |
This effectively prevents usage of this uncommon filesystem. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Linux kernel modules which implement filesystems that are not needed by the | |
local system should be disabled.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26677-5</ident> | |
<fix system="urn:xccdf:fix:script:sh">echo "install udf /bin/false" > /etc/modprobe.d/udf.conf | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:744" href="ssg-rhel6-oval.xml"/> | |
</check> | |
</Rule> | |
<Rule id="disable_gnome_thumbnailers" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable All GNOME Thumbnailers</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The system's default desktop environment, GNOME, uses | |
a number of different thumbnailer programs to generate thumbnails | |
for any new or modified content in an opened folder. The following | |
command can disable the execution of these thumbnail applications: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># gconftool-2 --direct \ | |
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ | |
--type bool \ | |
--set /desktop/gnome/thumbnailers/disable_all true</pre> | |
This effectively prevents an attacker from gaining access to a | |
system through a flaw in GNOME's Nautilus thumbnail creators. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">An attacker with knowledge of a flaw in a GNOME thumbnailer application could craft a malicious | |
file to exploit this flaw. Assuming the attacker could place the malicious file on the local filesystem | |
(via a web upload for example) and assuming a user browses the same location using Nautilus, the | |
malicious file would exploit the thumbnailer with the potential for malicious code execution. It | |
is best to disable these thumbnailer applications unless they are explicitly required.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27224-5</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:847" href="ssg-rhel6-oval.xml"/> | |
</check> | |
</Rule> | |
</Group> | |
<Group id="files"> | |
<title xml:lang="en-US">Verify Permissions on Important Files and | |
Directories</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Permissions for many files on a system must be set | |
restrictively to ensure sensitive information is properly protected. | |
This section discusses important | |
permission restrictions which can be verified | |
to ensure that no harmful discrepancies have | |
arisen.</description> | |
<Group id="permissions_important_account_files"> | |
<title xml:lang="en-US">Verify Permissions on Files with Local Account Information and Credentials</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The default restrictive permissions for files which act as | |
important security databases such as <xhtml:code>passwd</xhtml:code>, <xhtml:code>shadow</xhtml:code>, | |
<xhtml:code>group</xhtml:code>, and <xhtml:code>gshadow</xhtml:code> files must be maintained. Many utilities | |
need read access to the <xhtml:code>passwd</xhtml:code> file in order to function properly, but | |
read access to the <xhtml:code>shadow</xhtml:code> file allows malicious attacks against system | |
passwords, and should never be enabled.</description> | |
<Rule id="userowner_shadow_file" selected="false" severity="medium"> | |
<title xml:lang="en-US">Verify User Who Owns shadow File</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To properly set the owner of <xhtml:code>/etc/shadow</xhtml:code>, run the command: | |
<xhtml:pre xml:space="preserve"># chown root /etc/shadow </xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">225</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>/etc/shadow</xhtml:code> file contains the list of local | |
system accounts and stores password hashes. Protection of this file is | |
critical for system security. Failure to give ownership of this file | |
to root provides the designated owner with access to sensitive information | |
which could weaken the system security posture.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26947-2</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:1069" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it does not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check the ownership of <xhtml:code>/etc/shadow</xhtml:code>, run the command: | |
<xhtml:pre>$ ls -lL /etc/shadow</xhtml:pre> | |
If properly configured, the output should indicate the following owner: | |
<xhtml:code>root</xhtml:code> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="groupowner_shadow_file" selected="false" severity="medium"> | |
<title xml:lang="en-US">Verify Group Who Owns shadow File</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To properly set the group owner of <xhtml:code>/etc/shadow</xhtml:code>, run the command: | |
<xhtml:pre xml:space="preserve"># chgrp root /etc/shadow </xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">225</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>/etc/shadow</xhtml:code> file stores password hashes. Protection of this file is | |
critical for system security.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26967-0</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:543" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it does not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check the group ownership of <xhtml:code>/etc/shadow</xhtml:code>, run the command: | |
<xhtml:pre>$ ls -lL /etc/shadow</xhtml:pre> | |
If properly configured, the output should indicate the following group-owner. | |
<xhtml:code>root</xhtml:code> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="perms_shadow_file" selected="false" severity="medium"> | |
<title xml:lang="en-US">Verify Permissions on shadow File</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To properly set the permissions of <xhtml:code>/etc/shadow</xhtml:code>, run the command: | |
<xhtml:pre xml:space="preserve"># chmod 0000 /etc/shadow</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">225</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>/etc/shadow</xhtml:code> file contains the list of local | |
system accounts and stores password hashes. Protection of this file is | |
critical for system security. Failure to give ownership of this file | |
to root provides the designated owner with access to sensitive information | |
which could weaken the system security posture.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26992-8</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:673" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it does not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check the permissions of <xhtml:code>/etc/shadow</xhtml:code>, run the command: | |
<xhtml:pre>$ ls -l /etc/shadow</xhtml:pre> | |
If properly configured, the output should indicate the following permissions: | |
<xhtml:code>----------</xhtml:code> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="userowner_group_file" selected="false" severity="medium"> | |
<title xml:lang="en-US">Verify User Who Owns group File</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To properly set the owner of <xhtml:code>/etc/group</xhtml:code>, run the command: | |
<xhtml:pre xml:space="preserve"># chown root /etc/group </xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>/etc/group</xhtml:code> file contains information regarding groups that are configured | |
on the system. Protection of this file is important for system security.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26822-7</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:476" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it does not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check the ownership of <xhtml:code>/etc/group</xhtml:code>, run the command: | |
<xhtml:pre>$ ls -lL /etc/group</xhtml:pre> | |
If properly configured, the output should indicate the following owner: | |
<xhtml:code>root</xhtml:code> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="groupowner_group_file" selected="false" severity="medium"> | |
<title xml:lang="en-US">Verify Group Who Owns group File</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To properly set the group owner of <xhtml:code>/etc/group</xhtml:code>, run the command: | |
<xhtml:pre xml:space="preserve"># chgrp root /etc/group </xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">225</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>/etc/group</xhtml:code> file contains information regarding groups that are configured | |
on the system. Protection of this file is important for system security.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26930-8</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:1092" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it does not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check the group ownership of <xhtml:code>/etc/group</xhtml:code>, run the command: | |
<xhtml:pre>$ ls -lL /etc/group</xhtml:pre> | |
If properly configured, the output should indicate the following group-owner. | |
<xhtml:code>root</xhtml:code> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="perms_group_file" selected="false" severity="medium"> | |
<title xml:lang="en-US">Verify Permissions on group File</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To properly set the permissions of <xhtml:code>/etc/group</xhtml:code>, run the command: | |
<xhtml:pre xml:space="preserve"># chmod 644 /etc/group</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">225</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>/etc/group</xhtml:code> file contains information regarding groups that are configured | |
on the system. Protection of this file is important for system security.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26954-8</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:523" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it does not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check the permissions of <xhtml:code>/etc/group</xhtml:code>, run the command: | |
<xhtml:pre>$ ls -l /etc/group</xhtml:pre> | |
If properly configured, the output should indicate the following permissions: | |
<xhtml:code>-rw-r--r--</xhtml:code> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="userowner_gshadow_file" selected="false" severity="medium"> | |
<title xml:lang="en-US">Verify User Who Owns gshadow File</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To properly set the owner of <xhtml:code>/etc/gshadow</xhtml:code>, run the command: | |
<xhtml:pre xml:space="preserve"># chown root /etc/gshadow </xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">225</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>/etc/gshadow</xhtml:code> file contains group password hashes. Protection of this file | |
is critical for system security.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27026-4</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:698" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it does not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check the ownership of <xhtml:code>/etc/gshadow</xhtml:code>, run the command: | |
<xhtml:pre>$ ls -lL /etc/gshadow</xhtml:pre> | |
If properly configured, the output should indicate the following owner: | |
<xhtml:code>root</xhtml:code> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="groupowner_gshadow_file" selected="false" severity="medium"> | |
<title xml:lang="en-US">Verify Group Who Owns gshadow File</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To properly set the group owner of <xhtml:code>/etc/gshadow</xhtml:code>, run the command: | |
<xhtml:pre xml:space="preserve"># chgrp root /etc/gshadow </xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">225</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>/etc/gshadow</xhtml:code> file contains group password hashes. Protection of this file | |
is critical for system security.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26975-3</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:1238" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it does not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check the group ownership of <xhtml:code>/etc/gshadow</xhtml:code>, run the command: | |
<xhtml:pre>$ ls -lL /etc/gshadow</xhtml:pre> | |
If properly configured, the output should indicate the following group-owner. | |
<xhtml:code>root</xhtml:code> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="perms_gshadow_file" selected="false" severity="medium"> | |
<title xml:lang="en-US">Verify Permissions on gshadow File</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To properly set the permissions of <xhtml:code>/etc/gshadow</xhtml:code>, run the command: | |
<xhtml:pre xml:space="preserve"># chmod 0000 /etc/gshadow</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">225</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>/etc/gshadow</xhtml:code> file contains group password hashes. Protection of this file | |
is critical for system security.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26951-4</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:849" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it does not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check the permissions of <xhtml:code>/etc/gshadow</xhtml:code>, run the command: | |
<xhtml:pre>$ ls -l /etc/gshadow</xhtml:pre> | |
If properly configured, the output should indicate the following permissions: | |
<xhtml:code>----------</xhtml:code> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="userowner_passwd_file" selected="false" severity="medium"> | |
<title xml:lang="en-US">Verify User Who Owns passwd File</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To properly set the owner of <xhtml:code>/etc/passwd</xhtml:code>, run the command: | |
<xhtml:pre xml:space="preserve"># chown root /etc/passwd </xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">225</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>/etc/passwd</xhtml:code> file contains information about the users that are configured on | |
the system. Protection of this file is critical for system security.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26953-0</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:1027" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it does not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check the ownership of <xhtml:code>/etc/passwd</xhtml:code>, run the command: | |
<xhtml:pre>$ ls -lL /etc/passwd</xhtml:pre> | |
If properly configured, the output should indicate the following owner: | |
<xhtml:code>root</xhtml:code> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="groupowner_passwd_file" selected="false" severity="medium"> | |
<title xml:lang="en-US">Verify Group Who Owns passwd File</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To properly set the group owner of <xhtml:code>/etc/passwd</xhtml:code>, run the command: | |
<xhtml:pre xml:space="preserve"># chgrp root /etc/passwd </xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">225</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>/etc/passwd</xhtml:code> file contains information about the users that are configured on | |
the system. Protection of this file is critical for system security.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26856-5</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:727" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it does not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check the group ownership of <xhtml:code>/etc/passwd</xhtml:code>, run the command: | |
<xhtml:pre>$ ls -lL /etc/passwd</xhtml:pre> | |
If properly configured, the output should indicate the following group-owner. | |
<xhtml:code>root</xhtml:code> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="file_permissions_etc_passwd" selected="false" severity="medium"> | |
<title xml:lang="en-US">Verify Permissions on passwd File</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To properly set the permissions of <xhtml:code>/etc/passwd</xhtml:code>, run the command: | |
<xhtml:pre xml:space="preserve"># chmod 0644 /etc/passwd</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">225</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If the <xhtml:code>/etc/passwd</xhtml:code> file is writable by a group-owner or the | |
world the risk of its compromise is increased. The file contains the list of | |
accounts on the system and associated information, and protection of this file | |
is critical for system security.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26868-0</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:671" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it does not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check the permissions of <xhtml:code>/etc/passwd</xhtml:code>, run the command: | |
<xhtml:pre>$ ls -l /etc/passwd</xhtml:pre> | |
If properly configured, the output should indicate the following permissions: | |
<xhtml:code>-rw-r--r--</xhtml:code> | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
<Group id="permissions_within_important_dirs"> | |
<title xml:lang="en-US">Verify File Permissions Within Some Important Directories</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Some directories contain files whose confidentiality or integrity | |
is notably important and may also be susceptible to misconfiguration over time, particularly if | |
unpackaged software is installed. As such, | |
an argument exists to verify that files' permissions within these directories remain | |
configured correctly and restrictively. | |
</description> | |
<Rule id="file_permissions_library_dirs" selected="false" severity="medium"> | |
<title xml:lang="en-US">Verify that Shared Library Files Have Restrictive Permissions</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">System-wide shared library files, which are linked to executables | |
during process load time or run time, are stored in the following directories | |
by default: | |
<pre xmlns="http://www.w3.org/1999/xhtml">/lib | |
/lib64 | |
/usr/lib | |
/usr/lib64 | |
</pre> | |
Kernel modules, which can be added to the kernel during runtime, are | |
stored in <xhtml:code>/lib/modules</xhtml:code>. All files in these directories | |
should not be group-writable or world-writable. If any file in these | |
directories is found to be group-writable or world-writable, correct | |
its permission with the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># chmod go-w <i>FILE</i></pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1499</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Files from shared library directories are loaded into the address | |
space of processes (including privileged ones) or of the kernel itself at | |
runtime. Restrictive permissions are necessary to protect the integrity of the system. | |
</rationale> | |
<fix system="urn:xccdf:fix:script:sh">DIRS="/lib /lib64 /usr/lib /usr/lib64" | |
for dirPath in $DIRS; do | |
find $dirPath -perm -022 -type f -exec chmod go-w '{}' \; | |
done | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:896" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="any of these files are group-writable or world-writable" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Shared libraries are stored in the following directories: | |
<pre xmlns="http://www.w3.org/1999/xhtml">/lib | |
/lib64 | |
/usr/lib | |
/usr/lib64 | |
</pre> | |
To find shared libraries that are group-writable or world-writable, | |
run the following command for each directory <i xmlns="http://www.w3.org/1999/xhtml">DIR</i> which contains shared libraries: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ find <i>DIR</i> -perm /022 -type f</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="file_ownership_library_dirs" selected="false" severity="medium"> | |
<title xml:lang="en-US">Verify that Shared Library Files Have Root Ownership</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">System-wide shared library files, which are linked to executables | |
during process load time or run time, are stored in the following directories | |
by default: | |
<pre xmlns="http://www.w3.org/1999/xhtml">/lib | |
/lib64 | |
/usr/lib | |
/usr/lib64 | |
</pre> | |
Kernel modules, which can be added to the kernel during runtime, are also | |
stored in <xhtml:code>/lib/modules</xhtml:code>. All files in these directories should be | |
owned by the <xhtml:code>root</xhtml:code> user. If the directory, or any file in these | |
directories, is found to be owned by a user other than root correct its | |
ownership with the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># chown root <i>FILE</i></pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1499</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>swells</dc:contributor> | |
<dc:date>20130914</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Files from shared library directories are loaded into the address | |
space of processes (including privileged ones) or of the kernel itself at | |
runtime. Proper ownership is necessary to protect the integrity of the system. | |
</rationale> | |
<fix system="urn:xccdf:fix:script:sh">for LIBDIR in /usr/lib /usr/lib64 /lib /lib64 | |
do | |
if [ -d $LIBDIR ] | |
then | |
find -L $LIBDIR \! -user root -exec chown root {} \; | |
fi | |
done | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:499" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="any of these files are not owned by root" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Shared libraries are stored in the following directories: | |
<pre xmlns="http://www.w3.org/1999/xhtml">/lib | |
/lib64 | |
/usr/lib | |
/usr/lib64 | |
Additionlly, kernel modules are stored in <xhtml:code>/lib/modules</xhtml:code>. | |
</pre> | |
For each of these directories, run the following command to find files not | |
owned by root: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># find -L <i>$DIR</i> \! -user root -exec chown root {} \;</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="file_permissions_binary_dirs" selected="false" severity="medium"> | |
<title xml:lang="en-US">Verify that System Executables Have Restrictive Permissions</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
System executables are stored in the following directories by default: | |
<pre xmlns="http://www.w3.org/1999/xhtml">/bin | |
/usr/bin | |
/usr/local/bin | |
/sbin | |
/usr/sbin | |
/usr/local/sbin</pre> | |
All files in these directories should not be group-writable or world-writable. | |
If any file <i xmlns="http://www.w3.org/1999/xhtml">FILE</i> in these directories is found | |
to be group-writable or world-writable, correct its permission with the | |
following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># chmod go-w <i>FILE</i></pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1499</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">System binaries are executed by privileged users, as well as system services, | |
and restrictive permissions are necessary to ensure execution of these programs | |
cannot be co-opted. | |
</rationale> | |
<fix system="urn:xccdf:fix:script:sh">DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin" | |
for dirPath in $DIRS; do | |
find $dirPath -perm /022 -exec chmod go-w '{}' \; | |
done | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:1197" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="any system executables are found to be group or world writable" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
System executables are stored in the following directories by default: | |
<pre xmlns="http://www.w3.org/1999/xhtml">/bin | |
/usr/bin | |
/usr/local/bin | |
/sbin | |
/usr/sbin | |
/usr/local/sbin</pre> | |
To find system executables that are group-writable or world-writable, | |
run the following command for each directory <i xmlns="http://www.w3.org/1999/xhtml">DIR</i> which contains system executables: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ find <i>DIR</i> -perm /022</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="file_ownership_binary_dirs" selected="false" severity="medium"> | |
<title xml:lang="en-US">Verify that System Executables Have Root Ownership</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
System executables are stored in the following directories by default: | |
<pre xmlns="http://www.w3.org/1999/xhtml">/bin | |
/usr/bin | |
/usr/local/bin | |
/sbin | |
/usr/sbin | |
/usr/local/sbin</pre> | |
All files in these directories should be owned by the <xhtml:code>root</xhtml:code> user. | |
If any file <i xmlns="http://www.w3.org/1999/xhtml">FILE</i> in these directories is found | |
to be owned by a user other than root, correct its ownership with the | |
following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># chown root <i>FILE</i></pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1499</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">System binaries are executed by privileged users as well as system services, | |
and restrictive permissions are necessary to ensure that their | |
execution of these programs cannot be co-opted. | |
</rationale> | |
<check system="ocil-transitional"> | |
<check-export export-name="any system executables are found to not be owned by root" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
System executables are stored in the following directories by default: | |
<pre xmlns="http://www.w3.org/1999/xhtml">/bin | |
/usr/bin | |
/usr/local/bin | |
/sbin | |
/usr/sbin | |
/usr/local/sbin</pre> | |
To find system executables that are not owned by <xhtml:code>root</xhtml:code>, | |
run the following command for each directory <i xmlns="http://www.w3.org/1999/xhtml">DIR</i> which contains system executables: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ find <i>DIR</i> \! -user root</pre> | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
<Rule id="sticky_world_writable_dirs" selected="false" severity="low"> | |
<title xml:lang="en-US">Verify that All World-Writable Directories Have Sticky Bits Set</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">When the so-called 'sticky bit' is set on a directory, | |
only the owner of a given file may remove that file from the | |
directory. Without the sticky bit, any user with write access to a | |
directory may remove any file in the directory. Setting the sticky | |
bit prevents users from removing each other's files. In cases where | |
there is no reason for a directory to be world-writable, a better | |
solution is to remove that permission rather than to set the sticky | |
bit. However, if a directory is used by a particular application, | |
consult that application's documentation instead of blindly | |
changing modes. | |
<br xmlns="http://www.w3.org/1999/xhtml"/> | |
To set the sticky bit on a world-writable directory <i xmlns="http://www.w3.org/1999/xhtml">DIR</i>, run the | |
following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># chmod +t <i>DIR</i></pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>swells</dc:contributor> | |
<dc:date>20120929</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
The only authorized public directories are those temporary directories supplied with the system, | |
or those designed to be temporary file repositories. The setting is normally reserved for directories | |
used by the system, by users for temporary file storage (such as <xhtml:code>/tmp</xhtml:code>), and for directories | |
requiring global read/write access. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26840-9</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:169" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="any world-writable directories are missing the sticky bit" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To find world-writable directories that lack the sticky bit, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># find / -xdev -type d -perm 002 ! -perm 1000</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="world_writeable_files" selected="false" severity="medium"> | |
<title xml:lang="en-US">Ensure No World-Writable Files Exist</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">It is generally a good idea to remove global (other) write | |
access to a file when it is discovered. However, check with | |
documentation for specific applications before making changes. | |
Also, monitor for recurring world-writable files, as these may be | |
symptoms of a misconfigured application or user | |
account.</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Data in world-writable files can be modified by any | |
user on the system. In almost all circumstances, files can be | |
configured using a combination of user and group permissions to | |
support whatever legitimate access is needed without the risk | |
caused by world-writable files.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26910-0</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:446" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="there is output" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To find world-writable files, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># find / -xdev -type f -perm -002</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="no_unpackaged_sgid_files" selected="false" severity="low"> | |
<title xml:lang="en-US">Ensure All SGID Executables Are Authorized</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The SGID (set group id) bit should be set only on files that were | |
installed via authorized means. A straightforward means of identifying | |
unauthorized SGID files is determine if any were not installed as part of an | |
RPM package, which is cryptographically verified. Investigate the origin | |
of any unpackaged SGID files. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Executable files with the SGID permission run with the privileges of | |
the owner of the file. SGID files of uncertain provenance could allow for | |
unprivileged users to elevate privileges. The presence of these files should be | |
strictly controlled on the system.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26769-0</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:466" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="there is output" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To find world-writable files, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># find / -xdev -type f -perm -002</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="no_unpackaged_suid_files" selected="false" severity="low"> | |
<title xml:lang="en-US">Ensure All SUID Executables Are Authorized</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The SUID (set user id) bit should be set only on files that were | |
installed via authorized means. A straightforward means of identifying | |
unauthorized SGID files is determine if any were not installed as part of an | |
RPM package, which is cryptographically verified. Investigate the origin | |
of any unpackaged SUID files. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Executable files with the SUID permission run with the privileges of | |
the owner of the file. SUID files of uncertain provenance could allow for | |
unprivileged users to elevate privileges. The presence of these files should be | |
strictly controlled on the system.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26497-8</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:239" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To find world-writable files, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># find / -xdev -type f -perm -002</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="no_files_unowned_by_user" selected="false" severity="low"> | |
<title xml:lang="en-US">Ensure All Files Are Owned by a User</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If any files are not owned by a user, then the | |
cause of their lack of ownership should be investigated. | |
Following this, the files should be deleted or assigned to an | |
appropriate user. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">224</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Unowned files do not directly imply a security problem, but they are generally | |
a sign that something is amiss. They may | |
be caused by an intruder, by incorrect software installation or | |
draft software removal, or by failure to remove all files belonging | |
to a deleted account. The files should be repaired so they | |
will not cause problems when accounts are created in the future, | |
and the cause should be discovered and addressed. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27032-2</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:630" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="files exist that are not owned by a valid user" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
The following command will discover and print any | |
files on local partitions which do not belong to a valid user. | |
Run it once for each local partition <i xmlns="http://www.w3.org/1999/xhtml">PART</i>: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># find <i>PART</i> -xdev -nouser -print</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="no_files_unowned_by_group" selected="false" severity="low"> | |
<title xml:lang="en-US">Ensure All Files Are Owned by a Group</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If any files are not owned by a group, then the | |
cause of their lack of group-ownership should be investigated. | |
Following this, the files should be deleted or assigned to an | |
appropriate group. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">224</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Unowned files do not directly imply a security problem, but they are generally | |
a sign that something is amiss. They may | |
be caused by an intruder, by incorrect software installation or | |
draft software removal, or by failure to remove all files belonging | |
to a deleted account. The files should be repaired so they | |
will not cause problems when accounts are created in the future, | |
and the cause should be discovered and addressed. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26872-2</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:397" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="there is output" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
The following command will discover and print any | |
files on local partitions which do not belong to a valid group. | |
Run it once for each local partition <i xmlns="http://www.w3.org/1999/xhtml">PART</i>: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># find <i>PART</i> -xdev -nogroup -print</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="world_writable_files_system_ownership" selected="false" severity="low"> | |
<title xml:lang="en-US">Ensure All World-Writable Directories Are Owned by a System Account</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">All directories in local partitions which are | |
world-writable should be owned by root or another | |
system account. If any world-writable directories are not | |
owned by a system account, this should be investigated. | |
Following this, the files should be deleted or assigned to an | |
appropriate group. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>swells</dc:contributor> | |
<dc:date>20120929</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Allowing a user account to own a world-writable directory is | |
undesirable because it allows the owner of that directory to remove | |
or replace any files that may be placed in the directory by other | |
users. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26642-9</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:521" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="there is output" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
The following command will discover and print world-writable directories that | |
are not owned by a system account, given the assumption that only system | |
accounts have a uid lower than 500. Run it once for each local partition <i xmlns="http://www.w3.org/1999/xhtml">PART</i>: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># find <i>PART</i> -xdev -type d -perm 0002 -uid +500 -print</pre> | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
<Group id="restrictions"> | |
<title xml:lang="en-US">Restrict Programs from Dangerous Execution Patterns</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The recommendations in this section are designed to | |
ensure that the system's features to protect against potentially | |
dangerous program execution are activated. | |
These protections are applied at the system initialization or | |
kernel level, and defend against certain types of badly-configured | |
or compromised programs.</description> | |
<Group id="daemon_umask"> | |
<title xml:lang="en-US">Daemon Umask</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The umask is a per-process setting which limits | |
the default permissions for creation of new files and directories. | |
The system includes initialization scripts which set the default umask | |
for system daemons. | |
</description> | |
<Value id="var_umask_for_daemons" operator="equals" type="string"> | |
<title xml:lang="en-US">daemon umask</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enter umask for daemons</description> | |
<value>022</value> | |
<value selector="022">022</value> | |
<value selector="027">027</value> | |
</Value> | |
<Rule id="umask_for_daemons" selected="false" severity="low"> | |
<title xml:lang="en-US">Set Daemon Umask</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The file <xhtml:code>/etc/init.d/functions</xhtml:code> includes initialization | |
parameters for most or all daemons started at boot time. The default umask of | |
022 prevents creation of group- or world-writable files. To set the default | |
umask for daemons, edit the following line, inserting 022 or 027 for | |
<i xmlns="http://www.w3.org/1999/xhtml">UMASK</i> appropriately: | |
<pre xmlns="http://www.w3.org/1999/xhtml">umask <i>UMASK</i></pre> | |
Setting the umask to too restrictive a setting can cause serious errors at | |
runtime. Many daemons on the system already individually restrict themselves to | |
a umask of 077 in their own init scripts. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The umask influences the permissions assigned to files created by a | |
process at run time. An unnecessarily permissive umask could result in files | |
being created with insecure permissions.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27031-4</ident> | |
<fix system="urn:xccdf:fix:script:sh">var_umask_for_daemons="<sub idref="var_umask_for_daemons"/>" | |
grep -q ^umask /etc/init.d/functions && \ | |
sed -i "s/umask.*/umask $var_umask_for_daemons/g" /etc/init.d/functions | |
if ! [ $? -eq 0 ]; then | |
echo "umask $var_umask_for_daemons" >> /etc/init.d/functions | |
fi | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2271" value-id="var_umask_for_daemons"/> | |
<check-content-ref name="oval:ssg:def:1229" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it does not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check the value of the <xhtml:code>umask</xhtml:code>, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep umask /etc/init.d/functions</pre> | |
The output should show either <xhtml:code>022</xhtml:code> or <xhtml:code>027</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
<Group id="coredumps"> | |
<title xml:lang="en-US">Disable Core Dumps</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">A core dump file is the memory image of an executable | |
program when it was terminated by the operating system due to | |
errant behavior. In most cases, only software developers | |
legitimately need to access these files. The core dump files may | |
also contain sensitive information, or unnecessarily occupy large | |
amounts of disk space. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
Once a hard limit is set in <xhtml:code>/etc/security/limits.conf</xhtml:code>, a | |
user cannot increase that limit within his or her own session. If access | |
to core dumps is required, consider restricting them to only | |
certain users or groups. See the <xhtml:code>limits.conf</xhtml:code> man page for more | |
information. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
The core dumps of setuid programs are further protected. The | |
<xhtml:code>sysctl</xhtml:code> variable <xhtml:code>fs.suid_dumpable</xhtml:code> controls whether | |
the kernel allows core dumps from these programs at all. The default | |
value of 0 is recommended.</description> | |
<Rule id="disable_users_coredumps" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable Core Dumps for All Users</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To disable core dumps for all users, add the following line to | |
<xhtml:code>/etc/security/limits.conf</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">* hard core 0</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-5</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">A core dump includes a memory image taken at the time the operating system | |
terminates an application. The memory image could contain sensitive data and is generally useful | |
only for developers trying to debug problems.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27033-0</ident> | |
<fix system="urn:xccdf:fix:script:sh">echo "* hard core 0" >> /etc/security/limits.conf | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:430" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it is not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To verify that core dumps are disabled for all users, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep core /etc/security/limits.conf</pre> | |
The output should be: | |
<pre xmlns="http://www.w3.org/1999/xhtml">* hard core 0</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="disable_setuid_coredumps" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable Core Dumps for SUID programs</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To set the runtime status of the <xhtml:code>fs.suid_dumpable</xhtml:code> kernel parameter, | |
run the following command: | |
<xhtml:pre xml:space="preserve"># sysctl -w fs.suid_dumpable=0</xhtml:pre> | |
If this is not the system's default value, add the following line to <xhtml:code>/etc/sysctl.conf</xhtml:code>: | |
<xhtml:pre xml:space="preserve">fs.suid_dumpable = 0</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-11</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The core dump of a setuid program is more likely to contain | |
sensitive data, as the program itself runs with greater privileges than the | |
user who initiated execution of the program. Disabling the ability for any | |
setuid program to write a core file decreases the risk of unauthorized access | |
of such data.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27044-7</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:492" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the correct value is not returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
The status of the <xhtml:code>fs.suid_dumpable</xhtml:code> kernel parameter can be queried | |
by running the following command: | |
<xhtml:pre xml:space="preserve">$ sysctl fs.suid_dumpable</xhtml:pre> | |
The output of the command should indicate a value of <xhtml:code>0</xhtml:code>. | |
If this value is not the default value, investigate how it could have been | |
adjusted at runtime, and verify it is not set improperly in | |
<xhtml:code>/etc/sysctl.conf</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
<Group id="enable_execshield_settings"> | |
<title xml:lang="en-US">Enable ExecShield</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ExecShield describes kernel features that provide | |
protection against exploitation of memory corruption errors such as buffer | |
overflows. These features include random placement of the stack and other | |
memory regions, prevention of execution in memory that should only hold data, | |
and special handling of text buffers. These protections are enabled by default and | |
controlled through <xhtml:code>sysctl</xhtml:code> variables <xhtml:code>kernel.exec-shield</xhtml:code> and | |
<xhtml:code>kernel.randomize_va_space</xhtml:code>. | |
</description> | |
<Rule id="enable_execshield" selected="false" severity="medium"> | |
<title xml:lang="en-US">Enable ExecShield</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To set the runtime status of the <xhtml:code>kernel.exec-shield</xhtml:code> kernel parameter, | |
run the following command: | |
<xhtml:pre xml:space="preserve"># sysctl -w kernel.exec-shield=1</xhtml:pre> | |
If this is not the system's default value, add the following line to <xhtml:code>/etc/sysctl.conf</xhtml:code>: | |
<xhtml:pre xml:space="preserve">kernel.exec-shield = 1</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ExecShield uses the segmentation feature on all x86 systems | |
to prevent execution in memory higher than a certain address. It | |
writes an address as a limit in the code segment descriptor, to | |
control where code can be executed, on a per-process basis. When | |
the kernel places a process's memory regions such as the stack and | |
heap higher than this address, the hardware prevents execution in that | |
address range.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27007-4</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:402" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the correct value is not returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
The status of the <xhtml:code>kernel.exec-shield</xhtml:code> kernel parameter can be queried | |
by running the following command: | |
<xhtml:pre xml:space="preserve">$ sysctl kernel.exec-shield</xhtml:pre> | |
The output of the command should indicate a value of <xhtml:code>1</xhtml:code>. | |
If this value is not the default value, investigate how it could have been | |
adjusted at runtime, and verify it is not set improperly in | |
<xhtml:code>/etc/sysctl.conf</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="enable_randomize_va_space" selected="false" severity="medium"> | |
<title xml:lang="en-US">Enable Randomized Layout of Virtual Address Space</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To set the runtime status of the <xhtml:code>kernel.randomize_va_space</xhtml:code> kernel parameter, | |
run the following command: | |
<xhtml:pre xml:space="preserve"># sysctl -w kernel.randomize_va_space=2</xhtml:pre> | |
If this is not the system's default value, add the following line to <xhtml:code>/etc/sysctl.conf</xhtml:code>: | |
<xhtml:pre xml:space="preserve">kernel.randomize_va_space = 2</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> Address space layout randomization (ASLR) makes it more difficult | |
for an attacker to predict the location of attack code they have introduced | |
into a process's address space during an attempt at exploitation. Additionally, ASLR | |
makes it more difficult for an attacker to know the location of existing code | |
in order to re-purpose it using return oriented programming (ROP) techniques. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26999-3</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:872" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the correct value is not returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
The status of the <xhtml:code>kernel.randomize_va_space</xhtml:code> kernel parameter can be queried | |
by running the following command: | |
<xhtml:pre xml:space="preserve">$ sysctl kernel.randomize_va_space</xhtml:pre> | |
The output of the command should indicate a value of <xhtml:code>2</xhtml:code>. | |
If this value is not the default value, investigate how it could have been | |
adjusted at runtime, and verify it is not set improperly in | |
<xhtml:code>/etc/sysctl.conf</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
<Group id="enable_nx"> | |
<title xml:lang="en-US">Enable Execute Disable (XD) or No Execute (NX) Support on | |
x86 Systems</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Recent processors in the x86 family support the | |
ability to prevent code execution on a per memory page basis. | |
Generically and on AMD processors, this ability is called No | |
Execute (NX), while on Intel processors it is called Execute | |
Disable (XD). This ability can help prevent exploitation of buffer | |
overflow vulnerabilities and should be activated whenever possible. | |
Extra steps must be taken to ensure that this protection is | |
enabled, particularly on 32-bit x86 systems. Other processors, such | |
as Itanium and POWER, have included such support since inception | |
and the standard kernel for those platforms supports the | |
feature.</description> | |
<Rule id="install_PAE_kernel_on_x86-32" selected="false" severity="low"> | |
<title xml:lang="en-US">Install PAE Kernel on Supported 32-bit x86 Systems</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Systems that are using the 64-bit x86 kernel package | |
do not need to install the kernel-PAE package because the 64-bit | |
x86 kernel already includes this support. However, if the system is | |
32-bit and also supports the PAE and NX features as | |
determined in the previous section, the kernel-PAE package should | |
be installed to enable XD or NX support: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># yum install kernel-PAE</pre> | |
The installation process should also have configured the | |
bootloader to load the new kernel at boot. Verify this at reboot | |
and modify <xhtml:code>/etc/grub.conf</xhtml:code> if necessary.</description> | |
<warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="false" category="hardware">The kernel-PAE package should not be | |
installed on older systems that do not support the XD or NX bit, as | |
this may prevent them from booting.</warning> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">On 32-bit systems that support the XD or NX bit, the vendor-supplied | |
PAE kernel is required to enable either Execute Disable (XD) or No Execute (NX) support.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27010-8</ident> | |
</Rule> | |
<Rule id="bios_enable_execution_restrictions" selected="false" severity="low"> | |
<title xml:lang="en-US">Enable NX or XD Support in the BIOS</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Reboot the system and enter the BIOS or Setup configuration menu. | |
Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located | |
under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX) | |
on AMD-based systems.</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will | |
allow users to turn the feature on or off at will.</rationale> | |
</Rule> | |
</Group> | |
<Rule id="enable_dmesg_restriction" selected="false" severity="low"> | |
<title xml:lang="en-US">Restrict Access to Kernel Message Buffer</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To set the runtime status of the <xhtml:code>kernel.dmesg_restrict</xhtml:code> kernel parameter, | |
run the following command: | |
<xhtml:pre xml:space="preserve"># sysctl -w kernel.dmesg_restrict=1</xhtml:pre> | |
If this is not the system's default value, add the following line to <xhtml:code>/etc/sysctl.conf</xhtml:code>: | |
<xhtml:pre xml:space="preserve">kernel.dmesg_restrict = 1</xhtml:pre> | |
</description> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Unprivileged access to the kernel syslog can expose sensitive kernel | |
address information.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27366-4</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:399" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the correct value is not returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
The status of the <xhtml:code>kernel.dmesg_restrict</xhtml:code> kernel parameter can be queried | |
by running the following command: | |
<xhtml:pre xml:space="preserve">$ sysctl kernel.dmesg_restrict</xhtml:pre> | |
The output of the command should indicate a value of <xhtml:code>1</xhtml:code>. | |
If this value is not the default value, investigate how it could have been | |
adjusted at runtime, and verify it is not set improperly in | |
<xhtml:code>/etc/sysctl.conf</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
</Group> | |
<Group id="selinux"> | |
<title xml:lang="en-US">SELinux</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SELinux is a feature of the Linux kernel which can be | |
used to guard against misconfigured or compromised programs. | |
SELinux enforces the idea that programs should be limited in what | |
files they can access and what actions they can take. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
The default SELinux policy, as configured on RHEL 6, has been | |
sufficiently developed and debugged that it should be usable on | |
almost any Red Hat machine with minimal configuration and a small | |
amount of system administrator training. This policy prevents | |
system services - including most of the common network-visible | |
services such as mail servers, FTP servers, and DNS servers - from | |
accessing files which those services have no valid reason to | |
access. This action alone prevents a huge amount of possible damage | |
from network attacks against services, from trojaned software, and | |
so forth. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
This guide recommends that SELinux be enabled using the | |
default (targeted) policy on every Red Hat system, unless that | |
system has requirements which make a stronger policy | |
appropriate. | |
</description> | |
<Group id="enabling_selinux"> | |
<title xml:lang="en-US">Enable SELinux</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Edit the file <xhtml:code>/etc/selinux/config</xhtml:code>. Add or correct the | |
following lines: | |
<pre xmlns="http://www.w3.org/1999/xhtml">SELINUX=enforcing | |
SELINUXTYPE=targeted</pre> | |
Edit the file <xhtml:code>/etc/grub.conf</xhtml:code>. Ensure that the following | |
arguments DO NOT appear on any kernel command line in the file: | |
<pre xmlns="http://www.w3.org/1999/xhtml">selinux=0 | |
enforcing=0</pre> | |
The directive <xhtml:code>SELINUX=enforcing</xhtml:code> enables SELinux at boot time. | |
If SELinux is suspected of involvement with boot-time problems | |
(unlikely), it is possible to boot into the warning-only mode | |
<xhtml:code>SELINUX=permissive</xhtml:code> for debugging purposes. Make certain to change | |
the mode back to enforcing after debugging, set the filesystems to | |
be relabeled for consistency using the command <xhtml:code>touch | |
/.autorelabel</xhtml:code>, and reboot. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
However, the RHEL 6 default SELinux configuration should be | |
sufficiently reasonable that most systems will boot without serious | |
problems. Some applications that require deep or unusual system | |
privileges, such as virtual machine software, may not be compatible | |
with SELinux in its default configuration. However, this should be | |
uncommon, and SELinux's application support continues to improve. | |
In other cases, SELinux may reveal unusual or insecure program | |
behavior by design. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
The directive <xhtml:code>SELINUXTYPE=targeted</xhtml:code> configures SELinux to use | |
the default targeted policy. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
The SELinux boot mode specified in <xhtml:code>/etc/selinux/config</xhtml:code> can be | |
overridden by command-line arguments passed to the kernel. It is | |
necessary to check <xhtml:code>grub.conf</xhtml:code> to ensure that this has not been done | |
and to protect the boot process. | |
</description> | |
<Value id="var_selinux_state_name" operator="equals" type="string"> | |
<title xml:lang="en-US">SELinux state</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">enforcing - SELinux security policy is enforced. | |
<br xmlns="http://www.w3.org/1999/xhtml"/>permissive - SELinux prints warnings instead of enforcing. | |
<br xmlns="http://www.w3.org/1999/xhtml"/>disabled - SELinux is fully disabled.</description> | |
<value>enforcing</value> | |
<value selector="enforcing">enforcing</value> | |
<value selector="permissive">permissive</value> | |
<value selector="disabled">disabled</value> | |
</Value> | |
<Value id="var_selinux_policy_name" operator="equals" type="string"> | |
<title xml:lang="en-US">SELinux policy</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Type of policy in use. Possible values are: | |
<br xmlns="http://www.w3.org/1999/xhtml"/>targeted - Only targeted network daemons are protected. | |
<br xmlns="http://www.w3.org/1999/xhtml"/>strict - Full SELinux protection. | |
<br xmlns="http://www.w3.org/1999/xhtml"/>mls - Multiple levels of security</description> | |
<value>targeted</value> | |
<value selector="targeted">targeted</value> | |
<value selector="mls">mls</value> | |
</Value> | |
<Rule id="enable_selinux_bootloader" selected="false" severity="medium"> | |
<title xml:lang="en-US">Ensure SELinux Not Disabled in /etc/grub.conf</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SELinux can be disabled at boot time by an argument in | |
<xhtml:code>/etc/grub.conf</xhtml:code>. | |
Remove any instances of <xhtml:code>selinux=0</xhtml:code> from the kernel arguments in that | |
file to prevent SELinux from being disabled at boot. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-3</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-3(3)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-9</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">22</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">32</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Disabling a major host protection feature, such as SELinux, at boot time prevents | |
it from confining system services at boot time. Further, it increases | |
the chances that it will remain off during system operation. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26956-3</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:367" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="SELinux is disabled at boot time" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Inspect <xhtml:code>/etc/grub.conf</xhtml:code> for any instances of <xhtml:code>selinux=0</xhtml:code> | |
in the kernel boot arguments. Presence of <xhtml:code>selinux=0</xhtml:code> indicates | |
that SELinux is disabled at boot time. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="set_selinux_state" selected="false" severity="medium"> | |
<title xml:lang="en-US">Ensure SELinux State is Enforcing</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The SELinux state should be set to <xhtml:code>enforcing</xhtml:code> at | |
system boot time. In the file <xhtml:code>/etc/selinux/config</xhtml:code>, add or correct the | |
following line to configure the system to boot into enforcing mode: | |
<pre xmlns="http://www.w3.org/1999/xhtml">SELINUX=enforcing</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-3</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-3(3)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-4</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-9</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">22</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">32</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">26</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Setting the SELinux state to enforcing ensures SELinux is able to confine | |
potentially compromised processes to the security policy, which is designed to | |
prevent them from causing damage to the system or further elevating their | |
privileges. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26969-6</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2264" value-id="var_selinux_state_name"/> | |
<check-content-ref name="oval:ssg:def:859" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="SELINUX is not set to enforcing" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Check the file <xhtml:code>/etc/selinux/config</xhtml:code> and ensure the following line appears: | |
<pre xmlns="http://www.w3.org/1999/xhtml">SELINUX=enforcing</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="set_selinux_policy" selected="false" severity="low"> | |
<title xml:lang="en-US">Configure SELinux Policy</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The SELinux <xhtml:code>targeted</xhtml:code> policy is appropriate for | |
general-purpose desktops and servers, as well as systems in many other roles. | |
To configure the system to use this policy, add or correct the following line | |
in <xhtml:code>/etc/selinux/config</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">SELINUXTYPE=targeted</pre> | |
Other policies, such as <xhtml:code>mls</xhtml:code>, provide additional security labeling | |
and greater confinement but are not compatible with many general-purpose | |
use cases. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-3</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-3(3)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-4</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-9</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">22</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">32</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Setting the SELinux policy to <xhtml:code>targeted</xhtml:code> or a more specialized policy | |
ensures the system will confine processes that are likely to be | |
targeted for exploitation, such as network or system services. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26875-5</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2257" value-id="var_selinux_policy_name"/> | |
<check-content-ref name="oval:ssg:def:593" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it does not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Check the file <xhtml:code>/etc/selinux/config</xhtml:code> and ensure the following line appears: | |
<pre xmlns="http://www.w3.org/1999/xhtml">SELINUXTYPE=targeted</pre> | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
<Rule id="service_restorecond_enabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Enable the SELinux Context Restoration Service (restorecond)</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>restorecond</xhtml:code> service utilizes <xhtml:code>inotify</xhtml:code> to look | |
for the creation of new files listed in the | |
<xhtml:code>/etc/selinux/restorecond.conf</xhtml:code> configuration file. When a file is | |
created, <xhtml:code>restorecond</xhtml:code> ensures the file receives the proper SELinux | |
security context. | |
The <xhtml:code>restorecond</xhtml:code> service can be enabled with the following command: | |
<xhtml:pre># chkconfig --level 2345 restorecond on</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-3</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-3(3)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-4</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-9</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>restorecond</xhtml:code> service helps ensure that the default SELinux | |
file context is applied to files. This allows automatic correction | |
of file contexts created by some programs.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26991-0</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Enable restorecond for all run levels | |
# | |
chkconfig --level 0123456 restorecond on | |
# | |
# Start restorecond if not currently running | |
# | |
service restorecond start | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:185" href="ssg-rhel6-oval.xml"/> | |
</check> | |
</Rule> | |
<Rule id="selinux_confinement_of_daemons" selected="false" severity="medium"> | |
<title xml:lang="en-US">Ensure No Daemons are Unconfined by SELinux</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Daemons for which the SELinux policy does not contain rules will inherit the | |
context of the parent process. Because daemons are launched during | |
startup and descend from the <xhtml:code>init</xhtml:code> process, they inherit the <xhtml:code>initrc_t</xhtml:code> context. | |
<br xmlns="http://www.w3.org/1999/xhtml"/> | |
<br xmlns="http://www.w3.org/1999/xhtml"/> | |
To check for unconfined daemons, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'</pre> | |
It should produce no output in a well-configured system. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-9</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Daemons which run with the <xhtml:code>initrc_t</xhtml:code> context may cause AVC denials, | |
or allow privileges that the daemon does not require. | |
</rationale> | |
</Rule> | |
<Rule id="selinux_all_devicefiles_labeled" selected="false" severity="low"> | |
<title xml:lang="en-US">Ensure No Device Files are Unlabeled by SELinux</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Device files, which are used for communication with important | |
system resources, should be labeled with proper SELinux types. If any device | |
files carry the SELinux type <xhtml:code>unlabeled_t</xhtml:code>, investigate the cause and | |
correct the file's context. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-9</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">22</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">32</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
If a device file carries the SELinux type <xhtml:code>unlabeled_t</xhtml:code>, then SELinux | |
cannot properly restrict access to the device file. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26774-0</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:643" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="there is output" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml">To check for unlabeled device files, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># ls -RZ /dev | grep unlabeled_t</pre> | |
It should produce no output in a well-configured system.</check-content> | |
</check> | |
</Rule> | |
</Group> | |
<Group id="accounts"> | |
<title xml:lang="en-US">Account and Access Control</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">In traditional Unix security, if an attacker gains | |
shell access to a certain login account, they can perform any action | |
or access any file to which that account has access. Therefore, | |
making it more difficult for unauthorized people to gain shell | |
access to accounts, particularly to privileged accounts, is a | |
necessary part of securing a system. This section introduces | |
mechanisms for restricting access to accounts under | |
RHEL 6.</description> | |
<Group id="accounts-restrictions"> | |
<title xml:lang="en-US">Protect Accounts by Restricting Password-Based Login</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Conventionally, Unix shell accounts are accessed by | |
providing a username and password to a login program, which tests | |
these values for correctness using the <xhtml:code>/etc/passwd</xhtml:code> and | |
<xhtml:code>/etc/shadow</xhtml:code> files. Password-based login is vulnerable to | |
guessing of weak passwords, and to sniffing and man-in-the-middle | |
attacks against passwords entered over a network or at an insecure | |
console. Therefore, mechanisms for accessing accounts by entering | |
usernames and passwords should be restricted to those which are | |
operationally necessary.</description> | |
<Group id="root_logins"> | |
<title xml:lang="en-US">Restrict Root Logins</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Direct root logins should be allowed only for emergency use. | |
In normal situations, the administrator should access the system | |
via a unique unprivileged account, and then use <xhtml:code>su</xhtml:code> or <xhtml:code>sudo</xhtml:code> to execute | |
privileged commands. Discouraging administrators from accessing the | |
root account directly ensures an audit trail in organizations with | |
multiple administrators. Locking down the channels through which | |
root can connect directly also reduces opportunities for | |
password-guessing against the root account. The <xhtml:code>login</xhtml:code> program | |
uses the file <xhtml:code>/etc/securetty</xhtml:code> to determine which interfaces | |
should allow root logins. | |
The virtual devices <xhtml:code>/dev/console</xhtml:code> | |
and <xhtml:code>/dev/tty*</xhtml:code> represent the system consoles (accessible via | |
the Ctrl-Alt-F1 through Ctrl-Alt-F6 keyboard sequences on a default | |
installation). The default securetty file also contains <xhtml:code>/dev/vc/*</xhtml:code>. | |
These are likely to be deprecated in most environments, but may be retained | |
for compatibility. Root should also be prohibited from connecting | |
via network protocols. Other sections of this document | |
include guidance describing how to prevent root from logging in via SSH. | |
</description> | |
<Rule id="no_direct_root_logins" selected="false" severity="medium"> | |
<title xml:lang="en-US">Direct root Logins Not Allowed</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To further limit access to the <xhtml:code>root</xhtml:code> account, administrators | |
can disable root logins at the console by editing the <xhtml:code>/etc/securetty</xhtml:code> file. | |
This file lists all devices the root user is allowed to login to. If the file does | |
not exist at all, the root user can login through any communication device on the | |
system, whether via the console or via a raw network interface. This is dangerous | |
as user can login to his machine as root via Telnet, which sends the password in | |
plain text over the network. By default, Red Hat Enteprise Linux's | |
<xhtml:code>/etc/securetty</xhtml:code> file only allows the root user to login at the console | |
physically attached to the machine. To prevent root from logging in, remove the | |
contents of this file. To prevent direct root logins, remove the contents of this | |
file by typing the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"> | |
echo > /etc/securetty | |
</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-2(1)</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Disabling direct root logins ensures proper accountability and multifactor | |
authentication to privileged accounts. Users will first login, then escalate | |
to privileged (root) access via su / sudo. This is required for FISMA Low | |
and FISMA Moderate systems. | |
</rationale> | |
<check system="ocil-transitional"> | |
<check-export export-name="the /etc/securetty file is not empty" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To ensure root may not directly login to the system over physical consoles, | |
run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml">cat /etc/securetty</pre> | |
If any output is returned, this is a finding. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="securetty_root_login_console_only" selected="false" severity="medium"> | |
<title xml:lang="en-US">Restrict Virtual Console Root Logins</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To restrict root logins through the (deprecated) virtual console devices, | |
ensure lines of this form do not appear in <xhtml:code>/etc/securetty</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">vc/1 | |
vc/2 | |
vc/3 | |
vc/4</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6(2)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">770</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Preventing direct root login to virtual console devices | |
helps ensure accountability for actions taken on the system | |
using the root account. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26855-7</ident> | |
<fix system="urn:xccdf:fix:script:sh">sed -i '/^vc\//d' /etc/securetty | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:346" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="root login over virtual console devices is permitted" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check for virtual console entries which permit root login, run the | |
following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># grep ^vc/[0-9] /etc/securetty</pre> | |
If any output is returned, then root logins over virtual console devices is permitted. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="restrict_serial_port_logins" selected="false" severity="low"> | |
<title xml:lang="en-US">Restrict Serial Port Root Logins</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To restrict root logins on serial ports, | |
ensure lines of this form do not appear in <xhtml:code>/etc/securetty</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">ttyS0 | |
ttyS1</pre> | |
<!-- TODO: discussion/description of serial port --> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6(2)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">770</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Preventing direct root login to serial port interfaces | |
helps ensure accountability for actions taken on the systems | |
using the root account. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27047-0</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:151" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="root login over serial ports is permitted" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check for serial port entries which permit root login, | |
run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># grep ^ttyS/[0-9] /etc/securetty</pre> | |
If any output is returned, then root login over serial ports is permitted. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="no_root_webbrowsing" selected="false" severity="low"> | |
<title xml:lang="en-US">Restrict Web Browser Use for Administrative Accounts</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Enforce policy requiring administrative accounts use web browsers only for | |
local service administration. | |
</description> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
If a browser vulnerability is exploited while running with administrative privileges, | |
the entire system could be compromised. Specific exceptions for local service | |
administration should be documented in site-defined policy. | |
</rationale> | |
<check system="ocil-transitional"> | |
<check-export export-name="this is not the case" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Check the <xhtml:code>root</xhtml:code> home directory for a <xhtml:code>.mozilla</xhtml:code> directory. If | |
one exists, ensure browsing is limited to local service administration. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="no_shelllogin_for_systemaccounts" selected="false" severity="medium"> | |
<title xml:lang="en-US">Ensure that System Accounts Do Not Run a Shell Upon Login</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Some accounts are not associated with a human | |
user of the system, and exist to perform some administrative | |
function. Should an attacker be able to log into these accounts, | |
they should not be granted access to a shell. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
The login shell for each local account is stored in the last field of each line | |
in <xhtml:code>/etc/passwd</xhtml:code>. System accounts are those user accounts with a user ID less than | |
500. The user ID is stored in the third field. | |
If any system account <i xmlns="http://www.w3.org/1999/xhtml">SYSACCT</i> (other than root) has a login shell, | |
disable it with the command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># usermod -s /sbin/nologin <i>SYSACCT</i></pre> | |
</description> | |
<warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="false" category="functionality"> | |
Do not perform the steps in this | |
section on the root account. Doing so might cause the system to | |
become inaccessible. | |
</warning> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/> | |
<reference href="http://iase.disa.mil/cci/index.html">178</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Ensuring shells are not given to system accounts upon login | |
makes it more difficult for attackers to make use of | |
system accounts. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26966-2</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:966" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="any system account (other than root) has a login shell" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To obtain a listing of all users, | |
their UIDs, and their shells, run the command: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd</pre> | |
Identify the system accounts from this listing. These will | |
primarily be the accounts with UID numbers less than 500, other | |
than root. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="no_uidzero_except_root" selected="false" severity="medium"> | |
<title xml:lang="en-US">Verify Only Root Has UID 0</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
If any account other than root has a UID of 0, | |
this misconfiguration should be investigated and the | |
accounts other than root should be removed or have their UID changed. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-2(1)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">366</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
An account has root authority if it has a UID of 0. Multiple accounts | |
with a UID of 0 afford more opportunity for potential intruders to | |
guess a password for a privileged account. Proper configuration of | |
sudo is recommended to afford multiple system administrators | |
access to root privileges in an accountable manner. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26971-2</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:273" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="any account other than root has a UID of 0" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To list all password file entries for accounts with UID 0, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># awk -F: '($3 == "0") {print}' /etc/passwd</pre> | |
This should print only one line, for the user root. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="root_path_default" selected="false" severity="low"> | |
<title xml:lang="en-US">Root Path Must Be Vendor Default</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Assuming root shell is bash, edit the following files: | |
<pre xmlns="http://www.w3.org/1999/xhtml">~/.profile</pre> | |
<pre xmlns="http://www.w3.org/1999/xhtml">~/.bashrc</pre> | |
Change any <xhtml:code>PATH</xhtml:code> variables to the vendor default for root and remove any | |
empty <xhtml:code>PATH</xhtml:code> entries or references to relative paths. | |
</description> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The root account's executable search path must be the vendor default, and must | |
contain only absolute paths. | |
</rationale> | |
<check system="ocil-transitional"> | |
<check-export export-name="any of these conditions are not met" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To view the root user's <xhtml:code>PATH</xhtml:code>, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># env | grep PATH</pre> | |
If correctly configured, the <xhtml:code>PATH</xhtml:code> must: use vendor default settings, | |
have no empty entries, and have no entries beginning with a character | |
other than a slash (/). | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
<Group id="password_storage"> | |
<title xml:lang="en-US">Verify Proper Storage and Existence of Password | |
Hashes</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
By default, password hashes for local accounts are stored | |
in the second field (colon-separated) in | |
<xhtml:code>/etc/shadow</xhtml:code>. This file should be readable only by | |
processes running with root credentials, preventing users from | |
casually accessing others' password hashes and attempting | |
to crack them. | |
However, it remains possible to misconfigure the system | |
and store password hashes | |
in world-readable files such as <xhtml:code>/etc/passwd</xhtml:code>, or | |
to even store passwords themselves in plaintext on the system. | |
Using system-provided tools for password change/creation | |
should allow administrators to avoid such misconfiguration. | |
</description> | |
<Rule id="no_empty_passwords" selected="false" severity="high"> | |
<title xml:lang="en-US">Prevent Log In to Accounts With Empty Password</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If an account is configured for password authentication | |
but does not have an assigned password, it may be possible to log | |
into the account without authentication. Remove any instances of the <xhtml:code>nullok</xhtml:code> | |
option in <xhtml:code>/etc/pam.d/system-auth</xhtml:code> to | |
prevent logins with empty passwords. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(a)</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
If an account has an empty password, anyone could log in and | |
run commands with the privileges of that account. Accounts with | |
empty passwords should never be used in operational | |
environments. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27038-9</ident> | |
<fix system="urn:xccdf:fix:script:sh">sed -i 's/\<nullok\>//g' /etc/pam.d/system-auth | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:377" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="NULL passwords can be used" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To verify that null passwords cannot be used, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># grep nullok /etc/pam.d/system-auth</pre> | |
If this produces any output, it may be possible to log into accounts | |
with empty passwords. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="no_hashes_outside_shadow" selected="false" severity="medium"> | |
<title xml:lang="en-US">Verify All Account Password Hashes are Shadowed</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
If any password hashes are stored in <xhtml:code>/etc/passwd</xhtml:code> (in the second field, | |
instead of an <xhtml:code>x</xhtml:code>), the cause of this misconfiguration should be | |
investigated. The account should have its password reset and the hash should be | |
properly stored, or the account should be deleted entirely. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(h)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">201</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The hashes for all user account passwords should be stored in | |
the file <xhtml:code>/etc/shadow</xhtml:code> and never in <xhtml:code>/etc/passwd</xhtml:code>, | |
which is readable by all users. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26476-2</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:717" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="any stored hashes are found in /etc/passwd" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check that no password hashes are stored in | |
<xhtml:code>/etc/passwd</xhtml:code>, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># awk -F: '($2 != "x") {print}' /etc/passwd</pre> | |
If it produces any output, then a password hash is | |
stored in <xhtml:code>/etc/passwd</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="gid_passwd_group_same" selected="false" severity="low"> | |
<title xml:lang="en-US">All GIDs referenced in /etc/passwd must be defined in /etc/group</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Add a group to the system for each GID referenced without a corresponding group. | |
</description> | |
<reference href="http://iase.disa.mil/cci/index.html">366</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Inconsistency in GIDs between <xhtml:code>/etc/passwd</xhtml:code> and <xhtml:code>/etc/group</xhtml:code> could lead to a user having unintended rights. | |
</rationale> | |
<check system="ocil-transitional"> | |
<check-export export-name="there is output" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To ensure all GIDs referenced in <xhtml:code>/etc/passwd</xhtml:code> are defined in <xhtml:code>/etc/group</xhtml:code>, | |
run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># pwck -qr</pre> | |
There should be no output. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="no_netrc_files" selected="false" severity="medium"> | |
<title xml:lang="en-US">Verify No netrc Files Exist</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>.netrc</xhtml:code> files contain login information | |
used to auto-login into FTP servers and reside in the user's home | |
directory. These files may contain unencrypted passwords to | |
remote FTP servers making them susceptible to access by unauthorized | |
users and should not be used. Any <xhtml:code>.netrc</xhtml:code> files should be removed. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(h)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">196</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Unencrypted passwords for remote FTP servers may be stored in <xhtml:code>.netrc</xhtml:code> | |
files. DoD policy requires passwords be encrypted in storage and not used | |
in access scripts. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27225-2</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:1142" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="any .netrc files exist" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check the system for the existence of any <xhtml:code>.netrc</xhtml:code> files, | |
run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># find /home -xdev -name .netrc</pre> | |
<!-- needs fixup to limit search to home dirs --> | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
<Group id="password_expiration"> | |
<title xml:lang="en-US">Set Password Expiration Parameters</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The file <xhtml:code>/etc/login.defs</xhtml:code> controls several | |
password-related settings. Programs such as <xhtml:code>passwd</xhtml:code>, | |
<xhtml:code>su</xhtml:code>, and | |
<xhtml:code>login</xhtml:code> consult <xhtml:code>/etc/login.defs</xhtml:code> to determine | |
behavior with regard to password aging, expiration warnings, | |
and length. See the man page <xhtml:code>login.defs(5)</xhtml:code> for more information. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
Users should be forced to change their passwords, in order to | |
decrease the utility of compromised passwords. However, the need to | |
change passwords often should be balanced against the risk that | |
users will reuse or write down passwords if forced to change them | |
too often. Forcing password changes every 90-360 days, depending on | |
the environment, is recommended. Set the appropriate value as | |
<xhtml:code>PASS_MAX_DAYS</xhtml:code> and apply it to existing accounts with the | |
<xhtml:code>-M</xhtml:code> flag. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
The <xhtml:code>PASS_MIN_DAYS</xhtml:code> (<xhtml:code>-m</xhtml:code>) setting prevents password | |
changes for 7 days after the first change, to discourage password | |
cycling. If you use this setting, train users to contact an administrator | |
for an emergency password change in case a new password becomes | |
compromised. The <xhtml:code>PASS_WARN_AGE</xhtml:code> (<xhtml:code>-W</xhtml:code>) setting gives | |
users 7 days of warnings at login time that their passwords are about to expire. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
For example, for each existing human user <i xmlns="http://www.w3.org/1999/xhtml">USER</i>, expiration parameters | |
could be adjusted to a 180 day maximum password age, 7 day minimum password | |
age, and 7 day warning period with the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># chage -M 180 -m 7 -W 7 USER</pre> | |
</description> | |
<Value id="var_accounts_password_minlen_login_defs" type="number"> | |
<title xml:lang="en-US">minimum password length</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Minimum number of characters in password</description> | |
<warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="false" category="general">This will only check new passwords</warning> | |
<value>14</value> | |
<value selector="6">6</value> | |
<value selector="8">8</value> | |
<value selector="10">10</value> | |
<value selector="12">12</value> | |
<value selector="14">14</value> | |
</Value> | |
<Value id="var_accounts_maximum_age_login_defs" type="number"> | |
<title xml:lang="en-US">maximum password age</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Maximum age of password in days</description> | |
<warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="false" category="general">This will only apply to newly created accounts</warning> | |
<value>60</value> | |
<value selector="60">60</value> | |
<value selector="90">90</value> | |
<value selector="120">120</value> | |
<value selector="180">180</value> | |
</Value> | |
<Value id="var_accounts_minimum_age_login_defs" type="number"> | |
<title xml:lang="en-US">minimum password age</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Minimum age of password in days</description> | |
<warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="false" category="general">This will only apply to newly created accounts</warning> | |
<value>7</value> | |
<value selector="7">7</value> | |
<value selector="5">5</value> | |
<value selector="1">1</value> | |
<value selector="2">2</value> | |
<value selector="0">0</value> | |
</Value> | |
<Value id="var_accounts_password_warn_age_login_defs" type="number"> | |
<title xml:lang="en-US">warning days before password expires</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The number of days' warning given before a password expires.</description> | |
<warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="false" category="general">This will only apply to newly created accounts</warning> | |
<value>7</value> | |
<value selector="0">0</value> | |
<value selector="7">7</value> | |
<value selector="14">14</value> | |
</Value> | |
<Rule id="accounts_password_minlen_login_defs" selected="false" severity="medium"> | |
<title xml:lang="en-US">Set Password Minimum Length in login.defs</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To specify password length requirements for new accounts, | |
edit the file <xhtml:code>/etc/login.defs</xhtml:code> and add or correct the following | |
lines: | |
<pre xmlns="http://www.w3.org/1999/xhtml">PASS_MIN_LEN 14<!-- <sub idref="var_accounts_password_minlen_login_defs"> --></pre> | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
The DoD requirement is <xhtml:code>14</xhtml:code>. | |
The FISMA requirement is <xhtml:code>12</xhtml:code>. | |
If a program consults <xhtml:code>/etc/login.defs</xhtml:code> and also another PAM module | |
(such as <xhtml:code>pam_cracklib</xhtml:code>) during a password change operation, | |
then the most restrictive must be satisfied. See PAM section | |
for more information about enforcing password quality requirements. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(f)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(a)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">205</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Requiring a minimum password length makes password | |
cracking attacks more difficult by ensuring a larger | |
search space. However, any security benefit from an onerous requirement | |
must be carefully weighed against usability problems, support costs, or counterproductive | |
behavior that may result. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27002-5</ident> | |
<fix system="urn:xccdf:fix:script:sh">var_accounts_password_minlen_login_defs="<sub idref="var_accounts_password_minlen_login_defs"/>" | |
grep -q ^PASS_MIN_LEN /etc/login.defs && \ | |
sed -i "s/PASS_MIN_LEN.*/PASS_MIN_LEN $var_accounts_password_minlen_login_defs/g" /etc/login.defs | |
if ! [ $? -eq 0 ]; then | |
echo "PASS_MIN_LEN $var_accounts_password_minlen_login_defs" >> /etc/login.defs | |
fi | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2242" value-id="var_accounts_password_minlen_login_defs"/> | |
<check-content-ref name="oval:ssg:def:217" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it is not set to the required value" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check the minimum password length, run the command: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep PASS_MIN_LEN /etc/login.defs</pre> | |
The DoD requirement is <xhtml:code>14</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="accounts_minimum_age_login_defs" selected="false" severity="medium"> | |
<title xml:lang="en-US">Set Password Minimum Age</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To specify password minimum age for new accounts, | |
edit the file <xhtml:code>/etc/login.defs</xhtml:code> | |
and add or correct the following line, replacing <i xmlns="http://www.w3.org/1999/xhtml">DAYS</i> appropriately: | |
<pre xmlns="http://www.w3.org/1999/xhtml">PASS_MIN_DAYS <i>DAYS</i></pre> | |
A value of 1 day is considered for sufficient for many | |
environments. | |
The DoD requirement is 1. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(f)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(d)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">198</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Setting the minimum password age protects against | |
users cycling back to a favorite password | |
after satisfying the password reuse requirement. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27013-2</ident> | |
<fix system="urn:xccdf:fix:script:sh">var_accounts_minimum_age_login_defs="<sub idref="var_accounts_minimum_age_login_defs"/>" | |
grep -q ^PASS_MIN_DAYS /etc/login.defs && \ | |
sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS $var_accounts_minimum_age_login_defs/g" /etc/login.defs | |
if ! [ $? -eq 0 ]; then | |
echo "PASS_MIN_DAYS $var_accounts_minimum_age_login_defs" >> /etc/login.defs | |
fi | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2255" value-id="var_accounts_minimum_age_login_defs"/> | |
<check-content-ref name="oval:ssg:def:541" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it is not set to the required value" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check the minimum password age, run the command: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep PASS_MIN_DAYS /etc/login.defs</pre> | |
The DoD and FISMA requirement is 1. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="accounts_maximum_age_login_defs" selected="false" severity="medium"> | |
<title xml:lang="en-US">Set Password Maximum Age</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To specify password maximum age for new accounts, | |
edit the file <xhtml:code>/etc/login.defs</xhtml:code> | |
and add or correct the following line, replacing <i xmlns="http://www.w3.org/1999/xhtml">DAYS</i> appropriately: | |
<pre xmlns="http://www.w3.org/1999/xhtml">PASS_MAX_DAYS <i>DAYS</i></pre> | |
A value of 180 days is sufficient for many environments. | |
The DoD requirement is 60. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(f)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(g)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(d)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">180</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">199</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Setting the password maximum age ensures users are required to | |
periodically change their passwords. This could possibly decrease | |
the utility of a stolen password. Requiring shorter password lifetimes | |
increases the risk of users writing down the password in a convenient | |
location subject to physical compromise.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26985-2</ident> | |
<fix system="urn:xccdf:fix:script:sh">var_accounts_maximum_age_login_defs="<sub idref="var_accounts_maximum_age_login_defs"/>" | |
grep -q ^PASS_MAX_DAYS /etc/login.defs && \ | |
sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS $var_accounts_maximum_age_login_defs/g" /etc/login.defs | |
if ! [ $? -eq 0 ]; then | |
echo "PASS_MAX_DAYS $var_accounts_maximum_age_login_defs" >> /etc/login.defs | |
fi | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2263" value-id="var_accounts_maximum_age_login_defs"/> | |
<check-content-ref name="oval:ssg:def:756" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it is not set to the required value" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check the maximum password age, run the command: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep PASS_MAX_DAYS /etc/login.defs</pre> | |
The DoD and FISMA requirement is 60. | |
A value of 180 days is sufficient for many environments. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="accounts_password_warn_age_login_defs" selected="false" severity="low"> | |
<title xml:lang="en-US">Set Password Warning Age</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To specify how many days prior to password | |
expiration that a warning will be issued to users, | |
edit the file <xhtml:code>/etc/login.defs</xhtml:code> and add or correct | |
the following line, replacing <i xmlns="http://www.w3.org/1999/xhtml">DAYS</i> appropriately: | |
<pre xmlns="http://www.w3.org/1999/xhtml">PASS_WARN_AGE <i>DAYS</i></pre> | |
The DoD requirement is 7. | |
<!-- <sub idref="accounts_password_warn_age_login_defs_login_defs_value" /> --> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(f)</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Setting the password warning age enables users to | |
make the change at a practical time. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26988-6</ident> | |
<fix system="urn:xccdf:fix:script:sh">var_accounts_password_warn_age_login_defs="<sub idref="var_accounts_password_warn_age_login_defs"/>" | |
grep -q ^PASS_WARN_DAYS /etc/login.defs && \ | |
sed -i "s/PASS_WARN_DAYS.*/PASS_WARN_DAYS $var_accounts_password_warn_age_login_defs/g" /etc/login.defs | |
if ! [ $? -eq 0 ]; then | |
echo "PASS_WARN_DAYS $var_accounts_password_warn_age_login_defs" >> /etc/login.defs | |
fi | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2245" value-id="var_accounts_password_warn_age_login_defs"/> | |
<check-content-ref name="oval:ssg:def:351" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it is not set to the required value" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check the password warning age, run the command: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep PASS_WARN_AGE /etc/login.defs</pre> | |
The DoD requirement is 7. | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
<Group id="account_expiration"> | |
<title xml:lang="en-US">Set Account Expiration Parameters</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Accounts can be configured to be automatically disabled | |
after a certain time period, | |
meaning that they will require administrator interaction to become usable again. | |
Expiration of accounts after inactivity can be set for all accounts by default | |
and also on a per-account basis, such as for accounts that are known to be temporary. | |
To configure automatic expiration of an account following | |
the expiration of its password (that is, after the password has expired and not been changed), | |
run the following command, substituting <xhtml:code><i xmlns="http://www.w3.org/1999/xhtml">NUM_DAYS</i></xhtml:code> and <xhtml:code><i xmlns="http://www.w3.org/1999/xhtml">USER</i></xhtml:code> appropriately: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># chage -I <i>NUM_DAYS USER</i></pre> | |
Accounts, such as temporary accounts, can also be configured to expire on an explicitly-set date with the | |
<xhtml:code>-E</xhtml:code> option. | |
The file <xhtml:code>/etc/default/useradd</xhtml:code> controls | |
default settings for all newly-created accounts created with the system's | |
normal command line utilities. | |
</description> | |
<Value id="var_account_disable_post_pw_expiration" type="number"> | |
<title xml:lang="en-US">number of days after a password expires until the account is permanently disabled</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The number of days to wait after a password expires, until the account will be permanently disabled.</description> | |
<warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="false" category="general">This will only apply to newly created accounts</warning> | |
<value>35</value> | |
<value selector="30">30</value> | |
<value selector="35">35</value> | |
<value selector="60">60</value> | |
<value selector="90">90</value> | |
<value selector="180">180</value> | |
</Value> | |
<Rule id="account_disable_post_pw_expiration" selected="false" severity="low"> | |
<title xml:lang="en-US">Set Account Expiration Following Inactivity</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To specify the number of days after a password expires (which | |
signifies inactivity) until an account is permanently disabled, add or correct | |
the following lines in <xhtml:code>/etc/default/useradd</xhtml:code>, substituting | |
<xhtml:code><i xmlns="http://www.w3.org/1999/xhtml">NUM_DAYS</i></xhtml:code> appropriately: | |
<pre xmlns="http://www.w3.org/1999/xhtml">INACTIVE=<i>NUM_DAYS</i></pre> | |
A value of 35 is recommended. | |
If a password is currently on the | |
verge of expiration, then 35 days remain until the account is automatically | |
disabled. However, if the password will not expire for another 60 days, then 95 | |
days could elapse until the account would be automatically disabled. See the | |
<xhtml:code>useradd</xhtml:code> man page for more information. Determining the inactivity | |
timeout must be done with careful consideration of the length of a "normal" | |
period of inactivity for users in the particular environment. Setting | |
the timeout too low incurs support costs and also has the potential to impact | |
availability of the system to legitimate users. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-2(2)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-2(3)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">16</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">17</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">795</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Disabling inactive accounts ensures that accounts which may not | |
have been responsibly removed are not available to attackers | |
who may have compromised their credentials. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27283-1</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2254" value-id="var_account_disable_post_pw_expiration"/> | |
<check-content-ref name="oval:ssg:def:525" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it does not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To verify the <xhtml:code>INACTIVE</xhtml:code> setting, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml">grep "INACTIVE" /etc/default/useradd</pre> | |
The output should indicate the <xhtml:code>INACTIVE</xhtml:code> configuration option is set | |
to an appropriate integer as shown in the example below: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># grep "INACTIVE" /etc/default/useradd | |
INACTIVE=35</pre></check-content> | |
</check> | |
</Rule> | |
<Rule id="account_unique_name" selected="false" severity="low"> | |
<title xml:lang="en-US">Ensure All Accounts on the System Have Unique Names</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Change usernames, or delete accounts, so each has a unique name. | |
</description> | |
<reference href="http://iase.disa.mil/cci/index.html">770</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">804</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Unique usernames allow for accountability on the system. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27609-7</ident> | |
<check system="ocil-transitional"> | |
<check-export export-name="a line is returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Run the following command to check for duplicate account names: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># pwck -qr</pre> | |
If there are no duplicate names, no line will be returned. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="account_temp_expire_date" selected="false" severity="low"> | |
<title xml:lang="en-US">Assign Expiration Date to Temporary Accounts</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
In the event temporary or emergency accounts are required, configure the system | |
to terminate them after a documented time period. For every temporary and | |
emergency account, run the following command to set an expiration date on it, | |
substituting <xhtml:code><i xmlns="http://www.w3.org/1999/xhtml">USER</i></xhtml:code> and <xhtml:code><i xmlns="http://www.w3.org/1999/xhtml">YYYY-MM-DD</i></xhtml:code> appropriately: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># chage -E <i>YYYY-MM-DD USER</i></pre> | |
<xhtml:code><i xmlns="http://www.w3.org/1999/xhtml">YYYY-MM-DD</i></xhtml:code> indicates the documented expiration date for the account. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-2(2)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-2(3)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">16</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1682</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
When temporary and emergency accounts are created, there is a risk they may | |
remain in place and active after the need for them no longer exists. Account | |
expiration greatly reduces the risk of accounts being misused or hijacked. | |
<br xmlns="http://www.w3.org/1999/xhtml"/> | |
</rationale> | |
<check system="ocil-transitional"> | |
<check-export export-name="any temporary or emergency accounts have no expiration date set or do not expire within a documented time frame" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
For every temporary and emergency account, run the following command | |
to obtain its account aging and expiration information: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># chage -l <i>USER</i></pre> | |
Verify each of these accounts has an expiration date set as documented. | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
</Group> | |
<Group id="accounts-pam"> | |
<title xml:lang="en-US">Protect Accounts by Configuring PAM</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">PAM, or Pluggable Authentication Modules, is a system | |
which implements modular authentication for Linux programs. PAM provides | |
a flexible and configurable architecture for authentication, and it should be configured | |
to minimize exposure to unnecessary risk. This section contains | |
guidance on how to accomplish that. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
PAM is implemented as a set of shared objects which are | |
loaded and invoked whenever an application wishes to authenticate a | |
user. Typically, the application must be running as root in order | |
to take advantage of PAM, because PAM's modules often need to be able | |
to access sensitive stores of account information, such as /etc/shadow. | |
Traditional privileged network listeners | |
(e.g. sshd) or SUID programs (e.g. sudo) already meet this | |
requirement. An SUID root application, userhelper, is provided so | |
that programs which are not SUID or privileged themselves can still | |
take advantage of PAM. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
PAM looks in the directory <xhtml:code>/etc/pam.d</xhtml:code> for | |
application-specific configuration information. For instance, if | |
the program login attempts to authenticate a user, then PAM's | |
libraries follow the instructions in the file <xhtml:code>/etc/pam.d/login</xhtml:code> | |
to determine what actions should be taken. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
One very important file in <xhtml:code>/etc/pam.d</xhtml:code> is | |
<xhtml:code>/etc/pam.d/system-auth</xhtml:code>. This file, which is included by | |
many other PAM configuration files, defines 'default' system authentication | |
measures. Modifying this file is a good way to make far-reaching | |
authentication changes, for instance when implementing a | |
centralized authentication service.</description> | |
<warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="false" category="general">Be careful when making changes to PAM's | |
configuration files. The syntax for these files is complex, and | |
modifications can have unexpected consequences. The default | |
configurations shipped with applications should be sufficient for | |
most users.</warning> | |
<warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="false" category="general">Running <xhtml:code>authconfig</xhtml:code> or | |
<xhtml:code>system-config-authentication</xhtml:code> will re-write the PAM configuration | |
files, destroying any manually made changes and replacing them with | |
a series of system defaults. One reference to the configuration | |
file syntax can be found at | |
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html.</warning> | |
<Value id="password_history_retain_number" operator="equals" type="number"> | |
<title xml:lang="en-US">remember</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The last n passwords for each user are saved in | |
<xhtml:code>/etc/security/opasswd</xhtml:code> in order to force password change history and | |
keep the user from alternating between the same password too | |
frequently.</description> | |
<value>24</value> | |
<value selector="0">0</value> | |
<value selector="5">5</value> | |
<value selector="10">10</value> | |
<value selector="24">24</value> | |
</Value> | |
<Rule id="display_login_attempts" selected="false" severity="low"> | |
<title xml:lang="en-US">Set Last Logon/Access Notification</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To configure the system to notify users of last logon/access | |
using <xhtml:code>pam_lastlog</xhtml:code>, add the following line immediately after <xhtml:code>session required pam_limits.so</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">session required pam_lastlog.so showfailed</pre> | |
</description> | |
<reference href="http://iase.disa.mil/cci/index.html">53</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Users need to be aware of activity that occurs regarding | |
their account. Providing users with information regarding the number | |
of unsuccessful attempts that were made to login to their account | |
allows the user to determine if any unauthorized activity has occurred | |
and gives them an opportunity to notify administrators. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27291-4</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:495" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="that is not the case" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To ensure that last logon/access notification is configured correctly, run | |
the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># grep pam_lastlog.so /etc/pam.d/system-auth</pre> | |
The output should show output <xhtml:code>showfailed</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
<Group id="password_quality"> | |
<title xml:lang="en-US">Set Password Quality Requirements</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The default <xhtml:code>pam_cracklib</xhtml:code> PAM module provides strength | |
checking for passwords. It performs a number of checks, such as | |
making sure passwords are not similar to dictionary words, are of | |
at least a certain length, are not the previous password reversed, | |
and are not simply a change of case from the previous password. It | |
can also require passwords to be in certain character classes. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
The <xhtml:code>pam_passwdqc</xhtml:code> PAM module also provides the ability to enforce | |
stringent password strength requirements. It is provided | |
in an RPM of the same name. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
The man pages <xhtml:code>pam_cracklib(8)</xhtml:code> and <xhtml:code>pam_passwdqc(8)</xhtml:code> | |
provide information on the capabilities and configuration of | |
each.</description> | |
<Group id="password_quality_pamcracklib"> | |
<title xml:lang="en-US">Set Password Quality Requirements, if using | |
pam_cracklib</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>pam_cracklib</xhtml:code> PAM module can be configured to meet | |
requirements for a variety of policies. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
For example, to configure <xhtml:code>pam_cracklib</xhtml:code> to require at least one uppercase | |
character, lowercase character, digit, and other (special) | |
character, locate the following line in <xhtml:code>/etc/pam.d/system-auth</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">password requisite pam_cracklib.so try_first_pass retry=3</pre> | |
and then alter it to read: | |
<pre xmlns="http://www.w3.org/1999/xhtml">password required pam_cracklib.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4</pre> | |
If no such line exists, add one as the first line of the password section in <xhtml:code>/etc/pam.d/system-auth</xhtml:code>. | |
The arguments can be modified to ensure compliance with | |
your organization's security policy. Discussion of each parameter follows. | |
</description> | |
<warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="false" category="general">Note that the password quality | |
requirements are not enforced for the root account for some | |
reason.</warning> | |
<Value id="var_password_pam_cracklib_retry" operator="equals" type="number"> | |
<title xml:lang="en-US">retry</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Number of retry attempts before erroring out</description> | |
<value>3</value> | |
<value selector="1">1</value> | |
<value selector="2">2</value> | |
<value selector="3">3</value> | |
</Value> | |
<Value id="var_password_pam_cracklib_minlen" operator="equals" type="number"> | |
<title xml:lang="en-US">minlen</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Minimum number of characters in password</description> | |
<value>14</value> | |
<value selector="6">6</value> | |
<value selector="8">8</value> | |
<value selector="10">10</value> | |
<value selector="12">12</value> | |
<value selector="14">14</value> | |
<value selector="15">15</value> | |
</Value> | |
<Value id="var_password_pam_cracklib_dcredit" operator="equals" type="number"> | |
<title xml:lang="en-US">dcredit</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Minimum number of digits in password</description> | |
<value>-1</value> | |
<value selector="2">-2</value> | |
<value selector="1">-1</value> | |
<value selector="0">0</value> | |
</Value> | |
<Value id="var_password_pam_cracklib_ocredit" operator="equals" type="number"> | |
<title xml:lang="en-US">ocredit</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Minimum number of other (special characters) in | |
password</description> | |
<value>-1</value> | |
<value selector="2">-2</value> | |
<value selector="1">-1</value> | |
<value selector="0">0</value> | |
</Value> | |
<Value id="var_password_pam_cracklib_lcredit" operator="equals" type="number"> | |
<title xml:lang="en-US">lcredit</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Minimum number of lower case in password</description> | |
<value>-1</value> | |
<value selector="2">-2</value> | |
<value selector="1">-1</value> | |
<value selector="0">0</value> | |
</Value> | |
<Value id="var_password_pam_cracklib_ucredit" operator="equals" type="number"> | |
<title xml:lang="en-US">ucredit</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Minimum number of upper case in password</description> | |
<value>-1</value> | |
<value selector="2">-2</value> | |
<value selector="1">-1</value> | |
<value selector="0">0</value> | |
</Value> | |
<Value id="var_password_pam_cracklib_difok" operator="equals" type="number"> | |
<title xml:lang="en-US">difok</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Minimum number of characters not present in old | |
password</description> | |
<warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="false" category="general">Keep this high for short | |
passwords</warning> | |
<value>4</value> | |
<value selector="2">2</value> | |
<value selector="3">3</value> | |
<value selector="4">4</value> | |
<value selector="5">5</value> | |
</Value> | |
<Value id="var_accounts_passwords_pam_faillock_deny" operator="equals" type="number"> | |
<title xml:lang="en-US">fail_deny</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Number of failed login attempts before account lockout</description> | |
<value>3</value> | |
<value selector="3">3</value> | |
<value selector="5">5</value> | |
<value selector="10">10</value> | |
</Value> | |
<Value id="var_accounts_passwords_pam_faillock_unlock_time" operator="equals" type="number"> | |
<title xml:lang="en-US">fail_unlock_time</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Seconds before automatic unlocking after excessive failed logins</description> | |
<value>604800</value> | |
<value selector="900">900</value> | |
<value selector="1800">1800</value> | |
<value selector="3600">3600</value> | |
<value selector="86400">86400</value> | |
<value selector="604800">604800</value> | |
</Value> | |
<Value id="var_accounts_passwords_pam_faillock_fail_interval" operator="equals" type="number"> | |
<title xml:lang="en-US">fail_interval</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Interval for counting failed login attempts before account lockout</description> | |
<value>900</value> | |
<value selector="900">900</value> | |
<value selector="1800">1800</value> | |
<value selector="3600">3600</value> | |
<value selector="86400">86400</value> | |
<value selector="100000000">100000000</value> | |
</Value> | |
<Rule id="accounts_password_pam_cracklib_retry" selected="false" severity="low"> | |
<title xml:lang="en-US">Set Password Retry Prompts Permitted Per-Session</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To configure the number of retry prompts that are permitted per-session: | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
Edit the <xhtml:code>pam_cracklib.so</xhtml:code> statement in <xhtml:code>/etc/pam.d/system-auth</xhtml:code> to | |
show <xhtml:code>retry=3</xhtml:code>, or a lower value if site policy is more restrictive. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
The DoD requirement is a maximum of 3 prompts per session. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(c)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1092</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Setting the password retry prompts that are permitted on a per-session basis to a low value | |
requires some software, such as SSH, to re-connect. This can slow down and | |
draw additional attention to some types of password-guessing attacks. Note that this | |
is different from account lockout, which is provided by the pam_faillock module. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27123-9</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2251" value-id="var_password_pam_cracklib_retry"/> | |
<check-content-ref name="oval:ssg:def:468" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it is not the required value" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check how many retry attempts are permitted on a per-session basis, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep pam_cracklib /etc/pam.d/system-auth</pre> | |
The <xhtml:code>retry</xhtml:code> parameter will indicate how many attempts are permitted. | |
The DoD required value is less than or equal to 3. | |
This would appear as <xhtml:code>retry=3</xhtml:code>, or a lower value. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="password_require_consecrepeat" selected="false" severity="low"> | |
<title xml:lang="en-US">Set Password to Maximum of Three Consecutive Repeating Characters</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The pam_cracklib module's <xhtml:code>maxrepeat</xhtml:code> parameter controls requirements for | |
consecutive repeating characters. When set to a positive number, it will reject passwords | |
which contain more than that number of consecutive characters. Add <xhtml:code>maxrepeat=3</xhtml:code> | |
after pam_cracklib.so to prevent a run of four or more identical characters. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(c)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">366</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27227-8</ident> | |
<check system="ocil-transitional"> | |
<check-export export-name="maxrepeat is not found or not set to the required value" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check the maximum value for consecutive repeating characters, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep pam_cracklib /etc/pam.d/system-auth</pre> | |
Look for the value of the <xhtml:code>maxrepeat</xhtml:code> parameter. The DoD requirement is 3. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="password_require_digits" selected="false" severity="low"> | |
<title xml:lang="en-US">Set Password Strength Minimum Digit Characters</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The pam_cracklib module's <xhtml:code>dcredit</xhtml:code> parameter controls requirements for | |
usage of digits in a password. When set to a negative number, any password will be required to | |
contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional | |
length credit for each digit. | |
Add <xhtml:code>dcredit=-1</xhtml:code> after pam_cracklib.so to require use of a digit in passwords. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">194</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">194</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Requiring digits makes password guessing attacks more difficult by ensuring a larger | |
search space. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26374-9</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2259" value-id="var_password_pam_cracklib_dcredit"/> | |
<check-content-ref name="oval:ssg:def:678" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="dcredit is not found or not set to the required value" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check how many digits are required in a password, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep pam_cracklib /etc/pam.d/system-auth</pre> | |
The <xhtml:code>dcredit</xhtml:code> parameter (as a negative number) will indicate how many digits are required. | |
The DoD requires at least one digit in a password. | |
This would appear as <xhtml:code>dcredit=-1</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="password_require_uppercases" selected="false" severity="low"> | |
<title xml:lang="en-US">Set Password Strength Minimum Uppercase Characters</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The pam_cracklib module's <xhtml:code>ucredit=</xhtml:code> parameter controls requirements for | |
usage of uppercase letters in a password. When set to a negative number, any password will be required to | |
contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional | |
length credit for each uppercase character. | |
Add <xhtml:code>ucredit=-1</xhtml:code> after pam_cracklib.so to require use of an upper case character in passwords. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(a)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">192</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Requiring a minimum number of uppercase characters makes password guessing attacks | |
more difficult by ensuring a larger search space. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26601-5</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2269" value-id="var_password_pam_cracklib_ucredit"/> | |
<check-content-ref name="oval:ssg:def:1183" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="ucredit is not found or not set to the required value" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check how many uppercase characters are required in a password, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep pam_cracklib /etc/pam.d/system-auth</pre> | |
The <xhtml:code>ucredit</xhtml:code> parameter (as a negative number) will indicate how many uppercase characters are required. | |
The DoD and FISMA require at least one uppercase character in a password. | |
This would appear as <xhtml:code>ucredit=-1</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="password_require_specials" selected="false" severity="low"> | |
<title xml:lang="en-US">Set Password Strength Minimum Special Characters</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The pam_cracklib module's <xhtml:code>ocredit=</xhtml:code> parameter controls requirements for | |
usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to | |
contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional | |
length credit for each special character. | |
Add <xhtml:code>ocredit=-1</xhtml:code> after pam_cracklib.so to require use of a special character in passwords. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(a)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1619</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Requiring a minimum number of special characters makes password guessing attacks | |
more difficult by ensuring a larger search space. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26409-3</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2266" value-id="var_password_pam_cracklib_ocredit"/> | |
<check-content-ref name="oval:ssg:def:1050" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="ocredit is not found or not set to the required value" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check how many special characters are required in a password, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep pam_cracklib /etc/pam.d/system-auth</pre> | |
The <xhtml:code>ocredit</xhtml:code> parameter (as a negative number) will indicate how many special characters are required. | |
The DoD and FISMA require at least one special character in a password. | |
This would appear as <xhtml:code>ocredit=-1</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="password_require_lowercases" selected="false" severity="low"> | |
<title xml:lang="en-US">Set Password Strength Minimum Lowercase Characters</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The pam_cracklib module's <xhtml:code>lcredit=</xhtml:code> parameter controls requirements for | |
usage of lowercase letters in a password. When set to a negative number, any password will be required to | |
contain that many lowercase characters. When set to a positive number, pam_cracklib will grant +1 additional | |
length credit for each lowercase character. | |
Add <xhtml:code>lcredit=-1</xhtml:code> after pam_cracklib.so to require use of a lowercase character in passwords. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(a)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">193</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Requiring a minimum number of lowercase characters makes password guessing attacks | |
more difficult by ensuring a larger search space. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26631-2</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2265" value-id="var_password_pam_cracklib_lcredit"/> | |
<check-content-ref name="oval:ssg:def:982" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="lcredit is not found or not set to the required value" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check how many lowercase characters are required in a password, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep pam_cracklib /etc/pam.d/system-auth</pre> | |
The <xhtml:code>lcredit</xhtml:code> parameter (as a negative number) will indicate how many special characters are required. | |
The DoD and FISMA require at least one lowercase character in a password. | |
This would appear as <xhtml:code>lcredit=-1</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="password_require_diffchars" selected="false" severity="low"> | |
<title xml:lang="en-US">Set Password Strength Minimum Different Characters</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The pam_cracklib module's <xhtml:code>difok</xhtml:code> parameter controls requirements for | |
usage of different characters during a password change. | |
Add <xhtml:code>difok=<i xmlns="http://www.w3.org/1999/xhtml">NUM</i></xhtml:code> after pam_cracklib.so to require differing | |
characters when changing passwords, substituting <i xmlns="http://www.w3.org/1999/xhtml">NUM</i> appropriately. | |
The DoD requirement is <xhtml:code>4</xhtml:code>. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(b)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">195</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Requiring a minimum number of different characters during password changes ensures that | |
newly changed passwords should not resemble previously compromised ones. | |
Note that passwords which are changed on compromised systems will still be compromised, however. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26615-5</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2247" value-id="var_password_pam_cracklib_difok"/> | |
<check-content-ref name="oval:ssg:def:395" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="difok is not found or not set to the required value" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check how many characters must differ during a password change, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep pam_cracklib /etc/pam.d/system-auth</pre> | |
The <xhtml:code>difok</xhtml:code> parameter will indicate how many characters must differ. | |
The DoD requires four characters differ during a password change. | |
This would appear as <xhtml:code>difok=4</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
</Group> | |
<Group id="locking_out_password_attempts"> | |
<title xml:lang="en-US">Set Lockouts for Failed Password Attempts</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>pam_faillock</xhtml:code> PAM module provides the capability to | |
lock out user accounts after a number of failed login attempts. Its | |
documentation is available in | |
<xhtml:code>/usr/share/doc/pam-VERSION/txts/README.pam_faillock</xhtml:code>. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
</description> | |
<warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="false" category="general">Locking out user accounts presents the | |
risk of a denial-of-service attack. The lockout policy | |
must weigh whether the risk of such a | |
denial-of-service attack outweighs the benefits of thwarting | |
password guessing attacks.</warning> | |
<Rule id="deny_password_attempts" selected="false" severity="medium"> | |
<title xml:lang="en-US">Set Deny For Failed Password Attempts</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To configure the system to lock out accounts after a number of incorrect login | |
attempts using <xhtml:code>pam_faillock.so</xhtml:code>: | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
Add the following lines immediately below the <xhtml:code>pam_unix.so</xhtml:code> statement in <xhtml:code>AUTH</xhtml:code> section of | |
<xhtml:code>/etc/pam.d/system-auth</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900</pre> | |
<pre xmlns="http://www.w3.org/1999/xhtml">auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-7(a)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">44</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Locking out user accounts after a number of incorrect attempts | |
prevents direct password guessing attacks. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26844-1</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2248" value-id="var_accounts_passwords_pam_faillock_deny"/> | |
<check-content-ref name="oval:ssg:def:410" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="that is not the case" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To ensure the failed password attempt policy is configured correctly, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># grep pam_faillock /etc/pam.d/system-auth</pre> | |
The output should show <xhtml:code>deny=3</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="deny_password_attempts_unlock_time" selected="false" severity="medium"> | |
<title xml:lang="en-US">Set Lockout Time For Failed Password Attempts</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To configure the system to lock out accounts after a number of incorrect login | |
attempts and require an administrator to unlock the account using <xhtml:code>pam_faillock.so</xhtml:code>: | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
Add the following lines immediately below the <xhtml:code>pam_env.so</xhtml:code> statement in <xhtml:code>/etc/pam.d/system-auth</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900</pre> | |
<pre xmlns="http://www.w3.org/1999/xhtml">auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-7(b)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">47</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Locking out user accounts after a number of incorrect attempts | |
prevents direct password guessing attacks. Ensuring that an administrator is | |
involved in unlocking locked accounts draws appropriate attention to such | |
situations. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27110-6</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2260" value-id="var_accounts_passwords_pam_faillock_unlock_time"/> | |
<check-content-ref name="oval:ssg:def:682" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="that is not the case" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To ensure the failed password attempt policy is configured correctly, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># grep pam_faillock /etc/pam.d/system-auth</pre> | |
The output should show <xhtml:code>unlock_time=<some-large-number></xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="deny_password_attempts_fail_interval" selected="false" severity="medium"> | |
<title xml:lang="en-US">Set Interval For Counting Failed Password Attempts</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To configure the system to lock out accounts after a number of incorrect login | |
attempts within a 15 minute interval using <xhtml:code>pam_faillock.so</xhtml:code>: | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
Add the following lines immediately below the <xhtml:code>pam_env.so</xhtml:code> statement in <xhtml:code>/etc/pam.d/system-auth</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900</pre> | |
<pre xmlns="http://www.w3.org/1999/xhtml">auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-7(a)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1452</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Locking out user accounts after a number of incorrect attempts within a | |
specific period of time prevents direct password guessing attacks. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27215-3</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2244" value-id="var_accounts_passwords_pam_faillock_fail_interval"/> | |
<check-content-ref name="oval:ssg:def:348" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="that is not the case" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To ensure the failed password attempt policy is configured correctly, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># grep pam_faillock /etc/pam.d/system-auth</pre> | |
The output should show <xhtml:code>fail_interval=<interval-in-seconds></xhtml:code> where <xhtml:code>interval-in-seconds</xhtml:code> is 900 (15 minutes) or greater. If the <xhtml:code>fail_interval</xhtml:code> parameter is not set, the default setting of 900 seconds is acceptable. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="limiting_password_reuse" selected="false" severity="medium"> | |
<title xml:lang="en-US">Limit Password Reuse</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Do not allow users to reuse recent passwords. This can | |
be accomplished by using the <xhtml:code>remember</xhtml:code> option for the <xhtml:code>pam_unix</xhtml:code> PAM | |
module. In the file <xhtml:code>/etc/pam.d/system-auth</xhtml:code>, append <xhtml:code>remember=24</xhtml:code> to the | |
line which refers to the <xhtml:code>pam_unix.so</xhtml:code> module, as shown: | |
<pre xmlns="http://www.w3.org/1999/xhtml">password sufficient pam_unix.so <i>existing_options</i> remember=24</pre> | |
The DoD and FISMA requirement is 24 passwords.</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(f)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(e)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">200</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26741-9</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2267" value-id="password_history_retain_number"/> | |
<check-content-ref name="oval:ssg:def:1072" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it does not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To verify the password reuse setting is compliant, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep remember /etc/pam.d/system-auth</pre> | |
The output should show the following at the end of the line: | |
<pre xmlns="http://www.w3.org/1999/xhtml">remember=24</pre> | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
<Group id="set_password_hashing_algorithm"> | |
<title xml:lang="en-US">Set Password Hashing Algorithm</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The system's default algorithm for storing password hashes in | |
<xhtml:code>/etc/shadow</xhtml:code> is SHA-512. This can be configured in several | |
locations.</description> | |
<Rule id="set_password_hashing_algorithm_systemauth" selected="false" severity="medium"> | |
<title xml:lang="en-US">Set Password Hashing Algorithm in /etc/pam.d/system-auth</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
In <xhtml:code>/etc/pam.d/system-auth</xhtml:code>, the <xhtml:code>password</xhtml:code> section of | |
the file controls which PAM modules execute during a password change. | |
Set the <xhtml:code>pam_unix.so</xhtml:code> module in the | |
<xhtml:code>password</xhtml:code> section to include the argument <xhtml:code>sha512</xhtml:code>, as shown below: | |
<pre xmlns="http://www.w3.org/1999/xhtml">password sufficient pam_unix.so sha512 <i>other arguments...</i></pre> | |
This will help ensure when local users change their passwords, hashes for the new | |
passwords will be generated using the SHA-512 algorithm. | |
This is the default. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">803</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Using a stronger hashing algorithm makes password cracking attacks more difficult. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26303-8</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:978" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it does not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Inspect the <xhtml:code>password</xhtml:code> section of <xhtml:code>/etc/pam.d/system-auth</xhtml:code> and | |
ensure that the <xhtml:code>pam_unix.so</xhtml:code> module includes the argument | |
<xhtml:code>sha512</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep sha512 /etc/pam.d/system-auth</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="set_password_hashing_algorithm_logindefs" selected="false" severity="medium"> | |
<title xml:lang="en-US">Set Password Hashing Algorithm in /etc/login.defs</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
In <xhtml:code>/etc/login.defs</xhtml:code>, add or correct the following line to ensure | |
the system will use SHA-512 as the hashing algorithm: | |
<pre xmlns="http://www.w3.org/1999/xhtml">ENCRYPT_METHOD SHA512</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">803</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Using a stronger hashing algorithm makes password cracking attacks more difficult. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27228-6</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:210" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it does not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Inspect <xhtml:code>/etc/login.defs</xhtml:code> and ensure the following line appears: | |
<pre xmlns="http://www.w3.org/1999/xhtml">ENCRYPT_METHOD SHA512</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="set_password_hashing_algorithm_libuserconf" selected="false" severity="medium"> | |
<title xml:lang="en-US">Set Password Hashing Algorithm in /etc/libuser.conf</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
In <xhtml:code>/etc/libuser.conf</xhtml:code>, add or correct the following line in its | |
<xhtml:code>[defaults]</xhtml:code> section to ensure the system will use the SHA-512 | |
algorithm for password hashing: | |
<pre xmlns="http://www.w3.org/1999/xhtml">crypt_style = sha512</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">803</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Using a stronger hashing algorithm makes password cracking attacks more difficult. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27229-4</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:1084" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it does not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Inspect <xhtml:code>/etc/libuser.conf</xhtml:code> and ensure the following line appears | |
in the <xhtml:code>[default]</xhtml:code> section: | |
<pre xmlns="http://www.w3.org/1999/xhtml">crypt_style = sha512</pre> | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
</Group> | |
<Group id="accounts-session"> | |
<title xml:lang="en-US">Secure Session Configuration Files for Login Accounts</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">When a user logs into a Unix account, the system | |
configures the user's session by reading a number of files. Many of | |
these files are located in the user's home directory, and may have | |
weak permissions as a result of user error or misconfiguration. If | |
an attacker can modify or even read certain types of account | |
configuration information, they can often gain full access to the | |
affected user's account. Therefore, it is important to test and | |
correct configuration file permissions for interactive accounts, | |
particularly those of privileged users such as root or system | |
administrators.</description> | |
<Value id="max_concurrent_login_sessions_value" operator="equals" type="number"> | |
<title xml:lang="en-US">Maximum concurrent login sessions</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Maximum number of concurrent sessions by a user</description> | |
<value>1</value> | |
<value selector="1">1</value> | |
<value selector="3">3</value> | |
<value selector="5">5</value> | |
<value selector="10">10</value> | |
<value selector="15">15</value> | |
<value selector="20">20</value> | |
</Value> | |
<Rule id="max_concurrent_login_sessions" selected="false" severity="low"> | |
<title xml:lang="en-US">Limit the Number of Concurrent Login Sessions Allowed Per User</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Limiting the number of allowed users and sessions per user can limit risks related to Denial of | |
Service attacks. This addresses concurrent sessions for a single account and does not address | |
concurrent sessions by a single user via multiple accounts. The DoD requirement is 10. To set the number of concurrent | |
sessions per user add the following line in <xhtml:code>/etc/security/limits.conf</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">* hard maxlogins 10</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-10</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">54</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Limiting simultaneous user logins can insulate the system from denial of service | |
problems caused by excessive logins. Automated login processes operating improperly or | |
maliciously may result in an exceptional number of simultaneous login sessions. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27457-1</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2256" value-id="max_concurrent_login_sessions_value"/> | |
<check-content-ref name="oval:ssg:def:572" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it is not similar" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Run the following command to ensure the <xhtml:code>maxlogins</xhtml:code> value is configured for all users | |
on the system: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># grep "maxlogins" /etc/security/limits.conf</pre> | |
You should receive output similar to the following: | |
<pre xmlns="http://www.w3.org/1999/xhtml">* hard maxlogins 10</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Group id="root_paths"> | |
<title xml:lang="en-US">Ensure that No Dangerous Directories Exist in Root's Path</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The active path of the root account can be obtained by | |
starting a new root shell and running: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># echo $PATH</pre> | |
This will produce a colon-separated list of | |
directories in the path. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
Certain path elements could be considered dangerous, as they could lead | |
to root executing unknown or | |
untrusted programs, which could contain malicious | |
code. | |
Since root may sometimes work inside | |
untrusted directories, the <xhtml:code>.</xhtml:code> character, which represents the | |
current directory, should never be in the root path, nor should any | |
directory which can be written to by an unprivileged or | |
semi-privileged (system) user. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
It is a good practice for administrators to always execute | |
privileged commands by typing the full path to the | |
command.</description> | |
<Rule id="root_path_no_dot" selected="false" severity="low"> | |
<title xml:lang="en-US">Ensure that Root's Path Does Not Include Relative Paths or Null Directories</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Ensure that none of the directories in root's path is equal to a single | |
<xhtml:code>.</xhtml:code> character, or | |
that it contains any instances that lead to relative path traversal, such as | |
<xhtml:code>..</xhtml:code> or beginning a path without the slash (<xhtml:code>/</xhtml:code>) character. | |
Also ensure that there are no "empty" elements in the path, such as in these examples: | |
<pre xmlns="http://www.w3.org/1999/xhtml">PATH=:/bin | |
PATH=/bin: | |
PATH=/bin::/sbin</pre> | |
These empty elements have the same effect as a single <xhtml:code>.</xhtml:code> character. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Including these entries increases the risk that root could | |
execute code from an untrusted location. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26826-8</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:986" href="ssg-rhel6-oval.xml"/> | |
</check> | |
</Rule> | |
<Rule id="root_path_no_groupother_writable" selected="false" severity="low"> | |
<title xml:lang="en-US">Ensure that Root's Path Does Not Include World or Group-Writable Directories</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
For each element in root's path, run: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># ls -ld <i>DIR</i></pre> | |
and ensure that write permissions are disabled for group and | |
other. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Such entries increase the risk that root could | |
execute code provided by unprivileged users, | |
and potentially malicious code. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26768-2</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:359" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="group or other write permissions exist" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To ensure write permissions are disabled for group and other | |
for each element in root's path, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># ls -ld <i>DIR</i></pre> | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
<Rule id="homedir_perms_no_groupwrite_worldread" selected="false" severity="low"> | |
<title xml:lang="en-US">Ensure that User Home Directories are not Group-Writable or World-Readable</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">For each human user of the system, view the | |
permissions of the user's home directory: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># ls -ld /home/<i>USER</i></pre> | |
Ensure that the directory is not group-writable and that it | |
is not world-readable. If necessary, repair the permissions: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># chmod g-w /home/<i>USER</i> | |
# chmod o-rwx /home/<i>USER</i></pre> | |
</description> | |
<warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="false" category="general">This action may involve | |
modifying user home directories. Notify your user community, and | |
solicit input if appropriate, before making this type of | |
change.</warning> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
User home directories contain many configuration files which | |
affect the behavior of a user's account. No user should ever have | |
write permission to another user's home directory. Group shared | |
directories can be configured in sub-directories or elsewhere in the | |
filesystem if they are needed. Typically, user home directories | |
should not be world-readable, as it would disclose file names | |
to other users. If a subset of users need read access | |
to one another's home directories, this can be provided using | |
groups or ACLs. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26981-1</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:964" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the user home directory is group-writable or world-readable" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To ensure the user home directory is not group-writable or world-readable, run the following: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># ls -ld /home/<i>USER</i></pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Group id="user_umask"> | |
<title xml:lang="en-US">Ensure that Users Have Sensible Umask Values</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The umask setting controls the default permissions | |
for the creation of new files. | |
With a default <xhtml:code>umask</xhtml:code> setting of 077, files and directories | |
created by users will not be readable by any other user on the | |
system. Users who wish to make specific files group- or | |
world-readable can accomplish this by using the chmod command. | |
Additionally, users can make all their files readable to their | |
group by default by setting a <xhtml:code>umask</xhtml:code> of 027 in their shell | |
configuration files. If default per-user groups exist (that is, if | |
every user has a default group whose name is the same as that | |
user's username and whose only member is the user), then it may | |
even be safe for users to select a <xhtml:code>umask</xhtml:code> of 007, making it very | |
easy to intentionally share files with groups of which the user is | |
a member. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
<!--In addition, it may be necessary to change root's <tt>umask</tt> | |
temporarily in order to install software or files which must be | |
readable by other users, or to change the default umasks of certain | |
service accounts such as the FTP user. However, setting a | |
restrictive default protects the files of users who have not taken | |
steps to make their files more available, and preventing files from | |
being inadvertently shared.--> | |
</description> | |
<Value id="var_accounts_user_umask" operator="equals" type="string"> | |
<title xml:lang="en-US">Sensible umask</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enter default user umask</description> | |
<value>027</value> | |
<value selector="007">007</value> | |
<value selector="022">022</value> | |
<value selector="027">027</value> | |
<value selector="077">077</value> | |
</Value> | |
<Rule id="user_umask_bashrc" selected="false" severity="low"> | |
<title xml:lang="en-US">Ensure the Default Bash Umask is Set Correctly</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To ensure the default umask for users of the Bash shell is set properly, | |
add or correct the <xhtml:code>umask</xhtml:code> setting in <xhtml:code>/etc/bashrc</xhtml:code> to read | |
as follows: | |
<pre xmlns="http://www.w3.org/1999/xhtml">umask 077<!-- <sub idref="umask_user_value" /> --></pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/> | |
<reference href="http://iase.disa.mil/cci/index.html">366</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>swells</dc:contributor> | |
<dc:date>20120929</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The umask value influences the permissions assigned to files when they are created. | |
A misconfigured umask value could result in files with excessive permissions that can be read or | |
written to by unauthorized users.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26917-5</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2261" value-id="var_accounts_user_umask"/> | |
<check-content-ref name="oval:ssg:def:742" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the above command returns no output, or if the umask is configured incorrectly" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Verify the <xhtml:code>umask</xhtml:code> setting is configured correctly in the <xhtml:code>/etc/bashrc</xhtml:code> file by | |
running the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># grep "umask" /etc/bashrc</pre> | |
All output must show the value of <xhtml:code>umask</xhtml:code> set to 077, as shown below: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># grep "umask" /etc/bashrc | |
umask 077 | |
umask 077</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="user_umask_cshrc" selected="false" severity="low"> | |
<title xml:lang="en-US">Ensure the Default C Shell Umask is Set Correctly</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To ensure the default umask for users of the C shell is set properly, | |
add or correct the <xhtml:code>umask</xhtml:code> setting in <xhtml:code>/etc/csh.cshrc</xhtml:code> to read as follows: | |
<pre xmlns="http://www.w3.org/1999/xhtml">umask 077<!-- <sub idref="umask_user_value" /> --></pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/> | |
<reference href="http://iase.disa.mil/cci/index.html">366</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>swells</dc:contributor> | |
<dc:date>20120929</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The umask value influences the permissions assigned to files when they are created. | |
A misconfigured umask value could result in files with excessive permissions that can be read or | |
written to by unauthorized users.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27034-8</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2261" value-id="var_accounts_user_umask"/> | |
<check-content-ref name="oval:ssg:def:711" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the above command returns no output, or if the umask is configured incorrectly" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Verify the <xhtml:code>umask</xhtml:code> setting is configured correctly in the <xhtml:code>/etc/csh.cshrc</xhtml:code> file by | |
running the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># grep "umask" /etc/csh.cshrc</pre> | |
All output must show the value of <xhtml:code>umask</xhtml:code> set to 077, as shown in the below: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># grep "umask" /etc/csh.cshrc | |
umask 077</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="user_umask_profile" selected="false" severity="low"> | |
<title xml:lang="en-US">Ensure the Default Umask is Set Correctly in /etc/profile</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To ensure the default umask controlled by <xhtml:code>/etc/profile</xhtml:code> is set properly, | |
add or correct the <xhtml:code>umask</xhtml:code> setting in <xhtml:code>/etc/profile</xhtml:code> to read as follows: | |
<pre xmlns="http://www.w3.org/1999/xhtml">umask 077<!--<sub idref="umask_user_value" /> --></pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/> | |
<reference href="http://iase.disa.mil/cci/index.html">366</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>swells</dc:contributor> | |
<dc:date>20120929</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The umask value influences the permissions assigned to files when they are created. | |
A misconfigured umask value could result in files with excessive permissions that can be read or | |
written to by unauthorized users.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26669-2</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2261" value-id="var_accounts_user_umask"/> | |
<check-content-ref name="oval:ssg:def:1204" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the above command returns no output, or if the umask is configured incorrectly" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Verify the <xhtml:code>umask</xhtml:code> setting is configured correctly in the <xhtml:code>/etc/profile</xhtml:code> file by | |
running the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># grep "umask" /etc/profile</pre> | |
All output must show the value of <xhtml:code>umask</xhtml:code> set to 077, as shown in the below: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># grep "umask" /etc/profile | |
umask 077</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="user_umask_logindefs" selected="false" severity="low"> | |
<title xml:lang="en-US">Ensure the Default Umask is Set Correctly in login.defs</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To ensure the default umask controlled by <xhtml:code>/etc/login.defs</xhtml:code> is set properly, | |
add or correct the <xhtml:code>UMASK</xhtml:code> setting in <xhtml:code>/etc/login.defs</xhtml:code> to read as follows: | |
<pre xmlns="http://www.w3.org/1999/xhtml">UMASK 077<!-- <sub idref="umask_user_value" /> --></pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/> | |
<reference href="http://iase.disa.mil/cci/index.html">366</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>swells</dc:contributor> | |
<dc:date>20120929</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The umask value influences the permissions assigned to files when they are created. | |
A misconfigured umask value could result in files with excessive permissions that can be read and | |
written to by unauthorized users.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26371-5</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2261" value-id="var_accounts_user_umask"/> | |
<check-content-ref name="oval:ssg:def:1160" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the above command returns no output, or if the umask is configured incorrectly" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Verify the <xhtml:code>UMASK</xhtml:code> setting is configured correctly in the <xhtml:code>/etc/login.defs</xhtml:code> file by | |
running the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># grep -i "UMASK" /etc/login.defs</pre> | |
All output must show the value of <xhtml:code>umask</xhtml:code> set to 077, as shown in the below: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># grep -i "UMASK" /etc/login.defs | |
umask 077</pre> | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
</Group> | |
<Group id="accounts-physical"> | |
<title xml:lang="en-US">Protect Physical Console Access</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">It is impossible to fully protect a system from an | |
attacker with physical access, so securing the space in which the | |
system is located should be considered a necessary step. However, | |
there are some steps which, if taken, make it more difficult for an | |
attacker to quickly or undetectably modify a system from its | |
console.</description> | |
<Group id="bootloader"> | |
<title xml:lang="en-US">Set Boot Loader Password</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">During the boot process, the boot loader is | |
responsible for starting the execution of the kernel and passing | |
options to it. The boot loader allows for the selection of | |
different kernels - possibly on different partitions or media. | |
The default RHEL boot loader for x86 systems is called GRUB. | |
Options it can pass to the kernel include <i xmlns="http://www.w3.org/1999/xhtml">single-user mode</i>, which | |
provides root access without any authentication, and the ability to | |
disable SELinux. To prevent local users from modifying the boot | |
parameters and endangering security, protect the boot loader configuration | |
with a password and ensure its configuration file's permissions | |
are set properly. | |
</description> | |
<Rule id="user_owner_grub_conf" selected="false" severity="medium"> | |
<title xml:lang="en-US">Verify /etc/grub.conf User Ownership</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The file <xhtml:code>/etc/grub.conf</xhtml:code> should | |
be owned by the <xhtml:code>root</xhtml:code> user to prevent destruction | |
or modification of the file. | |
To properly set the owner of <xhtml:code>/etc/grub.conf</xhtml:code>, run the command: | |
<xhtml:pre xml:space="preserve"># chown root /etc/grub.conf </xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/> | |
<reference href="http://iase.disa.mil/cci/index.html">225</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Only root should be able to modify important boot parameters. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26995-1</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:910" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it does not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check the ownership of <xhtml:code>/etc/grub.conf</xhtml:code>, run the command: | |
<xhtml:pre>$ ls -lL /etc/grub.conf</xhtml:pre> | |
If properly configured, the output should indicate the following owner: | |
<xhtml:code>root</xhtml:code> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="group_owner_grub_conf" selected="false" severity="medium"> | |
<title xml:lang="en-US">Verify /etc/grub.conf Group Ownership</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The file <xhtml:code>/etc/grub.conf</xhtml:code> should | |
be group-owned by the <xhtml:code>root</xhtml:code> group to prevent | |
destruction or modification of the file. | |
To properly set the group owner of <xhtml:code>/etc/grub.conf</xhtml:code>, run the command: | |
<xhtml:pre xml:space="preserve"># chgrp root /etc/grub.conf </xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/> | |
<reference href="http://iase.disa.mil/cci/index.html">225</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The <xhtml:code>root</xhtml:code> group is a highly-privileged group. Furthermore, the group-owner of this | |
file should not have any access privileges anyway. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27022-3</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:441" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it does not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check the group ownership of <xhtml:code>/etc/grub.conf</xhtml:code>, run the command: | |
<xhtml:pre>$ ls -lL /etc/grub.conf</xhtml:pre> | |
If properly configured, the output should indicate the following group-owner. | |
<xhtml:code>root</xhtml:code> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="permissions_grub_conf" selected="false" severity="medium"> | |
<title xml:lang="en-US">Verify /boot/grub/grub.conf Permissions</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">File permissions for <xhtml:code>/boot/grub/grub.conf</xhtml:code> should be set to 600, which | |
is the default. | |
To properly set the permissions of <xhtml:code>/boot/grub/grub.conf</xhtml:code>, run the command: | |
<xhtml:pre xml:space="preserve"># chmod 600 /boot/grub/grub.conf</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/> | |
<reference href="http://iase.disa.mil/cci/index.html">225</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Proper permissions ensure that only the root user can modify important boot | |
parameters. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26949-8</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:510" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it does not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check the permissions of /etc/grub.conf, run the command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># ls -lL /etc/grub.conf</pre> | |
If properly configured, the output should indicate the following | |
permissions: <xhtml:code>-rw-------</xhtml:code> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="bootloader_password" selected="false" severity="medium"> | |
<title xml:lang="en-US">Set Boot Loader Password</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The grub boot loader should have password protection | |
enabled to protect boot-time settings. | |
To do so, select a password and then generate a hash from it by running the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># grub-crypt --sha-512</pre> | |
When prompted to enter a password, insert the following line into <xhtml:code>/etc/grub.conf</xhtml:code> | |
immediately after the header comments. (Use the output from <xhtml:code>grub-crypt</xhtml:code> as the | |
value of <b xmlns="http://www.w3.org/1999/xhtml">password-hash</b>): | |
<pre xmlns="http://www.w3.org/1999/xhtml">password --encrypted <b>password-hash</b></pre> | |
NOTE: To meet FISMA Moderate, the bootloader password MUST differ from the root password. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-2(1)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(e)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">213</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Password protection on the boot loader configuration ensures | |
users with physical access cannot trivially alter | |
important bootloader settings. These include which kernel to use, | |
and whether to enter single-user mode. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26911-8</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:1038" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it does not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To verify the boot loader password has been set and encrypted, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># grep password /etc/grub.conf</pre> | |
The output should show the following: | |
<pre xmlns="http://www.w3.org/1999/xhtml">password --encrypted <b>password-hash</b></pre> | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
<Rule id="require_singleuser_auth" selected="false" severity="medium"> | |
<title xml:lang="en-US">Require Authentication for Single User Mode</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Single-user mode is intended as a system recovery | |
method, providing a single user root access to the system by | |
providing a boot option at startup. By default, no authentication | |
is performed if single-user mode is selected. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
To require entry of the root password even if the system is | |
started in single-user mode, add or correct the following line in the | |
file <xhtml:code>/etc/sysconfig/init</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">SINGLE=/sbin/sulogin</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-2(1)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">213</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
This prevents attackers with physical access from trivially bypassing security | |
on the machine and gaining root access. Such accesses are further prevented | |
by configuring the bootloader password. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27040-5</ident> | |
<fix system="urn:xccdf:fix:script:sh">grep -q ^SINGLE /etc/sysconfig/init && \ | |
sed -i "s/SINGLE.*/SINGLE=\/sbin\/sulogin/g" /etc/sysconfig/init | |
if ! [ $? -eq 0 ]; then | |
echo "SINGLE=/sbin/sulogin" >> /etc/sysconfig/init | |
fi | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:1000" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the output is different" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check if authentication is required for single-user mode, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep SINGLE /etc/sysconfig/init</pre> | |
The output should be the following: | |
<pre xmlns="http://www.w3.org/1999/xhtml">SINGLE=/sbin/sulogin</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="disable_ctrlaltdel_reboot" selected="false" severity="high"> | |
<title xml:lang="en-US">Disable Ctrl-Alt-Del Reboot Activation</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
By default, the system includes the following line in | |
<xhtml:code>/etc/init/control-alt-delete.conf</xhtml:code> | |
to reboot the system when the Ctrl-Alt-Del key sequence is pressed: | |
<pre xmlns="http://www.w3.org/1999/xhtml">exec /sbin/shutdown -r now "Control-Alt-Delete pressed"</pre> | |
<br xmlns="http://www.w3.org/1999/xhtml"/> | |
To configure the system to log a message instead of | |
rebooting the system, alter that line to read as follows: | |
<pre xmlns="http://www.w3.org/1999/xhtml">exec /usr/bin/logger -p security.info "Control-Alt-Delete pressed"</pre> | |
</description> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
A locally logged-in user who presses Ctrl-Alt-Del, when at the console, | |
can reboot the system. If accidentally pressed, as could happen in | |
the case of mixed OS environment, this can create the risk of short-term | |
loss of availability of systems due to unintentional reboot. | |
In the GNOME graphical environment, risk of unintentional reboot from the | |
Ctrl-Alt-Del sequence is reduced because the user will be | |
prompted before any action is taken. | |
</rationale> | |
<check system="ocil-transitional"> | |
<check-export export-name="the system is configured to run the shutdown command" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To ensure the system is configured to log a message instead of rebooting the system when | |
Ctrl-Alt-Del is pressed, ensure the following line is in <xhtml:code>/etc/init/control-alt-delete.conf</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">exec /usr/bin/logger -p security.info "Control-Alt-Delete pressed"</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="disable_interactive_boot" selected="false" severity="medium"> | |
<title xml:lang="en-US">Disable Interactive Boot</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To disable the ability for users to perform interactive startups, | |
edit the file <xhtml:code>/etc/sysconfig/init</xhtml:code>. | |
Add or correct the line: | |
<pre xmlns="http://www.w3.org/1999/xhtml">PROMPT=no</pre> | |
The <xhtml:code>PROMPT</xhtml:code> option allows the console user to perform an | |
interactive system startup, in which it is possible to select the | |
set of services which are started on boot. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-2</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">213</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Using interactive boot, | |
the console user could disable auditing, firewalls, or other | |
services, weakening system security. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27043-9</ident> | |
<fix system="urn:xccdf:fix:script:sh">grep -q ^PROMPT /etc/sysconfig/init && \ | |
sed -i "s/PROMPT.*/PROMPT=no/g" /etc/sysconfig/init | |
if ! [ $? -eq 0 ]; then | |
echo "PROMPT=no" >> /etc/sysconfig/init | |
fi | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:703" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it does not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check whether interactive boot is disabled, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep PROMPT /etc/sysconfig/init</pre> | |
If interactive boot is disabled, the output will show: | |
<pre xmlns="http://www.w3.org/1999/xhtml">PROMPT=no</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Group id="screen_locking"> | |
<title xml:lang="en-US">Configure Screen Locking</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">When a user must temporarily leave an account | |
logged-in, screen locking should be employed to prevent passersby | |
from abusing the account. User education and training is | |
particularly important for screen locking to be effective, and policies | |
can be implemented to reinforce this. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
Automatic screen locking is only meant as a safeguard for | |
those cases where a user forgot to lock the screen.</description> | |
<Group id="gui_screen_locking"> | |
<title xml:lang="en-US">Configure GUI Screen Locking</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">In the default GNOME desktop, the screen can be locked | |
by choosing <b xmlns="http://www.w3.org/1999/xhtml">Lock Screen</b> from the <b xmlns="http://www.w3.org/1999/xhtml">System</b> menu. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
The <xhtml:code>gconftool-2</xhtml:code> program can be used to enforce mandatory | |
screen locking settings for the default GNOME environment. | |
The | |
following sections detail commands to enforce idle activation of the screen saver, | |
screen locking, a blank-screen screensaver, and an idle | |
activation time. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
Because users should be trained to lock the screen when they | |
step away from the computer, the automatic locking feature is only | |
meant as a backup. The Lock Screen icon from the System menu can | |
also be dragged to the taskbar in order to facilitate even more | |
convenient screen-locking. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
The root account cannot be screen-locked, but this should | |
<!-- TODO: is this still true? -->have no practical effect as the root account should <i xmlns="http://www.w3.org/1999/xhtml">never</i> be used | |
to log into an X Windows environment, and should only be used to | |
for direct login via console in emergency circumstances. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
For more information about configuring GNOME screensaver, see | |
http://live.gnome.org/GnomeScreensaver. For more information about | |
enforcing preferences in the GNOME environment using the GConf | |
configuration system, see http://projects.gnome.org/gconf and | |
the man page <xhtml:code>gconftool-2(1)</xhtml:code>.</description> | |
<Value id="inactivity_timeout_value" operator="equals" type="string"> | |
<title xml:lang="en-US">Inactivity timeout</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Choose allowed duration of inactive SSH connections, shells, and X sessions</description> | |
<value>15</value> | |
<value selector="5_minutes">5</value> | |
<value selector="10_minutes">10</value> | |
<value selector="15_minutes">15</value> | |
</Value> | |
<Rule id="set_screensaver_inactivity_timeout" selected="false" severity="medium"> | |
<title xml:lang="en-US">Set GNOME Login Inactivity Timeout</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Run the following command to set the idle time-out value for | |
inactivity in the GNOME desktop to 15 minutes: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># gconftool-2 \ | |
--direct \ | |
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ | |
--type int \ | |
--set /apps/gnome-screensaver/idle_delay 15</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-11(a)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">57</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Setting the idle delay controls when the | |
screensaver will start, and can be combined with | |
screen locking to prevent access from passersby. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26828-4</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2253" value-id="inactivity_timeout_value"/> | |
<check-content-ref name="oval:ssg:def:497" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it is not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check the current idle time-out value, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ gconftool-2 -g /apps/gnome-screensaver/idle_delay</pre> | |
If properly configured, the output should be <xhtml:code>15</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="enable_screensaver_after_idle" selected="false" severity="medium"> | |
<title xml:lang="en-US">GNOME Desktop Screensaver Mandatory Use</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Run the following command to activate the screensaver | |
in the GNOME desktop after a period of inactivity: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># gconftool-2 --direct \ | |
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ | |
--type bool \ | |
--set /apps/gnome-screensaver/idle_activation_enabled true</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-11(a)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">57</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Enabling idle activation of the screen saver ensures the screensaver will | |
be activated after the idle delay. Applications requiring continuous, | |
real-time screen display (such as network management products) require the | |
login session does not have administrator rights and the display station is located in a | |
controlled-access area. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26600-7</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:653" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it is not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml">To check the screensaver mandatory use status, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ gconftool-2 -g /apps/gnome-screensaver/idle_activation_enabled</pre> | |
If properly configured, the output should be <xhtml:code>true</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="enable_screensaver_password_lock" selected="false" severity="medium"> | |
<title xml:lang="en-US">Enable Screen Lock Activation After Idle Period</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Run the following command to activate locking of the screensaver | |
in the GNOME desktop when it is activated: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># gconftool-2 --direct \ | |
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ | |
--type bool \ | |
--set /apps/gnome-screensaver/lock_enabled true</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-11(a)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">57</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Enabling the activation of the screen lock after an idle period | |
ensures password entry will be required in order to | |
access the system, preventing access by passersby. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26235-2</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:770" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it is not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check the status of the idle screen lock activation, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ gconftool-2 -g /apps/gnome-screensaver/lock_enabled</pre> | |
If properly configured, the output should be <xhtml:code>true</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="set_blank_screensaver" selected="false" severity="low"> | |
<title xml:lang="en-US">Implement Blank Screen Saver</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Run the following command to set the screensaver mode | |
in the GNOME desktop to a blank screen: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># gconftool-2 | |
--direct \ | |
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ | |
--type string \ | |
--set /apps/gnome-screensaver/mode blank-only</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-11(b)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">60</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Setting the screensaver mode to blank-only conceals the | |
contents of the display from passersby. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26638-7</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:807" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it is not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To ensure the screensaver is configured to be blank, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ gconftool-2 -g /apps/gnome-screensaver/mode</pre> | |
If properly configured, the output should be <xhtml:code>blank-only</xhtml:code> | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
<Group id="console_screen_locking"> | |
<title xml:lang="en-US">Configure Console Screen Locking</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
A console screen locking mechanism is provided in the | |
<xhtml:code>screen</xhtml:code> package, which is not installed by default. | |
</description> | |
<Rule id="package_screen_installed" selected="false" severity="low"> | |
<title xml:lang="en-US">Install the screen Package</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To enable console screen locking, install the <xhtml:code>screen</xhtml:code> package: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># yum install screen</pre> | |
Instruct users to begin new terminal sessions with the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ screen</pre> | |
The console can now be locked with the following key combination: | |
<pre xmlns="http://www.w3.org/1999/xhtml">ctrl+a x</pre> | |
</description> | |
<reference href="http://iase.disa.mil/cci/index.html">58</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Installing <xhtml:code>screen</xhtml:code> ensures a console locking capability is available | |
for users who may need to suspend console logins. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26940-7</ident> | |
<fix system="urn:xccdf:fix:script:sh">yum -y install screen | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:868" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the package is not installed" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Run the following command to determine if the <xhtml:code>screen</xhtml:code> package is installed: | |
<xhtml:pre># rpm -q screen</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
<Group id="smart_card_login"> | |
<title xml:lang="en-US">Hardware Tokens for Authentication</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The use of hardware tokens such as smart cards for system login | |
provides stronger, two-factor authentication than using a username/password. | |
In Red Hat Enterprise Linux servers and workstations, hardware token login | |
is not enabled by default and must be enabled in the system settings. | |
</description> | |
<Rule id="smartcard_auth" selected="false" severity="medium"> | |
<title xml:lang="en-US">Enable Smart Card Login</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To enable smart card authentication, consult the documentation at: | |
<ul xmlns="http://www.w3.org/1999/xhtml"><li>https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/enabling-smart-card-login.html</li></ul> | |
</description> | |
<reference href="http://iase.disa.mil/cci/index.html">765</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">766</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">767</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">768</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">771</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">772</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">884</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Smart card login provides two-factor authentication stronger than | |
that provided by a username/password combination. Smart cards leverage a PKI | |
(public key infrastructure) in order to provide and verify credentials. | |
</rationale> | |
<check system="ocil-transitional"> | |
<check-export export-name="non-exempt accounts are not using CAC authentication" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Interview the SA to determine if all accounts not exempted by policy are | |
using CAC authentication. | |
For DoD systems, the following systems and accounts are exempt from using | |
smart card (CAC) authentication: | |
<ul xmlns="http://www.w3.org/1999/xhtml"><li>SIPRNET systems</li><!-- also any other non-Internet systems? --><li>Standalone systems</li><li>Application accounts</li><li>Temporary employee accounts, such as students or interns, who cannot easily receive a CAC or PIV</li><li>Operational tactical locations that are not collocated with RAPIDS workstations to issue CAC or ALT</li><li>Test systems, such as those with an Interim Approval to Test (IATT) and use a separate VPN, firewall, or security measure preventing access to network and system components from outside the protection boundary documented in the IATT.</li></ul> | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
</Group> | |
</Group> | |
<Group id="accounts-banners"> | |
<title xml:lang="en-US">Warning Banners for System Accesses</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Each system should expose as little information about | |
itself as possible. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
System banners, which are typically displayed just before a | |
login prompt, give out information about the service or the host's | |
operating system. This might include the distribution name and the | |
system kernel version, and the particular version of a network | |
service. This information can assist intruders in gaining access to | |
the system as it can reveal whether the system is running | |
vulnerable software. Most network services can be configured to | |
limit what information is displayed. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
Many organizations implement security policies that require a | |
system banner provide notice of the system's ownership, provide | |
warning to unauthorized users, and remind authorized users of their | |
consent to monitoring.</description> | |
<Value id="login_banner_text" operator="equals" type="string"> | |
<title xml:lang="en-US">Login Banner Verbiage</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enter an appropriate login banner for your organization. Please note that new lines must | |
be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\'.</description> | |
<value selector="usgcb_default"> | |
-- WARNING --[\s\n]*This system is for the use of authorized users only. Individuals[\s\n]*using this computer system without authority or in excess of their[\s\n]*authority are subject to having all their activities on this system[\s\n]*monitored and recorded by system personnel. Anyone using this[\s\n]*system expressly consents to such monitoring and is advised that[\s\n]*if such monitoring reveals possible evidence of criminal activity[\s\n]*system personal may provide the evidence of such monitoring to law[\s\n]*enforcement officials.</value> | |
<value selector="dod_default">You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:[\s\n]*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.[\s\n]*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.[\s\n]*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.[\s\n]*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests[\s\n]+--[\s\n]+not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.[\s\n]*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.</value> | |
<value selector="dod_short">I\'ve read \& consent to terms in IS user agreem\'t.</value> | |
</Value> | |
<Rule id="set_system_login_banner" selected="false" severity="medium"> | |
<title xml:lang="en-US">Modify the System Login Banner</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To configure the system login banner: | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
Edit <xhtml:code>/etc/issue</xhtml:code>. Replace the default text with a message | |
compliant with the local site policy or a legal disclaimer. | |
The DoD required text is either: | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
<xhtml:code>You are accessing a U.S. Government (USG) Information System (IS) that is | |
provided for USG-authorized use only. By using this IS (which includes any | |
device attached to this IS), you consent to the following conditions: | |
<br xmlns="http://www.w3.org/1999/xhtml"/>-The USG routinely intercepts and monitors communications on this IS for purposes | |
including, but not limited to, penetration testing, COMSEC monitoring, network | |
operations and defense, personnel misconduct (PM), law enforcement (LE), and | |
counterintelligence (CI) investigations. | |
<br xmlns="http://www.w3.org/1999/xhtml"/>-At any time, the USG may inspect and seize data stored on this IS. | |
<br xmlns="http://www.w3.org/1999/xhtml"/>-Communications using, or data stored on, this IS are not private, are subject | |
to routine monitoring, interception, and search, and may be disclosed or used | |
for any USG-authorized purpose. | |
<br xmlns="http://www.w3.org/1999/xhtml"/>-This IS includes security measures (e.g., authentication and access controls) | |
to protect USG interests -- not for your personal benefit or privacy. | |
<br xmlns="http://www.w3.org/1999/xhtml"/>-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative | |
searching or monitoring of the content of privileged communications, or work | |
product, related to personal representation or services by attorneys, | |
psychotherapists, or clergy, and their assistants. Such communications and work | |
product are private and confidential. See User Agreement for details.</xhtml:code> | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
OR: | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
<xhtml:code>I've read & consent to terms in IS user agreem't.</xhtml:code> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-8(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-8(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-8(c)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">48</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1384</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1385</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1386</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1387</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1388</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
An appropriate warning message reinforces policy awareness during the logon | |
process and facilitates possible legal action against attackers. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26974-6</ident> | |
<fix system="urn:xccdf:fix:script:sh">login_banner_text="<sub idref="login_banner_text"/>" | |
cat <<EOF >/etc/issue | |
$login_banner_text | |
EOF | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2229" value-id="login_banner_text"/> | |
<check-content-ref name="oval:ssg:def:365" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it does not display the required banner" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check if the system login banner is compliant, | |
run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ cat /etc/issue</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Group id="gui_login_banner"> | |
<title xml:lang="en-US">Implement a GUI Warning Banner</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">In the default graphical environment, users logging | |
directly into the system are greeted with a login screen provided | |
by the GNOME Display Manager (GDM). The warning banner should be | |
displayed in this graphical environment for these users. | |
The following sections describe how to configure the GDM login | |
banner. | |
</description> | |
<Rule id="enable_gdm_login_banner" selected="false" severity="medium"> | |
<title xml:lang="en-US">Enable GUI Warning Banner</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To enable displaying a login warning banner in the GNOME | |
Display Manager's login screen, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml">sudo -u gdm gconftool-2 \ | |
--type bool \ | |
--set /apps/gdm/simple-greeter/banner_message_enable true</pre> | |
To display a banner, this setting must be enabled and then | |
banner text must also be set. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-8(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-8(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-8(c)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">48</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">50</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
An appropriate warning message reinforces policy awareness during the logon | |
process and facilitates possible legal action against attackers. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27195-7</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:415" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it is not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To ensure a login warning banner is enabled, run the following: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ gconftool-2 -g /apps/gdm/simple-greeter/banner_message_enable</pre> | |
Search for the <xhtml:code>banner_message_enable</xhtml:code> schema. | |
If properly configured, the <xhtml:code>default</xhtml:code> value should be <xhtml:code>true</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="set_gdm_login_banner_text" selected="false" severity="medium"> | |
<title xml:lang="en-US">Set GUI Warning Banner Text</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To set the text shown by the GNOME Display Manager | |
in the login screen, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml">sudo -u gdm gconftool-2 \ | |
--type string \ | |
--set /apps/gdm/simple-greeter/banner_message_text \ | |
"Text of the warning banner here"</pre> | |
When entering a warning banner that spans several lines, remember | |
to begin and end the string with <xhtml:code>"</xhtml:code>. This command writes | |
directly to the file <xhtml:code>/var/lib/gdm/.gconf/apps/gdm/simple-greeter/%gconf.xml</xhtml:code>, | |
and this file can later be edited directly if necessary. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-8(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-8(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-8(c)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">48</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1384</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1385</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1386</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1387</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1388</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
An appropriate warning message reinforces policy awareness during the logon | |
process and facilitates possible legal action against attackers. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27017-3</ident> | |
<check system="ocil-transitional"> | |
<check-export export-name="it does not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To ensure the login warning banner text is properly set, run the following: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ gconftool-2 -g /apps/gdm/simple-greeter/banner_message_text</pre> | |
If properly configured, the proper banner text will appear within this schema. | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
<Rule id="disable_user_list" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable the User List</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">In the default graphical environment, users logging | |
directly into the system are greeted with a login screen that displays | |
all known users. This functionality should be disabled. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
Run the following command to disable the user list: | |
<pre xmlns="http://www.w3.org/1999/xhtml">sudo -u gdm gconftool-2 \ | |
--type bool \ | |
--set /apps/gdm/simple-greeter/disable_user_list true</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-23</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Leaving the user list enabled is a security risk since it allows anyone | |
with physical access to the system to quickly enumerate known user accounts | |
without logging in.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27230-2</ident> | |
<check system="ocil-transitional"> | |
<check-export export-name="it is not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To ensure the user list is disabled, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ gconftool-2 -g /apps/gdm/simple-greeter/disable_user_list</pre> | |
The output should be <xhtml:code>true</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
</Group> | |
<Group id="network"> | |
<title xml:lang="en-US">Network Configuration and Firewalls</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Most machines must be connected to a network of some | |
sort, and this brings with it the substantial risk of network | |
attack. This section discusses the security impact of decisions | |
about networking which must be made when configuring a system. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
This section also discusses firewalls, network access | |
controls, and other network security frameworks, which allow | |
system-level rules to be written that can limit an attackers' ability | |
to connect to your system. These rules can specify that network | |
traffic should be allowed or denied from certain IP addresses, | |
hosts, and networks. The rules can also specify which of the | |
system's network services are available to particular hosts or | |
networks.</description> | |
<Group id="network_disable_unused_interfaces"> | |
<title xml:lang="en-US">Disable Unused Interfaces</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Network interfaces expand the attack surface of the | |
system. Unused interfaces are not monitored or controlled, and | |
should be disabled. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
If the system does not require network communications but still | |
needs to use the loopback interface, remove all files of the form | |
<xhtml:code>ifcfg-<i xmlns="http://www.w3.org/1999/xhtml">interface</i></xhtml:code> except for <xhtml:code>ifcfg-lo</xhtml:code> from | |
<xhtml:code>/etc/sysconfig/network-scripts</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># rm /etc/sysconfig/network-scripts/ifcfg-<i>interface</i></pre> | |
If the system is a standalone machine with no need for network access or even | |
communication over the loopback device, then disable this service. | |
The <xhtml:code>network</xhtml:code> service can be disabled with the following command: | |
<xhtml:pre># chkconfig network off</xhtml:pre> | |
</description> | |
</Group> | |
<Rule id="network_disable_zeroconf" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable Zeroconf Networking</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Zeroconf networking allows the system to assign itself an IP | |
address and engage in IP communication without a statically-assigned address or | |
even a DHCP server. Automatic address assignment via Zeroconf (or DHCP) is not | |
recommended. To disable Zeroconf automatic route assignment in the 169.254.0.0 | |
subnet, add or correct the following line in <xhtml:code>/etc/sysconfig/network</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">NOZEROCONF=yes</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Zeroconf addresses are in the network 169.254.0.0. The networking | |
scripts add entries to the system's routing table for these addresses. Zeroconf | |
address assignment commonly occurs when the system is configured to use DHCP | |
but fails to receive an address assignment from the DHCP server. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27151-0</ident> | |
<fix system="urn:xccdf:fix:script:sh">echo "NOZEROCONF=yes" >> /etc/sysconfig/network | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:754" href="ssg-rhel6-oval.xml"/> | |
</check> | |
</Rule> | |
<Rule id="network_sniffer_disabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Ensure System is Not Acting as a Network Sniffer</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The system should not be acting as a network sniffer, which can | |
capture all traffic on the network to which it is connected. Run the following | |
to determine if any interface is running in promiscuous mode: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ ip link | grep PROMISC</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">MA-3</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If any results are returned, then a sniffing process (such as tcpdump | |
or Wireshark) is likely to be using the interface and this should be | |
investigated. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27152-8</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:1013" href="ssg-rhel6-oval.xml"/> | |
</check> | |
</Rule> | |
<Group id="network-kernel"> | |
<title xml:lang="en-US">Kernel Parameters Which Affect Networking</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>sysctl</xhtml:code> utility is used to set | |
parameters which affect the operation of the Linux kernel. Kernel parameters | |
which affect networking and have security implications are described here. | |
</description> | |
<Group id="network_host_parameters"> | |
<title xml:lang="en-US">Network Parameters for Hosts Only</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If the system is not going to be used as a router, then setting certain | |
kernel parameters ensure that the host will not perform routing | |
of network traffic.</description> | |
<Rule id="sysctl_net_ipv4_conf_default_send_redirects" selected="false" severity="medium"> | |
<title xml:lang="en-US">Disable Kernel Parameter for Sending ICMP Redirects by Default</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To set the runtime status of the <xhtml:code>net.ipv4.conf.default.send_redirects</xhtml:code> kernel parameter, | |
run the following command: | |
<xhtml:pre xml:space="preserve"># sysctl -w net.ipv4.conf.default.send_redirects=0</xhtml:pre> | |
If this is not the system's default value, add the following line to <xhtml:code>/etc/sysctl.conf</xhtml:code>: | |
<xhtml:pre xml:space="preserve">net.ipv4.conf.default.send_redirects = 0</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-4</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-5</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1551</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Sending ICMP redirects permits the system to instruct other systems | |
to update their routing information. The ability to send ICMP redirects is | |
only appropriate for systems acting as routers.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27001-7</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Set runtime for net.ipv4.conf.default.send_redirects | |
# | |
sysctl -q -n -w net.ipv4.conf.default.send_redirects=0 | |
# | |
# If net.ipv4.conf.default.send_redirects present in /etc/sysctl.conf, change value to "0" | |
# else, add "net.ipv4.conf.default.send_redirects = 0" to /etc/sysctl.conf | |
# | |
if grep --silent ^net.ipv4.conf.default.send_redirects /etc/sysctl.conf ; then | |
sed -i 's/^net.ipv4.conf.default.send_redirects.*/net.ipv4.conf.default.send_redirects = 0/g' /etc/sysctl.conf | |
else | |
echo "" >> /etc/sysctl.conf | |
echo "# Set net.ipv4.conf.default.send_redirects to 0 per security requirements" >> /etc/sysctl.conf | |
echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.conf | |
fi | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:656" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the correct value is not returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
The status of the <xhtml:code>net.ipv4.conf.default.send_redirects</xhtml:code> kernel parameter can be queried | |
by running the following command: | |
<xhtml:pre xml:space="preserve">$ sysctl net.ipv4.conf.default.send_redirects</xhtml:pre> | |
The output of the command should indicate a value of <xhtml:code>0</xhtml:code>. | |
If this value is not the default value, investigate how it could have been | |
adjusted at runtime, and verify it is not set improperly in | |
<xhtml:code>/etc/sysctl.conf</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="sysctl_ipv4_all_send_redirects" selected="false" severity="medium"> | |
<title xml:lang="en-US">Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To set the runtime status of the <xhtml:code>net.ipv4.conf.all.send_redirects</xhtml:code> kernel parameter, | |
run the following command: | |
<xhtml:pre xml:space="preserve"># sysctl -w net.ipv4.conf.all.send_redirects=0</xhtml:pre> | |
If this is not the system's default value, add the following line to <xhtml:code>/etc/sysctl.conf</xhtml:code>: | |
<xhtml:pre xml:space="preserve">net.ipv4.conf.all.send_redirects = 0</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1551</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Sending ICMP redirects permits the system to instruct other systems | |
to update their routing information. The ability to send ICMP redirects is | |
only appropriate for systems acting as routers.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27004-1</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:731" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the correct value is not returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
The status of the <xhtml:code>net.ipv4.conf.all.send_redirects</xhtml:code> kernel parameter can be queried | |
by running the following command: | |
<xhtml:pre xml:space="preserve">$ sysctl net.ipv4.conf.all.send_redirects</xhtml:pre> | |
The output of the command should indicate a value of <xhtml:code>0</xhtml:code>. | |
If this value is not the default value, investigate how it could have been | |
adjusted at runtime, and verify it is not set improperly in | |
<xhtml:code>/etc/sysctl.conf</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="sysctl_ipv4_ip_forward" selected="false" severity="medium"> | |
<title xml:lang="en-US">Disable Kernel Parameter for IP Forwarding</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To set the runtime status of the <xhtml:code>net.ipv4.ip_forward</xhtml:code> kernel parameter, | |
run the following command: | |
<xhtml:pre xml:space="preserve"># sysctl -w net.ipv4.ip_forward=0</xhtml:pre> | |
If this is not the system's default value, add the following line to <xhtml:code>/etc/sysctl.conf</xhtml:code>: | |
<xhtml:pre xml:space="preserve">net.ipv4.ip_forward = 0</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-5</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">366</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">IP forwarding permits the kernel to forward packets from one network | |
interface to another. The ability to forward packets between two networks is | |
only appropriate for systems acting as routers.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26866-4</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:1004" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the correct value is not returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
The status of the <xhtml:code>net.ipv4.ip_forward</xhtml:code> kernel parameter can be queried | |
by running the following command: | |
<xhtml:pre xml:space="preserve">$ sysctl net.ipv4.ip_forward</xhtml:pre> | |
The output of the command should indicate a value of <xhtml:code>0</xhtml:code>. | |
If this value is not the default value, investigate how it could have been | |
adjusted at runtime, and verify it is not set improperly in | |
<xhtml:code>/etc/sysctl.conf</xhtml:code>. | |
The ability to forward packets is only appropriate for routers. | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
<Group id="network_host_and_router_parameters"> | |
<title xml:lang="en-US">Network Related Kernel Runtime Parameters for Hosts and Routers</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Certain kernel parameters should be set for systems which are | |
acting as either hosts or routers to improve the system's ability defend | |
against certain types of IPv4 protocol attacks.</description> | |
<Value id="sysctl_net_ipv4_conf_all_accept_source_route_value" operator="equals" type="string"> | |
<title xml:lang="en-US">net.ipv4.conf.all.accept_source_route</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Trackers could be using source-routed packets to | |
generate traffic that seems to be intra-net, but actually was | |
created outside and has been redirected.</description> | |
<value>0</value> | |
<value selector="enabled">1</value> | |
<value selector="disabled">0</value> | |
</Value> | |
<Value id="sysctl_net_ipv4_conf_all_accept_redirects_value" operator="equals" type="string"> | |
<title xml:lang="en-US">net.ipv4.conf.all.accept_redirects</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable ICMP Redirect Acceptance</description> | |
<value>0</value> | |
<value selector="enabled">1</value> | |
<value selector="disabled">0</value> | |
</Value> | |
<Value id="sysctl_net_ipv4_conf_all_secure_redirects_value" operator="equals" type="string"> | |
<title xml:lang="en-US">net.ipv4.conf.all.secure_redirects</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable to prevent hijacking of routing path by only | |
allowing redirects from gateways known in routing | |
table.</description> | |
<value>1</value> | |
<value selector="enabled">1</value> | |
<value selector="disabled">0</value> | |
</Value> | |
<Value id="sysctl_net_ipv4_conf_all_log_martians_value" operator="equals" type="string"> | |
<title xml:lang="en-US">net.ipv4.conf.all.log_martians</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable so you don't Log Spoofed Packets, Source | |
Routed Packets, Redirect Packets</description> | |
<value>0</value> | |
<value selector="enabled">1</value> | |
<value selector="disabled">0</value> | |
</Value> | |
<Value id="sysctl_net_ipv4_conf_default_accept_source_route_value" operator="equals" type="string"> | |
<title xml:lang="en-US">net.ipv4.conf.default.accept_source_route</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable IP source routing?</description> | |
<value>0</value> | |
<value selector="enabled">1</value> | |
<value selector="disabled">0</value> | |
</Value> | |
<Value id="sysctl_net_ipv4_conf_default_accept_redirects_value" operator="equals" type="string"> | |
<title xml:lang="en-US">net.ipv4.conf.default.accept_redirects</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable ICMP Redirect Acceptance?</description> | |
<value>0</value> | |
<value selector="enabled">1</value> | |
<value selector="disabled">0</value> | |
</Value> | |
<Value id="sysctl_net_ipv4_conf_default_secure_redirects_value" operator="equals" type="string"> | |
<title xml:lang="en-US">net.ipv4.conf.default.secure_redirects</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Log packets with impossible addresses to kernel | |
log?</description> | |
<value>1</value> | |
<value selector="enabled">1</value> | |
<value selector="disabled">0</value> | |
</Value> | |
<Value id="sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" operator="equals" type="string"> | |
<title xml:lang="en-US">net.ipv4.icmp_echo_ignore_broadcasts</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ignore all ICMP ECHO and TIMESTAMP requests sent to it | |
via broadcast/multicast</description> | |
<value>1</value> | |
<value selector="enabled">1</value> | |
<value selector="disabled">0</value> | |
</Value> | |
<Value id="sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value" operator="equals" type="string"> | |
<title xml:lang="en-US">net.ipv4.icmp_ignore_bogus_error_responses</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable to prevent unnecessary logging</description> | |
<value>1</value> | |
<value selector="enabled">1</value> | |
<value selector="disabled">0</value> | |
</Value> | |
<Value id="sysctl_net_ipv4_tcp_syncookies_value" operator="equals" type="string"> | |
<title xml:lang="en-US">net.ipv4.tcp_syncookies</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable to turn on TCP SYN Cookie | |
Protection</description> | |
<value>1</value> | |
<value selector="enabled">1</value> | |
<value selector="disabled">0</value> | |
</Value> | |
<Value id="sysctl_net_ipv4_conf_all_rp_filter_value" operator="equals" type="string"> | |
<title xml:lang="en-US">net.ipv4.conf.all.rp_filter</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable to enforce sanity checking, also called ingress | |
filtering or egress filtering. The point is to drop a packet if the | |
source and destination IP addresses in the IP header do not make | |
sense when considered in light of the physical interface on which | |
it arrived.</description> | |
<value>1</value> | |
<value selector="enabled">1</value> | |
<value selector="disabled">0</value> | |
</Value> | |
<Value id="sysctl_net_ipv4_conf_default_rp_filter_value" operator="equals" type="string"> | |
<title xml:lang="en-US">net.ipv4.conf.default.rp_filter</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enables source route verification</description> | |
<value>1</value> | |
<value selector="enabled">1</value> | |
<value selector="disabled">0</value> | |
</Value> | |
<Rule id="sysctl_net_ipv4_conf_all_accept_source_route" selected="false" severity="medium"> | |
<title xml:lang="en-US">Disable Kernel Parameter for Accepting Source-Routed Packets for All Interfaces</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To set the runtime status of the <xhtml:code>net.ipv4.conf.all.accept_source_route</xhtml:code> kernel parameter, | |
run the following command: | |
<xhtml:pre xml:space="preserve"># sysctl -w net.ipv4.conf.all.accept_source_route=0</xhtml:pre> | |
If this is not the system's default value, add the following line to <xhtml:code>/etc/sysctl.conf</xhtml:code>: | |
<xhtml:pre xml:space="preserve">net.ipv4.conf.all.accept_source_route = 0</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1551</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Accepting source-routed packets in the IPv4 protocol has few legitimate | |
uses. It should be disabled unless it is absolutely required.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27037-1</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Set runtime for net.ipv4.conf.all.accept_source_route | |
# | |
sysctl -q -n -w net.ipv4.conf.all.accept_source_route=0 | |
# | |
# If net.ipv4.conf.all.accept_source_route present in /etc/sysctl.conf, change value to "0" | |
# else, add "net.ipv4.conf.all.accept_source_route = 0" to /etc/sysctl.conf | |
# | |
if grep --silent ^net.ipv4.conf.all.accept_source_route /etc/sysctl.conf ; then | |
sed -i 's/^net.ipv4.conf.all.accept_source_route.*/net.ipv4.conf.all.accept_source_route = 0/g' /etc/sysctl.conf | |
else | |
echo "" >> /etc/sysctl.conf | |
echo "# Set net.ipv4.conf.all.accept_source_route to 0 per security requirements" >> /etc/sysctl.conf | |
echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf | |
fi | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2273" value-id="sysctl_net_ipv4_conf_all_accept_source_route_value"/> | |
<check-content-ref name="oval:ssg:def:234" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the correct value is not returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
The status of the <xhtml:code>net.ipv4.conf.all.accept_source_route</xhtml:code> kernel parameter can be queried | |
by running the following command: | |
<xhtml:pre xml:space="preserve">$ sysctl net.ipv4.conf.all.accept_source_route</xhtml:pre> | |
The output of the command should indicate a value of <xhtml:code>0</xhtml:code>. | |
If this value is not the default value, investigate how it could have been | |
adjusted at runtime, and verify it is not set improperly in | |
<xhtml:code>/etc/sysctl.conf</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="sysctl_net_ipv4_conf_all_accept_redirects" selected="false" severity="medium"> | |
<title xml:lang="en-US">Disable Kernel Parameter for Accepting ICMP Redirects for All Interfaces</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To set the runtime status of the <xhtml:code>net.ipv4.conf.all.accept_redirects</xhtml:code> kernel parameter, | |
run the following command: | |
<xhtml:pre xml:space="preserve"># sysctl -w net.ipv4.conf.all.accept_redirects=0</xhtml:pre> | |
If this is not the system's default value, add the following line to <xhtml:code>/etc/sysctl.conf</xhtml:code>: | |
<xhtml:pre xml:space="preserve">net.ipv4.conf.all.accept_redirects = 0</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1503</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1551</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Accepting ICMP redirects has few legitimate | |
uses. It should be disabled unless it is absolutely required.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27027-2</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Set runtime for net.ipv4.conf.all.accept_redirects | |
# | |
sysctl -q -n -w net.ipv4.conf.all.accept_redirects=0 | |
# | |
# If net.ipv4.conf.all.accept_redirects present in /etc/sysctl.conf, change value to "0" | |
# else, add "net.ipv4.conf.all.accept_redirects = 0" to /etc/sysctl.conf | |
# | |
if grep --silent ^net.ipv4.conf.all.accept_redirects /etc/sysctl.conf ; then | |
sed -i 's/^net.ipv4.conf.all.accept_redirects.*/net.ipv4.conf.all.accept_redirects = 0/g' /etc/sysctl.conf | |
else | |
echo "" >> /etc/sysctl.conf | |
echo "# Set net.ipv4.conf.all.accept_redirects to 0 per security requirements" >> /etc/sysctl.conf | |
echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf | |
fi | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2274" value-id="sysctl_net_ipv4_conf_all_accept_redirects_value"/> | |
<check-content-ref name="oval:ssg:def:219" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the correct value is not returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
The status of the <xhtml:code>net.ipv4.conf.all.accept_redirects</xhtml:code> kernel parameter can be queried | |
by running the following command: | |
<xhtml:pre xml:space="preserve">$ sysctl net.ipv4.conf.all.accept_redirects</xhtml:pre> | |
The output of the command should indicate a value of <xhtml:code>0</xhtml:code>. | |
If this value is not the default value, investigate how it could have been | |
adjusted at runtime, and verify it is not set improperly in | |
<xhtml:code>/etc/sysctl.conf</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="sysctl_net_ipv4_conf_all_secure_redirects" selected="false" severity="medium"> | |
<title xml:lang="en-US">Disable Kernel Parameter for Accepting Secure Redirects for All Interfaces</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To set the runtime status of the <xhtml:code>net.ipv4.conf.all.secure_redirects</xhtml:code> kernel parameter, | |
run the following command: | |
<xhtml:pre xml:space="preserve"># sysctl -w net.ipv4.conf.all.secure_redirects=0</xhtml:pre> | |
If this is not the system's default value, add the following line to <xhtml:code>/etc/sysctl.conf</xhtml:code>: | |
<xhtml:pre xml:space="preserve">net.ipv4.conf.all.secure_redirects = 0</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-4</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1503</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1551</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Accepting "secure" ICMP redirects (from those gateways listed as | |
default gateways) has few legitimate uses. It should be disabled unless it is | |
absolutely required.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26854-0</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Set runtime for net.ipv4.conf.all.secure_redirects | |
# | |
sysctl -q -n -w net.ipv4.conf.all.secure_redirects=0 | |
# | |
# If net.ipv4.conf.all.secure_redirects present in /etc/sysctl.conf, change value to "0" | |
# else, add "net.ipv4.conf.all.secure_redirects = 0" to /etc/sysctl.conf | |
# | |
if grep --silent ^net.ipv4.conf.all.secure_redirects /etc/sysctl.conf ; then | |
sed -i 's/^net.ipv4.conf.all.secure_redirects.*/net.ipv4.conf.all.secure_redirects = 0/g' /etc/sysctl.conf | |
else | |
echo "" >> /etc/sysctl.conf | |
echo "# Set net.ipv4.conf.all.secure_redirects to 0 per security requirements" >> /etc/sysctl.conf | |
echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.conf | |
fi | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2275" value-id="sysctl_net_ipv4_conf_all_secure_redirects_value"/> | |
<check-content-ref name="oval:ssg:def:700" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the correct value is not returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
The status of the <xhtml:code>net.ipv4.conf.all.secure_redirects</xhtml:code> kernel parameter can be queried | |
by running the following command: | |
<xhtml:pre xml:space="preserve">$ sysctl net.ipv4.conf.all.secure_redirects</xhtml:pre> | |
The output of the command should indicate a value of <xhtml:code>0</xhtml:code>. | |
If this value is not the default value, investigate how it could have been | |
adjusted at runtime, and verify it is not set improperly in | |
<xhtml:code>/etc/sysctl.conf</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="sysctl_net_ipv4_conf_all_log_martians" selected="false" severity="low"> | |
<title xml:lang="en-US">Enable Kernel Parameter to Log Martian Packets</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To set the runtime status of the <xhtml:code>net.ipv4.conf.all.log_martians</xhtml:code> kernel parameter, | |
run the following command: | |
<xhtml:pre xml:space="preserve"># sysctl -w net.ipv4.conf.all.log_martians=1</xhtml:pre> | |
If this is not the system's default value, add the following line to <xhtml:code>/etc/sysctl.conf</xhtml:code>: | |
<xhtml:pre xml:space="preserve">net.ipv4.conf.all.log_martians = 1</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(7)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">126</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The presence of "martian" packets (which have impossible addresses) | |
as well as spoofed packets, source-routed packets, and redirects could be a | |
sign of nefarious network activity. Logging these packets enables this activity | |
to be detected.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27066-0</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Set runtime for net.ipv4.conf.all.log_martians | |
# | |
sysctl -q -n -w net.ipv4.conf.all.log_martians=1 | |
# | |
# If net.ipv4.conf.all.log_martians present in /etc/sysctl.conf, change value to "1" | |
# else, add "net.ipv4.conf.all.log_martians = 1" to /etc/sysctl.conf | |
# | |
if grep --silent ^net.ipv4.conf.all.log_martians /etc/sysctl.conf ; then | |
sed -i 's/^net.ipv4.conf.all.log_martians.*/net.ipv4.conf.all.log_martians = 1/g' /etc/sysctl.conf | |
else | |
echo "" >> /etc/sysctl.conf | |
echo "# Set net.ipv4.conf.all.log_martians to 1 per security requirements" >> /etc/sysctl.conf | |
echo "net.ipv4.conf.all.log_martians = 1" >> /etc/sysctl.conf | |
fi | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2276" value-id="sysctl_net_ipv4_conf_all_log_martians_value"/> | |
<check-content-ref name="oval:ssg:def:371" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the correct value is not returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
The status of the <xhtml:code>net.ipv4.conf.all.log_martians</xhtml:code> kernel parameter can be queried | |
by running the following command: | |
<xhtml:pre xml:space="preserve">$ sysctl net.ipv4.conf.all.log_martians</xhtml:pre> | |
The output of the command should indicate a value of <xhtml:code>1</xhtml:code>. | |
If this value is not the default value, investigate how it could have been | |
adjusted at runtime, and verify it is not set improperly in | |
<xhtml:code>/etc/sysctl.conf</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="sysctl_net_ipv4_conf_default_accept_source_route" selected="false" severity="medium"> | |
<title xml:lang="en-US">Disable Kernel Parameter for Accepting Source-Routed Packets By Default</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To set the runtime status of the <xhtml:code>net.ipv4.conf.default.accept_source_route</xhtml:code> kernel parameter, | |
run the following command: | |
<xhtml:pre xml:space="preserve"># sysctl -w net.ipv4.conf.default.accept_source_route=0</xhtml:pre> | |
If this is not the system's default value, add the following line to <xhtml:code>/etc/sysctl.conf</xhtml:code>: | |
<xhtml:pre xml:space="preserve">net.ipv4.conf.default.accept_source_route = 0</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-4</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-5</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1551</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Accepting source-routed packets in the IPv4 protocol has few legitimate | |
uses. It should be disabled unless it is absolutely required.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26983-7</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Set runtime for net.ipv4.conf.default.accept_source_route | |
# | |
sysctl -q -n -w net.ipv4.conf.default.accept_source_route=0 | |
# | |
# If net.ipv4.conf.default.accept_source_route present in /etc/sysctl.conf, change value to "0" | |
# else, add "net.ipv4.conf.default.accept_source_route = 0" to /etc/sysctl.conf | |
# | |
if grep --silent ^net.ipv4.conf.default.accept_source_route /etc/sysctl.conf ; then | |
sed -i 's/^net.ipv4.conf.default.accept_source_route.*/net.ipv4.conf.default.accept_source_route = 0/g' /etc/sysctl.conf | |
else | |
echo "" >> /etc/sysctl.conf | |
echo "# Set net.ipv4.conf.default.accept_source_route to 0 per security requirements" >> /etc/sysctl.conf | |
echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf | |
fi | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2277" value-id="sysctl_net_ipv4_conf_default_accept_source_route_value"/> | |
<check-content-ref name="oval:ssg:def:1139" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the correct value is not returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
The status of the <xhtml:code>net.ipv4.conf.default.accept_source_route</xhtml:code> kernel parameter can be queried | |
by running the following command: | |
<xhtml:pre xml:space="preserve">$ sysctl net.ipv4.conf.default.accept_source_route</xhtml:pre> | |
The output of the command should indicate a value of <xhtml:code>0</xhtml:code>. | |
If this value is not the default value, investigate how it could have been | |
adjusted at runtime, and verify it is not set improperly in | |
<xhtml:code>/etc/sysctl.conf</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="sysctl_net_ipv4_conf_default_accept_redirects" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable Kernel Parameter for Accepting ICMP Redirects By Default</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To set the runtime status of the <xhtml:code>net.ipv4.conf.default.accept_redirects</xhtml:code> kernel parameter, | |
run the following command: | |
<xhtml:pre xml:space="preserve"># sysctl -w net.ipv4.conf.default.accept_redirects=0</xhtml:pre> | |
If this is not the system's default value, add the following line to <xhtml:code>/etc/sysctl.conf</xhtml:code>: | |
<xhtml:pre xml:space="preserve">net.ipv4.conf.default.accept_redirects = 0</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-4</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-5</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1551</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This feature of the IPv4 protocol has few legitimate | |
uses. It should be disabled unless it is absolutely required.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27015-7</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Set runtime for net.ipv4.conf.default.accept_redirects | |
# | |
sysctl -q -n -w net.ipv4.conf.default.accept_redirects=0 | |
# | |
# If net.ipv4.conf.default.accept_redirects present in /etc/sysctl.conf, change value to "0" | |
# else, add "net.ipv4.conf.default.accept_redirects = 0" to /etc/sysctl.conf | |
# | |
if grep --silent ^net.ipv4.conf.default.accept_redirects /etc/sysctl.conf ; then | |
sed -i 's/^net.ipv4.conf.default.accept_redirects.*/net.ipv4.conf.default.accept_redirects = 0/g' /etc/sysctl.conf | |
else | |
echo "" >> /etc/sysctl.conf | |
echo "# Set net.ipv4.conf.default.accept_redirects to 0 per security requirements" >> /etc/sysctl.conf | |
echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.conf | |
fi | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:616" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the correct value is not returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
The status of the <xhtml:code>net.ipv4.conf.default.accept_redirects</xhtml:code> kernel parameter can be queried | |
by running the following command: | |
<xhtml:pre xml:space="preserve">$ sysctl net.ipv4.conf.default.accept_redirects</xhtml:pre> | |
The output of the command should indicate a value of <xhtml:code>0</xhtml:code>. | |
If this value is not the default value, investigate how it could have been | |
adjusted at runtime, and verify it is not set improperly in | |
<xhtml:code>/etc/sysctl.conf</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="sysctl_net_ipv4_conf_default_secure_redirects" selected="false" severity="medium"> | |
<title xml:lang="en-US">Disable Kernel Parameter for Accepting Secure Redirects By Default</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To set the runtime status of the <xhtml:code>net.ipv4.conf.default.secure_redirects</xhtml:code> kernel parameter, | |
run the following command: | |
<xhtml:pre xml:space="preserve"># sysctl -w net.ipv4.conf.default.secure_redirects=0</xhtml:pre> | |
If this is not the system's default value, add the following line to <xhtml:code>/etc/sysctl.conf</xhtml:code>: | |
<xhtml:pre xml:space="preserve">net.ipv4.conf.default.secure_redirects = 0</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-4</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-5</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1551</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Accepting "secure" ICMP redirects (from those gateways listed as | |
default gateways) has few legitimate uses. It should be disabled unless it is | |
absolutely required.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26831-8</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Set runtime for net.ipv4.conf.default.secure_redirects | |
# | |
sysctl -q -n -w net.ipv4.conf.default.secure_redirects=0 | |
# | |
# If net.ipv4.conf.default.secure_redirects present in /etc/sysctl.conf, change value to "0" | |
# else, add "net.ipv4.conf.default.secure_redirects = 0" to /etc/sysctl.conf | |
# | |
if grep --silent ^net.ipv4.conf.default.secure_redirects /etc/sysctl.conf ; then | |
sed -i 's/^net.ipv4.conf.default.secure_redirects.*/net.ipv4.conf.default.secure_redirects = 0/g' /etc/sysctl.conf | |
else | |
echo "" >> /etc/sysctl.conf | |
echo "# Set net.ipv4.conf.default.secure_redirects to 0 per security requirements" >> /etc/sysctl.conf | |
echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.conf | |
fi | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2278" value-id="sysctl_net_ipv4_conf_default_secure_redirects_value"/> | |
<check-content-ref name="oval:ssg:def:527" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the correct value is not returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
The status of the <xhtml:code>net.ipv4.conf.default.secure_redirects</xhtml:code> kernel parameter can be queried | |
by running the following command: | |
<xhtml:pre xml:space="preserve">$ sysctl net.ipv4.conf.default.secure_redirects</xhtml:pre> | |
The output of the command should indicate a value of <xhtml:code>0</xhtml:code>. | |
If this value is not the default value, investigate how it could have been | |
adjusted at runtime, and verify it is not set improperly in | |
<xhtml:code>/etc/sysctl.conf</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" selected="false" severity="low"> | |
<title xml:lang="en-US">Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To set the runtime status of the <xhtml:code>net.ipv4.icmp_echo_ignore_broadcasts</xhtml:code> kernel parameter, | |
run the following command: | |
<xhtml:pre xml:space="preserve"># sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1</xhtml:pre> | |
If this is not the system's default value, add the following line to <xhtml:code>/etc/sysctl.conf</xhtml:code>: | |
<xhtml:pre xml:space="preserve">net.ipv4.icmp_echo_ignore_broadcasts = 1</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-5</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1551</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ignoring ICMP echo requests (pings) sent to broadcast or multicast | |
addresses makes the system slightly more difficult to enumerate on the network. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26883-9</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Set runtime for net.ipv4.icmp_echo_ignore_broadcasts | |
# | |
sysctl -q -n -w net.ipv4.icmp_echo_ignore_broadcasts=1 | |
# | |
# If net.ipv4.icmp_echo_ignore_broadcasts present in /etc/sysctl.conf, change value to "1" | |
# else, add "net.ipv4.icmp_echo_ignore_broadcasts = 1" to /etc/sysctl.conf | |
# | |
if grep --silent ^net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf ; then | |
sed -i 's/^net.ipv4.icmp_echo_ignore_broadcasts.*/net.ipv4.icmp_echo_ignore_broadcasts = 1/g' /etc/sysctl.conf | |
else | |
echo "" >> /etc/sysctl.conf | |
echo "# Set net.ipv4.icmp_echo_ignore_broadcasts to 1 per security requirements" >> /etc/sysctl.conf | |
echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" >> /etc/sysctl.conf | |
fi | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2279" value-id="sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value"/> | |
<check-content-ref name="oval:ssg:def:483" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the correct value is not returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
The status of the <xhtml:code>net.ipv4.icmp_echo_ignore_broadcasts</xhtml:code> kernel parameter can be queried | |
by running the following command: | |
<xhtml:pre xml:space="preserve">$ sysctl net.ipv4.icmp_echo_ignore_broadcasts</xhtml:pre> | |
The output of the command should indicate a value of <xhtml:code>1</xhtml:code>. | |
If this value is not the default value, investigate how it could have been | |
adjusted at runtime, and verify it is not set improperly in | |
<xhtml:code>/etc/sysctl.conf</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="sysctl_net_ipv4_icmp_ignore_bogus_error_responses" selected="false" severity="low"> | |
<title xml:lang="en-US">Enable Kernel Parameter to Ignore Bogus ICMP Error Responses</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To set the runtime status of the <xhtml:code>net.ipv4.icmp_ignore_bogus_error_responses</xhtml:code> kernel parameter, | |
run the following command: | |
<xhtml:pre xml:space="preserve"># sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1</xhtml:pre> | |
If this is not the system's default value, add the following line to <xhtml:code>/etc/sysctl.conf</xhtml:code>: | |
<xhtml:pre xml:space="preserve">net.ipv4.icmp_ignore_bogus_error_responses = 1</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-5</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ignoring bogus ICMP error responses reduces | |
log size, although some activity would not be logged.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26993-6</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Set runtime for net.ipv4.icmp_ignore_bogus_error_responses | |
# | |
sysctl -q -n -w net.ipv4.icmp_ignore_bogus_error_responses=1 | |
# | |
# If net.ipv4.icmp_ignore_bogus_error_responses present in /etc/sysctl.conf, change value to "1" | |
# else, add "net.ipv4.icmp_ignore_bogus_error_responses = 1" to /etc/sysctl.conf | |
# | |
if grep --silent ^net.ipv4.icmp_ignore_bogus_error_responses /etc/sysctl.conf ; then | |
sed -i 's/^net.ipv4.icmp_ignore_bogus_error_responses.*/net.ipv4.icmp_ignore_bogus_error_responses = 1/g' /etc/sysctl.conf | |
else | |
echo "" >> /etc/sysctl.conf | |
echo "# Set net.ipv4.icmp_ignore_bogus_error_responses to 1 per security requirements" >> /etc/sysctl.conf | |
echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.conf | |
fi | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2280" value-id="sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value"/> | |
<check-content-ref name="oval:ssg:def:432" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the correct value is not returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
The status of the <xhtml:code>net.ipv4.icmp_ignore_bogus_error_responses</xhtml:code> kernel parameter can be queried | |
by running the following command: | |
<xhtml:pre xml:space="preserve">$ sysctl net.ipv4.icmp_ignore_bogus_error_responses</xhtml:pre> | |
The output of the command should indicate a value of <xhtml:code>1</xhtml:code>. | |
If this value is not the default value, investigate how it could have been | |
adjusted at runtime, and verify it is not set improperly in | |
<xhtml:code>/etc/sysctl.conf</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="sysctl_net_ipv4_tcp_syncookies" selected="false" severity="medium"> | |
<title xml:lang="en-US">Enable Kernel Parameter to Use TCP Syncookies</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To set the runtime status of the <xhtml:code>net.ipv4.tcp_syncookies</xhtml:code> kernel parameter, | |
run the following command: | |
<xhtml:pre xml:space="preserve"># sysctl -w net.ipv4.tcp_syncookies=1</xhtml:pre> | |
If this is not the system's default value, add the following line to <xhtml:code>/etc/sysctl.conf</xhtml:code>: | |
<xhtml:pre xml:space="preserve">net.ipv4.tcp_syncookies = 1</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-4</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1092</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1095</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> A TCP SYN flood attack can cause a denial of service by filling a | |
system's TCP connection table with connections in the SYN_RCVD state. | |
Syncookies can be used to track a connection when a subsequent ACK is received, | |
verifying the initiator is attempting a valid connection and is not a flood | |
source. This feature is activated when a flood condition is detected, and | |
enables the system to continue servicing valid connection requests. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27053-8</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Set runtime for net.ipv4.tcp_syncookies | |
# | |
sysctl -q -n -w net.ipv4.tcp_syncookies=1 | |
# | |
# If net.ipv4.tcp_syncookies present in /etc/sysctl.conf, change value to "1" | |
# else, add "net.ipv4.tcp_syncookies = 1" to /etc/sysctl.conf | |
# | |
if grep --silent ^net.ipv4.tcp_syncookies /etc/sysctl.conf ; then | |
sed -i 's/^net.ipv4.tcp_syncookies.*/net.ipv4.tcp_syncookies = 1/g' /etc/sysctl.conf | |
else | |
echo "" >> /etc/sysctl.conf | |
echo "# Set net.ipv4.tcp_syncookies to 1 per security requirements" >> /etc/sysctl.conf | |
echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf | |
fi | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2281" value-id="sysctl_net_ipv4_tcp_syncookies_value"/> | |
<check-content-ref name="oval:ssg:def:171" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the correct value is not returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
The status of the <xhtml:code>net.ipv4.tcp_syncookies</xhtml:code> kernel parameter can be queried | |
by running the following command: | |
<xhtml:pre xml:space="preserve">$ sysctl net.ipv4.tcp_syncookies</xhtml:pre> | |
The output of the command should indicate a value of <xhtml:code>1</xhtml:code>. | |
If this value is not the default value, investigate how it could have been | |
adjusted at runtime, and verify it is not set improperly in | |
<xhtml:code>/etc/sysctl.conf</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="sysctl_net_ipv4_conf_all_rp_filter" selected="false" severity="medium"> | |
<title xml:lang="en-US">Enable Kernel Parameter to Use Reverse Path Filtering for All Interfaces</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To set the runtime status of the <xhtml:code>net.ipv4.conf.all.rp_filter</xhtml:code> kernel parameter, | |
run the following command: | |
<xhtml:pre xml:space="preserve"># sysctl -w net.ipv4.conf.all.rp_filter=1</xhtml:pre> | |
If this is not the system's default value, add the following line to <xhtml:code>/etc/sysctl.conf</xhtml:code>: | |
<xhtml:pre xml:space="preserve">net.ipv4.conf.all.rp_filter = 1</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-4</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-5</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1551</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enabling reverse path filtering drops packets with source addresses | |
that should not have been able to be received on the interface they were | |
received on. It should not be used on systems which are routers for | |
complicated networks, but is helpful for end hosts and routers serving small | |
networks.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26979-5</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Set runtime for net.ipv4.conf.all.rp_filter | |
# | |
sysctl -q -n -w net.ipv4.conf.all.rp_filter=1 | |
# | |
# If net.ipv4.conf.all.rp_filter present in /etc/sysctl.conf, change value to "1" | |
# else, add "net.ipv4.conf.all.rp_filter = 1" to /etc/sysctl.conf | |
# | |
if grep --silent ^net.ipv4.conf.all.rp_filter /etc/sysctl.conf ; then | |
sed -i 's/^net.ipv4.conf.all.rp_filter.*/net.ipv4.conf.all.rp_filter = 1/g' /etc/sysctl.conf | |
else | |
echo "" >> /etc/sysctl.conf | |
echo "# Set net.ipv4.conf.all.rp_filter to 1 per security requirements" >> /etc/sysctl.conf | |
echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf | |
fi | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2282" value-id="sysctl_net_ipv4_conf_all_rp_filter_value"/> | |
<check-content-ref name="oval:ssg:def:341" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the correct value is not returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
The status of the <xhtml:code>net.ipv4.conf.all.rp_filter</xhtml:code> kernel parameter can be queried | |
by running the following command: | |
<xhtml:pre xml:space="preserve">$ sysctl net.ipv4.conf.all.rp_filter</xhtml:pre> | |
The output of the command should indicate a value of <xhtml:code>1</xhtml:code>. | |
If this value is not the default value, investigate how it could have been | |
adjusted at runtime, and verify it is not set improperly in | |
<xhtml:code>/etc/sysctl.conf</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="sysctl_net_ipv4_conf_default_rp_filter" selected="false" severity="medium"> | |
<title xml:lang="en-US">Enable Kernel Parameter to Use Reverse Path Filtering by Default</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To set the runtime status of the <xhtml:code>net.ipv4.conf.default.rp_filter</xhtml:code> kernel parameter, | |
run the following command: | |
<xhtml:pre xml:space="preserve"># sysctl -w net.ipv4.conf.default.rp_filter=1</xhtml:pre> | |
If this is not the system's default value, add the following line to <xhtml:code>/etc/sysctl.conf</xhtml:code>: | |
<xhtml:pre xml:space="preserve">net.ipv4.conf.default.rp_filter = 1</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-4</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-5</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-7</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enabling reverse path filtering drops packets with source addresses | |
that should not have been able to be received on the interface they were | |
received on. It should not be used on systems which are routers for | |
complicated networks, but is helpful for end hosts and routers serving small | |
networks.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26915-9</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Set runtime for net.ipv4.conf.default.rp_filter | |
# | |
sysctl -q -n -w net.ipv4.conf.default.rp_filter=1 | |
# | |
# If net.ipv4.conf.default.rp_filter present in /etc/sysctl.conf, change value to "1" | |
# else, add "net.ipv4.conf.default.rp_filter = 1" to /etc/sysctl.conf | |
# | |
if grep --silent ^net.ipv4.conf.default.rp_filter /etc/sysctl.conf ; then | |
sed -i 's/^net.ipv4.conf.default.rp_filter.*/net.ipv4.conf.default.rp_filter = 1/g' /etc/sysctl.conf | |
else | |
echo "" >> /etc/sysctl.conf | |
echo "# Set net.ipv4.conf.default.rp_filter to 1 per security requirements" >> /etc/sysctl.conf | |
echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.conf | |
fi | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2283" value-id="sysctl_net_ipv4_conf_default_rp_filter_value"/> | |
<check-content-ref name="oval:ssg:def:304" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the correct value is not returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
The status of the <xhtml:code>net.ipv4.conf.default.rp_filter</xhtml:code> kernel parameter can be queried | |
by running the following command: | |
<xhtml:pre xml:space="preserve">$ sysctl net.ipv4.conf.default.rp_filter</xhtml:pre> | |
The output of the command should indicate a value of <xhtml:code>1</xhtml:code>. | |
If this value is not the default value, investigate how it could have been | |
adjusted at runtime, and verify it is not set improperly in | |
<xhtml:code>/etc/sysctl.conf</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
</Group> | |
<Group id="network-wireless"> | |
<title xml:lang="en-US">Wireless Networking</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Wireless networking, such as 802.11 | |
(WiFi) and Bluetooth, can present a security risk to sensitive or | |
classified systems and networks. Wireless networking hardware is | |
much more likely to be included in laptop or portable systems than | |
desktops or servers. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
Removal of hardware provides the greatest assurance that the wireless | |
capability remains disabled. Acquisition policies often include provisions to | |
prevent the purchase of equipment that will be used in sensitive spaces and | |
includes wireless capabilities. If it is impractical to remove the wireless | |
hardware, and policy permits the device to enter sensitive spaces as long | |
as wireless is disabled, efforts should instead focus on disabling wireless capability | |
via software.</description> | |
<Group id="wireless_software"> | |
<title xml:lang="en-US">Disable Wireless Through Software Configuration</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If it is impossible to remove the wireless hardware | |
from the device in question, disable as much of it as possible | |
through software. The following methods can disable software | |
support for wireless networking, but note that these methods do not | |
prevent malicious software or careless users from re-activating the | |
devices.</description> | |
<Rule id="wireless_disable_in_bios" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable WiFi or Bluetooth BIOS</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Some systems that include built-in wireless support offer the | |
ability to disable the device through the BIOS. This is system-specific; | |
consult your hardware manual or explore the BIOS setup during | |
boot.</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(8)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-18(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-18(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-18(3)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">85</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disabling wireless support in the BIOS prevents easy | |
activation of the wireless interface, generally requiring administrators | |
to reboot the system first. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26878-9</ident> | |
</Rule> | |
<Rule id="deactivate_wireless_interfaces" selected="false" severity="low"> | |
<title xml:lang="en-US">Deactivate Wireless Network Interfaces</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Deactivating wireless network interfaces should prevent | |
normal usage of the wireless capability. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
First, identify the interfaces available with the command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># ifconfig -a</pre> | |
Additionally,the following command may also be used to | |
determine whether wireless support ('extensions') is included for a | |
particular interface, though this may not always be a clear | |
indicator: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># iwconfig</pre> | |
After identifying any wireless interfaces (which may have | |
names like <xhtml:code>wlan0</xhtml:code>, <xhtml:code>ath0</xhtml:code>, <xhtml:code>wifi0</xhtml:code>, <xhtml:code>em1</xhtml:code> or | |
<xhtml:code>eth0</xhtml:code>), deactivate the interface with the command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># ifdown <i>interface</i></pre> | |
These changes will only last until the next reboot. To | |
disable the interface for future boots, remove the appropriate | |
interface file from <xhtml:code>/etc/sysconfig/network-scripts</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># rm /etc/sysconfig/network-scripts/ifcfg-<i>interface</i></pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(8)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-18(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-18(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-18(3)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">85</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121025</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Wireless networking allows attackers within physical proximity to | |
launch network-based attacks against systems, including those against local LAN | |
protocols which were not designed with security in mind. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27057-9</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:1061" href="ssg-rhel6-oval.xml"/> | |
</check> | |
</Rule> | |
<Rule id="service_bluetooth_disabled" selected="false" severity="medium"> | |
<title xml:lang="en-US">Disable Bluetooth Service</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The <xhtml:code>bluetooth</xhtml:code> service can be disabled with the following command: | |
<xhtml:pre># chkconfig bluetooth off</xhtml:pre> | |
<pre xmlns="http://www.w3.org/1999/xhtml"># service bluetooth stop</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(8)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-18(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-18(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-18(3)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">85</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1551</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121025</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disabling the <xhtml:code>bluetooth</xhtml:code> service prevents the system from attempting | |
connections to Bluetooth devices, which entails some security risk. | |
Nevertheless, variation in this risk decision may be expected due to the | |
utility of Bluetooth connectivity and its limited range.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27081-9</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Disable bluetooth for all run levels | |
# | |
chkconfig --level 0123456 bluetooth off | |
# | |
# Stop bluetooth if currently running | |
# | |
service bluetooth stop | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:275" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check that the <xhtml:code>bluetooth</xhtml:code> service is disabled in system boot configuration, run the following command: | |
<xhtml:pre># chkconfig <xhtml:code>bluetooth</xhtml:code> --list</xhtml:pre> | |
Output should indicate the <xhtml:code>bluetooth</xhtml:code> service has either not been installed, | |
or has been disabled at all runlevels, as shown in the example below: | |
<xhtml:pre># chkconfig <xhtml:code>bluetooth</xhtml:code> --list | |
<xhtml:code>bluetooth</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre> | |
Run the following command to verify <xhtml:code>bluetooth</xhtml:code> is disabled through current runtime configuration: | |
<xhtml:pre># service bluetooth status</xhtml:pre> | |
If the service is disabled the command will return the following output: | |
<xhtml:pre>bluetooth is stopped</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="kernel_module_bluetooth_disabled" selected="false" severity="medium"> | |
<title xml:lang="en-US">Disable Bluetooth Kernel Modules</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The kernel's module loading system can be configured to prevent | |
loading of the Bluetooth module. Add the following to | |
the appropriate <xhtml:code>/etc/modprobe.d</xhtml:code> configuration file | |
to prevent the loading of the Bluetooth module: | |
<pre xmlns="http://www.w3.org/1999/xhtml">install net-pf-31 /bin/false | |
install bluetooth /bin/false</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(8)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-18(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-18(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-18(3)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">85</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1551</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121025</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If Bluetooth functionality must be disabled, preventing the kernel | |
from loading the kernel module provides an additional safeguard against its | |
activation.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26763-3</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:449" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="no line is returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
If the system is configured to prevent the loading of the | |
<xhtml:code>bluetooth</xhtml:code> kernel module, | |
it will contain lines inside any file in <xhtml:code>/etc/modprobe.d</xhtml:code> or the deprecated<xhtml:code>/etc/modprobe.conf</xhtml:code>. | |
These lines instruct the module loading system to run another program (such as | |
<xhtml:code>/bin/false</xhtml:code>) upon a module <xhtml:code>install</xhtml:code> event. | |
Run the following command to search for such lines in all files in <xhtml:code>/etc/modprobe.d</xhtml:code> | |
and the deprecated <xhtml:code>/etc/modprobe.conf</xhtml:code>: | |
<xhtml:pre xml:space="preserve">$ grep -r bluetooth /etc/modprobe.conf /etc/modprobe.d</xhtml:pre> | |
If the system is configured to prevent the loading of the | |
<xhtml:code>net-pf-31</xhtml:code> kernel module, | |
it will contain lines inside any file in <xhtml:code>/etc/modprobe.d</xhtml:code> or the deprecated<xhtml:code>/etc/modprobe.conf</xhtml:code>. | |
These lines instruct the module loading system to run another program (such as | |
<xhtml:code>/bin/false</xhtml:code>) upon a module <xhtml:code>install</xhtml:code> event. | |
Run the following command to search for such lines in all files in <xhtml:code>/etc/modprobe.d</xhtml:code> | |
and the deprecated <xhtml:code>/etc/modprobe.conf</xhtml:code>: | |
<xhtml:pre xml:space="preserve">$ grep -r net-pf-31 /etc/modprobe.conf /etc/modprobe.d</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
</Group> | |
<Group id="network-ipv6"> | |
<title xml:lang="en-US">IPv6</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The system includes support for Internet Protocol | |
version 6. A major and often-mentioned improvement over IPv4 is its | |
enormous increase in the number of available addresses. Another | |
important feature is its support for automatic configuration of | |
many network settings.</description> | |
<Group id="disabling_ipv6"> | |
<title xml:lang="en-US">Disable Support for IPv6 Unless Needed</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Despite configuration that suggests support for IPv6 has | |
been disabled, link-local IPv6 address auto-configuration occurs | |
even when only an IPv4 address is assigned. The only way to | |
effectively prevent execution of the IPv6 networking stack is to | |
instruct the system not to activate the IPv6 kernel module. | |
</description> | |
<Rule id="kernel_module_ipv6_option_disabled" selected="false" severity="medium"> | |
<title xml:lang="en-US">Disable IPv6 Networking Support Automatic Loading</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To prevent the IPv6 kernel module (<xhtml:code>ipv6</xhtml:code>) from loading the | |
IPv6 networking stack, add the following line to | |
<xhtml:code>/etc/modprobe.d/disabled.conf</xhtml:code> (or another file in | |
<xhtml:code>/etc/modprobe.d</xhtml:code>): | |
<pre xmlns="http://www.w3.org/1999/xhtml">options ipv6 disable=1</pre> | |
This permits the IPv6 module to be loaded (and thus satisfy other modules that | |
depend on it), while disabling support for the IPv6 protocol. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1551</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Any unnecessary network stacks - including IPv6 - should be disabled, to reduce | |
the vulnerability to exploitation. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27153-6</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:354" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the ipv6 kernel module is loaded" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
If the system uses IPv6, this is not applicable. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
If the system is configured to prevent the loading of the | |
<xhtml:code>ipv6</xhtml:code> kernel module, it will contain a line | |
of the form: | |
<pre xmlns="http://www.w3.org/1999/xhtml">options ipv6 disable=1</pre> | |
Such lines may be inside any file in <xhtml:code>/etc/modprobe.d</xhtml:code> or the | |
deprecated<xhtml:code>/etc/modprobe.conf</xhtml:code>. This permits insertion of the IPv6 | |
kernel module (which other parts of the system expect to be present), but | |
otherwise keeps it inactive. Run the following command to search for such | |
lines in all files in <xhtml:code>/etc/modprobe.d</xhtml:code> and the deprecated | |
<xhtml:code>/etc/modprobe.conf</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml" xml:space="preserve">$ grep -r ipv6 /etc/modprobe.conf /etc/modprobe.d</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="network_ipv6_disable_interfaces" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable Interface Usage of IPv6</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To disable interface usage of IPv6, add or correct the following lines in <xhtml:code>/etc/sysconfig/network</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">NETWORKING_IPV6=no | |
IPV6INIT=no</pre> | |
</description> | |
</Rule> | |
<Rule id="network_ipv6_disable_rpc" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable Support for RPC IPv6</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">RPC services for NFSv4 try to load transport modules for | |
<xhtml:code>udp6</xhtml:code> and <xhtml:code>tcp6</xhtml:code> by default, even if IPv6 has been disabled in | |
<xhtml:code>/etc/modprobe.d</xhtml:code>. To prevent RPC services such as <xhtml:code>rpc.mountd</xhtml:code> | |
from attempting to start IPv6 network listeners, remove or comment out the | |
following two lines in <xhtml:code>/etc/netconfig</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">udp6 tpi_clts v inet6 udp - - | |
tcp6 tpi_cots_ord v inet6 tcp - -</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<ident system="http://cce.mitre.org">CCE-27232-8</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:640" href="ssg-rhel6-oval.xml"/> | |
</check> | |
</Rule> | |
</Group> | |
<Group id="configuring_ipv6"> | |
<title xml:lang="en-US">Configure IPv6 Settings if Necessary</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">A major feature of IPv6 is the extent to which systems | |
implementing it can automatically configure their networking | |
devices using information from the network. From a security | |
perspective, manually configuring important configuration | |
information is preferable to accepting it from the network | |
in an unauthenticated fashion.</description> | |
<Group id="disabling_ipv6_autoconfig"> | |
<title xml:lang="en-US">Disable Automatic Configuration</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the system's acceptance of router | |
advertisements and redirects by adding or correcting the following | |
line in <xhtml:code>/etc/sysconfig/network</xhtml:code> (note that this does not disable | |
sending router solicitations): | |
<pre xmlns="http://www.w3.org/1999/xhtml">IPV6_AUTOCONF=no</pre> | |
</description> | |
<Value id="sysconfig_network_IPV6_AUTOCONF_value" operator="equals" type="string"> | |
<title xml:lang="en-US">IPV6_AUTOCONF</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Toggle global IPv6 auto-configuration (only, if global | |
forwarding is disabled)</description> | |
<value>no</value> | |
<value selector="enabled">yes</value> | |
<value selector="disabled">no</value> | |
</Value> | |
<Value id="sysctl_net_ipv6_conf_default_accept_ra_value" operator="equals" type="string"> | |
<title xml:lang="en-US">net.ipv6.conf.default.accept_ra</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Accept default router advertisements?</description> | |
<value>0</value> | |
<value selector="enabled">1</value> | |
<value selector="disabled">0</value> | |
</Value> | |
<Value id="sysctl_net_ipv6_conf_default_accept_redirects_value" operator="equals" type="string"> | |
<title xml:lang="en-US">net.ipv6.conf.default.accept_redirects</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Toggle ICMP Redirect Acceptance</description> | |
<value>0</value> | |
<value selector="enabled">1</value> | |
<value selector="disabled">0</value> | |
</Value> | |
<Rule id="sysctl_net_ipv6_conf_default_accept_ra" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable Accepting IPv6 Router Advertisements</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To set the runtime status of the <xhtml:code>net.ipv6.conf.default.accept_ra</xhtml:code> kernel parameter, | |
run the following command: | |
<xhtml:pre xml:space="preserve"># sysctl -w net.ipv6.conf.default.accept_ra=0</xhtml:pre> | |
If this is not the system's default value, add the following line to <xhtml:code>/etc/sysctl.conf</xhtml:code>: | |
<xhtml:pre xml:space="preserve">net.ipv6.conf.default.accept_ra = 0</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
An illicit router advertisement message could result in a man-in-the-middle attack. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27164-3</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Set runtime for net.ipv6.conf.default.accept_ra | |
# | |
sysctl -q -n -w net.ipv6.conf.default.accept_ra=0 | |
# | |
# If net.ipv6.conf.default.accept_ra present in /etc/sysctl.conf, change value to "0" | |
# else, add "net.ipv6.conf.default.accept_ra = 0" to /etc/sysctl.conf | |
# | |
if grep --silent ^net.ipv6.conf.default.accept_ra /etc/sysctl.conf ; then | |
sed -i 's/^net.ipv6.conf.default.accept_ra.*/net.ipv6.conf.default.accept_ra = 0/g' /etc/sysctl.conf | |
else | |
echo "" >> /etc/sysctl.conf | |
echo "# Set net.ipv6.conf.default.accept_ra to 0 per security requirements" >> /etc/sysctl.conf | |
echo "net.ipv6.conf.default.accept_ra = 0" >> /etc/sysctl.conf | |
fi | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2284" value-id="sysctl_net_ipv6_conf_default_accept_ra_value"/> | |
<check-content-ref name="oval:ssg:def:1031" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the correct value is not returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
The status of the <xhtml:code>net.ipv6.conf.default.accept_ra</xhtml:code> kernel parameter can be queried | |
by running the following command: | |
<xhtml:pre xml:space="preserve">$ sysctl net.ipv6.conf.default.accept_ra</xhtml:pre> | |
The output of the command should indicate a value of <xhtml:code>0</xhtml:code>. | |
If this value is not the default value, investigate how it could have been | |
adjusted at runtime, and verify it is not set improperly in | |
<xhtml:code>/etc/sysctl.conf</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="sysctl_ipv6_default_accept_redirects" selected="false" severity="medium"> | |
<title xml:lang="en-US">Disable Accepting IPv6 Redirects</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To set the runtime status of the <xhtml:code>net.ipv6.conf.default.accept_redirects</xhtml:code> kernel parameter, | |
run the following command: | |
<xhtml:pre xml:space="preserve"># sysctl -w net.ipv6.conf.default.accept_redirects=0</xhtml:pre> | |
If this is not the system's default value, add the following line to <xhtml:code>/etc/sysctl.conf</xhtml:code>: | |
<xhtml:pre xml:space="preserve">net.ipv6.conf.default.accept_redirects = 0</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1551</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
An illicit ICMP redirect message could result in a man-in-the-middle attack. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27166-8</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2285" value-id="sysctl_net_ipv6_conf_default_accept_redirects_value"/> | |
<check-content-ref name="oval:ssg:def:486" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the correct value is not returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
The status of the <xhtml:code>net.ipv6.conf.default.accept_redirects</xhtml:code> kernel parameter can be queried | |
by running the following command: | |
<xhtml:pre xml:space="preserve">$ sysctl net.ipv6.conf.default.accept_redirects</xhtml:pre> | |
The output of the command should indicate a value of <xhtml:code>0</xhtml:code>. | |
If this value is not the default value, investigate how it could have been | |
adjusted at runtime, and verify it is not set improperly in | |
<xhtml:code>/etc/sysctl.conf</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
<Rule id="network_ipv6_static_address" selected="false" severity="low"> | |
<title xml:lang="en-US">Manually Assign Global IPv6 Address</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To manually assign an IP address for an interface, edit the | |
file <xhtml:code>/etc/sysconfig/network-scripts/ifcfg-<i xmlns="http://www.w3.org/1999/xhtml">interface</i></xhtml:code>. Add or correct the | |
following line (substituting the correct IPv6 address): | |
<pre xmlns="http://www.w3.org/1999/xhtml">IPV6ADDR=2001:0DB8::ABCD/64</pre> | |
Manually assigning an IP address is preferable to accepting one from routers or | |
from the network otherwise. The example address here is an IPv6 address | |
reserved for documentation purposes, as defined by RFC3849. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/> | |
<ident system="http://cce.mitre.org">CCE-27233-6</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:685" href="ssg-rhel6-oval.xml"/> | |
</check> | |
</Rule> | |
<Rule id="network_ipv6_privacy_extensions" selected="false" severity="low"> | |
<title xml:lang="en-US">Use Privacy Extensions for Address</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To introduce randomness into the automatic generation of IPv6 | |
addresses, add or correct the following line in | |
<xhtml:code>/etc/sysconfig/network-scripts/ifcfg-<i xmlns="http://www.w3.org/1999/xhtml">interface</i></xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">IPV6_PRIVACY=rfc3041</pre> | |
Automatically-generated IPv6 addresses are based on the underlying hardware | |
(e.g. Ethernet) address, and so it becomes possible to track a piece of | |
hardware over its lifetime using its traffic. If it is important for a system's | |
IP address to not trivially reveal its hardware address, this setting should be | |
applied. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/> | |
<ident system="http://cce.mitre.org">CCE-27154-4</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:794" href="ssg-rhel6-oval.xml"/> | |
</check> | |
</Rule> | |
<Rule id="network_ipv6_default_gateway" selected="false" severity="low"> | |
<title xml:lang="en-US">Manually Assign IPv6 Router Address</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Edit the file | |
<xhtml:code>/etc/sysconfig/network-scripts/ifcfg-<i xmlns="http://www.w3.org/1999/xhtml">interface</i></xhtml:code>, and add or correct | |
the following line (substituting your gateway IP as appropriate): | |
<pre xmlns="http://www.w3.org/1999/xhtml">IPV6_DEFAULTGW=2001:0DB8::0001</pre> | |
Router addresses should be manually set and not accepted via any | |
auto-configuration or router advertisement. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/> | |
<ident system="http://cce.mitre.org">CCE-27234-4</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:353" href="ssg-rhel6-oval.xml"/> | |
</check> | |
</Rule> | |
<Group id="network_ipv6_limit_requests"> | |
<title xml:lang="en-US">Limit Network-Transmitted Configuration if Using Static IPv6 Addresses</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To limit the configuration information requested from other | |
systems and accepted from the network on a system that uses | |
statically-configured IPv6 addresses, add the following lines to | |
<xhtml:code>/etc/sysctl.conf</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">net.ipv6.conf.default.router_solicitations = 0 | |
net.ipv6.conf.default.accept_ra_rtr_pref = 0 | |
net.ipv6.conf.default.accept_ra_pinfo = 0 | |
net.ipv6.conf.default.accept_ra_defrtr = 0 | |
net.ipv6.conf.default.autoconf = 0 | |
net.ipv6.conf.default.dad_transmits = 0 | |
net.ipv6.conf.default.max_addresses = 1</pre> | |
The <xhtml:code>router_solicitations</xhtml:code> setting determines how many router | |
solicitations are sent when bringing up the interface. If addresses are | |
statically assigned, there is no need to send any solicitations. | |
<br xmlns="http://www.w3.org/1999/xhtml"/> | |
The <xhtml:code>accept_ra_pinfo</xhtml:code> setting controls whether the system will accept | |
prefix info from the router. | |
<br xmlns="http://www.w3.org/1999/xhtml"/> | |
The <xhtml:code>accept_ra_defrtr</xhtml:code> setting controls whether the system will accept | |
Hop Limit settings from a router advertisement. Setting it to 0 prevents a | |
router from changing your default IPv6 Hop Limit for outgoing packets. | |
<br xmlns="http://www.w3.org/1999/xhtml"/> | |
The <xhtml:code>autoconf</xhtml:code> setting controls whether router advertisements can cause | |
the system to assign a global unicast address to an interface. | |
<br xmlns="http://www.w3.org/1999/xhtml"/> | |
The <xhtml:code>dad_transmits</xhtml:code> setting determines how many neighbor solicitations | |
to send out per address (global and link-local) when bringing up an interface | |
to ensure the desired address is unique on the network. | |
<br xmlns="http://www.w3.org/1999/xhtml"/> | |
The <xhtml:code>max_addresses</xhtml:code> setting determines how many global unicast IPv6 | |
addresses can be assigned to each interface. The default is 16, but it should | |
be set to exactly the number of statically configured global addresses | |
required. | |
</description> | |
</Group> | |
</Group> | |
</Group> | |
<Group id="network-iptables"> | |
<title xml:lang="en-US">iptables and ip6tables</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">A host-based firewall called Netfilter is included as | |
part of the Linux kernel distributed with the system. It is | |
activated by default. This firewall is controlled by the program | |
iptables, and the entire capability is frequently referred to by | |
this name. An analogous program called ip6tables handles filtering | |
for IPv6. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
Unlike TCP Wrappers, which depends on the network server | |
program to support and respect the rules written, Netfilter | |
filtering occurs at the kernel level, before a program can even | |
process the data from the network packet. As such, any program on | |
the system is affected by the rules written. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
This section provides basic information about strengthening | |
the iptables and ip6tables configurations included with the system. | |
For more complete information that may allow the construction of a | |
sophisticated ruleset tailored to your environment, please consult | |
the references at the end of this section.</description> | |
<Group id="iptables_activation"> | |
<title xml:lang="en-US">Inspect and Activate Default Rules</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">View the currently-enforced iptables rules by running | |
the command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># iptables -nL --line-numbers</pre> | |
The command is analogous for the ip6tables program. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
If the firewall does not appear to be active (i.e., no rules | |
appear), activate it and ensure that it starts at boot by issuing | |
the following commands (and analogously for ip6tables): | |
<pre xmlns="http://www.w3.org/1999/xhtml"># service iptables restart</pre> | |
The default iptables rules are: | |
<pre xmlns="http://www.w3.org/1999/xhtml">Chain INPUT (policy ACCEPT) | |
num target prot opt source destination | |
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED | |
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 | |
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 | |
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 | |
5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited | |
Chain FORWARD (policy ACCEPT) | |
num target prot opt source destination | |
1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited | |
Chain OUTPUT (policy ACCEPT) | |
num target prot opt source destination</pre> | |
The <xhtml:code>ip6tables</xhtml:code> default rules are essentially the same.</description> | |
<Rule id="service_ip6tables_enabled" selected="false" severity="medium"> | |
<title xml:lang="en-US">Verify ip6tables Enabled if Using IPv6</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The <xhtml:code>ip6tables</xhtml:code> service can be enabled with the following command: | |
<xhtml:pre># chkconfig --level 2345 ip6tables on</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-4</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CA-3(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">32</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">66</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1115</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1118</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1092</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1117</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1098</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1100</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1097</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1414</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>ip6tables</xhtml:code> service provides the system's host-based firewalling | |
capability for IPv6 and ICMPv6. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27006-6</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Enable ip6tables for all run levels | |
# | |
chkconfig --level 0123456 ip6tables on | |
# | |
# Start ip6tables if not currently running | |
# | |
service ip6tables start | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:112" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is not running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
If IPv6 is disabled, this is not applicable. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
Run the following command to determine the current status of the | |
<xhtml:code>ip6tables</xhtml:code> service: | |
<xhtml:pre># service ip6tables status</xhtml:pre> | |
If the service is enabled, it should return the following: <xhtml:pre>ip6tables is running...</xhtml:pre></check-content> | |
</check> | |
</Rule> | |
<Rule id="set_ip6tables_default_rule" selected="false" severity="medium"> | |
<title xml:lang="en-US">Set Default ip6tables Policy for Incoming Packets</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To set the default policy to DROP (instead of ACCEPT) for | |
the built-in INPUT chain which processes incoming packets, | |
add or correct the following line in | |
<xhtml:code>/etc/sysconfig/ip6tables</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">:INPUT DROP [0:0]</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">66</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1109</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1154</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1414</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">In <xhtml:code>ip6tables</xhtml:code> the default policy is applied only after all | |
the applicable rules in the table are examined for a match. Setting the | |
default policy to <xhtml:code>DROP</xhtml:code> implements proper design for a firewall, i.e. | |
any packets which are not explicitly permitted should not be | |
accepted.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27317-7</ident> | |
<check system="ocil-transitional"> | |
<check-export export-name="the default policy for the INPUT chain is not set to DROP" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
If IPv6 is disabled, this is not applicable. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
Inspect the file <xhtml:code>/etc/sysconfig/ip6tables</xhtml:code> to determine | |
the default policy for the INPUT chain. It should be set to DROP: | |
<pre xmlns="http://www.w3.org/1999/xhtml"> # grep ":INPUT" /etc/sysconfig/ip6tables</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="service_iptables_enabled" selected="false" severity="medium"> | |
<title xml:lang="en-US">Verify iptables Enabled</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The <xhtml:code>iptables</xhtml:code> service can be enabled with the following command: | |
<xhtml:pre># chkconfig --level 2345 iptables on</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-4</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CA-3(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">32</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">66</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1115</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1118</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1092</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1117</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1098</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1100</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1097</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1414</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The <xhtml:code>iptables</xhtml:code> service provides the system's host-based firewalling | |
capability for IPv4 and ICMP. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27018-1</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Enable iptables for all run levels | |
# | |
chkconfig --level 0123456 iptables on | |
# | |
# Start iptables if not currently running | |
# | |
service iptables start | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:819" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is not running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Run the following command to determine the current status of the | |
<xhtml:code>iptables</xhtml:code> service: | |
<xhtml:pre># service iptables status</xhtml:pre> | |
If the service is enabled, it should return the following: <xhtml:pre>iptables is running...</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
<Group id="ruleset_modifications"> | |
<title xml:lang="en-US">Strengthen the Default Ruleset</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The default rules can be strengthened. The system | |
scripts that activate the firewall rules expect them to be defined | |
in the configuration files iptables and ip6tables in the directory | |
<xhtml:code>/etc/sysconfig</xhtml:code>. Many of the lines in these files are similar | |
to the command line arguments that would be provided to the programs | |
<xhtml:code>/sbin/iptables</xhtml:code> or <xhtml:code>/sbin/ip6tables</xhtml:code> - but some are quite | |
different. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
The following recommendations describe how to strengthen the | |
default ruleset configuration file. An alternative to editing this | |
configuration file is to create a shell script that makes calls to | |
the iptables program to load in rules, and then invokes service | |
iptables save to write those loaded rules to | |
<xhtml:code>/etc/sysconfig/iptables.</xhtml:code> | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
The following alterations can be made directly to | |
<xhtml:code>/etc/sysconfig/iptables</xhtml:code> and <xhtml:code>/etc/sysconfig/ip6tables</xhtml:code>. | |
Instructions apply to both unless otherwise noted. Language and address | |
conventions for regular iptables are used throughout this section; | |
configuration for ip6tables will be either analogous or explicitly | |
covered.</description> | |
<warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="false" category="general">The program <xhtml:code>system-config-securitylevel</xhtml:code> | |
allows additional services to penetrate the default firewall rules | |
and automatically adjusts <xhtml:code>/etc/sysconfig/iptables</xhtml:code>. This program | |
is only useful if the default ruleset meets your security | |
requirements. Otherwise, this program should not be used to make | |
changes to the firewall configuration because it re-writes the | |
saved configuration file.</warning> | |
<Rule id="set_iptables_default_rule" selected="false" severity="medium"> | |
<title xml:lang="en-US">Set Default iptables Policy for Incoming Packets</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To set the default policy to DROP (instead of ACCEPT) for | |
the built-in INPUT chain which processes incoming packets, | |
add or correct the following line in | |
<xhtml:code>/etc/sysconfig/iptables</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">:INPUT DROP [0:0]</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">66</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1109</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1154</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1414</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">In <xhtml:code>iptables</xhtml:code> the default policy is applied only after all | |
the applicable rules in the table are examined for a match. Setting the | |
default policy to <xhtml:code>DROP</xhtml:code> implements proper design for a firewall, i.e. | |
any packets which are not explicitly permitted should not be | |
accepted.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26444-0</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:1194" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the default policy for the INPUT chain is not set to DROP" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml">Inspect the file <xhtml:code>/etc/sysconfig/iptables</xhtml:code> to determine | |
the default policy for the INPUT chain. It should be set to DROP: | |
<pre xmlns="http://www.w3.org/1999/xhtml"> # grep ":INPUT" /etc/sysconfig/iptables</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="set_iptables_default_rule_forward" selected="false" severity="medium"> | |
<title xml:lang="en-US">Set Default iptables Policy for Forwarded Packets</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To set the default policy to DROP (instead of ACCEPT) for | |
the built-in FORWARD chain which processes packets that will be forwarded from | |
one interface to another, | |
add or correct the following line in | |
<xhtml:code>/etc/sysconfig/iptables</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">:FORWARD DROP [0:0]</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1109</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">In <xhtml:code>iptables</xhtml:code> the default policy is applied only after all | |
the applicable rules in the table are examined for a match. Setting the | |
default policy to <xhtml:code>DROP</xhtml:code> implements proper design for a firewall, i.e. | |
any packets which are not explicitly permitted should not be | |
accepted.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27186-6</ident> | |
<check system="ocil-transitional"> | |
<check-export export-name="the default policy for the FORWARD chain is not set to DROP" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Run the following command to ensure the default <xhtml:code>FORWARD</xhtml:code> policy is <xhtml:code>DROP</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">grep ":FORWARD" /etc/sysconfig/iptables</pre> | |
The output should be similar to the following: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># grep ":FORWARD" /etc/sysconfig/iptables | |
:FORWARD DROP [0:0</pre></check-content> | |
</check> | |
</Rule> | |
<Group id="iptables_icmp_disabled"> | |
<title xml:lang="en-US">Restrict ICMP Message Types</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">In <xhtml:code>/etc/sysconfig/iptables</xhtml:code>, the accepted ICMP messages | |
types can be restricted. To accept only ICMP echo reply, destination | |
unreachable, and time exceeded messages, remove the line:<br xmlns="http://www.w3.org/1999/xhtml"/> | |
<pre xmlns="http://www.w3.org/1999/xhtml">-A INPUT -p icmp --icmp-type any -j ACCEPT</pre> | |
and insert the lines: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT | |
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT | |
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT</pre> | |
To allow the system to respond to pings, also insert the following line: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-A INPUT -p icmp --icmp-type echo-request -j ACCEPT</pre> | |
Ping responses can also be limited to certain networks or hosts by using the -s | |
option in the previous rule. Because IPv6 depends so heavily on ICMPv6, it is | |
preferable to deny the ICMPv6 packets you know you don't need (e.g. ping | |
requests) in <xhtml:code>/etc/sysconfig/ip6tables</xhtml:code>, while letting everything else | |
through: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP</pre> | |
If you are going to statically configure the machine's address, it should | |
ignore Router Advertisements which could add another IPv6 address to the | |
interface or alter important network settings: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-A INPUT -p icmpv6 --icmpv6-type router-advertisement -j DROP</pre> | |
Restricting ICMPv6 message types in <xhtml:code>/etc/sysconfig/ip6tables</xhtml:code> is not | |
recommended because the operation of IPv6 depends heavily on ICMPv6. Thus, great | |
care must be taken if any other ICMPv6 types are blocked. | |
</description> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Restricting ICMP messages may make a system slightly less | |
discoverable to an unsophisticated attacker but is not appropriate for many | |
general-purpose use cases and can also make troubleshooting more difficult. | |
</rationale> | |
</Group> | |
<Group id="iptables_log_and_drop_suspicious"> | |
<title xml:lang="en-US">Log and Drop Packets with Suspicious Source Addresses</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Packets with non-routable source addresses should be rejected, as they may indicate spoofing. Because the | |
modified policy will reject non-matching packets, you only need to add these rules if you are interested in also | |
logging these spoofing or suspicious attempts before they are dropped. If you do choose to log various suspicious | |
traffic, add identical rules with a target of DROP after each LOG. | |
To log and then drop these IPv4 packets, insert the following rules in <xhtml:code>/etc/sysconfig/iptables</xhtml:code> (excepting | |
any that are intentionally used): | |
<pre xmlns="http://www.w3.org/1999/xhtml">-A INPUT -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF A: " | |
-A INPUT -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF B: " | |
-A INPUT -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF C: " | |
-A INPUT -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST D: " | |
-A INPUT -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP SPOOF E: " | |
-A INPUT -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK: "</pre> | |
Similarly, you might wish to log packets containing some IPv6 reserved addresses if they are not expected | |
on your network: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-A INPUT -i eth0 -s ::1 -j LOG --log-prefix "IPv6 DROP LOOPBACK: " | |
-A INPUT -s 2002:E000::/20 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " | |
-A INPUT -s 2002:7F00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " | |
-A INPUT -s 2002:0000::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " | |
-A INPUT -s 2002:FF00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " | |
-A INPUT -s 2002:0A00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " | |
-A INPUT -s 2002:AC10::/28 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " | |
-A INPUT -s 2002:C0A8::/32 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "</pre> | |
If you are not expecting to see site-local multicast or auto-tunneled traffic, you can log those: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-A INPUT -s FF05::/16 -j LOG --log-prefix "IPv6 SITE-LOCAL MULTICAST: " | |
-A INPUT -s ::0.0.0.0/96 -j LOG --log-prefix "IPv4 COMPATIBLE IPv6 ADDR: "</pre> | |
If you wish to block multicasts to all link-local nodes (e.g. if you are not using router auto-configuration and | |
do not plan to have any services that multicast to the entire local network), you can block the link-local | |
all-nodes multicast address (before accepting incoming ICMPv6): | |
<pre xmlns="http://www.w3.org/1999/xhtml">-A INPUT -d FF02::1 -j LOG --log-prefix "Link-local All-Nodes Multicast: "</pre> | |
However, if you're going to allow IPv4 compatible IPv6 addresses (of the form ::0.0.0.0/96), you should | |
then consider logging the non-routable IPv4-compatible addresses: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-A INPUT -s ::0.0.0.0/104 -j LOG --log-prefix "IP NON-ROUTABLE ADDR: " | |
-A INPUT -s ::127.0.0.0/104 -j LOG --log-prefix "IP DROP LOOPBACK: " | |
-A INPUT -s ::224.0.0.0.0/100 -j LOG --log-prefix "IP DROP MULTICAST D: " | |
-A INPUT -s ::255.0.0.0/104 -j LOG --log-prefix "IP BROADCAST: "</pre> | |
If you are not expecting to see any IPv4 (or IPv4-compatible) traffic on your network, consider logging it before it gets dropped: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-A INPUT -s ::FFFF:0.0.0.0/96 -j LOG --log-prefix "IPv4 MAPPED IPv6 ADDR: " | |
-A INPUT -s 2002::/16 -j LOG --log-prefix "IPv6 6to4 ADDR: "</pre> | |
The following rule will log all traffic originating from a site-local address, which is deprecated address space: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-A INPUT -s FEC0::/10 -j LOG --log-prefix "SITE-LOCAL ADDRESS TRAFFIC: "</pre> | |
</description> | |
</Group> | |
</Group> | |
</Group> | |
<Group id="network_ssl"> | |
<title xml:lang="en-US">Transport Layer Security Support</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Support for Transport Layer Security (TLS), and its predecessor, the Secure | |
Sockets Layer (SSL), is included in RHEL in the OpenSSL software (RPM package | |
<xhtml:code>openssl</xhtml:code>). TLS provides encrypted and authenticated network | |
communications, and many network services include support for it. TLS or SSL | |
can be leveraged to avoid any plaintext transmission of sensitive data. | |
<br xmlns="http://www.w3.org/1999/xhtml"/> | |
For information on how to use OpenSSL, see | |
<b xmlns="http://www.w3.org/1999/xhtml">http://www.openssl.org/docs/HOWTO/</b>. Information on FIPS validation | |
of OpenSSL is available at <b xmlns="http://www.w3.org/1999/xhtml">http://www.openssl.org/docs/fips/fipsvalidation.html</b> | |
and <b xmlns="http://www.w3.org/1999/xhtml">http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm</b>. | |
<!-- Does Red Hat offer any documentation on using OpenSSL? --> | |
</description> | |
</Group> | |
<Group id="network-uncommon"> | |
<title xml:lang="en-US">Uncommon Network Protocols</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The system includes support for several network | |
protocols which are not commonly used. Although security vulnerabilities | |
in kernel networking code are not frequently | |
discovered, the consequences can be dramatic. Ensuring uncommon | |
network protocols are disabled reduces the system's risk to attacks | |
targeted at its implementation of those protocols.</description> | |
<warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Although these protocols are not commonly used, avoid disruption | |
in your network environment by ensuring they are not needed | |
prior to disabling them. | |
</warning> | |
<Rule id="kernel_module_dccp_disabled" selected="false" severity="medium"> | |
<title xml:lang="en-US">Disable DCCP Support</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The Datagram Congestion Control Protocol (DCCP) is a | |
relatively new transport layer protocol, designed to support | |
streaming media and telephony. | |
To configure the system to prevent the <xhtml:code>dccp</xhtml:code> | |
kernel module from being loaded, add the following line to a file in the directory <xhtml:code>/etc/modprobe.d</xhtml:code>: | |
<xhtml:pre xml:space="preserve">install dccp /bin/false</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">382</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Disabling DCCP protects | |
the system against exploitation of any flaws in its implementation. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26448-1</ident> | |
<fix system="urn:xccdf:fix:script:sh">echo "install dccp /bin/false" > /etc/modprobe.d/dccp.conf | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:1209" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="no line is returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
If the system is configured to prevent the loading of the | |
<xhtml:code>dccp</xhtml:code> kernel module, | |
it will contain lines inside any file in <xhtml:code>/etc/modprobe.d</xhtml:code> or the deprecated<xhtml:code>/etc/modprobe.conf</xhtml:code>. | |
These lines instruct the module loading system to run another program (such as | |
<xhtml:code>/bin/false</xhtml:code>) upon a module <xhtml:code>install</xhtml:code> event. | |
Run the following command to search for such lines in all files in <xhtml:code>/etc/modprobe.d</xhtml:code> | |
and the deprecated <xhtml:code>/etc/modprobe.conf</xhtml:code>: | |
<xhtml:pre xml:space="preserve">$ grep -r dccp /etc/modprobe.conf /etc/modprobe.d</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="kernel_module_sctp_disabled" selected="false" severity="medium"> | |
<title xml:lang="en-US">Disable SCTP Support</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The Stream Control Transmission Protocol (SCTP) is a | |
transport layer protocol, designed to support the idea of | |
message-oriented communication, with several streams of messages | |
within one connection. | |
To configure the system to prevent the <xhtml:code>sctp</xhtml:code> | |
kernel module from being loaded, add the following line to a file in the directory <xhtml:code>/etc/modprobe.d</xhtml:code>: | |
<xhtml:pre xml:space="preserve">install sctp /bin/false</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">382</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Disabling SCTP protects | |
the system against exploitation of any flaws in its implementation. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26410-1</ident> | |
<fix system="urn:xccdf:fix:script:sh">echo "install sctp /bin/false" > /etc/modprobe.d/sctp.conf | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:1081" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="no line is returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
If the system is configured to prevent the loading of the | |
<xhtml:code>sctp</xhtml:code> kernel module, | |
it will contain lines inside any file in <xhtml:code>/etc/modprobe.d</xhtml:code> or the deprecated<xhtml:code>/etc/modprobe.conf</xhtml:code>. | |
These lines instruct the module loading system to run another program (such as | |
<xhtml:code>/bin/false</xhtml:code>) upon a module <xhtml:code>install</xhtml:code> event. | |
Run the following command to search for such lines in all files in <xhtml:code>/etc/modprobe.d</xhtml:code> | |
and the deprecated <xhtml:code>/etc/modprobe.conf</xhtml:code>: | |
<xhtml:pre xml:space="preserve">$ grep -r sctp /etc/modprobe.conf /etc/modprobe.d</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="kernel_module_rds_disabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable RDS Support</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The Reliable Datagram Sockets (RDS) protocol is a transport | |
layer protocol designed to provide reliable high- bandwidth, | |
low-latency communications between nodes in a cluster. | |
To configure the system to prevent the <xhtml:code>rds</xhtml:code> | |
kernel module from being loaded, add the following line to a file in the directory <xhtml:code>/etc/modprobe.d</xhtml:code>: | |
<xhtml:pre xml:space="preserve">install rds /bin/false</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">382</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Disabling RDS protects | |
the system against exploitation of any flaws in its implementation. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26239-4</ident> | |
<fix system="urn:xccdf:fix:script:sh">echo "install rds /bin/false" > /etc/modprobe.d/rds.conf | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:322" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="no line is returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
If the system is configured to prevent the loading of the | |
<xhtml:code>rds</xhtml:code> kernel module, | |
it will contain lines inside any file in <xhtml:code>/etc/modprobe.d</xhtml:code> or the deprecated<xhtml:code>/etc/modprobe.conf</xhtml:code>. | |
These lines instruct the module loading system to run another program (such as | |
<xhtml:code>/bin/false</xhtml:code>) upon a module <xhtml:code>install</xhtml:code> event. | |
Run the following command to search for such lines in all files in <xhtml:code>/etc/modprobe.d</xhtml:code> | |
and the deprecated <xhtml:code>/etc/modprobe.conf</xhtml:code>: | |
<xhtml:pre xml:space="preserve">$ grep -r rds /etc/modprobe.conf /etc/modprobe.d</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="kernel_module_tipc_disabled" selected="false" severity="medium"> | |
<title xml:lang="en-US">Disable TIPC Support</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The Transparent Inter-Process Communication (TIPC) protocol | |
is designed to provide communications between nodes in a | |
cluster. | |
To configure the system to prevent the <xhtml:code>tipc</xhtml:code> | |
kernel module from being loaded, add the following line to a file in the directory <xhtml:code>/etc/modprobe.d</xhtml:code>: | |
<xhtml:pre xml:space="preserve">install tipc /bin/false</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">382</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Disabling TIPC protects | |
the system against exploitation of any flaws in its implementation. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26696-5</ident> | |
<fix system="urn:xccdf:fix:script:sh">echo "install tipc /bin/false" > /etc/modprobe.d/tipc.conf | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:1130" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="no line is returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
If the system is configured to prevent the loading of the | |
<xhtml:code>tipc</xhtml:code> kernel module, | |
it will contain lines inside any file in <xhtml:code>/etc/modprobe.d</xhtml:code> or the deprecated<xhtml:code>/etc/modprobe.conf</xhtml:code>. | |
These lines instruct the module loading system to run another program (such as | |
<xhtml:code>/bin/false</xhtml:code>) upon a module <xhtml:code>install</xhtml:code> event. | |
Run the following command to search for such lines in all files in <xhtml:code>/etc/modprobe.d</xhtml:code> | |
and the deprecated <xhtml:code>/etc/modprobe.conf</xhtml:code>: | |
<xhtml:pre xml:space="preserve">$ grep -r tipc /etc/modprobe.conf /etc/modprobe.d</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
<Group id="network-ipsec"> | |
<title xml:lang="en-US">IPSec Support</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Support for Internet Protocol Security (IPsec) | |
is provided in RHEL 6 with Openswan. | |
</description> | |
<Rule id="install_openswan" selected="false" severity="low"> | |
<title xml:lang="en-US">Install openswan Package</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The Openswan package provides an implementation of IPsec | |
and IKE, which permits the creation of secure tunnels over | |
untrusted networks. | |
The <xhtml:code>openswan</xhtml:code> package can be installed with the following command: | |
<xhtml:pre># yum install openswan</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">MA-4</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-9</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1130</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1131</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Providing the ability for remote users or systems | |
to initiate a secure VPN connection protects information when it is | |
transmitted over a wide area network. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27626-1</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:405" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the package is not installed" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Run the following command to determine if the <xhtml:code>openswan</xhtml:code> package is installed: | |
<xhtml:pre># rpm -q openswan</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
</Group> | |
<Group id="logging"> | |
<title xml:lang="en-US">Configure Syslog</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The syslog service has been the default Unix logging mechanism for | |
many years. It has a number of downsides, including inconsistent log format, | |
lack of authentication for received messages, and lack of authentication, | |
encryption, or reliable transport for messages sent over a network. However, | |
due to its long history, syslog is a de facto standard which is supported by | |
almost all Unix applications. | |
<br xmlns="http://www.w3.org/1999/xhtml"/> | |
<br xmlns="http://www.w3.org/1999/xhtml"/> | |
In RHEL 6, rsyslog has replaced ksyslogd as the | |
syslog daemon of choice, and it includes some additional security features | |
such as reliable, connection-oriented (i.e. TCP) transmission of logs, the | |
option to log to database formats, and the encryption of log data en route to | |
a central logging server. | |
This section discusses how to configure rsyslog for | |
best effect, and how to use tools provided with the system to maintain and | |
monitor logs.</description> | |
<Rule id="package_rsyslog_installed" selected="false" severity="medium"> | |
<title xml:lang="en-US">Ensure rsyslog is Installed</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Rsyslog is installed by default. | |
The <xhtml:code>rsyslog</xhtml:code> package can be installed with the following command: | |
<xhtml:pre># yum install rsyslog</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-9(2)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1311</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1312</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The rsyslog package provides the rsyslog daemon, which provides | |
system logging services. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26809-4</ident> | |
<fix system="urn:xccdf:fix:script:sh">yum -y install rsyslog | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:490" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the package is not installed" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Run the following command to determine if the <xhtml:code>rsyslog</xhtml:code> package is installed: | |
<xhtml:pre># rpm -q rsyslog</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="service_rsyslog_enabled" selected="false" severity="medium"> | |
<title xml:lang="en-US">Enable rsyslog Service</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>rsyslog</xhtml:code> service provides syslog-style logging by default on RHEL 6. | |
The <xhtml:code>rsyslog</xhtml:code> service can be enabled with the following command: | |
<xhtml:pre># chkconfig --level 2345 rsyslog on</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-12</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1557</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1312</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1311</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>rsyslog</xhtml:code> service must be running in order to provide | |
logging services, which are essential to system administration. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26807-8</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Enable rsyslog for all run levels | |
# | |
chkconfig --level 0123456 rsyslog on | |
# | |
# Start rsyslog if not currently running | |
# | |
service rsyslog start | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:835" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is not running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Run the following command to determine the current status of the | |
<xhtml:code>rsyslog</xhtml:code> service: | |
<xhtml:pre># service rsyslog status</xhtml:pre> | |
If the service is enabled, it should return the following: <xhtml:pre>rsyslog is running...</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Group id="ensure_rsyslog_log_file_configuration"> | |
<title xml:lang="en-US">Ensure Proper Configuration of Log Files</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The file <xhtml:code>/etc/rsyslog.conf</xhtml:code> controls where log message are written. | |
These are controlled by lines called <i xmlns="http://www.w3.org/1999/xhtml">rules</i>, which consist of a | |
<i xmlns="http://www.w3.org/1999/xhtml">selector</i> and an <i xmlns="http://www.w3.org/1999/xhtml">action</i>. | |
These rules are often customized depending on the role of the system, the | |
requirements of the environment, and whatever may enable | |
the administrator to most effectively make use of log data. | |
The default rules in RHEL 6 are: | |
<pre xmlns="http://www.w3.org/1999/xhtml">*.info;mail.none;authpriv.none;cron.none /var/log/messages | |
authpriv.* /var/log/secure | |
mail.* -/var/log/maillog | |
cron.* /var/log/cron | |
*.emerg * | |
uucp,news.crit /var/log/spooler | |
local7.* /var/log/boot.log</pre> | |
See the man page <xhtml:code>rsyslog.conf(5)</xhtml:code> for more information. | |
<i xmlns="http://www.w3.org/1999/xhtml">Note that the <xhtml:code>rsyslog</xhtml:code> daemon can be configured to use a timestamp format that | |
some log processing programs may not understand. If this occurs, | |
edit the file <xhtml:code>/etc/rsyslog.conf</xhtml:code> and add or edit the following line:</i> | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat</pre> | |
</description> | |
<Value id="file_owner_logfiles_value" operator="equals" type="string"> | |
<title xml:lang="en-US">User who owns log files</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Specify user owner of all logfiles specified in | |
<xhtml:code>/etc/rsyslog.conf</xhtml:code>.</description> | |
<value selector="root">root</value> | |
</Value> | |
<Value id="file_groupowner_logfiles_value" operator="equals" type="string"> | |
<title xml:lang="en-US">group who owns log files</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Specify group owner of all logfiles specified in | |
<xhtml:code>/etc/rsyslog.conf.</xhtml:code></description> | |
<value selector="root">root</value> | |
</Value> | |
<Rule id="userowner_rsyslog_files" selected="false" severity="medium"> | |
<title xml:lang="en-US">Ensure Log Files Are Owned By Appropriate User</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The owner of all log files written by | |
<xhtml:code>rsyslog</xhtml:code> should be root. | |
These log files are determined by the second part of each Rule line in | |
<xhtml:code>/etc/rsyslog.conf</xhtml:code> and typically all appear in <xhtml:code>/var/log</xhtml:code>. | |
For each log file <i xmlns="http://www.w3.org/1999/xhtml">LOGFILE</i> referenced in <xhtml:code>/etc/rsyslog.conf</xhtml:code>, | |
run the following command to inspect the file's owner: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ ls -l <i>LOGFILE</i></pre> | |
If the owner is not <xhtml:code>root</xhtml:code>, run the following command to | |
correct this: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># chown root <i>LOGFILE</i></pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1314</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The log files generated by rsyslog contain valuable information regarding system | |
configuration, user authentication, and other such information. Log files should be | |
protected from unauthorized access.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26812-8</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:436" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the owner is not root" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
The owner of all log files written by <xhtml:code>rsyslog</xhtml:code> should be root. | |
These log files are determined by the second part of each Rule line in | |
<xhtml:code>/etc/rsyslog.conf</xhtml:code> and typically all appear in <xhtml:code>/var/log</xhtml:code>. | |
To see the owner of a given log file, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ ls -l <i>LOGFILE</i></pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="groupowner_rsyslog_files" selected="false" severity="medium"> | |
<title xml:lang="en-US">Ensure Log Files Are Owned By Appropriate Group</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The group-owner of all log files written by | |
<xhtml:code>rsyslog</xhtml:code> should be root. | |
These log files are determined by the second part of each Rule line in | |
<xhtml:code>/etc/rsyslog.conf</xhtml:code> and typically all appear in <xhtml:code>/var/log</xhtml:code>. | |
For each log file <i xmlns="http://www.w3.org/1999/xhtml">LOGFILE</i> referenced in <xhtml:code>/etc/rsyslog.conf</xhtml:code>, | |
run the following command to inspect the file's group owner: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ ls -l <i>LOGFILE</i></pre> | |
If the owner is not <xhtml:code>root</xhtml:code>, run the following command to | |
correct this: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># chgrp root <i>LOGFILE</i></pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1314</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The log files generated by rsyslog contain valuable information regarding system | |
configuration, user authentication, and other such information. Log files should be | |
protected from unauthorized access.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26821-9</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:827" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the group-owner is not root" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
The group-owner of all log files written by <xhtml:code>rsyslog</xhtml:code> should be root. | |
These log files are determined by the second part of each Rule line in | |
<xhtml:code>/etc/rsyslog.conf</xhtml:code> and typically all appear in <xhtml:code>/var/log</xhtml:code>. | |
To see the group-owner of a given log file, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ ls -l <i>LOGFILE</i></pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="rsyslog_file_permissions" selected="false" severity="medium"> | |
<title xml:lang="en-US">Ensure System Log Files Have Correct Permissions</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The file permissions for all log files written by | |
<xhtml:code>rsyslog</xhtml:code> should be set to 600, or more restrictive. | |
These log files are determined by the second part of each Rule line in | |
<xhtml:code>/etc/rsyslog.conf</xhtml:code> and typically all appear in <xhtml:code>/var/log</xhtml:code>. | |
For each log file <i xmlns="http://www.w3.org/1999/xhtml">LOGFILE</i> referenced in <xhtml:code>/etc/rsyslog.conf</xhtml:code>, | |
run the following command to inspect the file's permissions: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ ls -l <i>LOGFILE</i></pre> | |
If the permissions are not 600 or more restrictive, | |
run the following command to correct this: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># chmod 0600 <i>LOGFILE</i></pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/> | |
<reference href="http://iase.disa.mil/cci/index.html">1314</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Log files can contain valuable information regarding system | |
configuration. If the system log files are not protected unauthorized | |
users could change the logged data, eliminating their forensic value. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27190-8</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:539" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the permissions are not correct" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
The file permissions for all log files written by <xhtml:code>rsyslog</xhtml:code> | |
should be set to 600, or more restrictive. | |
These log files are determined by the second part of each Rule line in | |
<xhtml:code>/etc/rsyslog.conf</xhtml:code> and typically all appear in <xhtml:code>/var/log</xhtml:code>. | |
To see the permissions of a given log file, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ ls -l <i>LOGFILE</i></pre> | |
The permissions should be 600, or more restrictive. | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
<Group id="rsyslog_sending_messages"> | |
<title xml:lang="en-US">Rsyslog Logs Sent To Remote Host</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
If system logs are to be useful in detecting malicious | |
activities, it is necessary to send logs to a remote server. An | |
intruder who has compromised the root account on a machine may | |
delete the log entries which indicate that the system was attacked | |
before they are seen by an administrator. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
However, it is recommended that logs be stored on the local | |
host in addition to being sent to the loghost, especially if | |
<xhtml:code>rsyslog</xhtml:code> has been configured to use the UDP protocol to send | |
messages over a network. UDP does not guarantee reliable delivery, | |
and moderately busy sites will lose log messages occasionally, | |
especially in periods of high traffic which may be the result of an | |
attack. In addition, remote <xhtml:code>rsyslog</xhtml:code> messages are not | |
authenticated in any way by default, so it is easy for an attacker to | |
introduce spurious messages to the central log server. Also, some | |
problems cause loss of network connectivity, which will prevent the | |
sending of messages to the central server. For all of these reasons, it is | |
better to store log messages both centrally and on each host, so | |
that they can be correlated if necessary.</description> | |
<Rule id="rsyslog_send_messages_to_logserver" selected="false" severity="low"> | |
<title xml:lang="en-US">Ensure Logs Sent To Remote Host</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To configure rsyslog to send logs to a remote log server, | |
open <xhtml:code>/etc/rsyslog.conf</xhtml:code> and read and understand the last section of the file, | |
which describes the multiple directives necessary to activate remote | |
logging. | |
Along with these other directives, the system can be configured | |
to forward its logs to a particular log server by | |
adding or correcting one of the following lines, | |
substituting <xhtml:code><i xmlns="http://www.w3.org/1999/xhtml">loghost.example.com</i></xhtml:code> appropriately. | |
The choice of protocol depends on the environment of the system; | |
although TCP and RELP provide more reliable message delivery, | |
they may not be supported in all environments. | |
<br xmlns="http://www.w3.org/1999/xhtml"/> | |
To use UDP for log message delivery: | |
<pre xmlns="http://www.w3.org/1999/xhtml">*.* @<i>loghost.example.com</i></pre> | |
<br xmlns="http://www.w3.org/1999/xhtml"/> | |
To use TCP for log message delivery: | |
<pre xmlns="http://www.w3.org/1999/xhtml">*.* @@<i>loghost.example.com</i></pre> | |
<br xmlns="http://www.w3.org/1999/xhtml"/> | |
To use RELP for log message delivery: | |
<pre xmlns="http://www.w3.org/1999/xhtml">*.* :omrelp:<i>loghost.example.com</i></pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-3(2)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-9</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1348</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">136</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">A log server (loghost) receives syslog messages from one or more | |
systems. This data can be used as an additional log source in the event a | |
system is compromised and its local logs are suspect. Forwarding log messages | |
to a remote loghost also provides system administrators with a centralized | |
place to view the status of multiple hosts within the enterprise. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26801-1</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:893" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="none of these are present" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To ensure logs are sent to a remote host, examine the file | |
<xhtml:code>/etc/rsyslog.conf</xhtml:code>. | |
If using UDP, a line similar to the following should be present: | |
<pre xmlns="http://www.w3.org/1999/xhtml"> *.* @<i>loghost.example.com</i></pre> | |
If using TCP, a line similar to the following should be present: | |
<pre xmlns="http://www.w3.org/1999/xhtml"> *.* @@<i>loghost.example.com</i></pre> | |
If using RELP, a line similar to the following should be present: | |
<pre xmlns="http://www.w3.org/1999/xhtml"> *.* :omrelp:<i>loghost.example.com</i></pre> | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
<Group id="rsyslog_accepting_remote_messages"> | |
<title xml:lang="en-US">Configure rsyslogd to Accept Remote Messages If Acting as a Log Server</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
By default, <xhtml:code>rsyslog</xhtml:code> does not listen over the network | |
for log messages. If needed, modules can be enabled to allow | |
the rsyslog daemon to receive messages from other systems and for the system | |
thus to act as a log server. | |
If the machine is not a log server, then lines concerning these modules | |
should remain commented out. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
</description> | |
<Rule id="rsyslog_accept_remote_messages_none" selected="false" severity="low"> | |
<title xml:lang="en-US">Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>rsyslog</xhtml:code> daemon should not accept remote messages | |
unless the system acts as a log server. | |
To ensure that it is not listening on the network, ensure the following lines are | |
<i xmlns="http://www.w3.org/1999/xhtml">not</i> found in <xhtml:code>/etc/rsyslog.conf</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ModLoad imtcp.so | |
$InputTCPServerRun <i>port</i> | |
$ModLoad imudp.so | |
$InputUDPServerRun <i>port</i> | |
$ModLoad imrelp.so | |
$InputRELPServerRun <i>port</i></pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-9(2)</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Any process which receives messages from the network incurs some risk | |
of receiving malicious messages. This risk can be eliminated for | |
rsyslog by configuring it not to listen on the network. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26803-7</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:1136" href="ssg-rhel6-oval.xml"/> | |
</check> | |
</Rule> | |
<Rule id="rsyslog_accept_remote_messages_tcp" selected="false" severity="low"> | |
<title xml:lang="en-US">Enable rsyslog to Accept Messages via TCP, if Acting As Log Server</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>rsyslog</xhtml:code> daemon should not accept remote messages | |
unless the system acts as a log server. | |
If the system needs to act as a central log server, add the following lines to | |
<xhtml:code>/etc/rsyslog.conf</xhtml:code> to enable reception of messages over TCP: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ModLoad imtcp.so | |
$InputTCPServerRun 514</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-9</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
If the system needs to act as a log server, this ensures that it can receive | |
messages over a reliable TCP connection. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27235-1</ident> | |
</Rule> | |
<Rule id="rsyslog_accept_remote_messages_udp" selected="false" severity="low"> | |
<title xml:lang="en-US">Enable rsyslog to Accept Messages via UDP, if Acting As Log Server</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>rsyslog</xhtml:code> daemon should not accept remote messages | |
unless the system acts as a log server. | |
If the system needs to act as a central log server, add the following lines to | |
<xhtml:code>/etc/rsyslog.conf</xhtml:code> to enable reception of messages over UDP: | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ModLoad imudp.so | |
$InputUDPServerRun 514</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-9</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Many devices, such as switches, routers, and other Unix-like systems, may only support | |
the traditional syslog transmission over UDP. If the system must act as a log server, | |
this enables it to receive their messages as well. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27236-9</ident> | |
</Rule> | |
</Group> | |
<Group id="log_rotation"> | |
<title xml:lang="en-US">Ensure All Logs are Rotated by logrotate</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Edit the file <xhtml:code>/etc/logrotate.d/syslog</xhtml:code>. Find the first | |
line, which should look like this (wrapped for clarity): | |
<pre xmlns="http://www.w3.org/1999/xhtml">/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler \ | |
/var/log/boot.log /var/log/cron {</pre> | |
Edit this line so that it contains a one-space-separated | |
listing of each log file referenced in <xhtml:code>/etc/rsyslog.conf</xhtml:code>. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
All logs in use on a system must be rotated regularly, or the | |
log files will consume disk space over time, eventually interfering | |
with system operation. The file <xhtml:code>/etc/logrotate.d/syslog</xhtml:code> is the | |
configuration file used by the <xhtml:code>logrotate</xhtml:code> program to maintain all | |
log files written by <xhtml:code>syslog</xhtml:code>. By default, it rotates logs weekly and | |
stores four archival copies of each log. These settings can be | |
modified by editing <xhtml:code>/etc/logrotate.conf</xhtml:code>, but the defaults are | |
sufficient for purposes of this guide. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
Note that <xhtml:code>logrotate</xhtml:code> is run nightly by the cron job | |
<xhtml:code>/etc/cron.daily/logrotate</xhtml:code>. If particularly active logs need to be | |
rotated more often than once a day, some other mechanism must be | |
used.</description> | |
<Rule id="ensure_logrotate_activated" selected="false" severity="low"> | |
<title xml:lang="en-US">Ensure Logrotate Runs Periodically</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>logrotate</xhtml:code> utility allows for the automatic rotation of | |
log files. The frequency of rotation is specified in <xhtml:code>/etc/logrotate.conf</xhtml:code>, | |
which triggers a cron task. To configure logrotate to run daily, add or correct | |
the following line in <xhtml:code>/etc/logrotate.conf</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># rotate log files <i>frequency</i> | |
daily</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-9</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">366</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Log files that are not properly rotated run the risk of growing so large | |
that they fill up the /var/log partition. Valuable logging information could be lost | |
if the /var/log partition becomes full.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27014-0</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:891" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="logrotate is not configured to run daily" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To determine the status and frequency of logrotate, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># grep logrotate /var/log/cron*</pre> | |
If logrotate is configured properly, output should include references to | |
<xhtml:code>/etc/cron.daily</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
<Group id="configure_logwatch_on_logserver"> | |
<title xml:lang="en-US"> Configure Logwatch on the Central Log Server</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Is this machine the central log server? If so, edit the file <xhtml:code>/etc/logwatch/conf/logwatch.conf</xhtml:code> as shown below. | |
</description> | |
<Rule id="configure_logwatch_hostlimit" selected="false" severity="low"> | |
<title xml:lang="en-US">Configure Logwatch HostLimit Line</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> On a central logserver, you want Logwatch to summarize all syslog entries, including those which did not originate | |
on the logserver itself. The <xhtml:code>HostLimit</xhtml:code> setting tells Logwatch to report on all hosts, not just the one on which it | |
is running. | |
<pre xmlns="http://www.w3.org/1999/xhtml"> HostLimit = no </pre> </description> | |
<ident system="http://cce.mitre.org">CCE-27197-3</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:307" href="ssg-rhel6-oval.xml"/> | |
</check> | |
</Rule> | |
<Rule id="configure_logwatch_splithosts" selected="false" severity="low"> | |
<title xml:lang="en-US">Configure Logwatch SplitHosts Line</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
If <xhtml:code>SplitHosts</xhtml:code> is set, Logwatch will separate entries by hostname. This makes the report longer but significantly | |
more usable. If it is not set, then Logwatch will not report which host generated a given log entry, and that | |
information is almost always necessary | |
<pre xmlns="http://www.w3.org/1999/xhtml"> SplitHosts = yes </pre> </description> | |
<ident system="http://cce.mitre.org">CCE-27069-4</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:369" href="ssg-rhel6-oval.xml"/> | |
</check> | |
</Rule> | |
</Group> | |
<Rule id="disable_logwatch_for_logserver" selected="false" severity="low"> | |
<title xml:lang="en-US"> Disable Logwatch on Clients if a Logserver Exists</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Does your site have a central logserver which has been configured to report on logs received from all systems? | |
If so: | |
<pre xmlns="http://www.w3.org/1999/xhtml"> | |
# rm /etc/cron.daily/0logwatch | |
</pre> | |
If no logserver exists, it will be necessary for each machine to run Logwatch individually. Using a central | |
logserver provides the security and reliability benefits discussed earlier, and also makes monitoring logs easier | |
and less time-intensive for administrators.</description> | |
</Rule> | |
</Group> | |
<Group id="auditing"> | |
<title xml:lang="en-US">System Accounting with auditd</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The audit service provides substantial capabilities | |
for recording system activities. By default, the service audits about | |
SELinux AVC denials and certain types of security-relevant events | |
such as system logins, account modifications, and authentication | |
events performed by programs such as sudo. | |
Under its default configuration, <xhtml:code>auditd</xhtml:code> has modest disk space | |
requirements, and should not noticeably impact system performance. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
Government networks often have substantial auditing | |
requirements and <xhtml:code>auditd</xhtml:code> can be configured to meet these | |
requirements. | |
Examining some example audit records demonstrates how the Linux audit system | |
satisfies common requirements. | |
The following example from Fedora Documentation available at | |
<xhtml:code>http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html</xhtml:code> | |
shows the substantial amount of information captured in a | |
two typical "raw" audit messages, followed by a breakdown of the most important | |
fields. In this example the message is SELinux-related and reports an AVC | |
denial (and the associated system call) that occurred when the Apache HTTP | |
Server attempted to access the <xhtml:code>/var/www/html/file1</xhtml:code> file (labeled with | |
the <xhtml:code>samba_share_t</xhtml:code> type): | |
<pre xmlns="http://www.w3.org/1999/xhtml">type=AVC msg=audit(1226874073.147:96): avc: denied { getattr } for pid=2465 comm="httpd" | |
path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 | |
tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file | |
type=SYSCALL msg=audit(1226874073.147:96): arch=40000003 syscall=196 success=no exit=-13 | |
a0=b98df198 a1=bfec85dc a2=54dff4 a3=2008171 items=0 ppid=2463 pid=2465 auid=502 uid=48 | |
gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=6 comm="httpd" | |
exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null) | |
</pre> | |
<ul xmlns="http://www.w3.org/1999/xhtml"><li><xhtml:code>msg=audit(1226874073.147:96)</xhtml:code><ul><li>The number in parentheses is the unformatted time stamp (Epoch time) | |
for the event, which can be converted to standard time by using the | |
<xhtml:code>date</xhtml:code> command. | |
</li></ul></li><li><xhtml:code>{ getattr }</xhtml:code><ul><li>The item in braces indicates the permission that was denied. <xhtml:code>getattr</xhtml:code> | |
indicates the source process was trying to read the target file's status information. | |
This occurs before reading files. This action is denied due to the file being | |
accessed having the wrong label. Commonly seen permissions include <xhtml:code>getattr</xhtml:code>, | |
<xhtml:code>read</xhtml:code>, and <xhtml:code>write</xhtml:code>.</li></ul></li><li><xhtml:code>comm="httpd"</xhtml:code><ul><li>The executable that launched the process. The full path of the executable is | |
found in the <xhtml:code>exe=</xhtml:code> section of the system call (<xhtml:code>SYSCALL</xhtml:code>) message, | |
which in this case, is <xhtml:code>exe="/usr/sbin/httpd"</xhtml:code>. | |
</li></ul></li><li><xhtml:code>path="/var/www/html/file1"</xhtml:code><ul><li>The path to the object (target) the process attempted to access. | |
</li></ul></li><li><xhtml:code>scontext="unconfined_u:system_r:httpd_t:s0"</xhtml:code><ul><li>The SELinux context of the process that attempted the denied action. In | |
this case, it is the SELinux context of the Apache HTTP Server, which is running | |
in the <xhtml:code>httpd_t</xhtml:code> domain. | |
</li></ul></li><li><xhtml:code>tcontext="unconfined_u:object_r:samba_share_t:s0"</xhtml:code><ul><li>The SELinux context of the object (target) the process attempted to access. | |
In this case, it is the SELinux context of <xhtml:code>file1</xhtml:code>. Note: the <xhtml:code>samba_share_t</xhtml:code> | |
type is not accessible to processes running in the <xhtml:code>httpd_t</xhtml:code> domain.</li></ul></li><li> From the system call (<xhtml:code>SYSCALL</xhtml:code>) message, two items are of interest: | |
<ul><li><xhtml:code>success=no</xhtml:code>: indicates whether the denial (AVC) was enforced or not. | |
<xhtml:code>success=no</xhtml:code> indicates the system call was not successful (SELinux denied | |
access). <xhtml:code>success=yes</xhtml:code> indicates the system call was successful - this can | |
be seen for permissive domains or unconfined domains, such as <xhtml:code>initrc_t</xhtml:code> | |
and <xhtml:code>kernel_t</xhtml:code>. | |
</li><li><xhtml:code>exe="/usr/sbin/httpd"</xhtml:code>: the full path to the executable that launched | |
the process, which in this case, is <xhtml:code>exe="/usr/sbin/httpd"</xhtml:code>. | |
</li></ul> | |
</li></ul> | |
</description> | |
<Rule id="service_auditd_enabled" selected="false" severity="medium"> | |
<title xml:lang="en-US">Enable auditd Service</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>auditd</xhtml:code> service is an essential userspace component of | |
the Linux Auditing System, as it is responsible for writing audit records to | |
disk. | |
The <xhtml:code>auditd</xhtml:code> service can be enabled with the following command: | |
<xhtml:pre># chkconfig --level 2345 auditd on</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(1)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-10</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-12(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-12(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">347</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">157</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">172</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">880</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1353</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1462</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1487</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1115</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1454</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">067</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">158</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">831</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1190</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1312</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1263</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">130</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">120</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1589</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensuring the <xhtml:code>auditd</xhtml:code> service is active ensures | |
audit records generated by the kernel can be written to disk, or that appropriate | |
actions will be taken if other obstacles exist. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27058-7</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Enable auditd for all run levels | |
# | |
chkconfig --level 0123456 auditd on | |
# | |
# Start auditd if not currently running | |
# | |
service auditd start | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:921" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is not running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Run the following command to determine the current status of the | |
<xhtml:code>auditd</xhtml:code> service: | |
<xhtml:pre># service auditd status</xhtml:pre> | |
If the service is enabled, it should return the following: <xhtml:pre>auditd is running...</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="enable_auditd_bootloader" selected="false" severity="medium"> | |
<title xml:lang="en-US">Enable Auditing for Processes Which Start Prior to the Audit Daemon</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To ensure all processes can be audited, even | |
those which start prior to the audit daemon, add the argument | |
<xhtml:code>audit=1</xhtml:code> to the kernel line in <xhtml:code>/etc/grub.conf</xhtml:code>, in the manner below: | |
<pre xmlns="http://www.w3.org/1999/xhtml">kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(1)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-10</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1464</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">130</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Each process on the system carries an "auditable" flag which | |
indicates whether its activities can be audited. Although <xhtml:code>auditd</xhtml:code> | |
takes care of enabling this for all processes which launch after it | |
does, adding the kernel argument ensures it is set for every | |
process during boot. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26785-6</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:320" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="auditing is not enabled at boot time" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Inspect the kernel boot arguments (which follow the word <xhtml:code>kernel</xhtml:code>) in | |
<xhtml:code>/etc/grub.conf</xhtml:code>. If they include <xhtml:code>audit=1</xhtml:code>, then | |
auditing is enabled at boot time. | |
</check-content> | |
</check> | |
</Rule> | |
<Group id="configure_auditd_data_retention"> | |
<title xml:lang="en-US">Configure auditd Data Retention</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The audit system writes data to <xhtml:code>/var/log/audit/audit.log</xhtml:code>. By default, | |
<xhtml:code>auditd</xhtml:code> rotates 5 logs by size (6MB), retaining a maximum of 30MB of | |
data in total, and refuses to write entries when the disk is too | |
full. This minimizes the risk of audit data filling its partition | |
and impacting other services. This also minimizes the risk of the audit | |
daemon temporarily disabling the system if it cannot write audit log (which | |
it can be configured to do). | |
For a busy | |
system or a system which is thoroughly auditing system activity, the default settings | |
for data retention may be | |
insufficient. The log file size needed will depend heavily on what types | |
of events are being audited. First configure auditing to log all the events of | |
interest. Then monitor the log size manually for awhile to determine what file | |
size will allow you to keep the required data for the correct time period. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
Using a dedicated partition for <xhtml:code>/var/log/audit</xhtml:code> prevents the | |
<xhtml:code>auditd</xhtml:code> logs from disrupting system functionality if they fill, and, | |
more importantly, prevents other activity in <xhtml:code>/var</xhtml:code> from filling the | |
partition and stopping the audit trail. (The audit logs are size-limited and | |
therefore unlikely to grow without bound unless configured to do so.) Some | |
machines may have requirements that no actions occur which cannot be audited. | |
If this is the case, then <xhtml:code>auditd</xhtml:code> can be configured to halt the machine | |
if it runs out of space. <b xmlns="http://www.w3.org/1999/xhtml">Note:</b> Since older logs are rotated, | |
configuring <xhtml:code>auditd</xhtml:code> this way does not prevent older logs from being | |
rotated away before they can be viewed. | |
<i xmlns="http://www.w3.org/1999/xhtml">If your system is configured to halt when logging cannot be performed, make | |
sure this can never happen under normal circumstances! Ensure that | |
<xhtml:code>/var/log/audit</xhtml:code> is on its own partition, and that this partition is | |
larger than the maximum amount of data <xhtml:code>auditd</xhtml:code> will retain | |
normally.</i> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-11</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">138</reference> | |
<Value id="var_auditd_num_logs" type="number"> | |
<title xml:lang="en-US">Number of log files for auditd to retain</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The setting for num_logs in /etc/audit/auditd.conf</description> | |
<value>5</value> | |
<value selector="5">5</value> | |
<value selector="4">4</value> | |
<value selector="3">3</value> | |
<value selector="2">2</value> | |
<value selector="1">1</value> | |
<value selector="0">0</value> | |
</Value> | |
<Value id="var_auditd_max_log_file" type="number"> | |
<title xml:lang="en-US">Maximum audit log file size for auditd</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The setting for max_log_size in /etc/audit/auditd.conf</description> | |
<value>6</value> | |
<value selector="20">20</value> | |
<value selector="10">10</value> | |
<value selector="6">6</value> | |
<value selector="5">5</value> | |
<value selector="1">1</value> | |
</Value> | |
<Value id="var_auditd_max_log_file_action" type="string"> | |
<title xml:lang="en-US">Action for auditd to take when log files reach their maximum size</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The setting for max_log_file_action in /etc/audit/auditd.conf</description> | |
<value>rotate</value> | |
<value selector="ignore">ignore</value> | |
<value selector="syslog">syslog</value> | |
<value selector="suspend">suspend</value> | |
<value selector="rotate">rotate</value> | |
<value selector="keep_logs">keep_logs</value> | |
</Value> | |
<Value id="var_auditd_space_left_action" type="string"> | |
<title xml:lang="en-US">Action for auditd to take when disk space just starts to run low</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The setting for space_left_action in /etc/audit/auditd.conf</description> | |
<value>email</value> | |
<value selector="ignore">ignore</value> | |
<value selector="syslog">syslog</value> | |
<value selector="email">email</value> | |
<value selector="exec">exec</value> | |
<value selector="suspend">suspend</value> | |
<value selector="single">single</value> | |
<value selector="halt">halt</value> | |
</Value> | |
<Value id="var_auditd_admin_space_left_action" type="string"> | |
<title xml:lang="en-US">Action for auditd to take when disk space just starts to run low</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The setting for space_left_action in /etc/audit/auditd.conf</description> | |
<value>single</value> | |
<value selector="ignore">ignore</value> | |
<value selector="syslog">syslog</value> | |
<value selector="email">email</value> | |
<value selector="exec">exec</value> | |
<value selector="suspend">suspend</value> | |
<value selector="single">single</value> | |
<value selector="halt">halt</value> | |
</Value> | |
<Value id="var_auditd_action_mail_acct" type="string"> | |
<title xml:lang="en-US">Account for auditd to send email when actions occurs</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The setting for action_mail_acct in /etc/audit/auditd.conf</description> | |
<value>root</value> | |
<value selector="root">root</value> | |
<value selector="admin">admin</value> | |
</Value> | |
<Rule id="configure_auditd_num_logs" selected="false" severity="medium"> | |
<title xml:lang="en-US">Configure auditd Number of Logs Retained</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Determine how many log files | |
<xhtml:code>auditd</xhtml:code> should retain when it rotates logs. | |
Edit the file <xhtml:code>/etc/audit/auditd.conf</xhtml:code>. Add or modify the following | |
line, substituting <i xmlns="http://www.w3.org/1999/xhtml">NUMLOGS</i> with the correct value: | |
<pre xmlns="http://www.w3.org/1999/xhtml">num_logs = <i>NUMLOGS</i></pre> | |
Set the value to 5 for general-purpose systems. | |
Note that values less than 2 result in no log rotation.</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-11</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The total storage for audit log files must be large enough to retain | |
log information over the period required. This is a function of the maximum log | |
file size and the number of logs retained.</rationale> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2270" value-id="var_auditd_num_logs"/> | |
<check-content-ref name="oval:ssg:def:1215" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the system log file retention has not been properly configured" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Inspect <xhtml:code>/etc/audit/auditd.conf</xhtml:code> and locate the following line to | |
determine how many logs the system is configured to retain after rotation: | |
<xhtml:code># grep num_logs /etc/audit/auditd.conf</xhtml:code> | |
<pre xmlns="http://www.w3.org/1999/xhtml">num_logs = 5</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="configure_auditd_max_log_file" selected="false" severity="medium"> | |
<title xml:lang="en-US">Configure auditd Max Log File Size</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Determine the amount of audit data (in megabytes) | |
which should be retained in each log file. Edit the file | |
<xhtml:code>/etc/audit/auditd.conf</xhtml:code>. Add or modify the following line, substituting | |
the correct value for <i xmlns="http://www.w3.org/1999/xhtml">STOREMB</i>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">max_log_file = <i>STOREMB</i></pre> | |
Set the value to <xhtml:code>6</xhtml:code> (MB) or higher for general-purpose systems. | |
Larger values, of course, | |
support retention of even more audit data.</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-11</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The total storage for audit log files must be large enough to retain | |
log information over the period required. This is a function of the maximum | |
log file size and the number of logs retained.</rationale> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2258" value-id="var_auditd_max_log_file"/> | |
<check-content-ref name="oval:ssg:def:628" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the system audit data threshold has not been properly configured" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Inspect <xhtml:code>/etc/audit/auditd.conf</xhtml:code> and locate the following line to | |
determine how much data the system will retain in each audit log file: | |
<xhtml:code># grep max_log_file /etc/audit/auditd.conf</xhtml:code> | |
<pre xmlns="http://www.w3.org/1999/xhtml">max_log_file = 6</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="configure_auditd_max_log_file_action" selected="false" severity="medium"> | |
<title xml:lang="en-US">Configure auditd max_log_file_action Upon Reaching Maximum Log Size</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> The default action to take when the logs reach their maximum size | |
is to rotate the log files, discarding the oldest one. To configure the action taken | |
by <xhtml:code>auditd</xhtml:code>, add or correct the line in <xhtml:code>/etc/audit/auditd.conf</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">max_log_file_action = <i>ACTION</i></pre> | |
Possible values for <i xmlns="http://www.w3.org/1999/xhtml">ACTION</i> are described in the <xhtml:code>auditd.conf</xhtml:code> man | |
page. These include: | |
<ul xmlns="http://www.w3.org/1999/xhtml"><li><xhtml:code>ignore</xhtml:code></li><li><xhtml:code>syslog</xhtml:code></li><li><xhtml:code>suspend</xhtml:code></li><li><xhtml:code>rotate</xhtml:code></li><li><xhtml:code>keep_logs</xhtml:code></li></ul> | |
Set the <xhtml:code><i xmlns="http://www.w3.org/1999/xhtml">ACTION</i></xhtml:code> to <xhtml:code>rotate</xhtml:code> to ensure log rotation | |
occurs. This is the default. The setting is case-insensitive. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-4</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-11</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Automatically rotating logs (by setting this to <xhtml:code>rotate</xhtml:code>) | |
minimizes the chances of the system unexpectedly running out of disk space by | |
being overwhelmed with log data. However, for systems that must never discard | |
log data, or which use external processes to transfer it and reclaim space, | |
<xhtml:code>keep_logs</xhtml:code> can be employed.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27237-7</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2268" value-id="var_auditd_max_log_file_action"/> | |
<check-content-ref name="oval:ssg:def:1108" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the system has not been properly configured to rotate audit logs" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Inspect <xhtml:code>/etc/audit/auditd.conf</xhtml:code> and locate the following line to | |
determine if the system is configured to rotate logs when they reach their | |
maximum size: | |
<xhtml:code># grep max_log_file_action /etc/audit/auditd.conf</xhtml:code> | |
<pre xmlns="http://www.w3.org/1999/xhtml">max_log_file_action <xhtml:code>rotate</xhtml:code></pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="auditd_data_retention_space_left_action" selected="false" severity="medium"> | |
<title xml:lang="en-US">Configure auditd space_left Action on Low Disk Space</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>auditd</xhtml:code> service can be configured to take an action | |
when disk space <i xmlns="http://www.w3.org/1999/xhtml">starts</i> to run low. | |
Edit the file <xhtml:code>/etc/audit/auditd.conf</xhtml:code>. Modify the following line, | |
substituting <i xmlns="http://www.w3.org/1999/xhtml">ACTION</i> appropriately: | |
<pre xmlns="http://www.w3.org/1999/xhtml">space_left_action = <i>ACTION</i></pre> | |
Possible values for <i xmlns="http://www.w3.org/1999/xhtml">ACTION</i> are described in the <xhtml:code>auditd.conf</xhtml:code> man page. | |
These include: | |
<ul xmlns="http://www.w3.org/1999/xhtml"><li><xhtml:code>ignore</xhtml:code></li><li><xhtml:code>syslog</xhtml:code></li><li><xhtml:code>email</xhtml:code></li><li><xhtml:code>exec</xhtml:code></li><li><xhtml:code>suspend</xhtml:code></li><li><xhtml:code>single</xhtml:code></li><li><xhtml:code>halt</xhtml:code></li></ul> | |
Set this to <xhtml:code>email</xhtml:code> (instead of the default, | |
which is <xhtml:code>suspend</xhtml:code>) as it is more likely to get prompt attention. Acceptable values | |
also include <xhtml:code>suspend</xhtml:code>, <xhtml:code>single</xhtml:code>, and <xhtml:code>halt</xhtml:code>. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-4</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-5(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">140</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">143</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Notifying administrators of an impending disk space problem may | |
allow them to take corrective action prior to any disruption.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27238-5</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2241" value-id="var_auditd_space_left_action"/> | |
<check-content-ref name="oval:ssg:def:156" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the system is not configured to send an email to the system administrator when disk space is starting to run low" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Inspect <xhtml:code>/etc/audit/auditd.conf</xhtml:code> and locate the following line to | |
determine if the system is configured to email the administrator when | |
disk space is starting to run low: | |
<xhtml:code># grep space_left_action /etc/audit/auditd.conf</xhtml:code> | |
<pre xmlns="http://www.w3.org/1999/xhtml">space_left_action</pre> | |
Acceptable values are <xhtml:code>email</xhtml:code>, <xhtml:code>suspend</xhtml:code>, <xhtml:code>single</xhtml:code>, and <xhtml:code>halt</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="auditd_data_retention_admin_space_left_action" selected="false" severity="medium"> | |
<title xml:lang="en-US">Configure auditd admin_space_left Action on Low Disk Space</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>auditd</xhtml:code> service can be configured to take an action | |
when disk space is running low but prior to running out of space completely. | |
Edit the file <xhtml:code>/etc/audit/auditd.conf</xhtml:code>. Add or modify the following line, | |
substituting <i xmlns="http://www.w3.org/1999/xhtml">ACTION</i> appropriately: | |
<pre xmlns="http://www.w3.org/1999/xhtml">admin_space_left_action = <i>ACTION</i></pre> | |
Set this value to <xhtml:code>single</xhtml:code> to cause the system to switch to single user | |
mode for corrective action. Acceptable values also include <xhtml:code>suspend</xhtml:code> and | |
<xhtml:code>halt</xhtml:code>. For certain systems, the need for availability | |
outweighs the need to log all actions, and a different setting should be | |
determined. Details regarding all possible values for <i xmlns="http://www.w3.org/1999/xhtml">ACTION</i> are described in the | |
<xhtml:code>auditd.conf</xhtml:code> man page. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-4</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-5(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">140</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1343</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Administrators should be made aware of an inability to record | |
audit records. If a separate partition or logical volume of adequate size | |
is used, running low on space for audit records should never occur. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27239-3</ident> | |
<fix system="urn:xccdf:fix:script:sh">var_auditd_admin_space_left_action="<sub idref="var_auditd_admin_space_left_action"/>" | |
grep -q ^admin_space_left_action /etc/audit/auditd.conf && \ | |
sed -i "s/admin_space_left_action.*/admin_space_left_action = $var_auditd_space_left_action/g" /etc/audit/auditd.conf | |
if ! [ $? -eq 0 ]; then | |
echo "admin_space_left_action = $var_auditd_space_left_action" >> /etc/audit/auditd.conf | |
fi | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2249" value-id="var_auditd_admin_space_left_action"/> | |
<check-content-ref name="oval:ssg:def:419" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the system is not configured to switch to single user mode for corrective action" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Inspect <xhtml:code>/etc/audit/auditd.conf</xhtml:code> and locate the following line to | |
determine if the system is configured to either suspend, switch to single user mode, | |
or halt when disk space has run low: | |
<pre xmlns="http://www.w3.org/1999/xhtml">admin_space_left_action single</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="auditd_data_retention_action_mail_acct" selected="false" severity="medium"> | |
<title xml:lang="en-US">Configure auditd mail_acct Action on Low Disk Space</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>auditd</xhtml:code> service can be configured to send email to | |
a designated account in certain situations. Add or correct the following line | |
in <xhtml:code>/etc/audit/auditd.conf</xhtml:code> to ensure that administrators are notified | |
via email for those situations: | |
<pre xmlns="http://www.w3.org/1999/xhtml">action_mail_acct = root</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-4</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-5(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">139</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">144</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Email sent to the root account is typically aliased to the | |
administrators of the system, who can take appropriate action.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27241-9</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2246" value-id="var_auditd_action_mail_acct"/> | |
<check-content-ref name="oval:ssg:def:393" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="auditd is not configured to send emails per identified actions" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Inspect <xhtml:code>/etc/audit/auditd.conf</xhtml:code> and locate the following line to | |
determine if the system is configured to send email to an | |
account when it needs to notify an administrator: | |
<pre xmlns="http://www.w3.org/1999/xhtml">action_mail_acct = root</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="configure_auditd_audispd" selected="false" severity="medium"> | |
<title xml:lang="en-US">Configure auditd to use audispd plugin</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To configure the <xhtml:code>auditd</xhtml:code> service to use the | |
<xhtml:code>audispd</xhtml:code> plugin, set the <xhtml:code>active</xhtml:code> line in | |
<xhtml:code>/etc/audisp/plugins.d/syslog.conf</xhtml:code> to <xhtml:code>yes</xhtml:code>. | |
Restart the <xhtml:code>auditd</xhtml:code>service: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># service auditd restart</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-3(2)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">136</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The auditd service does not include the ability to send audit | |
records to a centralized server for management directly. It does, however, | |
include an audit event multiplexor plugin (audispd) to pass audit records | |
to the local syslog server</rationale> | |
<check system="ocil-transitional"> | |
<check-export export-name="it is not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To verify the audispd plugin is active, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># grep active /etc/audisp/plugins.d/syslog.conf</pre> | |
If the plugin is active, the output will show <xhtml:code>yes</xhtml:code>. | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
<Group id="auditd_configure_rules"> | |
<title xml:lang="en-US">Configure auditd Rules for Comprehensive Auditing</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>auditd</xhtml:code> program can perform comprehensive | |
monitoring of system activity. This section describes recommended | |
configuration settings for comprehensive auditing, but a full | |
description of the auditing system's capabilities is beyond the | |
scope of this guide. The mailing list <i xmlns="http://www.w3.org/1999/xhtml">linux-audit@redhat.com</i> exists | |
to facilitate community discussion of the auditing system. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
The audit subsystem supports extensive collection of events, including: | |
<br xmlns="http://www.w3.org/1999/xhtml"/> | |
<ul xmlns="http://www.w3.org/1999/xhtml"><li>Tracing of arbitrary system calls (identified by name or number) | |
on entry or exit.</li><li>Filtering by PID, UID, call success, system call argument (with | |
some limitations), etc.</li><li>Monitoring of specific files for modifications to the file's | |
contents or metadata.</li></ul> | |
<br xmlns="http://www.w3.org/1999/xhtml"/> | |
Auditing rules at startup are controlled by the file <xhtml:code>/etc/audit/audit.rules</xhtml:code>. | |
Add rules to it to meet the auditing requirements for your organization. | |
Each line in <xhtml:code>/etc/audit/audit.rules</xhtml:code> represents a series of arguments | |
that can be passed to <xhtml:code>auditctl</xhtml:code> and can be individually tested | |
during runtime. See documentation in <xhtml:code>/usr/share/doc/audit-<i xmlns="http://www.w3.org/1999/xhtml">VERSION</i></xhtml:code> and | |
in the related man pages for more details. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
If copying any example audit rulesets from <xhtml:code>/usr/share/doc/audit-VERSION</xhtml:code>, | |
be sure to comment out the | |
lines containing <xhtml:code>arch=</xhtml:code> which are not appropriate for your system's | |
architecture. Then review and understand the following rules, | |
ensuring rules are activated as needed for the appropriate | |
architecture. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
After reviewing all the rules, reading the following sections, and | |
editing as needed, the new rules can be activated as follows: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># service auditd restart</pre> | |
</description> | |
<Group id="audit_time_rules"> | |
<title xml:lang="en-US">Records Events that Modify Date and Time Information</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Arbitrary changes to the system time can be used to obfuscate | |
nefarious activities in log files, as well as to confuse network services that | |
are highly dependent upon an accurate system time. All changes to the system | |
time should be audited.</description> | |
<Rule id="audit_rules_time_adjtimex" selected="false" severity="low"> | |
<title xml:lang="en-US">Record attempts to alter time through adjtimex</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">On a 32-bit system, add the following to <xhtml:code>/etc/audit/audit.rules</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># audit_time_rules | |
-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules</pre> | |
On a 64-bit system, add the following to <xhtml:code>/etc/audit/audit.rules</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># audit_time_rules | |
-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules</pre> | |
The -k option allows for the specification of a key in string form that can | |
be used for better reporting capability through ausearch and aureport. | |
Multiple system calls can be defined on the same line to save space if | |
desired, but is not required. See an example of multiple combined syscalls: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime | |
-k audit_time_rules</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(7)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1487</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">169</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Arbitrary changes to the system time can be used to obfuscate | |
nefarious activities in log files, as well as to confuse network services that | |
are highly dependent upon an accurate system time (such as sshd). All changes | |
to the system time should be audited.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26242-8</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:865" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the system is not configured to audit time changes" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To determine if the system is configured to audit calls to | |
the <xhtml:code>adjtimex</xhtml:code> | |
system call, run the following command: | |
<xhtml:pre xml:space="preserve"># auditctl -l | grep syscall | grep adjtimex</xhtml:pre> | |
If the system is configured to audit this activity, it will return a line. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="audit_rules_time_settimeofday" selected="false" severity="low"> | |
<title xml:lang="en-US">Record attempts to alter time through settimeofday</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">On a 32-bit system, add the following to <xhtml:code>/etc/audit/audit.rules</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># audit_time_rules | |
-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules</pre> | |
On a 64-bit system, add the following to <xhtml:code>/etc/audit/audit.rules</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># audit_time_rules | |
-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules</pre> | |
The -k option allows for the specification of a key in string form that can | |
be used for better reporting capability through ausearch and aureport. | |
Multiple system calls can be defined on the same line to save space if | |
desired, but is not required. See an example of multiple combined syscalls: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime | |
-k audit_time_rules</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(7)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1487</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">169</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Arbitrary changes to the system time can be used to obfuscate | |
nefarious activities in log files, as well as to confuse network services that | |
are highly dependent upon an accurate system time (such as sshd). All changes | |
to the system time should be audited.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27203-9</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:1212" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the system is not configured to audit time changes" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To determine if the system is configured to audit calls to | |
the <xhtml:code>settimeofday</xhtml:code> | |
system call, run the following command: | |
<xhtml:pre xml:space="preserve"># auditctl -l | grep syscall | grep settimeofday</xhtml:pre> | |
If the system is configured to audit this activity, it will return a line. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="audit_rules_time_stime" selected="false" severity="low"> | |
<title xml:lang="en-US">Record Attempts to Alter Time Through stime</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">On a 32-bit system, add the following to <xhtml:code>/etc/audit/audit.rules</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># audit_time_rules | |
-a always,exit -F arch=b32 -S stime -k audit_time_rules</pre> | |
On a 64-bit system, the "-S stime" is not necessary. The -k option allows for | |
the specification of a key in string form that can be used for better | |
reporting capability through ausearch and aureport. Multiple system calls | |
can be defined on the same line to save space if desired, but is not required. | |
See an example of multiple combined syscalls: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime | |
-k audit_time_rules</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(7)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1487</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">169</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Arbitrary changes to the system time can be used to obfuscate | |
nefarious activities in log files, as well as to confuse network services that | |
are highly dependent upon an accurate system time (such as sshd). All changes | |
to the system time should be audited.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27169-2</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:309" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the system is not configured to audit time changes" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To determine if the system is configured to audit calls to | |
the <xhtml:code>stime</xhtml:code> | |
system call, run the following command: | |
<xhtml:pre xml:space="preserve"># auditctl -l | grep syscall | grep stime</xhtml:pre> | |
If the system is configured to audit this activity, it will return a line. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="audit_rules_time_clock_settime" selected="false" severity="low"> | |
<title xml:lang="en-US">Record Attempts to Alter Time Through clock_settime</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">On a 32-bit system, add the following to <xhtml:code>/etc/audit/audit.rules</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># audit_time_rules | |
-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules</pre> | |
On a 64-bit system, add the following to <xhtml:code>/etc/audit/audit.rules</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># audit_time_rules | |
-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules</pre> | |
The -k option allows for the specification of a key in string form that can | |
be used for better reporting capability through ausearch and aureport. | |
Multiple system calls can be defined on the same line to save space if | |
desired, but is not required. See an example of multiple combined syscalls: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime | |
-k audit_time_rules</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(7)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1487</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">169</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Arbitrary changes to the system time can be used to obfuscate | |
nefarious activities in log files, as well as to confuse network services that | |
are highly dependent upon an accurate system time (such as sshd). All changes | |
to the system time should be audited.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27170-0</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:452" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the system is not configured to audit time changes" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To determine if the system is configured to audit calls to | |
the <xhtml:code>clock_settime</xhtml:code> | |
system call, run the following command: | |
<xhtml:pre xml:space="preserve"># auditctl -l | grep syscall | grep clock_settime</xhtml:pre> | |
If the system is configured to audit this activity, it will return a line. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="audit_rules_time_watch_localtime" selected="false" severity="low"> | |
<title xml:lang="en-US">Record Attempts to Alter the localtime File</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Add the following to <xhtml:code>/etc/audit/audit.rules</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-w /etc/localtime -p wa -k audit_time_rules</pre> | |
The -k option allows for the specification of a key in string form that can | |
be used for better reporting capability through ausearch and aureport and | |
should always be used. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(7)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1487</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">169</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Arbitrary changes to the system time can be used to obfuscate | |
nefarious activities in log files, as well as to confuse network services that | |
are highly dependent upon an accurate system time (such as sshd). All changes | |
to the system time should be audited.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27172-6</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:758" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the system is not configured to audit time changes" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To determine if the system is configured to audit attempts to | |
alter time via the /etc/localtime file, run the following | |
command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># auditctl -l | grep "watch=/etc/localtime"</pre> | |
If the system is configured to audit this activity, it will return a line. | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
<Rule id="audit_account_changes" selected="false" severity="low"> | |
<title xml:lang="en-US">Record Events that Modify User/Group Information</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Add the following to <xhtml:code>/etc/audit/audit.rules</xhtml:code>, in order | |
to capture events that modify account changes: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># audit_account_changes | |
-w /etc/group -p wa -k audit_account_changes | |
-w /etc/passwd -p wa -k audit_account_changes | |
-w /etc/gshadow -p wa -k audit_account_changes | |
-w /etc/shadow -p wa -k audit_account_changes | |
-w /etc/security/opasswd -p wa -k audit_account_changes</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-2(4)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(7)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">18</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1403</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1404</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1405</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1684</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1683</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1685</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1686</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">In addition to auditing new user and group accounts, these watches | |
will alert the system administrator(s) to any modifications. Any | |
unexpected users, groups, or modifications should be investigated for | |
legitimacy.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26664-3</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:1052" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the system is not configured to audit account changes" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To determine if the system is configured to audit account changes, | |
run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml">auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)'</pre> | |
If the system is configured to watch for account changes, lines should be returned for | |
each file specified (and with <xhtml:code>perm=wa</xhtml:code> for each). | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="audit_network_modifications" selected="false" severity="low"> | |
<title xml:lang="en-US">Record Events that Modify the System's Network Environment</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Add the following to <xhtml:code>/etc/audit/audit.rules</xhtml:code>, setting | |
ARCH to either b32 or b64 as appropriate for your system: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># audit_network_modifications | |
-a always,exit -F arch=ARCH -S sethostname -S setdomainname -k audit_network_modifications | |
-w /etc/issue -p wa -k audit_network_modifications | |
-w /etc/issue.net -p wa -k audit_network_modifications | |
-w /etc/hosts -p wa -k audit_network_modifications | |
-w /etc/sysconfig/network -p wa -k audit_network_modifications</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(7)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The network environment should not be modified by anything other | |
than administrator action. Any change to network parameters should be | |
audited.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26648-6</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:1063" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the system is not configured to audit changes of the network configuration" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To determine if the system is configured to audit changes to its network configuration, | |
run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml">auditctl -l | egrep '(/etc/issue|/etc/issue.net|/etc/hosts|/etc/sysconfig/network)'</pre> | |
If the system is configured to watch for network configuration changes, a line should be returned for | |
each file specified (and <xhtml:code>perm=wa</xhtml:code> should be indicated for each). | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="audit_logs_permissions" selected="false" severity="low"> | |
<title xml:lang="en-US">System Audit Logs Must Have Mode 0640 or Less Permissive</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Change the mode of the audit log files with the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># chmod 0640 <i>audit_file</i></pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-9</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">166</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
If users can write to audit logs, audit trails can be modified or destroyed. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27243-5</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:953" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="any are more permissive" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Run the following command to check the mode of the system audit logs: | |
<pre xmlns="http://www.w3.org/1999/xhtml">ls -l /var/log/audit</pre> | |
Audit logs must be mode 0640 or less permissive. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="audit_logs_rootowner" selected="false" severity="low"> | |
<title xml:lang="en-US">System Audit Logs Must Be Owned By Root</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To properly set the owner of <xhtml:code>/var/log</xhtml:code>, run the command: | |
<xhtml:pre xml:space="preserve"># chown root /var/log </xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-9</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">166</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Failure to give ownership of the audit log files to root allows the designated | |
owner, and unauthorized users, potential access to sensitive information.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27244-3</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:194" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it does not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check the ownership of <xhtml:code>/var/log</xhtml:code>, run the command: | |
<xhtml:pre>$ ls -lL /var/log</xhtml:pre> | |
If properly configured, the output should indicate the following owner: | |
<xhtml:code>root</xhtml:code> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="audit_mac_changes" selected="false" severity="low"> | |
<title xml:lang="en-US">Record Events that Modify the System's Mandatory Access Controls</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Add the following to <xhtml:code>/etc/audit/audit.rules</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-w /etc/selinux/ -p wa -k MAC-policy</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(7)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The system's mandatory access policy (SELinux) should not be | |
arbitrarily changed by anything other than administrator action. All changes to | |
MAC policy should be audited.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26657-7</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:1007" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the system is not configured to audit attempts to change the MAC policy" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To determine if the system is configured to audit changes to its SELinux | |
configuration files, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># auditctl -l | grep "dir=/etc/selinux"</pre> | |
If the system is configured to watch for changes to its SELinux | |
configuration, a line should be returned (including | |
<xhtml:code>perm=wa</xhtml:code> indicating permissions that are watched). | |
</check-content> | |
</check> | |
</Rule> | |
<Group id="audit_dac_actions"> | |
<title xml:lang="en-US">Record Events that Modify the System's Discretionary Access Controls</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect file permission | |
changes for all users and root. Note that the "-F arch=b32" lines should be | |
present even on a 64 bit system. These commands identify system calls for | |
auditing. Even if the system is 64 bit it can still execute 32 bit system | |
calls. Additionally, these rules can be configured in a number of ways while | |
still achieving the desired effect. An example of this is that the "-S" calls | |
could be split up and placed on separate lines, however, this is less efficient. | |
Add the following to <xhtml:code>/etc/audit/audit.rules</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod | |
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod | |
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> | |
If your system is 64 bit then these lines should be duplicated and the | |
arch=b32 replaced with arch=b64 as follows: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod | |
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod | |
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> | |
</description> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The changing of file permissions could indicate that a user is | |
attempting to gain access to information that would otherwise be disallowed. | |
Auditing DAC modifications can facilitate the identification of patterns of | |
abuse among both authorized and unauthorized users.</rationale> | |
<Rule id="audit_rules_dac_modification_chmod" selected="false" severity="low"> | |
<title xml:lang="en-US">Record Events that Modify the System's Discretionary Access Controls - chmod</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect file | |
permission changes for all users and root. Add the following to | |
<xhtml:code>/etc/audit/audit.rules</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> | |
If the system is 64 bit then also add the following: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> | |
</description> | |
<warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="false" category="general">Note that these rules can be configured in a | |
number of ways while still achieving the desired effect. Here the system calls | |
have been placed independent of other system calls. Grouping these system | |
calls with others as identifying earlier in this guide is more efficient. | |
</warning> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(7)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">126</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The changing of file permissions could indicate that a user is attempting to | |
gain access to information that would otherwise be disallowed. Auditing DAC modifications | |
can facilitate the identification of patterns of abuse among both authorized and | |
unauthorized users.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26280-8</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:480" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the system is not configured to audit permission changes" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To determine if the system is configured to audit calls to | |
the <xhtml:code>chmod</xhtml:code> | |
system call, run the following command: | |
<xhtml:pre xml:space="preserve"># auditctl -l | grep syscall | grep chmod</xhtml:pre> | |
If the system is configured to audit this activity, it will return a line. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="audit_rules_dac_modification_chown" selected="false" severity="low"> | |
<title xml:lang="en-US">Record Events that Modify the System's Discretionary Access Controls - chown</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect file | |
permission changes for all users and root. Add the following to | |
<xhtml:code>/etc/audit/audit.rules</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> | |
If the system is 64 bit then also add the following: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> | |
</description> | |
<warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="false" category="general">Note that these rules can be configured in a | |
number of ways while still achieving the desired effect. Here the system calls | |
have been placed independent of other system calls. Grouping these system | |
calls with others as identifying earlier in this guide is more efficient. | |
</warning> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(7)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">126</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The changing of file permissions could indicate that a user is attempting to | |
gain access to information that would otherwise be disallowed. Auditing DAC modifications | |
can facilitate the identification of patterns of abuse among both authorized and | |
unauthorized users.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27173-4</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:438" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="no line is returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To determine if the system is configured to audit calls to | |
the <xhtml:code>chown</xhtml:code> | |
system call, run the following command: | |
<xhtml:pre xml:space="preserve"># auditctl -l | grep syscall | grep chown</xhtml:pre> | |
If the system is configured to audit this activity, it will return a line. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="audit_rules_dac_modification_fchmod" selected="false" severity="low"> | |
<title xml:lang="en-US">Record Events that Modify the System's Discretionary Access Controls - fchmod</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect file | |
permission changes for all users and root. Add the following to | |
<xhtml:code>/etc/audit/audit.rules</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> | |
If the system is 64 bit then also add the following: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> | |
</description> | |
<warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="false" category="general">Note that these rules can be configured in a | |
number of ways while still achieving the desired effect. Here the system calls | |
have been placed independent of other system calls. Grouping these system | |
calls with others as identifying earlier in this guide is more efficient. | |
</warning> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(7)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">126</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The changing of file permissions could indicate that a user is attempting to | |
gain access to information that would otherwise be disallowed. Auditing DAC modifications | |
can facilitate the identification of patterns of abuse among both authorized and | |
unauthorized users.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27174-2</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:555" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="no line is returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To determine if the system is configured to audit calls to | |
the <xhtml:code>fchmod</xhtml:code> | |
system call, run the following command: | |
<xhtml:pre xml:space="preserve"># auditctl -l | grep syscall | grep fchmod</xhtml:pre> | |
If the system is configured to audit this activity, it will return a line. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="audit_rules_dac_modification_fchmodat" selected="false" severity="low"> | |
<title xml:lang="en-US">Record Events that Modify the System's Discretionary Access Controls - fchmodat</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect file | |
permission changes for all users and root. Add the following to | |
<xhtml:code>/etc/audit/audit.rules</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> | |
If the system is 64 bit then also add the following: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> | |
</description> | |
<warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="false" category="general">Note that these rules can be configured in a | |
number of ways while still achieving the desired effect. Here the system calls | |
have been placed independent of other system calls. Grouping these system | |
calls with others as identifying earlier in this guide is more efficient. | |
</warning> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(7)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">126</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The changing of file permissions could indicate that a user is attempting to | |
gain access to information that would otherwise be disallowed. Auditing DAC modifications | |
can facilitate the identification of patterns of abuse among both authorized and | |
unauthorized users.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27175-9</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:197" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="no line is returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To determine if the system is configured to audit calls to | |
the <xhtml:code>fchmodat</xhtml:code> | |
system call, run the following command: | |
<xhtml:pre xml:space="preserve"># auditctl -l | grep syscall | grep fchmodat</xhtml:pre> | |
If the system is configured to audit this activity, it will return a line. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="audit_rules_dac_modification_fchown" selected="false" severity="low"> | |
<title xml:lang="en-US">Record Events that Modify the System's Discretionary Access Controls - fchown</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect file | |
permission changes for all users and root. Add the following to | |
<xhtml:code>/etc/audit/audit.rules</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> | |
If the system is 64 bit then also add the following: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> | |
</description> | |
<warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="false" category="general">Note that these rules can be configured in a | |
number of ways while still achieving the desired effect. Here the system calls | |
have been placed independent of other system calls. Grouping these system | |
calls with others as identifying earlier in this guide is more efficient. | |
</warning> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(7)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">126</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The changing of file permissions could indicate that a user is attempting to | |
gain access to information that would otherwise be disallowed. Auditing DAC modifications | |
can facilitate the identification of patterns of abuse among both authorized and | |
unauthorized users.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27177-5</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:558" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="no line is returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To determine if the system is configured to audit calls to | |
the <xhtml:code>fchown</xhtml:code> | |
system call, run the following command: | |
<xhtml:pre xml:space="preserve"># auditctl -l | grep syscall | grep fchown</xhtml:pre> | |
If the system is configured to audit this activity, it will return a line. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="audit_rules_dac_modification_fchownat" selected="false" severity="low"> | |
<title xml:lang="en-US">Record Events that Modify the System's Discretionary Access Controls - fchownat</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect file | |
permission changes for all users and root. Add the following to | |
<xhtml:code>/etc/audit/audit.rules</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> | |
If the system is 64 bit then also add the following: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> | |
</description> | |
<warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="false" category="general">Note that these rules can be configured in a | |
number of ways while still achieving the desired effect. Here the system calls | |
have been placed independent of other system calls. Grouping these system | |
calls with others as identifying earlier in this guide is more efficient. | |
</warning> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(7)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">126</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The changing of file permissions could indicate that a user is attempting to | |
gain access to information that would otherwise be disallowed. Auditing DAC modifications | |
can facilitate the identification of patterns of abuse among both authorized and | |
unauthorized users.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27178-3</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:212" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="no line is returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To determine if the system is configured to audit calls to | |
the <xhtml:code>fchownat</xhtml:code> | |
system call, run the following command: | |
<xhtml:pre xml:space="preserve"># auditctl -l | grep syscall | grep fchownat</xhtml:pre> | |
If the system is configured to audit this activity, it will return a line. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="audit_rules_dac_modification_fremovexattr" selected="false" severity="low"> | |
<title xml:lang="en-US">Record Events that Modify the System's Discretionary Access Controls - fremovexattr</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect file | |
permission changes for all users and root. Add the following to | |
<xhtml:code>/etc/audit/audit.rules</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> | |
If the system is 64 bit then also add the following: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> | |
</description> | |
<warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="false" category="general">Note that these rules can be configured in a | |
number of ways while still achieving the desired effect. Here the system calls | |
have been placed independent of other system calls. Grouping these system | |
calls with others as identifying earlier in this guide is more efficient. | |
</warning> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(7)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">126</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The changing of file permissions could indicate that a user is attempting to | |
gain access to information that would otherwise be disallowed. Auditing DAC modifications | |
can facilitate the identification of patterns of abuse among both authorized and | |
unauthorized users.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27179-1</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:425" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="no line is returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To determine if the system is configured to audit calls to | |
the <xhtml:code>fremovexattr</xhtml:code> | |
system call, run the following command: | |
<xhtml:pre xml:space="preserve"># auditctl -l | grep syscall | grep fremovexattr</xhtml:pre> | |
If the system is configured to audit this activity, it will return a line. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="audit_rules_dac_modification_fsetxattr" selected="false" severity="low"> | |
<title xml:lang="en-US">Record Events that Modify the System's Discretionary Access Controls - fsetxattr</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect file | |
permission changes for all users and root. Add the following to | |
<xhtml:code>/etc/audit/audit.rules</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> | |
If the system is 64 bit then also add the following: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> | |
</description> | |
<warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="false" category="general">Note that these rules can be configured in a | |
number of ways while still achieving the desired effect. Here the system calls | |
have been placed independent of other system calls. Grouping these system | |
calls with others as identifying earlier in this guide is more efficient. | |
</warning> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(7)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">126</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The changing of file permissions could indicate that a user is attempting to | |
gain access to information that would otherwise be disallowed. Auditing DAC modifications | |
can facilitate the identification of patterns of abuse among both authorized and | |
unauthorized users.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27180-9</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:1105" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="no line is returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To determine if the system is configured to audit calls to | |
the <xhtml:code>fsetxattr</xhtml:code> | |
system call, run the following command: | |
<xhtml:pre xml:space="preserve"># auditctl -l | grep syscall | grep fsetxattr</xhtml:pre> | |
If the system is configured to audit this activity, it will return a line. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="audit_rules_dac_modification_lchown" selected="false" severity="low"> | |
<title xml:lang="en-US">Record Events that Modify the System's Discretionary Access Controls - lchown</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect file | |
permission changes for all users and root. Add the following to | |
<xhtml:code>/etc/audit/audit.rules</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> | |
If the system is 64 bit then also add the following: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> | |
</description> | |
<warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="false" category="general">Note that these rules can be configured in a | |
number of ways while still achieving the desired effect. Here the system calls | |
have been placed independent of other system calls. Grouping these system | |
calls with others as identifying earlier in this guide is more efficient. | |
</warning> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(7)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">126</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The changing of file permissions could indicate that a user is attempting to | |
gain access to information that would otherwise be disallowed. Auditing DAC modifications | |
can facilitate the identification of patterns of abuse among both authorized and | |
unauthorized users.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27181-7</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:749" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="no line is returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To determine if the system is configured to audit calls to | |
the <xhtml:code>lchown</xhtml:code> | |
system call, run the following command: | |
<xhtml:pre xml:space="preserve"># auditctl -l | grep syscall | grep lchown</xhtml:pre> | |
If the system is configured to audit this activity, it will return a line. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="audit_rules_dac_modification_lremovexattr" selected="false" severity="low"> | |
<title xml:lang="en-US">Record Events that Modify the System's Discretionary Access Controls - lremovexattr</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect file | |
permission changes for all users and root. Add the following to | |
<xhtml:code>/etc/audit/audit.rules</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> | |
If the system is 64 bit then also add the following: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> | |
</description> | |
<warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="false" category="general">Note that these rules can be configured in a | |
number of ways while still achieving the desired effect. Here the system calls | |
have been placed independent of other system calls. Grouping these system | |
calls with others as identifying earlier in this guide is more efficient. | |
</warning> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(7)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">126</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The changing of file permissions could indicate that a user is attempting to | |
gain access to information that would otherwise be disallowed. Auditing DAC modifications | |
can facilitate the identification of patterns of abuse among both authorized and | |
unauthorized users.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27182-5</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:938" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="no line is returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To determine if the system is configured to audit calls to | |
the <xhtml:code>lremovexattr</xhtml:code> | |
system call, run the following command: | |
<xhtml:pre xml:space="preserve"># auditctl -l | grep syscall | grep lremovexattr</xhtml:pre> | |
If the system is configured to audit this activity, it will return a line. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="audit_rules_dac_modification_lsetxattr" selected="false" severity="low"> | |
<title xml:lang="en-US">Record Events that Modify the System's Discretionary Access Controls - lsetxattr</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect file | |
permission changes for all users and root. Add the following to | |
<xhtml:code>/etc/audit/audit.rules</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> | |
If the system is 64 bit then also add the following: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> | |
</description> | |
<warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="false" category="general">Note that these rules can be configured in a | |
number of ways while still achieving the desired effect. Here the system calls | |
have been placed independent of other system calls. Grouping these system | |
calls with others as identifying earlier in this guide is more efficient. | |
</warning> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(7)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">126</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The changing of file permissions could indicate that a user is attempting to | |
gain access to information that would otherwise be disallowed. Auditing DAC modifications | |
can facilitate the identification of patterns of abuse among both authorized and | |
unauthorized users.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27183-3</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:1024" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="no line is returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To determine if the system is configured to audit calls to | |
the <xhtml:code>lsetxattr</xhtml:code> | |
system call, run the following command: | |
<xhtml:pre xml:space="preserve"># auditctl -l | grep syscall | grep lsetxattr</xhtml:pre> | |
If the system is configured to audit this activity, it will return a line. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="audit_rules_dac_modification_removexattr" selected="false" severity="low"> | |
<title xml:lang="en-US">Record Events that Modify the System's Discretionary Access Controls - removexattr</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect file | |
permission changes for all users and root. Add the following to | |
<xhtml:code>/etc/audit/audit.rules</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> | |
If the system is 64 bit then also add the following: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> | |
</description> | |
<warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="false" category="general">Note that these rules can be configured in a | |
number of ways while still achieving the desired effect. Here the system calls | |
have been placed independent of other system calls. Grouping these system | |
calls with others as identifying earlier in this guide is more efficient. | |
</warning> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(7)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">126</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The changing of file permissions could indicate that a user is attempting to | |
gain access to information that would otherwise be disallowed. Auditing DAC modifications | |
can facilitate the identification of patterns of abuse among both authorized and | |
unauthorized users.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27184-1</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:885" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="no line is returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To determine if the system is configured to audit calls to | |
the <xhtml:code>removexattr</xhtml:code> | |
system call, run the following command: | |
<xhtml:pre xml:space="preserve"># auditctl -l | grep syscall | grep removexattr</xhtml:pre> | |
If the system is configured to audit this activity, it will return a line. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="audit_rules_dac_modification_setxattr" selected="false" severity="low"> | |
<title xml:lang="en-US">Record Events that Modify the System's Discretionary Access Controls - setxattr</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect file | |
permission changes for all users and root. Add the following to | |
<xhtml:code>/etc/audit/audit.rules</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> | |
If the system is 64 bit then also add the following: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> | |
</description> | |
<warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="false" category="general">Note that these rules can be configured in a | |
number of ways while still achieving the desired effect. Here the system calls | |
have been placed independent of other system calls. Grouping these system | |
calls with others as identifying earlier in this guide is more efficient. | |
</warning> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(7)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">126</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The changing of file permissions could indicate that a user is attempting to | |
gain access to information that would otherwise be disallowed. Auditing DAC modifications | |
can facilitate the identification of patterns of abuse among both authorized and | |
unauthorized users.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27185-8</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:888" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="no line is returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To determine if the system is configured to audit calls to | |
the <xhtml:code>setxattr</xhtml:code> | |
system call, run the following command: | |
<xhtml:pre xml:space="preserve"># auditctl -l | grep syscall | grep setxattr</xhtml:pre> | |
If the system is configured to audit this activity, it will return a line. | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
<Rule id="audit_manual_logon_edits" selected="false" severity="low"> | |
<title xml:lang="en-US">Record Attempts to Alter Logon and Logout Events</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The audit system already collects login info for all users and root. To watch for attempted manual edits of | |
files involved in storing logon events, add the following to <xhtml:code>/etc/audit/audit.rules</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-w /var/log/faillog -p wa -k logins | |
-w /var/log/lastlog -p wa -k logins</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(7)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Manual editing of these files may indicate nefarious activity, such | |
as an attacker attempting to remove evidence of an intrusion.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26691-6</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:935" href="ssg-rhel6-oval.xml"/> | |
</check> | |
</Rule> | |
<Rule id="audit_manual_session_edits" selected="false" severity="low"> | |
<title xml:lang="en-US"> Record Attempts to Alter Process and Session Initiation Information</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> The audit system already collects process information for all | |
users and root. To watch for attempted manual edits of files involved in | |
storing such process information, add the following to | |
<xhtml:code>/etc/audit/audit.rules</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-w /var/run/utmp -p wa -k session | |
-w /var/log/btmp -p wa -k session | |
-w /var/log/wtmp -p wa -k session</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(7)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Manual editing of these files may indicate nefarious activity, such | |
as an attacker attempting to remove evidence of an intrusion.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26610-6</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:1077" href="ssg-rhel6-oval.xml"/> | |
</check> | |
</Rule> | |
<Rule id="audit_file_access" selected="false" severity="low"> | |
<title xml:lang="en-US">Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect | |
unauthorized file accesses for all users and root. Add the following | |
to <xhtml:code>/etc/audit/audit.rules</xhtml:code>, setting ARCH to either b32 or b64 as | |
appropriate for your system: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access | |
-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(7)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">126</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing | |
these events could serve as evidence of potential system compromise.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26712-0</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:705" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="either command lacks output" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To verify that the audit system collects unauthorized file accesses, run the following commands: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># grep EACCES /etc/audit/audit.rules</pre> | |
<pre xmlns="http://www.w3.org/1999/xhtml"># grep EPERM /etc/audit/audit.rules</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="audit_privileged_commands" selected="false" severity="low"> | |
<title xml:lang="en-US">Ensure auditd Collects Information on the Use of Privileged Commands</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect the | |
execution of privileged commands for all users and root. | |
To find the relevant setuid programs: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># find / -xdev -type f -perm -4000 -o -perm -2000 2>/dev/null</pre> | |
Then, for each setuid program on the system, add a line of the following form to | |
<xhtml:code>/etc/audit/audit.rules</xhtml:code>, where <i xmlns="http://www.w3.org/1999/xhtml">SETUID_PROG_PATH</i> is the full path to each setuid program | |
in the list: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-a always,exit -F path=<i>SETUID_PROG_PATH</i> -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(7)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(4)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">40</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Privileged programs are subject to escalation-of-privilege attacks, | |
which attempt to subvert their normal role of providing some necessary but | |
limited capability. As such, motivation exists to monitor these programs for | |
unusual activity. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26457-2</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:293" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it is not the case" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To verify that auditing of privileged command use is configured, run the following command to find relevant setuid programs: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># find / -xdev -type f -perm -4000 -o -perm -2000 2>/dev/null</pre> | |
Run the following command to verify entries in the audit rules for all programs found with the previous command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># grep path /etc/audit/audit.rules</pre> | |
It should be the case that all relevant setuid programs have a line in the audit rules. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="audit_media_exports" selected="false" severity="low"> | |
<title xml:lang="en-US">Ensure auditd Collects Information on Exporting to Media (successful)</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect media | |
exportation events for all users and root. Add the following to | |
<xhtml:code>/etc/audit/audit.rules</xhtml:code>, setting ARCH to either b32 or b64 as | |
appropriate for your system: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(7)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">126</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The unauthorized exportation of data to external media could result in an information leak | |
where classified information, Privacy Act information, and intellectual property could be lost. An audit | |
trail should be created each time a filesystem is mounted to help identify and guard against information | |
loss.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26573-6</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:391" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="there is not output" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To verify that auditing is configured for all media exportation events, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># auditctl -l | grep syscall | grep mount</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="audit_file_deletions" selected="false" severity="low"> | |
<title xml:lang="en-US">Ensure auditd Collects File Deletion Events by User</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect file | |
deletion events for all users and root. Add the following to | |
<xhtml:code>/etc/audit/audit.rules</xhtml:code>, setting ARCH to either b32 or b64 as | |
appropriate for your system: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-a always,exit -F arch=ARCH -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(7)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">126</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Auditing file deletions will create an audit trail for files that are removed | |
from the system. The audit trail could aid in system troubleshooting, as well as, detecting | |
malicious processes that attempt to delete log files to conceal their presence.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26651-0</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:444" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="no line is returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To determine if the system is configured to audit calls to | |
the <xhtml:code>unlink</xhtml:code> | |
system call, run the following command: | |
<xhtml:pre xml:space="preserve"># auditctl -l | grep syscall | grep unlink</xhtml:pre> | |
If the system is configured to audit this activity, it will return a line. | |
To determine if the system is configured to audit calls to | |
the <xhtml:code>rename</xhtml:code> | |
system call, run the following command: | |
<xhtml:pre xml:space="preserve"># auditctl -l | grep syscall | grep rename</xhtml:pre> | |
If the system is configured to audit this activity, it will return a line. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="audit_sysadmin_actions" selected="false" severity="low"> | |
<title xml:lang="en-US">Ensure auditd Collects System Administrator Actions</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect | |
administrator actions for all users and root. Add the following to | |
<xhtml:code>/etc/audit/audit.rules</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-w /etc/sudoers -p wa -k actions</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-2(7)(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(7)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">126</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The actions taken by system administrators should be audited to keep a record | |
of what was executed on the system, as well as, for accountability purposes.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26662-7</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:243" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="there is not output" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To verify that auditing is configured for system administrator actions, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># auditctl -l | grep "watch=/etc/sudoers"</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="audit_kernel_module_loading" selected="false" severity="low"> | |
<title xml:lang="en-US">Ensure auditd Collects Information on Kernel Module Loading and Unloading</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Add the following to <xhtml:code>/etc/audit/audit.rules</xhtml:code> in order | |
to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-w /sbin/insmod -p x -k modules | |
-w /sbin/rmmod -p x -k modules | |
-w /sbin/modprobe -p x -k modules | |
-a always,exit -F arch=<i>ARCH</i> -S init_module -S delete_module -k modules</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(7)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">126</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The addition/removal of kernel modules can be used to alter the behavior of | |
the kernel and potentially introduce malicious code into kernel space. It is important | |
to have an audit trail of modules that have been introduced into the kernel.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26611-4</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:993" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="no line is returned" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To determine if the system is configured to audit calls to | |
the <xhtml:code>init_module</xhtml:code> | |
system call, run the following command: | |
<xhtml:pre xml:space="preserve"># auditctl -l | grep syscall | grep init_module</xhtml:pre> | |
If the system is configured to audit this activity, it will return a line. | |
To determine if the system is configured to audit calls to | |
the <xhtml:code>delete_module</xhtml:code> | |
system call, run the following command: | |
<xhtml:pre xml:space="preserve"># auditctl -l | grep syscall | grep delete_module</xhtml:pre> | |
If the system is configured to audit this activity, it will return a line. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="audit_config_immutable" selected="false" severity="low"> | |
<title xml:lang="en-US">Make the auditd Configuration Immutable</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Add the following to <xhtml:code>/etc/audit/audit.rules</xhtml:code> in order | |
to make the configuration immutable: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-e 2</pre> | |
With this setting, a reboot will be required to change any | |
audit rules.</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-1(b)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(a)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-2(d)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IR-5</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Making the audit configuration immutable prevents accidental as | |
well as malicious modification of the audit rules, although it may be | |
problematic if legitimate changes are needed during system | |
operation</rationale> | |
<ident system="http://cce.mitre.org">CCE-26612-2</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:1048" href="ssg-rhel6-oval.xml"/> | |
</check> | |
</Rule> | |
</Group> | |
</Group> | |
</Group> | |
<Group id="services"> | |
<title xml:lang="en-US">Services</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The best protection against vulnerable software is running less software. This section describes how to review | |
the software which Red Hat Enterprise Linux 6 installs on a system and disable software which is not needed. It | |
then enumerates the software packages installed on a default RHEL 6 system and provides guidance about which | |
ones can be safely disabled. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
RHEL 6 provides a convenient minimal install option that essentially installs the bare necessities for a functional | |
system. When building RHEL 6 servers, it is highly recommended to select the minimal packages and then build up | |
the system from there. | |
</description> | |
<Group id="obsolete"> | |
<title xml:lang="en-US">Obsolete Services</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This section discusses a number of network-visible | |
services which have historically caused problems for system | |
security, and for which disabling or severely limiting the service | |
has been the best available guidance for some time. As a result of | |
this, many of these services are not installed as part of RHEL 6 | |
by default. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
Organizations which are running these services should | |
switch to more secure equivalents as soon as possible. | |
If it remains absolutely necessary to run one of | |
these services for legacy reasons, care should be taken to restrict | |
the service as much as possible, for instance by configuring host | |
firewall software such as <xhtml:code>iptables</xhtml:code> to restrict access to the | |
vulnerable service to only those remote hosts which have a known | |
need to use it.</description> | |
<Group id="inetd_and_xinetd"> | |
<title xml:lang="en-US">Xinetd</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>xinetd</xhtml:code> service acts as a dedicated listener for some | |
network services (mostly, obsolete ones) and can be used to provide access | |
controls and perform some logging. It has been largely obsoleted by other | |
features, and it is not installed by default. The older Inetd service | |
is not even available as part of RHEL 6.</description> | |
<Rule id="disable_xinetd" selected="false" severity="medium"> | |
<title xml:lang="en-US">Disable xinetd Service</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The <xhtml:code>xinetd</xhtml:code> service can be disabled with the following command: | |
<xhtml:pre># chkconfig xinetd off</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(8)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">305</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The xinetd service provides a dedicated listener service for some programs, | |
which is no longer necessary for commonly-used network services. Disabling | |
it ensures that these uncommon services are not running, and also prevents | |
attacks against xinetd itself. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27046-2</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:256" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
If network services are using the xinetd service, this is not applicable. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
To check that the <xhtml:code>xinetd</xhtml:code> service is disabled in system boot configuration, run the following command: | |
<xhtml:pre># chkconfig <xhtml:code>xinetd</xhtml:code> --list</xhtml:pre> | |
Output should indicate the <xhtml:code>xinetd</xhtml:code> service has either not been installed, | |
or has been disabled at all runlevels, as shown in the example below: | |
<xhtml:pre># chkconfig <xhtml:code>xinetd</xhtml:code> --list | |
<xhtml:code>xinetd</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre> | |
Run the following command to verify <xhtml:code>xinetd</xhtml:code> is disabled through current runtime configuration: | |
<xhtml:pre># service xinetd status</xhtml:pre> | |
If the service is disabled the command will return the following output: | |
<xhtml:pre>xinetd is stopped</xhtml:pre></check-content> | |
</check> | |
</Rule> | |
<Rule id="uninstall_xinetd" selected="false" severity="low"> | |
<title xml:lang="en-US">Uninstall xinetd Package</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>xinetd</xhtml:code> package can be uninstalled with the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># yum erase xinetd</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(8)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">305</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Removing the <xhtml:code>xinetd</xhtml:code> package decreases the risk of the | |
xinetd service's accidental (or intentional) activation. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27005-8</ident> | |
<fix system="urn:xccdf:fix:script:sh">if rpm -qa | grep -q xinetd; then | |
yum -y remove xinetd | |
fi | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:257" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the package is installed" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
If network services are using the xinetd service, this is not applicable. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
Run the following command to determine if the <xhtml:code>xinetd</xhtml:code> package is installed: | |
<xhtml:pre># rpm -q xinetd</xhtml:pre> </check-content> | |
</check> | |
</Rule> | |
</Group> | |
<Group id="telnet"> | |
<title xml:lang="en-US">Telnet</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The telnet protocol does not provide confidentiality or integrity | |
for information transmitted on the network. This includes authentication | |
information such as passwords. Organizations which use telnet should be | |
actively working to migrate to a more secure protocol.</description> | |
<Rule id="disable_telnet_service" selected="false" severity="high"> | |
<title xml:lang="en-US">Disable telnet Service</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The <xhtml:code>telnet</xhtml:code> service can be disabled with the following command: | |
<xhtml:pre># chkconfig telnet off</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(8)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(c)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">68</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1436</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">197</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">877</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">888</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The telnet protocol uses unencrypted network communication, which | |
means that data from the login session, including passwords and | |
all other information transmitted during the session, can be | |
stolen by eavesdroppers on the network. The telnet protocol is also | |
subject to man-in-the-middle attacks. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26836-7</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:1029" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check that the <xhtml:code>telnet</xhtml:code> service is disabled in system boot configuration, run the following command: | |
<xhtml:pre># chkconfig <xhtml:code>telnet</xhtml:code> --list</xhtml:pre> | |
Output should indicate the <xhtml:code>telnet</xhtml:code> service has either not been installed, | |
or has been disabled at all runlevels, as shown in the example below: | |
<xhtml:pre># chkconfig <xhtml:code>telnet</xhtml:code> --list | |
<xhtml:code>telnet</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre> | |
Run the following command to verify <xhtml:code>telnet</xhtml:code> is disabled through current runtime configuration: | |
<xhtml:pre># service telnet status</xhtml:pre> | |
If the service is disabled the command will return the following output: | |
<xhtml:pre>telnet is stopped</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="uninstall_telnet_server" selected="false" severity="high"> | |
<title xml:lang="en-US">Uninstall telnet-server Package</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>telnet-server</xhtml:code> package can be uninstalled with | |
the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># yum erase telnet-server</pre></description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(8)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">305</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">381</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Removing the <xhtml:code>telnet-server</xhtml:code> package decreases the risk of the | |
telnet service's accidental (or intentional) activation. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27073-6</ident> | |
<fix system="urn:xccdf:fix:script:sh">if rpm -qa | grep -q telnet-server; then | |
yum -y remove telnet-server | |
fi | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:638" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the package is installed" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Run the following command to determine if the <xhtml:code>telnet-server</xhtml:code> package is installed: | |
<xhtml:pre># rpm -q telnet-server</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
<Group id="r_services"> | |
<title xml:lang="en-US">Rlogin, Rsh, and Rexec</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The Berkeley r-commands are legacy services which | |
allow cleartext remote access and have an insecure trust | |
model.</description> | |
<Rule id="uninstall_rsh-server" selected="false" severity="high"> | |
<title xml:lang="en-US">Uninstall rsh-server Package</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>rsh-server</xhtml:code> package can be uninstalled with | |
the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># yum erase rsh-server</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(8)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">305</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">381</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>rsh-server</xhtml:code> package provides several obsolete and insecure | |
network services. Removing it | |
decreases the risk of those services' accidental (or intentional) | |
activation. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27062-9</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:535" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the package is installed" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Run the following command to determine if the <xhtml:code>rsh-server</xhtml:code> package is installed: | |
<xhtml:pre># rpm -q rsh-server</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="disable_rexec" selected="false" severity="high"> | |
<title xml:lang="en-US">Disable rexec Service</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>rexec</xhtml:code> service, which is available with | |
the <xhtml:code>rsh-server</xhtml:code> package and runs as a service through xinetd, | |
should be disabled. | |
The <xhtml:code>rexec</xhtml:code> service can be disabled with the following command: | |
<xhtml:pre># chkconfig rexec off</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(8)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">68</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1436</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The rexec service uses unencrypted network communications, which | |
means that data from the login session, including passwords and | |
all other information transmitted during the session, can be | |
stolen by eavesdroppers on the network. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27208-8</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:845" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check that the <xhtml:code>rexec</xhtml:code> service is disabled in system boot configuration, run the following command: | |
<xhtml:pre># chkconfig <xhtml:code>rexec</xhtml:code> --list</xhtml:pre> | |
Output should indicate the <xhtml:code>rexec</xhtml:code> service has either not been installed, | |
or has been disabled at all runlevels, as shown in the example below: | |
<xhtml:pre># chkconfig <xhtml:code>rexec</xhtml:code> --list | |
<xhtml:code>rexec</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre> | |
Run the following command to verify <xhtml:code>rexec</xhtml:code> is disabled through current runtime configuration: | |
<xhtml:pre># service rexec status</xhtml:pre> | |
If the service is disabled the command will return the following output: | |
<xhtml:pre>rexec is stopped</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="disable_rsh" selected="false" severity="high"> | |
<title xml:lang="en-US">Disable rsh Service</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>rsh</xhtml:code> service, which is available with | |
the <xhtml:code>rsh-server</xhtml:code> package and runs as a service through xinetd, | |
should be disabled. | |
The <xhtml:code>rsh</xhtml:code> service can be disabled with the following command: | |
<xhtml:pre># chkconfig rsh off</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(8)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(c)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">68</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1436</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The rsh service uses unencrypted network communications, which | |
means that data from the login session, including passwords and | |
all other information transmitted during the session, can be | |
stolen by eavesdroppers on the network. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26994-4</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:534" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check that the <xhtml:code>rsh</xhtml:code> service is disabled in system boot configuration, run the following command: | |
<xhtml:pre># chkconfig <xhtml:code>rsh</xhtml:code> --list</xhtml:pre> | |
Output should indicate the <xhtml:code>rsh</xhtml:code> service has either not been installed, | |
or has been disabled at all runlevels, as shown in the example below: | |
<xhtml:pre># chkconfig <xhtml:code>rsh</xhtml:code> --list | |
<xhtml:code>rsh</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre> | |
Run the following command to verify <xhtml:code>rsh</xhtml:code> is disabled through current runtime configuration: | |
<xhtml:pre># service rsh status</xhtml:pre> | |
If the service is disabled the command will return the following output: | |
<xhtml:pre>rsh is stopped</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="disable_rlogin" selected="false" severity="high"> | |
<title xml:lang="en-US">Disable rlogin Service</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>rlogin</xhtml:code> service, which is available with | |
the <xhtml:code>rsh-server</xhtml:code> package and runs as a service through xinetd, | |
should be disabled. | |
The <xhtml:code>rlogin</xhtml:code> service can be disabled with the following command: | |
<xhtml:pre># chkconfig rlogin off</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(8)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(c)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1436</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The rlogin service uses unencrypted network communications, which | |
means that data from the login session, including passwords and | |
all other information transmitted during the session, can be | |
stolen by eavesdroppers on the network. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26865-6</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:545" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check that the <xhtml:code>rlogin</xhtml:code> service is disabled in system boot configuration, run the following command: | |
<xhtml:pre># chkconfig <xhtml:code>rlogin</xhtml:code> --list</xhtml:pre> | |
Output should indicate the <xhtml:code>rlogin</xhtml:code> service has either not been installed, | |
or has been disabled at all runlevels, as shown in the example below: | |
<xhtml:pre># chkconfig <xhtml:code>rlogin</xhtml:code> --list | |
<xhtml:code>rlogin</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre> | |
Run the following command to verify <xhtml:code>rlogin</xhtml:code> is disabled through current runtime configuration: | |
<xhtml:pre># service rlogin status</xhtml:pre> | |
If the service is disabled the command will return the following output: | |
<xhtml:pre>rlogin is stopped</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="no_rsh_trust_files" selected="false" severity="high"> | |
<title xml:lang="en-US">Remove Rsh Trust Files</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The files <xhtml:code>/etc/hosts.equiv</xhtml:code> and <xhtml:code>~/.rhosts</xhtml:code> (in | |
each user's home directory) list remote hosts and users that are trusted by the | |
local system when using the rshd daemon. | |
To remove these files, run the following command to delete them from any | |
location: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># rm /etc/hosts.equiv</pre> | |
<pre xmlns="http://www.w3.org/1999/xhtml">$ rm ~/.rhosts</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(8)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1436</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Trust files are convenient, but when | |
used in conjunction with the R-services, they can allow | |
unauthenticated access to a system.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27270-8</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:632" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="these files exist" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
The existence of the file <xhtml:code>/etc/hosts.equiv</xhtml:code> or a file named | |
<xhtml:code>.rhosts</xhtml:code> inside a user home directory indicates the presence | |
of an Rsh trust relationship. | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
<Group id="nis"> | |
<title xml:lang="en-US">NIS</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The Network Information Service (NIS), also known as 'Yellow | |
Pages' (YP), and its successor NIS+ have been made obsolete by | |
Kerberos, LDAP, and other modern centralized authentication | |
services. NIS should not be used because it suffers from security | |
problems inherent in its design, such as inadequate protection of | |
important authentication information.</description> | |
<Rule id="uninstall_ypserv" selected="false" severity="medium"> | |
<title xml:lang="en-US">Uninstall ypserv Package</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>ypserv</xhtml:code> package can be uninstalled with | |
the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># yum erase ypserv</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(8)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">305</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">381</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Removing the <xhtml:code>ypserv</xhtml:code> package decreases the risk of the | |
accidental (or intentional) activation of NIS or NIS+ services. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27079-3</ident> | |
<fix system="urn:xccdf:fix:script:sh">if rpm -qa | grep -q ypserv; then | |
yum -y remove ypserv | |
fi | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:861" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the package is installed" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Run the following command to determine if the <xhtml:code>ypserv</xhtml:code> package is installed: | |
<xhtml:pre># rpm -q ypserv</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="disable_ypbind" selected="false" severity="medium"> | |
<title xml:lang="en-US">Disable ypbind Service</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>ypbind</xhtml:code> service, which allows the system to act as a client in | |
a NIS or NIS+ domain, should be disabled. | |
The <xhtml:code>ypbind</xhtml:code> service can be disabled with the following command: | |
<xhtml:pre># chkconfig ypbind off</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(8)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">305</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Disabling the <xhtml:code>ypbind</xhtml:code> service ensures the system is not acting | |
as a client in a NIS or NIS+ domain. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26894-6</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:955" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check that the <xhtml:code>ypbind</xhtml:code> service is disabled in system boot configuration, run the following command: | |
<xhtml:pre># chkconfig <xhtml:code>ypbind</xhtml:code> --list</xhtml:pre> | |
Output should indicate the <xhtml:code>ypbind</xhtml:code> service has either not been installed, | |
or has been disabled at all runlevels, as shown in the example below: | |
<xhtml:pre># chkconfig <xhtml:code>ypbind</xhtml:code> --list | |
<xhtml:code>ypbind</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre> | |
Run the following command to verify <xhtml:code>ypbind</xhtml:code> is disabled through current runtime configuration: | |
<xhtml:pre># service ypbind status</xhtml:pre> | |
If the service is disabled the command will return the following output: | |
<xhtml:pre>ypbind is stopped</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
<Group id="tftp"> | |
<title xml:lang="en-US">TFTP Server</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
TFTP is a lightweight version of the FTP protocol which has | |
traditionally been used to configure networking equipment. However, | |
TFTP provides little security, and modern versions of networking | |
operating systems frequently support configuration via SSH or other | |
more secure protocols. A TFTP server should be run only if no more | |
secure method of supporting existing equipment can be | |
found.</description> | |
<Rule id="disable_tftp" selected="false" severity="medium"> | |
<title xml:lang="en-US">Disable tftp Service</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>tftp</xhtml:code> service should be disabled. | |
The <xhtml:code>tftp</xhtml:code> service can be disabled with the following command: | |
<xhtml:pre># chkconfig tftp off</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(8)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1436</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Disabling the <xhtml:code>tftp</xhtml:code> service ensures the system is not acting | |
as a TFTP server, which does not provide encryption or authentication. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27055-3</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:247" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check that the <xhtml:code>tftp</xhtml:code> service is disabled in system boot configuration, run the following command: | |
<xhtml:pre># chkconfig <xhtml:code>tftp</xhtml:code> --list</xhtml:pre> | |
Output should indicate the <xhtml:code>tftp</xhtml:code> service has either not been installed, | |
or has been disabled at all runlevels, as shown in the example below: | |
<xhtml:pre># chkconfig <xhtml:code>tftp</xhtml:code> --list | |
<xhtml:code>tftp</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre> | |
Run the following command to verify <xhtml:code>tftp</xhtml:code> is disabled through current runtime configuration: | |
<xhtml:pre># service tftp status</xhtml:pre> | |
If the service is disabled the command will return the following output: | |
<xhtml:pre>tftp is stopped</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="uninstall_tftp-server" selected="false" severity="medium"> | |
<title xml:lang="en-US">Uninstall tftp-server Package</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The <xhtml:code>tftp-server</xhtml:code> package can be removed with the following command: | |
<xhtml:pre># yum erase tftp-server</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(8)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">305</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121026</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Removing the <xhtml:code>tftp-server</xhtml:code> package decreases the risk of the | |
accidental (or intentional) activation of tftp services. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26946-4</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:248" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the package is installed" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Run the following command to determine if the <xhtml:code>tftp-server</xhtml:code> package is installed: | |
<xhtml:pre># rpm -q tftp-server</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="tftpd_uses_secure_mode" selected="false" severity="high"> | |
<title xml:lang="en-US">Ensure tftp Daemon Uses Secure Mode</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If running the <xhtml:code>tftp</xhtml:code> service is necessary, it should be configured | |
to change its root directory at startup. To do so, ensure | |
<xhtml:code>/etc/xinetd.d/tftp</xhtml:code> includes <xhtml:code>-s</xhtml:code> as a command line argument, as shown in | |
the following example (which is also the default): | |
<pre xmlns="http://www.w3.org/1999/xhtml">server_args = -s /var/lib/tftpboot</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(8)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">366</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Using the <xhtml:code>-s</xhtml:code> option causes the TFTP service to only serve files from the | |
given directory. Serving files from an intentionally-specified directory | |
reduces the risk of sharing files which should remain private. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27272-4</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:998" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="this flag is missing" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
If TFTP is not installed, this is not applicable. To determine if TFTP is installed, | |
run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># rpm -qa | grep tftp</pre> | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
Verify <xhtml:code>tftp</xhtml:code> is configured by with the <xhtml:code>-s</xhtml:code> option by running the | |
following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml">grep "server_args" /etc/xinetd.d/tftp</pre> | |
The output should indicate the <xhtml:code>server_args</xhtml:code> variable is configured with the <xhtml:code>-s</xhtml:code> | |
flag, matching the example below: | |
<pre xmlns="http://www.w3.org/1999/xhtml"> # grep "server_args" /etc/xinetd.d/tftp | |
server_args = -s /var/lib/tftpboot</pre> | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
</Group> | |
<Group id="base"> | |
<title xml:lang="en-US">Base Services</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This section addresses the base services that are installed on a | |
RHEL 6 default installation which are not covered in other | |
sections. Some of these services listen on the network and | |
should be treated with particular discretion. Other services are local | |
system utilities that may or may not be extraneous. In general, system services | |
should be disabled if not required.</description> | |
<Rule id="service_abrtd_disabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable Automatic Bug Reporting Tool (abrtd)</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The Automatic Bug Reporting Tool (<xhtml:code>abrtd</xhtml:code>) daemon collects | |
and reports crash data when an application crash is detected. Using a variety | |
of plugins, abrtd can email crash reports to system administrators, log crash | |
reports to files, or forward crash reports to a centralized issue tracking | |
system such as RHTSupport. | |
The <xhtml:code>abrtd</xhtml:code> service can be disabled with the following command: | |
<xhtml:pre># chkconfig abrtd off</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(8)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">381</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> Mishandling crash data could expose sensitive information about | |
vulnerabilities in software executing on the local machine, as well as sensitive | |
information from within a process's address space or registers.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27247-6</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Disable abrtd for all run levels | |
# | |
chkconfig --level 0123456 abrtd off | |
# | |
# Stop abrtd if currently running | |
# | |
service abrtd stop | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:222" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check that the <xhtml:code>abrtd</xhtml:code> service is disabled in system boot configuration, run the following command: | |
<xhtml:pre># chkconfig <xhtml:code>abrtd</xhtml:code> --list</xhtml:pre> | |
Output should indicate the <xhtml:code>abrtd</xhtml:code> service has either not been installed, | |
or has been disabled at all runlevels, as shown in the example below: | |
<xhtml:pre># chkconfig <xhtml:code>abrtd</xhtml:code> --list | |
<xhtml:code>abrtd</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre> | |
Run the following command to verify <xhtml:code>abrtd</xhtml:code> is disabled through current runtime configuration: | |
<xhtml:pre># service abrtd status</xhtml:pre> | |
If the service is disabled the command will return the following output: | |
<xhtml:pre>abrtd is stopped</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="service_acpid_disabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable Advanced Configuration and Power Interface (acpid)</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The Advanced Configuration and Power Interface Daemon (<xhtml:code>acpid</xhtml:code>) | |
dispatches ACPI events (such as power/reset button depressed) to userspace | |
programs. | |
The <xhtml:code>acpid</xhtml:code> service can be disabled with the following command: | |
<xhtml:pre># chkconfig acpid off</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ACPI support is highly desirable for systems in some network roles, | |
such as laptops or desktops. For other systems, such as servers, it may permit | |
accidental or trivially achievable denial of service situations and disabling | |
it is appropriate.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27061-1</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Disable acpid for all run levels | |
# | |
chkconfig --level 0123456 acpid off | |
# | |
# Stop acpid if currently running | |
# | |
service acpid stop | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:719" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check that the <xhtml:code>acpid</xhtml:code> service is disabled in system boot configuration, run the following command: | |
<xhtml:pre># chkconfig <xhtml:code>acpid</xhtml:code> --list</xhtml:pre> | |
Output should indicate the <xhtml:code>acpid</xhtml:code> service has either not been installed, | |
or has been disabled at all runlevels, as shown in the example below: | |
<xhtml:pre># chkconfig <xhtml:code>acpid</xhtml:code> --list | |
<xhtml:code>acpid</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre> | |
Run the following command to verify <xhtml:code>acpid</xhtml:code> is disabled through current runtime configuration: | |
<xhtml:pre># service acpid status</xhtml:pre> | |
If the service is disabled the command will return the following output: | |
<xhtml:pre>acpid is stopped</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="service_certmonger_disabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable Certmonger Service (certmonger)</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Certmonger is a D-Bus based service that attempts to simplify interaction | |
with certifying authorities on networks which use public-key infrastructure. It is often | |
combined with Red Hat's IPA (Identity Policy Audit) security information management | |
solution to aid in the management of certificates. | |
The <xhtml:code>certmonger</xhtml:code> service can be disabled with the following command: | |
<xhtml:pre># chkconfig certmonger off</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The services provided by certmonger may be essential for systems | |
fulfilling some roles a PKI infrastructure, but its functionality is not necessary | |
for many other use cases.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27267-4</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Disable certmonger for all run levels | |
# | |
chkconfig --level 0123456 certmonger off | |
# | |
# Stop certmonger if currently running | |
# | |
service certmonger stop | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:1122" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check that the <xhtml:code>certmonger</xhtml:code> service is disabled in system boot configuration, run the following command: | |
<xhtml:pre># chkconfig <xhtml:code>certmonger</xhtml:code> --list</xhtml:pre> | |
Output should indicate the <xhtml:code>certmonger</xhtml:code> service has either not been installed, | |
or has been disabled at all runlevels, as shown in the example below: | |
<xhtml:pre># chkconfig <xhtml:code>certmonger</xhtml:code> --list | |
<xhtml:code>certmonger</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre> | |
Run the following command to verify <xhtml:code>certmonger</xhtml:code> is disabled through current runtime configuration: | |
<xhtml:pre># service certmonger status</xhtml:pre> | |
If the service is disabled the command will return the following output: | |
<xhtml:pre>certmonger is stopped</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="service_cgconfig_disabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable Control Group Config (cgconfig)</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Control groups allow an administrator to allocate system resources (such as CPU, | |
memory, network bandwidth, etc) among a defined group (or groups) of processes executing on | |
a system. The <xhtml:code>cgconfig</xhtml:code> daemon starts at boot and establishes the predefined control groups. | |
The <xhtml:code>cgconfig</xhtml:code> service can be disabled with the following command: | |
<xhtml:pre># chkconfig cgconfig off</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Unless control groups are used to manage system resources, running the cgconfig | |
service is not necessary. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27250-0</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Disable cgconfig for all run levels | |
# | |
chkconfig --level 0123456 cgconfig off | |
# | |
# Stop cgconfig if currently running | |
# | |
service cgconfig stop | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:944" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check that the <xhtml:code>cgconfig</xhtml:code> service is disabled in system boot configuration, run the following command: | |
<xhtml:pre># chkconfig <xhtml:code>cgconfig</xhtml:code> --list</xhtml:pre> | |
Output should indicate the <xhtml:code>cgconfig</xhtml:code> service has either not been installed, | |
or has been disabled at all runlevels, as shown in the example below: | |
<xhtml:pre># chkconfig <xhtml:code>cgconfig</xhtml:code> --list | |
<xhtml:code>cgconfig</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre> | |
Run the following command to verify <xhtml:code>cgconfig</xhtml:code> is disabled through current runtime configuration: | |
<xhtml:pre># service cgconfig status</xhtml:pre> | |
If the service is disabled the command will return the following output: | |
<xhtml:pre>cgconfig is stopped</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="service_cgred_disabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable Control Group Rules Engine (cgred)</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>cgred</xhtml:code> service moves tasks into control groups according to | |
parameters set in the <xhtml:code>/etc/cgrules.conf</xhtml:code> configuration file. | |
The <xhtml:code>cgred</xhtml:code> service can be disabled with the following command: | |
<xhtml:pre># chkconfig cgred off</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Unless control groups are used to manage system resources, running the cgred service | |
service is not necessary. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27252-6</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Disable cgred for all run levels | |
# | |
chkconfig --level 0123456 cgred off | |
# | |
# Stop cgred if currently running | |
# | |
service cgred stop | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:312" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check that the <xhtml:code>cgred</xhtml:code> service is disabled in system boot configuration, run the following command: | |
<xhtml:pre># chkconfig <xhtml:code>cgred</xhtml:code> --list</xhtml:pre> | |
Output should indicate the <xhtml:code>cgred</xhtml:code> service has either not been installed, | |
or has been disabled at all runlevels, as shown in the example below: | |
<xhtml:pre># chkconfig <xhtml:code>cgred</xhtml:code> --list | |
<xhtml:code>cgred</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre> | |
Run the following command to verify <xhtml:code>cgred</xhtml:code> is disabled through current runtime configuration: | |
<xhtml:pre># service cgred status</xhtml:pre> | |
If the service is disabled the command will return the following output: | |
<xhtml:pre>cgred is stopped</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="service_cpuspeed_disabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable CPU Speed (cpuspeed)</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>cpuspeed</xhtml:code> service can adjust the clock speed of supported CPUs based upon | |
the current processing load thereby conserving power and reducing heat. | |
The <xhtml:code>cpuspeed</xhtml:code> service can be disabled with the following command: | |
<xhtml:pre># chkconfig cpuspeed off</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>cpuspeed</xhtml:code> service is only necessary if adjusting the CPU clock speed | |
provides benefit. Traditionally this has included laptops (to enhance battery life), | |
but may also apply to server or desktop environments where conserving power is | |
highly desirable or necessary. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26973-8</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Disable cpuspeed for all run levels | |
# | |
chkconfig --level 0123456 cpuspeed off | |
# | |
# Stop cpuspeed if currently running | |
# | |
service cpuspeed stop | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:595" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check that the <xhtml:code>cpuspeed</xhtml:code> service is disabled in system boot configuration, run the following command: | |
<xhtml:pre># chkconfig <xhtml:code>cpuspeed</xhtml:code> --list</xhtml:pre> | |
Output should indicate the <xhtml:code>cpuspeed</xhtml:code> service has either not been installed, | |
or has been disabled at all runlevels, as shown in the example below: | |
<xhtml:pre># chkconfig <xhtml:code>cpuspeed</xhtml:code> --list | |
<xhtml:code>cpuspeed</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre> | |
Run the following command to verify <xhtml:code>cpuspeed</xhtml:code> is disabled through current runtime configuration: | |
<xhtml:pre># service cpuspeed status</xhtml:pre> | |
If the service is disabled the command will return the following output: | |
<xhtml:pre>cpuspeed is stopped</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="service_haldaemon_disabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable Hardware Abstraction Layer Service (haldaemon)</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The Hardware Abstraction Layer Daemon (<xhtml:code>haldaemon</xhtml:code>) collects | |
and maintains information about the system's hardware configuration. | |
This service is required on a workstation | |
running a desktop environment, and may be necessary on any system which | |
deals with removable media or devices. | |
The <xhtml:code>haldaemon</xhtml:code> service can be disabled with the following command: | |
<xhtml:pre># chkconfig haldaemon off</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The haldaemon provides essential functionality on systems | |
that use removable media or devices, but can be disabled for systems | |
that do not require these. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27086-8</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Disable haldaemon for all run levels | |
# | |
chkconfig --level 0123456 haldaemon off | |
# | |
# Stop haldaemon if currently running | |
# | |
service haldaemon stop | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:877" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check that the <xhtml:code>haldaemon</xhtml:code> service is disabled in system boot configuration, run the following command: | |
<xhtml:pre># chkconfig <xhtml:code>haldaemon</xhtml:code> --list</xhtml:pre> | |
Output should indicate the <xhtml:code>haldaemon</xhtml:code> service has either not been installed, | |
or has been disabled at all runlevels, as shown in the example below: | |
<xhtml:pre># chkconfig <xhtml:code>haldaemon</xhtml:code> --list | |
<xhtml:code>haldaemon</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre> | |
Run the following command to verify <xhtml:code>haldaemon</xhtml:code> is disabled through current runtime configuration: | |
<xhtml:pre># service haldaemon status</xhtml:pre> | |
If the service is disabled the command will return the following output: | |
<xhtml:pre>haldaemon is stopped</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="service_irqbalance_enabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Enable IRQ Balance (irqbalance)</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>irqbalance</xhtml:code> service optimizes the balance between | |
power savings and performance through distribution of hardware interrupts across | |
multiple processors. | |
The <xhtml:code>irqbalance</xhtml:code> service can be enabled with the following command: | |
<xhtml:pre># chkconfig --level 2345 irqbalance on</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">In an environment with multiple processors (now common), the irqbalance service | |
provides potential speedups for handling interrupt requests.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26990-2</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Enable irqbalance for all run levels | |
# | |
chkconfig --level 0123456 irqbalance on | |
# | |
# Start irqbalance if not currently running | |
# | |
service irqbalance start | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:561" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check that the <xhtml:code>irqbalance</xhtml:code> service is disabled in system boot configuration, run the following command: | |
<xhtml:pre># chkconfig <xhtml:code>irqbalance</xhtml:code> --list</xhtml:pre> | |
Output should indicate the <xhtml:code>irqbalance</xhtml:code> service has either not been installed, | |
or has been disabled at all runlevels, as shown in the example below: | |
<xhtml:pre># chkconfig <xhtml:code>irqbalance</xhtml:code> --list | |
<xhtml:code>irqbalance</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre> | |
Run the following command to verify <xhtml:code>irqbalance</xhtml:code> is disabled through current runtime configuration: | |
<xhtml:pre># service irqbalance status</xhtml:pre> | |
If the service is disabled the command will return the following output: | |
<xhtml:pre>irqbalance is stopped</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="service_kdump_disabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable KDump Kernel Crash Analyzer (kdump)</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>kdump</xhtml:code> service provides a kernel crash dump analyzer. It uses the <xhtml:code>kexec</xhtml:code> | |
system call to boot a secondary kernel ("capture" kernel) following a system | |
crash, which can load information from the crashed kernel for analysis. | |
The <xhtml:code>kdump</xhtml:code> service can be disabled with the following command: | |
<xhtml:pre># chkconfig kdump off</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(8)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Unless the system is used for kernel development or testing, there | |
is little need to run the kdump service.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26850-8</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Disable kdump for all run levels | |
# | |
chkconfig --level 0123456 kdump off | |
# | |
# Stop kdump if currently running | |
# | |
service kdump stop | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:201" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check that the <xhtml:code>kdump</xhtml:code> service is disabled in system boot configuration, run the following command: | |
<xhtml:pre># chkconfig <xhtml:code>kdump</xhtml:code> --list</xhtml:pre> | |
Output should indicate the <xhtml:code>kdump</xhtml:code> service has either not been installed, | |
or has been disabled at all runlevels, as shown in the example below: | |
<xhtml:pre># chkconfig <xhtml:code>kdump</xhtml:code> --list | |
<xhtml:code>kdump</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre> | |
Run the following command to verify <xhtml:code>kdump</xhtml:code> is disabled through current runtime configuration: | |
<xhtml:pre># service kdump status</xhtml:pre> | |
If the service is disabled the command will return the following output: | |
<xhtml:pre>kdump is stopped</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="service_mdmonitor_disabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable Software RAID Monitor (mdmonitor)</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>mdmonitor</xhtml:code> service is used for monitoring a software RAID array; hardware | |
RAID setups do not use this service. | |
The <xhtml:code>mdmonitor</xhtml:code> service can be disabled with the following command: | |
<xhtml:pre># chkconfig mdmonitor off</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If software RAID monitoring is not required, | |
there is no need to run this service.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27193-2</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Disable mdmonitor for all run levels | |
# | |
chkconfig --level 0123456 mdmonitor off | |
# | |
# Stop mdmonitor if currently running | |
# | |
service mdmonitor stop | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:1185" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check that the <xhtml:code>mdmonitor</xhtml:code> service is disabled in system boot configuration, run the following command: | |
<xhtml:pre># chkconfig <xhtml:code>mdmonitor</xhtml:code> --list</xhtml:pre> | |
Output should indicate the <xhtml:code>mdmonitor</xhtml:code> service has either not been installed, | |
or has been disabled at all runlevels, as shown in the example below: | |
<xhtml:pre># chkconfig <xhtml:code>mdmonitor</xhtml:code> --list | |
<xhtml:code>mdmonitor</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre> | |
Run the following command to verify <xhtml:code>mdmonitor</xhtml:code> is disabled through current runtime configuration: | |
<xhtml:pre># service mdmonitor status</xhtml:pre> | |
If the service is disabled the command will return the following output: | |
<xhtml:pre>mdmonitor is stopped</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="service_messagebus_disabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable D-Bus IPC Service (messagebus)</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">D-Bus provides an IPC mechanism used by | |
a growing list of programs, such as those used for Gnome, Bluetooth, and Avahi. | |
Due to these dependencies, disabling D-Bus may not be practical for | |
many systems. | |
The <xhtml:code>messagebus</xhtml:code> service can be disabled with the following command: | |
<xhtml:pre># chkconfig messagebus off</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If no services which require D-Bus are needed, then it | |
can be disabled. As a broker for IPC between processes of different privilege levels, | |
it could be a target for attack. However, disabling D-Bus is likely to be | |
impractical for any system which needs to provide | |
a graphical login session. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26913-4</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Disable messagebus for all run levels | |
# | |
chkconfig --level 0123456 messagebus off | |
# | |
# Stop messagebus if currently running | |
# | |
service messagebus stop | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:327" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check that the <xhtml:code>messagebus</xhtml:code> service is disabled in system boot configuration, run the following command: | |
<xhtml:pre># chkconfig <xhtml:code>messagebus</xhtml:code> --list</xhtml:pre> | |
Output should indicate the <xhtml:code>messagebus</xhtml:code> service has either not been installed, | |
or has been disabled at all runlevels, as shown in the example below: | |
<xhtml:pre># chkconfig <xhtml:code>messagebus</xhtml:code> --list | |
<xhtml:code>messagebus</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre> | |
Run the following command to verify <xhtml:code>messagebus</xhtml:code> is disabled through current runtime configuration: | |
<xhtml:pre># service messagebus status</xhtml:pre> | |
If the service is disabled the command will return the following output: | |
<xhtml:pre>messagebus is stopped</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="service_netconsole_disabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable Network Console (netconsole)</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>netconsole</xhtml:code> service is responsible for loading the | |
netconsole kernel module, which logs kernel printk messages over UDP to a | |
syslog server. This allows debugging of problems where disk logging fails and | |
serial consoles are impractical. | |
The <xhtml:code>netconsole</xhtml:code> service can be disabled with the following command: | |
<xhtml:pre># chkconfig netconsole off</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(8)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">381</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>netconsole</xhtml:code> service is not necessary unless there is a need to debug | |
kernel panics, which is not common. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27254-2</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Disable netconsole for all run levels | |
# | |
chkconfig --level 0123456 netconsole off | |
# | |
# Stop netconsole if currently running | |
# | |
service netconsole stop | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:604" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check that the <xhtml:code>netconsole</xhtml:code> service is disabled in system boot configuration, run the following command: | |
<xhtml:pre># chkconfig <xhtml:code>netconsole</xhtml:code> --list</xhtml:pre> | |
Output should indicate the <xhtml:code>netconsole</xhtml:code> service has either not been installed, | |
or has been disabled at all runlevels, as shown in the example below: | |
<xhtml:pre># chkconfig <xhtml:code>netconsole</xhtml:code> --list | |
<xhtml:code>netconsole</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre> | |
Run the following command to verify <xhtml:code>netconsole</xhtml:code> is disabled through current runtime configuration: | |
<xhtml:pre># service netconsole status</xhtml:pre> | |
If the service is disabled the command will return the following output: | |
<xhtml:pre>netconsole is stopped</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="service_ntpdate_disabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable ntpdate Service (ntpdate)</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>ntpdate</xhtml:code> service sets the local hardware clock by polling NTP servers | |
when the system boots. It synchronizes to the NTP servers listed in | |
<xhtml:code>/etc/ntp/step-tickers</xhtml:code> or <xhtml:code>/etc/ntp.conf</xhtml:code> | |
and then sets the local hardware clock to the newly synchronized | |
system time. | |
The <xhtml:code>ntpdate</xhtml:code> service can be disabled with the following command: | |
<xhtml:pre># chkconfig ntpdate off</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(8)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">382</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>ntpdate</xhtml:code> service may only be suitable for systems which | |
are rebooted frequently enough that clock drift does not cause problems between | |
reboots. In any event, the functionality of the ntpdate service is now | |
available in the ntpd program and should be considered deprecated.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27256-7</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:619" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check that the <xhtml:code>ntpdate</xhtml:code> service is disabled in system boot configuration, run the following command: | |
<xhtml:pre># chkconfig <xhtml:code>ntpdate</xhtml:code> --list</xhtml:pre> | |
Output should indicate the <xhtml:code>ntpdate</xhtml:code> service has either not been installed, | |
or has been disabled at all runlevels, as shown in the example below: | |
<xhtml:pre># chkconfig <xhtml:code>ntpdate</xhtml:code> --list | |
<xhtml:code>ntpdate</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre> | |
Run the following command to verify <xhtml:code>ntpdate</xhtml:code> is disabled through current runtime configuration: | |
<xhtml:pre># service ntpdate status</xhtml:pre> | |
If the service is disabled the command will return the following output: | |
<xhtml:pre>ntpdate is stopped</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="service_oddjobd_disabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable Odd Job Daemon (oddjobd)</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>oddjobd</xhtml:code> service exists to provide an interface and | |
access control mechanism through which | |
specified privileged tasks can run tasks for unprivileged client | |
applications. Communication with <xhtml:code>oddjobd</xhtml:code> through the system message bus. | |
The <xhtml:code>oddjobd</xhtml:code> service can be disabled with the following command: | |
<xhtml:pre># chkconfig oddjobd off</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">381</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>oddjobd</xhtml:code> service may provide necessary functionality in | |
some environments, and can be disabled if it is not needed. Execution of | |
tasks by privileged programs, on behalf of unprivileged ones, has traditionally | |
been a source of privilege escalation security issues.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27257-5</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Disable oddjobd for all run levels | |
# | |
chkconfig --level 0123456 oddjobd off | |
# | |
# Stop oddjobd if currently running | |
# | |
service oddjobd stop | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:774" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check that the <xhtml:code>oddjobd</xhtml:code> service is disabled in system boot configuration, run the following command: | |
<xhtml:pre># chkconfig <xhtml:code>oddjobd</xhtml:code> --list</xhtml:pre> | |
Output should indicate the <xhtml:code>oddjobd</xhtml:code> service has either not been installed, | |
or has been disabled at all runlevels, as shown in the example below: | |
<xhtml:pre># chkconfig <xhtml:code>oddjobd</xhtml:code> --list | |
<xhtml:code>oddjobd</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre> | |
Run the following command to verify <xhtml:code>oddjobd</xhtml:code> is disabled through current runtime configuration: | |
<xhtml:pre># service oddjobd status</xhtml:pre> | |
If the service is disabled the command will return the following output: | |
<xhtml:pre>oddjobd is stopped</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="service_portreserve_disabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable Portreserve (portreserve)</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>portreserve</xhtml:code> service is a TCP port reservation utility that can | |
be used to prevent portmap from binding to well known TCP ports that are | |
required for other services. | |
The <xhtml:code>portreserve</xhtml:code> service can be disabled with the following command: | |
<xhtml:pre># chkconfig portreserve off</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(8)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>portreserve</xhtml:code> service provides helpful functionality by | |
preventing conflicting usage of ports in the reserved port range, but it can be | |
disabled if not needed.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27258-3</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Disable portreserve for all run levels | |
# | |
chkconfig --level 0123456 portreserve off | |
# | |
# Stop portreserve if currently running | |
# | |
service portreserve stop | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:799" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check that the <xhtml:code>portreserve</xhtml:code> service is disabled in system boot configuration, run the following command: | |
<xhtml:pre># chkconfig <xhtml:code>portreserve</xhtml:code> --list</xhtml:pre> | |
Output should indicate the <xhtml:code>portreserve</xhtml:code> service has either not been installed, | |
or has been disabled at all runlevels, as shown in the example below: | |
<xhtml:pre># chkconfig <xhtml:code>portreserve</xhtml:code> --list | |
<xhtml:code>portreserve</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre> | |
Run the following command to verify <xhtml:code>portreserve</xhtml:code> is disabled through current runtime configuration: | |
<xhtml:pre># service portreserve status</xhtml:pre> | |
If the service is disabled the command will return the following output: | |
<xhtml:pre>portreserve is stopped</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="service_psacct_enabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Enable Process Accounting (psacct)</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The process accounting service, <xhtml:code>psacct</xhtml:code>, works with programs | |
including <xhtml:code>acct</xhtml:code> and <xhtml:code>ac</xhtml:code> to allow system administrators to view | |
user activity, such as commands issued by users of the system. | |
The <xhtml:code>psacct</xhtml:code> service can be enabled with the following command: | |
<xhtml:pre># chkconfig --level 2345 psacct on</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-12</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>psacct</xhtml:code> service can provide administrators a convenient | |
view into some user activities. However, it should be noted that the auditing | |
system and its audit records provide more authoritative and comprehensive | |
records.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27259-1</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Enable psacct for all run levels | |
# | |
chkconfig --level 0123456 psacct on | |
# | |
# Start psacct if not currently running | |
# | |
service psacct start | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:121" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check that the <xhtml:code>psacct</xhtml:code> service is disabled in system boot configuration, run the following command: | |
<xhtml:pre># chkconfig <xhtml:code>psacct</xhtml:code> --list</xhtml:pre> | |
Output should indicate the <xhtml:code>psacct</xhtml:code> service has either not been installed, | |
or has been disabled at all runlevels, as shown in the example below: | |
<xhtml:pre># chkconfig <xhtml:code>psacct</xhtml:code> --list | |
<xhtml:code>psacct</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre> | |
Run the following command to verify <xhtml:code>psacct</xhtml:code> is disabled through current runtime configuration: | |
<xhtml:pre># service psacct status</xhtml:pre> | |
If the service is disabled the command will return the following output: | |
<xhtml:pre>psacct is stopped</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="service_qpidd_disabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable Apache Qpid (qpidd)</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>qpidd</xhtml:code> service provides high speed, secure, | |
guaranteed delivery services. It is an implementation of the Advanced Message | |
Queuing Protocol. By default the qpidd service will bind to port 5672 and | |
listen for connection attempts. | |
The <xhtml:code>qpidd</xhtml:code> service can be disabled with the following command: | |
<xhtml:pre># chkconfig qpidd off</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(8)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">382</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The qpidd service is automatically installed when the "base" | |
package selection is selected during installation. The qpidd service listens | |
for network connections, which increases the attack surface of the system. If | |
the system is not intended to receive AMQP traffic, then the <xhtml:code>qpidd</xhtml:code> | |
service is not needed and should be disabled or removed.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26928-2</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Disable qpidd for all run levels | |
# | |
chkconfig --level 0123456 qpidd off | |
# | |
# Stop qpidd if currently running | |
# | |
service qpidd stop | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:458" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check that the <xhtml:code>qpidd</xhtml:code> service is disabled in system boot configuration, run the following command: | |
<xhtml:pre># chkconfig <xhtml:code>qpidd</xhtml:code> --list</xhtml:pre> | |
Output should indicate the <xhtml:code>qpidd</xhtml:code> service has either not been installed, | |
or has been disabled at all runlevels, as shown in the example below: | |
<xhtml:pre># chkconfig <xhtml:code>qpidd</xhtml:code> --list | |
<xhtml:code>qpidd</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre> | |
Run the following command to verify <xhtml:code>qpidd</xhtml:code> is disabled through current runtime configuration: | |
<xhtml:pre># service qpidd status</xhtml:pre> | |
If the service is disabled the command will return the following output: | |
<xhtml:pre>qpidd is stopped</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="service_quota_nld_disabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable Quota Netlink (quota_nld)</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>quota_nld</xhtml:code> service provides notifications to | |
users of disk space quota violations. It listens to the kernel via a netlink | |
socket for disk quota violations and notifies the appropriate user of the | |
violation using D-Bus or by sending a message to the terminal that the user has | |
last accessed. | |
The <xhtml:code>quota_nld</xhtml:code> service can be disabled with the following command: | |
<xhtml:pre># chkconfig quota_nld off</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If disk quotas are enforced on the local system, then the | |
<xhtml:code>quota_nld</xhtml:code> service likely provides useful functionality and should | |
remain enabled. However, if disk quotas are not used or user notification of | |
disk quota violation is not desired then there is no need to run this | |
service.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27260-9</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Disable quota_nld for all run levels | |
# | |
chkconfig --level 0123456 quota_nld off | |
# | |
# Stop quota_nld if currently running | |
# | |
service quota_nld stop | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:659" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check that the <xhtml:code>quota_nld</xhtml:code> service is disabled in system boot configuration, run the following command: | |
<xhtml:pre># chkconfig <xhtml:code>quota_nld</xhtml:code> --list</xhtml:pre> | |
Output should indicate the <xhtml:code>quota_nld</xhtml:code> service has either not been installed, | |
or has been disabled at all runlevels, as shown in the example below: | |
<xhtml:pre># chkconfig <xhtml:code>quota_nld</xhtml:code> --list | |
<xhtml:code>quota_nld</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre> | |
Run the following command to verify <xhtml:code>quota_nld</xhtml:code> is disabled through current runtime configuration: | |
<xhtml:pre># service quota_nld status</xhtml:pre> | |
If the service is disabled the command will return the following output: | |
<xhtml:pre>quota_nld is stopped</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="service_rdisc_disabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable Network Router Discovery Daemon (rdisc)</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>rdisc</xhtml:code> service implements the client side of the ICMP | |
Internet Router Discovery Protocol (IRDP), which allows discovery of routers on | |
the local subnet. If a router is discovered then the local routing table is | |
updated with a corresponding default route. By default this daemon is disabled. | |
The <xhtml:code>rdisc</xhtml:code> service can be disabled with the following command: | |
<xhtml:pre># chkconfig rdisc off</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(8)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-4</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">382</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">General-purpose systems typically have their network and routing | |
information configured statically by a system administrator. Workstations or | |
some special-purpose systems often use DHCP (instead of IRDP) to retrieve | |
dynamic network configuration information.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27261-7</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Disable rdisc for all run levels | |
# | |
chkconfig --level 0123456 rdisc off | |
# | |
# Stop rdisc if currently running | |
# | |
service rdisc stop | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:379" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check that the <xhtml:code>rdisc</xhtml:code> service is disabled in system boot configuration, run the following command: | |
<xhtml:pre># chkconfig <xhtml:code>rdisc</xhtml:code> --list</xhtml:pre> | |
Output should indicate the <xhtml:code>rdisc</xhtml:code> service has either not been installed, | |
or has been disabled at all runlevels, as shown in the example below: | |
<xhtml:pre># chkconfig <xhtml:code>rdisc</xhtml:code> --list | |
<xhtml:code>rdisc</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre> | |
Run the following command to verify <xhtml:code>rdisc</xhtml:code> is disabled through current runtime configuration: | |
<xhtml:pre># service rdisc status</xhtml:pre> | |
If the service is disabled the command will return the following output: | |
<xhtml:pre>rdisc is stopped</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="service_rhnsd_disabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable Red Hat Network Service (rhnsd)</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The Red Hat Network service automatically queries Red Hat Network | |
servers to determine whether there are any actions that should be executed, | |
such as package updates. This only occurs if the system was registered to an | |
RHN server or satellite and managed as such. | |
The <xhtml:code>rhnsd</xhtml:code> service can be disabled with the following command: | |
<xhtml:pre># chkconfig rhnsd off</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(8)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">382</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Although systems management and patching is extremely important to | |
system security, management by a system outside the enterprise enclave is not | |
desirable for some environments. However, if the system is being managed by RHN or | |
RHN Satellite Server the <xhtml:code>rhnsd</xhtml:code> daemon can remain on. </rationale> | |
<ident system="http://cce.mitre.org">CCE-26846-6</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Disable rhnsd for all run levels | |
# | |
chkconfig --level 0123456 rhnsd off | |
# | |
# Stop rhnsd if currently running | |
# | |
service rhnsd stop | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:1240" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check that the <xhtml:code>rhnsd</xhtml:code> service is disabled in system boot configuration, run the following command: | |
<xhtml:pre># chkconfig <xhtml:code>rhnsd</xhtml:code> --list</xhtml:pre> | |
Output should indicate the <xhtml:code>rhnsd</xhtml:code> service has either not been installed, | |
or has been disabled at all runlevels, as shown in the example below: | |
<xhtml:pre># chkconfig <xhtml:code>rhnsd</xhtml:code> --list | |
<xhtml:code>rhnsd</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre> | |
Run the following command to verify <xhtml:code>rhnsd</xhtml:code> is disabled through current runtime configuration: | |
<xhtml:pre># service rhnsd status</xhtml:pre> | |
If the service is disabled the command will return the following output: | |
<xhtml:pre>rhnsd is stopped</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="service_rhsmcertd_disabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable Red Hat Subscription Manager Daemon (rhsmcertd)</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The Red Hat Subscription Manager (rhsmcertd) periodically checks for | |
changes in the entitlement certificates for a registered system and updates it | |
accordingly. | |
The <xhtml:code>rhsmcertd</xhtml:code> service can be disabled with the following command: | |
<xhtml:pre># chkconfig rhsmcertd off</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>rhsmcertd</xhtml:code> service can provide administrators with some | |
additional control over which of their systems are entitled to particular | |
subscriptions. However, for systems that are managed locally or which are not | |
expected to require remote changes to their subscription status, it is | |
unnecessary and can be disabled.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27262-5</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Disable rhsmcertd for all run levels | |
# | |
chkconfig --level 0123456 rhsmcertd off | |
# | |
# Stop rhsmcertd if currently running | |
# | |
service rhsmcertd stop | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:851" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check that the <xhtml:code>rhsmcertd</xhtml:code> service is disabled in system boot configuration, run the following command: | |
<xhtml:pre># chkconfig <xhtml:code>rhsmcertd</xhtml:code> --list</xhtml:pre> | |
Output should indicate the <xhtml:code>rhsmcertd</xhtml:code> service has either not been installed, | |
or has been disabled at all runlevels, as shown in the example below: | |
<xhtml:pre># chkconfig <xhtml:code>rhsmcertd</xhtml:code> --list | |
<xhtml:code>rhsmcertd</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre> | |
Run the following command to verify <xhtml:code>rhsmcertd</xhtml:code> is disabled through current runtime configuration: | |
<xhtml:pre># service rhsmcertd status</xhtml:pre> | |
If the service is disabled the command will return the following output: | |
<xhtml:pre>rhsmcertd is stopped</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="service_saslauthd_disabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable Cyrus SASL Authentication Daemon (saslauthd)</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>saslauthd</xhtml:code> service handles plaintext authentication requests on | |
behalf of the SASL library. The service isolates all code requiring superuser | |
privileges for SASL authentication into a single process, and can also be used | |
to provide proxy authentication services to clients that do not understand SASL | |
based authentication. | |
The <xhtml:code>saslauthd</xhtml:code> service can be disabled with the following command: | |
<xhtml:pre># chkconfig saslauthd off</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(8)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>saslauthd</xhtml:code> service provides essential functionality for | |
performing authentication in some directory environments, such as those which | |
use Kerberos and LDAP. For others, however, in which only local files may be | |
consulted, it is not necessary and should be disabled.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27263-3</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Disable saslauthd for all run levels | |
# | |
chkconfig --level 0123456 saslauthd off | |
# | |
# Stop saslauthd if currently running | |
# | |
service saslauthd stop | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:811" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check that the <xhtml:code>saslauthd</xhtml:code> service is disabled in system boot configuration, run the following command: | |
<xhtml:pre># chkconfig <xhtml:code>saslauthd</xhtml:code> --list</xhtml:pre> | |
Output should indicate the <xhtml:code>saslauthd</xhtml:code> service has either not been installed, | |
or has been disabled at all runlevels, as shown in the example below: | |
<xhtml:pre># chkconfig <xhtml:code>saslauthd</xhtml:code> --list | |
<xhtml:code>saslauthd</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre> | |
Run the following command to verify <xhtml:code>saslauthd</xhtml:code> is disabled through current runtime configuration: | |
<xhtml:pre># service saslauthd status</xhtml:pre> | |
If the service is disabled the command will return the following output: | |
<xhtml:pre>saslauthd is stopped</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="service_smartd_disabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable SMART Disk Monitoring Service (smartd)</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SMART (Self-Monitoring, Analysis, and Reporting Technology) is a | |
feature of hard drives that allows them to detect symptoms of disk failure and | |
relay an appropriate warning. | |
The <xhtml:code>smartd</xhtml:code> service can be disabled with the following command: | |
<xhtml:pre># chkconfig smartd off</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SMART can help protect against denial of | |
service due to failing hardware. Nevertheless, if it is not needed or the | |
system's drives are not SMART-capable (such as solid state drives), it can be | |
disabled.</rationale> | |
<ident system="http://cce.mitre.org">CCE-26853-2</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Disable smartd for all run levels | |
# | |
chkconfig --level 0123456 smartd off | |
# | |
# Stop smartd if currently running | |
# | |
service smartd stop | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:762" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check that the <xhtml:code>smartd</xhtml:code> service is disabled in system boot configuration, run the following command: | |
<xhtml:pre># chkconfig <xhtml:code>smartd</xhtml:code> --list</xhtml:pre> | |
Output should indicate the <xhtml:code>smartd</xhtml:code> service has either not been installed, | |
or has been disabled at all runlevels, as shown in the example below: | |
<xhtml:pre># chkconfig <xhtml:code>smartd</xhtml:code> --list | |
<xhtml:code>smartd</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre> | |
Run the following command to verify <xhtml:code>smartd</xhtml:code> is disabled through current runtime configuration: | |
<xhtml:pre># service smartd status</xhtml:pre> | |
If the service is disabled the command will return the following output: | |
<xhtml:pre>smartd is stopped</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="service_sysstat_disabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable System Statistics Reset Service (sysstat)</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>sysstat</xhtml:code> service resets various I/O and CPU | |
performance statistics to zero in order to begin counting from a fresh state | |
at boot time. | |
The <xhtml:code>sysstat</xhtml:code> service can be disabled with the following command: | |
<xhtml:pre># chkconfig sysstat off</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default the <xhtml:code>sysstat</xhtml:code> service merely runs a program at | |
boot to reset the statistics, which can be retrieved using programs such as | |
<xhtml:code>sar</xhtml:code> and <xhtml:code>sadc</xhtml:code>. These may provide useful insight into system | |
operation, but unless used this service can be disabled.</rationale> | |
<ident system="http://cce.mitre.org">CCE-27265-8</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Disable sysstat for all run levels | |
# | |
chkconfig --level 0123456 sysstat off | |
# | |
# Stop sysstat if currently running | |
# | |
service sysstat stop | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:1110" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check that the <xhtml:code>sysstat</xhtml:code> service is disabled in system boot configuration, run the following command: | |
<xhtml:pre># chkconfig <xhtml:code>sysstat</xhtml:code> --list</xhtml:pre> | |
Output should indicate the <xhtml:code>sysstat</xhtml:code> service has either not been installed, | |
or has been disabled at all runlevels, as shown in the example below: | |
<xhtml:pre># chkconfig <xhtml:code>sysstat</xhtml:code> --list | |
<xhtml:code>sysstat</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre> | |
Run the following command to verify <xhtml:code>sysstat</xhtml:code> is disabled through current runtime configuration: | |
<xhtml:pre># service sysstat status</xhtml:pre> | |
If the service is disabled the command will return the following output: | |
<xhtml:pre>sysstat is stopped</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
</Group> | |
<Group id="cron_and_at"> | |
<title xml:lang="en-US">Cron and At Daemons</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The cron and at services are used to allow commands to | |
be executed at a later time. The cron service is required by almost | |
all systems to perform necessary maintenance tasks, while at may or | |
may not be required on a given system. Both daemons should be | |
configured defensively.</description> | |
<Rule id="service_crond_enabled" selected="false" severity="medium"> | |
<title xml:lang="en-US">Enable cron Service</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>crond</xhtml:code> service is used to execute commands at | |
preconfigured times. It is required by almost all systems to perform necessary | |
maintenance tasks, such as notifying root of system activity. | |
The <xhtml:code>crond</xhtml:code> service can be enabled with the following command: | |
<xhtml:pre># chkconfig --level 2345 crond on</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Due to its usage for maintenance and security-supporting tasks, | |
enabling the cron daemon is essential. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27070-2</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Enable crond for all run levels | |
# | |
chkconfig --level 0123456 crond on | |
# | |
# Start crond if not currently running | |
# | |
service crond start | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:913" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is not running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Run the following command to determine the current status of the | |
<xhtml:code>crond</xhtml:code> service: | |
<xhtml:pre># service crond status</xhtml:pre> | |
If the service is enabled, it should return the following: <xhtml:pre>crond is running...</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="disable_anacron" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable anacron Service</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>cronie-anacron</xhtml:code> package which provides anacron | |
functionality is installed by default. To disable <xhtml:code>anacron</xhtml:code> support, | |
run the following commands: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># yum install cronie-noanacron | |
# yum erase cronie-anacron</pre> | |
The <xhtml:code>anacron</xhtml:code> service provides <xhtml:code>cron</xhtml:code> functionality for systems | |
such as laptops and workstations that may be shut down during the normal times | |
that <xhtml:code>cron</xhtml:code> jobs are scheduled to run. On systems which do not require this | |
additional functionality, <xhtml:code>anacron</xhtml:code> could needlessly increase the possible | |
attack surface for an intruder.</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
</Rule> | |
<Rule id="service_atd_disabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable At Service (atd)</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <xhtml:code>at</xhtml:code> and <xhtml:code>batch</xhtml:code> commands can be used to | |
schedule tasks that are meant to be executed only once. This allows delayed | |
execution in a manner similar to cron, except that it is not | |
recurring. The daemon <xhtml:code>atd</xhtml:code> keeps track of tasks scheduled via | |
<xhtml:code>at</xhtml:code> and <xhtml:code>batch</xhtml:code>, and executes them at the specified time. | |
The <xhtml:code>atd</xhtml:code> service can be disabled with the following command: | |
<xhtml:pre># chkconfig atd off</xhtml:pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">381</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The <xhtml:code>atd</xhtml:code> service could be used by an unsophisticated insider to carry | |
out activities outside of a normal login session, which could complicate | |
accountability. Furthermore, the need to schedule tasks with <xhtml:code>at</xhtml:code> or | |
<xhtml:code>batch</xhtml:code> is not common. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27249-2</ident> | |
<fix system="urn:xccdf:fix:script:sh"># | |
# Disable atd for all run levels | |
# | |
chkconfig --level 0123456 atd off | |
# | |
# Stop atd if currently running | |
# | |
service atd stop | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:295" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the service is running" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check that the <xhtml:code>atd</xhtml:code> service is disabled in system boot configuration, run the following command: | |
<xhtml:pre># chkconfig <xhtml:code>atd</xhtml:code> --list</xhtml:pre> | |
Output should indicate the <xhtml:code>atd</xhtml:code> service has either not been installed, | |
or has been disabled at all runlevels, as shown in the example below: | |
<xhtml:pre># chkconfig <xhtml:code>atd</xhtml:code> --list | |
<xhtml:code>atd</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre> | |
Run the following command to verify <xhtml:code>atd</xhtml:code> is disabled through current runtime configuration: | |
<xhtml:pre># service atd status</xhtml:pre> | |
If the service is disabled the command will return the following output: | |
<xhtml:pre>atd is stopped</xhtml:pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Group id="restrict_at_cron_users"> | |
<title xml:lang="en-US">Restrict at and cron to Authorized Users if Necessary</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The <xhtml:code>/etc/cron.allow</xhtml:code> and <xhtml:code>/etc/at.allow</xhtml:code> files contain lists of users who are allowed | |
to use cron and at to delay execution of processes. If these files exist and | |
if the corresponding files <xhtml:code>/etc/cron.deny</xhtml:code> and <xhtml:code>/etc/at.deny</xhtml:code> do not exist, | |
then only users listed in the relevant allow files can run the crontab and at | |
commands to submit jobs to be run at scheduled intervals. | |
On many systems, only the system administrator needs the ability to schedule | |
jobs. Note that even if a given user is not listed in <xhtml:code>cron.allow</xhtml:code>, cron jobs can | |
still be run as that user. The <xhtml:code>cron.allow</xhtml:code> file controls only administrative access | |
to the crontab command for scheduling and modifying cron jobs. | |
<br xmlns="http://www.w3.org/1999/xhtml"/> | |
<br xmlns="http://www.w3.org/1999/xhtml"/> | |
To restrict at and cron to only authorized users: | |
<ul xmlns="http://www.w3.org/1999/xhtml"><li>Remove the cron.deny file:<pre># rm /etc/cron.deny</pre></li><li>Edit <xhtml:code>/etc/cron.allow</xhtml:code>, adding one line for each user allowed to use the crontab command to create cron jobs.</li><li>Remove the <xhtml:code>at.deny</xhtml:code> file:<pre># rm /etc/at.deny</pre></li><li>Edit <xhtml:code>/etc/at.allow</xhtml:code>, adding one line for each user allowed to use the at command to create at jobs.</li></ul> | |
</description> | |
</Group> | |
</Group> | |
<Group id="ssh"> | |
<title xml:lang="en-US">SSH Server</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The SSH protocol is recommended for remote login and | |
remote file transfer. SSH provides confidentiality and integrity | |
for data exchanged between two systems, as well as server | |
authentication, through the use of public key cryptography. The | |
implementation included with the system is called OpenSSH, and more | |
detailed documentation is available from its website, | |
http://www.openssh.org. Its server program is called <xhtml:code>sshd</xhtml:code> and | |
provided by the RPM package <xhtml:code>openssh-server</xhtml:code>.</description> | |
<Value id="sshd_idle_timeout_value" operator="equals" type="number"> | |
<title xml:lang="en-US">SSH session Idle time</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Specify duration of allowed idle time.</description> | |
<value>300</value> | |
<value selector="5_minutes">300</value> | |
<value selector="10_minutes">600</value> | |
<value selector="15_minutes">900</value> | |
</Value> | |
<Rule id="ssh_server_disabled" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable SSH Server If Possible (Unusual)</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The SSH server service, sshd, is commonly needed. | |
However, if it can be disabled, do so. | |
The <xhtml:code>sshd</xhtml:code> service can be disabled with the following command: | |
<xhtml:pre># chkconfig sshd off</xhtml:pre> | |
This is unusual, as SSH is a common method for encrypted and authenticated | |
remote access. | |
</description> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<ident system="http://cce.mitre.org">CCE-27054-6</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:139" href="ssg-rhel6-oval.xml"/> | |
</check> | |
</Rule> | |
<Rule id="ssh_server_iptables_exception" selected="false" severity="low"> | |
<title xml:lang="en-US">Remove SSH Server iptables Firewall exception (Unusual)</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, inbound connections to SSH's port are allowed. If | |
the SSH server is not being used, this exception should be removed from the | |
firewall configuration. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
Edit the files <xhtml:code>/etc/sysconfig/iptables</xhtml:code> and <xhtml:code>/etc/sysconfig/ip6tables</xhtml:code> | |
(if IPv6 is in use). In each file, locate and delete the line: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT</pre> | |
This is unusual, as SSH is a common method for encrypted and authenticated | |
remote access. | |
</description> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
If inbound SSH connections are not expected, disallowing access to the SSH port will | |
avoid possible exploitation of the port by an attacker. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27060-3</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:356" href="ssg-rhel6-oval.xml"/> | |
</check> | |
</Rule> | |
<Group id="ssh_server"> | |
<title xml:lang="en-US">Configure OpenSSH Server if Necessary</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If the system needs to act as an SSH server, then | |
certain changes should be made to the OpenSSH daemon configuration | |
file <xhtml:code>/etc/ssh/sshd_config</xhtml:code>. The following recommendations can be | |
applied to this file. See the <xhtml:code>sshd_config(5)</xhtml:code> man page for more | |
detailed information.</description> | |
<Rule id="sshd_allow_only_protocol2" selected="false" severity="high"> | |
<title xml:lang="en-US">Allow Only SSH Protocol 2</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Only SSH protocol version 2 connections should be | |
permitted. The default setting in | |
<xhtml:code>/etc/ssh/sshd_config</xhtml:code> is correct, and can be | |
verified by ensuring that the following | |
line appears: | |
<pre xmlns="http://www.w3.org/1999/xhtml">Protocol 2</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(7)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(c)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">776</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">774</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1436</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
SSH protocol version 1 suffers from design flaws that | |
result in security vulnerabilities and | |
should not be used. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27072-8</ident> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:1002" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it is not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To check which SSH protocol version is allowed, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># grep Protocol /etc/ssh/sshd_config</pre> | |
If configured properly, output should be <pre xmlns="http://www.w3.org/1999/xhtml">Protocol 2</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="sshd_limit_user_access" selected="false" severity="low"> | |
<title xml:lang="en-US">Limit Users' SSH Access</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SSH configuration allows any user with an account | |
to access the system. In order to specify the users that are allowed to login | |
via SSH and deny all other users, add or correct the following line in the | |
<xhtml:code>/etc/ssh/sshd_config</xhtml:code> file: | |
<pre xmlns="http://www.w3.org/1999/xhtml">DenyUsers USER1 USER2</pre> | |
Where <xhtml:code>USER1</xhtml:code> and <xhtml:code>USER2</xhtml:code> are valid user names. | |
</description> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Specifying which accounts are allowed SSH access into the system reduces the | |
possibility of unauthorized access to the system. | |
</rationale> | |
</Rule> | |
<Rule id="sshd_set_idle_timeout" selected="false" severity="low"> | |
<title xml:lang="en-US">Set SSH Idle Timeout Interval</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SSH allows administrators to set an idle timeout | |
interval. | |
After this interval has passed, the idle user will be | |
automatically logged out. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
To set an idle timeout interval, edit the following line in <xhtml:code>/etc/ssh/sshd_config</xhtml:code> as | |
follows: | |
<pre xmlns="http://www.w3.org/1999/xhtml">ClientAliveInterval <b>interval</b></pre> | |
The timeout <b xmlns="http://www.w3.org/1999/xhtml">interval</b> is given in seconds. To have a timeout | |
of 15 minutes, set <b xmlns="http://www.w3.org/1999/xhtml">interval</b> to 900. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
If a shorter timeout has already been set for the login | |
shell, that value will preempt any SSH | |
setting made here. Keep in mind that some processes may stop SSH | |
from correctly detecting that the user is idle. | |
</description> | |
<reference href="http://iase.disa.mil/cci/index.html">879</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1133</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Causing idle users to be automatically logged out | |
guards against compromises one system leading trivially | |
to compromises on another. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26919-1</ident> | |
<fix system="urn:xccdf:fix:script:sh">sshd_idle_timeout_value="<sub idref="sshd_idle_timeout_value"/>" | |
grep -q ^ClientAliveInterval /etc/ssh/sshd_config && \ | |
sed -i "s/ClientAliveInterval.*/ClientAliveInterval $sshd_idle_timeout_value/g" /etc/ssh/sshd_config | |
if ! [ $? -eq 0 ]; then | |
echo "ClientAliveInterval $sshd_idle_timeout_value" >> /etc/ssh/sshd_config | |
fi | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-export export-name="oval:ssg:var:2252" value-id="sshd_idle_timeout_value"/> | |
<check-content-ref name="oval:ssg:def:474" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it is not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Run the following command to see what the timeout interval is: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># grep ClientAliveInterval /etc/ssh/sshd_config</pre> | |
If properly configured, the output should be: | |
<pre xmlns="http://www.w3.org/1999/xhtml">ClientAliveInterval 900</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="sshd_set_keepalive" selected="false" severity="low"> | |
<title xml:lang="en-US">Set SSH Client Alive Count</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To ensure the SSH idle timeout occurs precisely when the <xhtml:code>ClientAliveCountMax</xhtml:code> is set, | |
edit <xhtml:code>/etc/ssh/sshd_config</xhtml:code> as | |
follows: | |
<pre xmlns="http://www.w3.org/1999/xhtml">ClientAliveCountMax 0</pre> | |
</description> | |
<reference href="http://iase.disa.mil/cci/index.html">879</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1133</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
This ensures a user login will be terminated as soon as the <xhtml:code>ClientAliveCountMax</xhtml:code> | |
is reached. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26282-4</ident> | |
<fix system="urn:xccdf:fix:script:sh">grep -q ^ClientAliveCountMax /etc/ssh/sshd_config && \ | |
sed -i "s/ClientAliveCountMax.*/ClientAliveCountMax 0/g" /etc/ssh/sshd_config | |
if ! [ $? -eq 0 ]; then | |
echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config | |
fi | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:650" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it is not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To ensure the SSH idle timeout will occur when the <xhtml:code>ClientAliveCountMax</xhtml:code> is set, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># grep ClientAliveCountMax /etc/ssh/sshd_config</pre> | |
If properly configured, output should be: | |
<pre xmlns="http://www.w3.org/1999/xhtml">ClientAliveCountMax 0</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="sshd_disable_rhosts" selected="false" severity="medium"> | |
<title xml:lang="en-US">Disable SSH Support for .rhosts Files</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SSH can emulate the behavior of the obsolete rsh | |
command in allowing users to enable insecure access to their | |
accounts via <xhtml:code>.rhosts</xhtml:code> files. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
To ensure this behavior is disabled, add or correct the | |
following line in <xhtml:code>/etc/ssh/sshd_config</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">IgnoreRhosts yes</pre> | |
</description> | |
<reference href="http://iase.disa.mil/cci/index.html">765</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">766</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
SSH trust relationships mean a compromise on one host | |
can allow an attacker to move trivially to other hosts. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27124-7</ident> | |
<fix system="urn:xccdf:fix:script:sh">grep -q ^IgnoreRhosts /etc/ssh/sshd_config && \ | |
sed -i "s/IgnoreRhosts.*/IgnoreRhosts yes/g" /etc/ssh/sshd_config | |
if ! [ $? -eq 0 ]; then | |
echo "IgnoreRhosts yes" >> /etc/ssh/sshd_config | |
fi | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:930" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the required value is not set" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To determine how the SSH daemon's | |
<xhtml:code>IgnoreRhosts</xhtml:code> | |
option is set, run the following command: | |
<xhtml:pre xml:space="preserve"># grep -i IgnoreRhosts /etc/ssh/sshd_config</xhtml:pre> | |
If no line, a commented line, or a line indicating the value | |
<xhtml:code>yes</xhtml:code> is returned, then the required value is set. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="disable_host_auth" selected="false" severity="medium"> | |
<title xml:lang="en-US">Disable Host-Based Authentication</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SSH's cryptographic host-based authentication is | |
more secure than <xhtml:code>.rhosts</xhtml:code> authentication. However, it is | |
not recommended that hosts unilaterally trust one another, even | |
within an organization. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
To disable host-based authentication, add or correct the | |
following line in <xhtml:code>/etc/ssh/sshd_config</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">HostbasedAuthentication no</pre> | |
</description> | |
<reference href="http://iase.disa.mil/cci/index.html">765</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">766</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
SSH trust relationships mean a compromise on one host | |
can allow an attacker to move trivially to other hosts. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27091-8</ident> | |
<fix system="urn:xccdf:fix:script:sh">grep -q ^HostbasedAuthentication /etc/ssh/sshd_config && \ | |
sed -i "s/HostbasedAuthentication.*/HostbasedAuthentication no/g" /etc/ssh/sshd_config | |
if ! [ $? -eq 0 ]; then | |
echo "HostbasedAuthentication no" >> /etc/ssh/sshd_config | |
fi | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:905" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the required value is not set" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To determine how the SSH daemon's | |
<xhtml:code>HostbasedAuthentication</xhtml:code> | |
option is set, run the following command: | |
<xhtml:pre xml:space="preserve"># grep -i HostbasedAuthentication /etc/ssh/sshd_config</xhtml:pre> | |
If no line, a commented line, or a line indicating the value | |
<xhtml:code>no</xhtml:code> is returned, then the required value is set. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="sshd_disable_root_login" selected="false" severity="medium"> | |
<title xml:lang="en-US">Disable SSH Root Login</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The root user should never be allowed to login to a | |
system directly over a network. | |
To disable root login via SSH, add or correct the following line | |
in <xhtml:code>/etc/ssh/sshd_config</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">PermitRootLogin no</pre> | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6(2)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-2(1)</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">770</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Permitting direct root login reduces auditable information about who ran | |
privileged commands on the system | |
and also allows direct attack attempts on root's password. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27100-7</ident> | |
<fix system="urn:xccdf:fix:script:sh">grep -q ^PermitRootLogin /etc/ssh/sshd_config && \ | |
sed -i "s/PermitRootLogin.*/PermitRootLogin no/g" /etc/ssh/sshd_config | |
if ! [ $? -eq 0 ]; then | |
echo "PermitRootLogin "no >> /etc/ssh/sshd_config | |
fi | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:344" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the required value is not set" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To determine how the SSH daemon's | |
<xhtml:code>PermitRootLogin</xhtml:code> | |
option is set, run the following command: | |
<xhtml:pre xml:space="preserve"># grep -i PermitRootLogin /etc/ssh/sshd_config</xhtml:pre> | |
If a line indicating no is returned, then the required value is set. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="sshd_disable_empty_passwords" selected="false" severity="high"> | |
<title xml:lang="en-US">Disable SSH Access via Empty Passwords</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To explicitly disallow remote login from accounts with | |
empty passwords, add or correct the following line in | |
<xhtml:code>/etc/ssh/sshd_config</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">PermitEmptyPasswords no</pre> | |
Any accounts with empty passwords should be disabled immediately, and PAM configuration | |
should prevent users from being able to assign themselves empty passwords. | |
</description> | |
<reference href="http://iase.disa.mil/cci/index.html">765</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">766</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Configuring this setting for the SSH daemon provides additional assurance that | |
remote login via SSH will require a password, | |
even in the event of misconfiguration elsewhere. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26887-0</ident> | |
<fix system="urn:xccdf:fix:script:sh">grep -q ^PermitEmptyPasswords /etc/ssh/sshd_config && \ | |
sed -i "s/PermitEmptyPasswords.*/PermitEmptyPasswords no/g" /etc/ssh/sshd_config | |
if ! [ $? -eq 0 ]; then | |
echo "PermitEmptyPasswords no" >> /etc/ssh/sshd_config | |
fi | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:984" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the required value is not set" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To determine how the SSH daemon's | |
<xhtml:code>PermitEmptyPasswords</xhtml:code> | |
option is set, run the following command: | |
<xhtml:pre xml:space="preserve"># grep -i PermitEmptyPasswords /etc/ssh/sshd_config</xhtml:pre> | |
If no line, a commented line, or a line indicating the value | |
<xhtml:code>no</xhtml:code> is returned, then the required value is set. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="sshd_enable_warning_banner" selected="false" severity="medium"> | |
<title xml:lang="en-US">Enable SSH Warning Banner</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
To enable the warning banner and ensure it is consistent | |
across the system, add or correct the following line in <xhtml:code>/etc/ssh/sshd_config</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">Banner /etc/issue</pre> | |
Another section contains information on how to create an | |
appropriate system-wide warning banner. | |
</description> | |
<reference href="http://iase.disa.mil/cci/index.html">48</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
The warning message reinforces policy awareness during the logon process and | |
facilitates possible legal action against attackers. Alternatively, systems | |
whose ownership should not be obvious should ensure usage of a banner that does | |
not provide easy attribution. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27112-2</ident> | |
<fix system="urn:xccdf:fix:script:sh">grep -q ^Banner /etc/ssh/sshd_config && \ | |
sed -i "s/Banner.*/Banner \/etc\/issue/g" /etc/ssh/sshd_config | |
if ! [ $? -eq 0 ]; then | |
echo "Banner /etc/issue" >> /etc/ssh/sshd_config | |
fi | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:614" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="the required value is not set" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To determine how the SSH daemon's | |
<xhtml:code>Banner</xhtml:code> | |
option is set, run the following command: | |
<xhtml:pre xml:space="preserve"># grep -i Banner /etc/ssh/sshd_config</xhtml:pre> | |
If a line indicating /etc/issue is returned, then the required value is set. | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="sshd_do_not_permit_user_env" selected="false" severity="low"> | |
<title xml:lang="en-US">Do Not Allow SSH Environment Options</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To ensure users are not able to present | |
environment options to the SSH daemon, add or correct the following line | |
in <xhtml:code>/etc/ssh/sshd_config</xhtml:code>: | |
<pre xmlns="http://www.w3.org/1999/xhtml">PermitUserEnvironment no</pre> | |
</description> | |
<reference href="http://iase.disa.mil/cci/index.html">1414</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
SSH environment options potentially allow users to bypass | |
access restriction in some configurations. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-27201-3</ident> | |
<fix system="urn:xccdf:fix:script:sh">grep -q ^PermitUserEnvironment /etc/ssh/sshd_config && \ | |
sed -i "s/PermitUserEnvironment.*/PermitUserEnvironment no/g" /etc/ssh/sshd_config | |
if ! [ $? -eq 0 ]; then | |
echo "PermitUserEnvironment no" >> /etc/ssh/sshd_config | |
fi | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:612" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="it is not" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
To ensure users are not able to present environment daemons, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># grep PermitUserEnvironment /etc/ssh/sshd_config</pre> | |
If properly configured, output should be: | |
<pre xmlns="http://www.w3.org/1999/xhtml">PermitUserEnvironment no</pre> | |
</check-content> | |
</check> | |
</Rule> | |
<Rule id="sshd_use_approved_ciphers" selected="false" severity="medium"> | |
<title xml:lang="en-US">Use Only Approved Ciphers</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Limit the ciphers to those algorithms which are FIPS-approved. | |
Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. | |
The following line in <xhtml:code>/etc/ssh/sshd_config</xhtml:code> | |
demonstrates use of FIPS-approved ciphers: | |
<pre xmlns="http://www.w3.org/1999/xhtml">Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc</pre> | |
The man page <xhtml:code>sshd_config(5)</xhtml:code> contains a list of supported ciphers. | |
</description> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-3</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-17(2)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-10(5)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(c)</reference> | |
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-7</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">803</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1144</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1145</reference> | |
<reference href="http://iase.disa.mil/cci/index.html">1146</reference> | |
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> | |
<dc:contributor>DS</dc:contributor> | |
<dc:date>20121024</dc:date> | |
</reference> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Approved algorithms should impart some level of confidence in their | |
implementation. These are also required for compliance. | |
</rationale> | |
<ident system="http://cce.mitre.org">CCE-26555-3</ident> | |
<fix system="urn:xccdf:fix:script:sh">grep -q ^Ciphers /etc/ssh/sshd_config && \ | |
sed -i "s/Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc/g" /etc/ssh/sshd_config | |
if ! [ $? -eq 0 ]; then | |
echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc" >> /etc/ssh/sshd_config | |
fi | |
</fix> | |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
<check-content-ref name="oval:ssg:def:687" href="ssg-rhel6-oval.xml"/> | |
</check> | |
<check system="ocil-transitional"> | |
<check-export export-name="that is not the case" value-id="conditional_clause"/> | |
<check-content xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
Only FIPS-approved ciphers should be used. To verify that only FIPS-approved | |
ciphers are in use, run the following command: | |
<pre xmlns="http://www.w3.org/1999/xhtml"># grep Ciphers /etc/ssh/sshd_config</pre> | |
The output should contain only those ciphers which are FIPS-approved, namely, the | |
AES and 3DES ciphers. | |
</check-content> | |
</check> | |
</Rule> | |
<Group id="sshd_strengthen_firewall"> | |
<title xml:lang="en-US">Strengthen Firewall Configuration if Possible</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If the SSH server is expected to only receive connections from | |
the local network, then strengthen the default firewall rule for the SSH service | |
to only accept connections from the appropriate network segment(s). | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
Determine an appropriate network block, <xhtml:code>netwk</xhtml:code>, and network mask, <xhtml:code>mask</xhtml:code>, | |
representing the machines on your network which will be allowed to access this SSH server. | |
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/> | |
Edit the files <xhtml:code>etc/sysconfig/iptables</xhtml:code> and <xhtml:code>/etc/sysconfig/ip6tables</xhtml:code> | |
(if IPv6 is in use). In each file, locate the line: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT</pre> | |
and replace it with: | |
<pre xmlns="http://www.w3.org/1999/xhtml">-A INPUT -s netwk/mask -m state --state NEW -p tcp --dport 22 -j ACCEPT</pre> | |
</description> | |
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> | |
Restricting SSH access to only trusted network segments reduces exposure of the SSH | |
server to attacks from unauthorized networks.</rationale> | |
</Group> | |
</Group> | |
</Group> | |
<Group id="xwindows"> | |
<title xml:lang="en-US">X Window System</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The X Window System implementation included with the | |
system is called X.org.</description> | |
<Group id="disabling_xwindows"> | |
<title xml:lang="en-US">Disable X Windows</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Unless there is a mission-critical reason for the | |
system to run a graphical user interface, ensure X is not set to start | |
automatically at boot and remove the X Windows software packages. | |
There is usually no reason to run X Windows | |
on a dedicated server machine, as it increases the system's attack surface and consumes | |
system resources. Administrators of server systems should instead login via | |
SSH or on the text console.</description> | |
<Rule id="disable_xwindows_with_runlevel" selected="false" severity="low"> | |
<title xml:lang="en-US">Disable X Windows Startup By Setting Runlevel</title> | |
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Setting the system's runlevel to 3 will prevent automatic startup | |
of the X server. To do so, ensure the following line in <xhtml:code>/etc/inittab</xhtml:code> | |
features a <xhtml:code>3</xhtml:code> as shown: | |
<pre xmlns="http://www.w3.org/1999/xhtml">id:3:initdefault:</pre> | |
</description> | |
<reference href="http://iase.disa.mil/cci/index.html">366</reference> | |
<reference xmlns:dc="h |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment