
List:       scap-security-guide
Subject:    Fwd: Kickstart with SSG/fixes and More
From:       Shawn Wells <shawn () redhat ! com>
Date:       2013-09-27 19:33:31
Message-ID: 5245DD8B.5070100 () redhat ! com


For those who don't know Ted Brunell, he works at RHT as a Solution 
Architect handling USMC and some Army elements. He created a kickstart 
script against SSG, sharing here with his permission.


Thanks, Ted!


-------- Original Message --------
Subject: 	Kickstart with SSG/fixes and More
Date: 	Fri, 27 Sep 2013 15:24:15 -0400 (EDT)
From: 	Ted Brunell <tbrunell@redhat.com>
To: 	Shawn Wells <swells@redhat.com>



I thought you'd like to see this.  I used SSG inside of a kickstart and found that I had a way to go to get close to 100%.  I did a bunch of sed scripting but am still only hitting 86.67%.  Lots of false hits particularly with /etc/audit/audit.rules settings.  Some things like GNOME settings fail even though GNOME is not installed.  Seems like it should detect GNOME and pass if the setting cannot be set.

Kickstart and before/after SSG reports are attached.

R/
Ted

Ted Brunell - RHCDS, RHCE, RHCVA
Senior Solution Architect
Red Hat, Inc.
(c) 760-712-6837
tbrunell@redhat.com




["ks.cfg" (application/octet-stream)]
["AfterFix-ssg-results.html" (text/html)]

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:svg="http://www.w3.org/2000/svg">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <title>XCCDF test result</title>
    <meta name="generator" content="" />
    <meta name="Content-Type" content="text/html;charset=utf-8" />
    <style type="text/css" media="all">
    html, body { background-color: black; font-family:sans-serif; margin:0; padding:0; }
    abbr { text-transform:none; border:none; font-variant:normal; }
    div.score-outer { height: .8em; width:100%; min-width:100px; background-color: red; }
    div.score-inner { height: 100%; background-color: green; }
    .score-max, .score-val, .score-percent { text-align:right; }
    .score-percent { font-weight: bold; }
    th, td { padding-left:.5em; padding-right:.5em; }
    .rule-selected, .result-pass strong, .result-fixed strong { color:green; }
    .rule-inactive, .unknown, .result-notselected strong, .result-notchecked strong, .result-notapplicable strong, .result-informational strong, .result-unknown strong {
                color:#555; }
    .rule-notselected, .result-error strong, .result-fail strong { color:red; }
    table { border-collapse: collapse; border: 1px black solid; width:100%; }
    table th, thead tr { background-color:black; color:white; }
    table td { border-right: 1px black solid; }
    table td.result, table td.link { text-align:center; }
    table td.num { text-align:right; }
    div#rule-results-summary { margin-bottom: 1em; }
    table tr.result-legend td { width: 10%; }
    div#content p { text-align:justify; }
    div.result-detail { border: 1px solid black; margin: 2em 0; padding: 0 1em; }
    div#content h2 { border-bottom:2px dashed; margin-top:1em; margin-bottom:0.5em; text-align:center; }
    div#content h2#summary { margin-top:0; }
    h1 { margin:1em 0; }
    div.raw table, div.raw table td { border:none; width:auto; padding:0; }
    div.raw table { margin-left: 2em; }
    div.raw table td { padding: .1em .7em; }
    table tr { border-bottom: 1px dotted #000; }
    dir.raw table tr { border-bottom: 0 !important; }
    pre.code { background: #ccc; padding:.2em; }
    ul.toc-struct li { list-style-type: none; }
    div.xccdf-rule { margin-left: 10%; }
    div#footer, p.remark, .link { font-size:.8em; }
    thead tr td { font-weight:bold; text-align:center; }
    .hidden { display:none; }
    td.score-bar { text-align:center; }
    td.score-bar span.media { width:100%; min-width:7em; height:.8em; display:block; margin:0; padding:0; }
    .oval-results { font-size:.8em; overflow:auto; }
    div#guide-top-table table { width: 100%; }
    td#common-info { min-width: 25.0em; border-right: 1px solid #000; }
    td#versions-revisions { width: 25.0em; }
  </style>
    <style type="text/css" media="screen">
    div#content, div#header, div#footer { margin-left:1em; margin-right:1em; }
    div#content { background-color: white; padding:2em; }
    div#footer, div#header { color:white; text-align:center; }
    a, a:visited { color:blue; text-decoration:underline; }
    div#content p.link { text-align:right; font-size:.8em; }
    div#footer a { color:white; }
    div.xccdf-group, div.xccdf-rule { border-left: 3px solid white; padding-left:.3em; }
    div.xccdf-group:target, div.xccdf-rule:target { border-left-color:#ccc; }
    .toc-struct li:target { background:#ddd; }
    abbr { border-bottom: 1px black dotted; }
    abbr.date { border-bottom:none; }
    pre.code { overflow:auto; }
    table tbody tr:hover { background: #ccc; }
    div.raw table tbody tr:hover { background: transparent !important; }
  </style>
    <style type="text/css" media="print">
    @page { margin:3cm; }
    html, body { background-color:white; font-family:serif; }
    .link { display:none; }
    a, a:visited { color:black; text-decoration:none; }
    div#header, div#footer { text-align:center; }
    div#header { padding-top:36%; }
    h1 { vertical-align:center; }
    h2 { page-break-before:always; }
    h3, h4, h5  { page-break-after:avoid; }
    pre.code { background: #ccc; }
    div#footer { margin-top:auto; }
    .toc-struct { page-break-after:always; }
  </style>
  </head>
  <body>
    <div id="xccdf_org.open-scap_testresult_stig-rhel6-server">
      <div id="header">
        <h1>XCCDF test result</h1>
      </div>
      <div id="content">
        <div id="intro">
          <h2>Introduction</h2>
          <div>
            <h3>Test Result</h3>
            <div id="test-result-summary">
              <table>
                <thead>
                  <tr>
                    <td>Result ID</td>
                    <td>Profile</td>
                    <td>Start time</td>
                    <td>End time</td>
                    <td>Benchmark</td>
                    <td>Benchmark version</td>
                  </tr>
                </thead>
                <tbody>
                  <tr>
                    <td align="center">xccdf_org.open-scap_testresult_stig-rhel6-server</td>
                    <td align="center">stig-rhel6-server</td>
                    <td align="center">
                      <abbr title="2013-09-27T19:03:46" class="date">2013-09-27 19:03</abbr>
                    </td>
                    <td align="center">
                      <abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr>
                    </td>
                    <td align="center">
                      <span>embedded</span>
                    </td>
                    <td align="center">0.9</td>
                  </tr>
                </tbody>
              </table>
            </div>
          </div>
          <div>
            <h3>Target info</h3>
            <div class="raw">
              <table>
                <tbody>
                  <tr>
                    <td valign="top">
                      <h4>Targets</h4>
                      <ul class="itemizedlist">
                        <li>localhost.localdomain</li>
                      </ul>
                    </td>
                    <td valign="top">
                      <h4>Addresses</h4>
                      <ul class="itemizedlist">
                        <li>127.0.0.1</li>
                        <li>192.168.122.90</li>
                        <li>::1</li>
                        <li>fe80::5054:ff:fe59:eba4</li>
                      </ul>
                    </td>
                    <td></td>
                    <td valign="top">
                      <h4>Platforms</h4>
                      <ul class="itemizedlist">
                        <li>cpe:/o:redhat:enterprise_linux:6</li>
                        <li>cpe:/o:redhat:enterprise_linux:6::client</li>
                      </ul>
                    </td>
                    <td valign="top"></td>
                  </tr>
                </tbody>
              </table>
            </div>
          </div>
          <div>
            <h3>Score</h3>
            <div>
              <table>
                <thead>
                  <tr>
                    <td>system</td>
                    <td>score</td>
                    <td>max</td>
                    <td>%</td>
                    <td>bar</td>
                  </tr>
                </thead>
                <tbody>
                  <tr id="score-urn-xccdf-scoring-default">
                    <td class="score-sys">urn:xccdf:scoring:default</td>
                    <td class="score-val">86.67</td>
                    <td class="score-max">100.00</td>
                    <td class="score-percent">86.67%</td>
                    <td class="score-bar">
                      <span class="media">
                        <svg xmlns="http://www.w3.org/2000/svg" xmlns:ovalres="http://oval.mitre.org/XMLSchema/oval-results-5" xmlns:sceres="http://open-scap.org/page/SCE_result_file" width="100%" height="100%" version="1.1" baseProfile="full">
                          <rect width="100%" height="100%" fill="red"></rect>
                          <rect height="100%" width="86.67%" fill="green"></rect>
                          <rect height="100%" x="86.67%" width="2" fill="black"></rect>
                        </svg>
                      </span>
                    </td>
                  </tr>
                </tbody>
              </table>
            </div>
          </div>
        </div>
        <div id="results-overview">
          <h2>Results overview</h2>
          <div id="rule-results-summary">
            <h4>Rule Results Summary</h4>
            <table>
              <thead>
                <tr>
                  <td>pass</td>
                  <td>fixed</td>
                  <td>fail</td>
                  <td>error</td>
                  <td>not selected</td>
                  <td>not checked</td>
                  <td>not applicable</td>
                  <td>informational</td>
                  <td>unknown</td>
                  <td>total</td>
                </tr>
              </thead>
              <tbody>
                <tr class="result-legend">
                  <td align="center" class="result-pass">
                    <strong class="strong">163</strong>
                  </td>
                  <td align="center" class="result-fixed">
                    <strong class="strong">0</strong>
                  </td>
                  <td align="center" class="result-fail">
                    <strong class="strong">32</strong>
                  </td>
                  <td align="center" class="result-error">
                    <strong class="strong">1</strong>
                  </td>
                  <td align="center" class="result-notselected">
                    <strong class="strong">162</strong>
                  </td>
                  <td align="center" class="result-notchecked">
                    <strong class="strong">24</strong>
                  </td>
                  <td align="center" class="result-notapplicable">
                    <strong class="strong">0</strong>
                  </td>
                  <td align="center" class="result-informational">
                    <strong class="strong">0</strong>
                  </td>
                  <td align="center" class="result-unknown">
                    <strong class="strong">3</strong>
                  </td>
                  <td align="center">
                    <strong class="strong">385</strong>
                  </td>
                </tr>
              </tbody>
            </table>
          </div>
          <div>
            <h4 class="hidden">Rule results summary</h4>
            <table>
              <thead>
                <tr>
                  <td>Title</td>
                  <td>Result</td>
                </tr>
              </thead>
              <tbody>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26515280">Ensure /tmp Located On Separate Partition</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26519984">Ensure /var Located On Separate Partition</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26524624">Ensure /var/log Located On Separate Partition</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26529264">Ensure /var/log/audit Located On Separate Partition</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26533920">Ensure /home Located On Separate Partition</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp26538560">Encrypt Partitions</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26541520">Ensure Red Hat GPG Key Installed</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26546176">Ensure gpgcheck Enabled In Main Yum Configuration</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26550832">Ensure gpgcheck Enabled For All Yum Package Repositories</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp26555488">Ensure Software Patches Installed</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26558464">Install AIDE</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp26569120">Configure Periodic Execution of AIDE</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp26572880">Verify File Permissions with RPM</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26577520">Verify File Hashes with RPM</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp26582160">Install Intrusion Detection Software</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp26585120">Install Virus Scanning Software</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp26593664">Add noexec Option to Removable Media Partitions</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26622960">Disable Modprobe Loading of USB Storage Driver</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26632704">Disable the Automounter</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26663776">Verify User Who Owns shadow File</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26668416">Verify Group Who Owns shadow File</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26673056">Verify Permissions on shadow File</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26677696">Verify User Who Owns group File</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26682336">Verify Group Who Owns group File</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26686976">Verify Permissions on group File</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26691616">Verify User Who Owns gshadow File</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26696256">Verify Group Who Owns gshadow File</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26700912">Verify Permissions on gshadow File</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26705552">Verify User Who Owns passwd File</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26710192">Verify Group Who Owns passwd File</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26714832">Verify Permissions on passwd File</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26719488">Verify that Shared Library Files Have Restrictive Permissions</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26723360">Verify that Shared Library Files Have Root Ownership</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp26727200">Verify that System Executables Have Restrictive Permissions</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp26730128">Verify that System Executables Have Root Ownership</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26733104">Verify that All World-Writable Directories Have Sticky Bits Set</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp26737856">Ensure No World-Writable Files Exist</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26747488">Ensure All Files Are Owned by a User</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26752144">Ensure All Files Are Owned by a Group</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26756800">Ensure All World-Writable Directories Are Owned by a System Account</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp26761456">Set Daemon Umask</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26766992">Disable Core Dumps for All Users</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26774592">Enable ExecShield</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26779232">Enable Randomized Layout of Virtual Address Space</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26788992">Ensure SELinux Not Disabled in /etc/grub.conf</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26793648">Ensure SELinux State is Enforcing</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26799184">Configure SELinux Policy</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-error">
                  <td class="id">
                    <a href="#ruleresult-idp26809840">Ensure No Device Files are Unlabeled by SELinux</a>
                  </td>
                  <td class="result">
                    <strong class="strong">error</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26816640">Restrict Virtual Console Root Logins</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26821296">Restrict Serial Port Root Logins</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp26828096">Ensure that System Accounts Do Not Run a Shell Upon Login</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26833568">Verify Only Root Has UID 0</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26840352">Prevent Log In to Accounts With Empty Password</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26844992">Verify All Account Password Hashes are Shadowed</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp26849648">All GIDs referenced in /etc/passwd must be defined in /etc/group</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26852608">Verify No netrc Files Exist</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp26857248">Set Password Minimum Length in login.defs</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26862720">Set Password Minimum Age</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26868320">Set Password Maximum Age</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26873856">Set Password Warning Age</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26879392">Set Account Expiration Following Inactivity</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp26884960">Ensure All Accounts on the System Have Unique Names</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp26888704">Assign Expiration Date to Temporary Accounts</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26891680">Set Last Logon/Access Notification</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26896320">Set Password Retry Prompts Permitted Per-Session</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp26901872">Set Password to Maximum of Three Consecutive Repeating Characters</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26905632">Set Password Strength Minimum Digit Characters</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp26911200">Set Password Strength Minimum Uppercase Characters</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp26916768">Set Password Strength Minimum Special Characters</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp26922336">Set Password Strength Minimum Lowercase Characters</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26927904">Set Password Strength Minimum Different Characters</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp26933472">Set Deny For Failed Password Attempts</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp26939040">Set Lockout Time For Failed Password Attempts</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp26945440">Set Interval For Counting Failed Password Attempts</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26951840">Limit Password Reuse</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26957408">Set Password Hashing Algorithm in /etc/pam.d/system-auth</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26962080">Set Password Hashing Algorithm in /etc/login.defs</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26966752">Set Password Hashing Algorithm in /etc/libuser.conf</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26971424">Limit the Number of Concurrent Login Sessions Allowed Per User</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26985808">Ensure the Default Bash Umask is Set Correctly</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26991360">Ensure the Default C Shell Umask is Set Correctly</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26996912">Ensure the Default Umask is Set Correctly in /etc/profile</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27002464">Ensure the Default Umask is Set Correctly in login.defs</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27008016">Verify /etc/grub.conf User Ownership</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27012656">Verify /etc/grub.conf Group Ownership</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27017296">Verify /boot/grub/grub.conf Permissions</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27021936">Set Boot Loader Password</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27026576">Require Authentication for Single User Mode</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp27031232">Disable Ctrl-Alt-Del Reboot Activation</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27034208">Disable Interactive Boot</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27038864">Set GNOME Login Inactivity Timeout</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27044432">GNOME Desktop Screensaver Mandatory Use</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27049088">Enable Screen Lock Activation After Idle Period</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27053744">Implement Blank Screen Saver</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27058384">Install the screen Package</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp27063984">Enable Smart Card Login</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27066944">Modify the System Login Banner</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27100032">Enable GUI Warning Banner</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp27104256">Set GUI Warning Banner Text</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27118480">Disable Kernel Parameter for Sending ICMP Redirects by Default</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27122864">Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27127232">Disable Kernel Parameter for IP Forwarding</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27131600">Disable Kernel Parameter for Accepting Source-Routed Packets for All Interfaces</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27138432">Disable Kernel Parameter for Accepting ICMP Redirects for All Interfaces</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27145376">Disable Kernel Parameter for Accepting Secure Redirects for All Interfaces</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27152416">Enable Kernel Parameter to Log Martian Packets</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27159616">Disable Kernel Parameter for Accepting Source-Routed Packets By Default</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27166880">Disable Kernel Parameter for Accepting ICMP Redirects By Default</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27173264">Disable Kernel Parameter for Accepting Secure Redirects By Default</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27180624">Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27187840">Enable Kernel Parameter to Ignore Bogus ICMP Error Responses</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27195248">Enable Kernel Parameter to Use TCP Syncookies</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27202272">Enable Kernel Parameter to Use Reverse Path Filtering for All Interfaces</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27075136">Enable Kernel Parameter to Use Reverse Path Filtering by Default</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27092672">Disable Bluetooth Service</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27210512">Disable Bluetooth Kernel Modules</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27214576">Disable IPv6 Networking Support Automatic Loading</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27223792">Disable Accepting IPv6 Redirects</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27237456">Verify ip6tables Enabled if Using IPv6</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27245040">Verify iptables Enabled</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27249680">Set Default iptables Policy for Incoming Packets</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp27254336">Set Default iptables Policy for Forwarded Packets</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27258096">Disable DCCP Support</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27262736">Disable SCTP Support</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27267376">Disable RDS Support</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27272016">Disable TIPC Support</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27276656">Install openswan Package</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27281296">Ensure rsyslog is Installed</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27285952">Enable rsyslog Service</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27290608">Ensure Log Files Are Owned By Appropriate User</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-unknown">
                  <td class="id">
                    <a href="#ruleresult-idp27295264">Ensure Log Files Are Owned By Appropriate Group</a>
                  </td>
                  <td class="result">
                    <strong class="strong">unknown</strong>
                  </td>
                </tr>
                <tr class="result-unknown">
                  <td class="id">
                    <a href="#ruleresult-idp27299920">Ensure System Log Files Have Correct Permissions</a>
                  </td>
                  <td class="result">
                    <strong class="strong">unknown</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27304576">Ensure Logs Sent To Remote Host</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-unknown">
                  <td class="id">
                    <a href="#ruleresult-idp27318064">Ensure Logrotate Runs Periodically</a>
                  </td>
                  <td class="result">
                    <strong class="strong">unknown</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27330768">Enable auditd Service</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27335408">Enable Auditing for Processes Which Start Prior to the Audit Daemon</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27340064">Configure auditd Number of Logs Retained</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27344512">Configure auditd Max Log File Size</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27349344">Configure auditd max_log_file_action Upon Reaching Maximum Log Size</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27354912">Configure auditd space_left Action on Low Disk Space</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27360480">Configure auditd admin_space_left Action on Low Disk Space</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27366064">Configure auditd mail_acct Action on Low Disk Space</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27373792">Record attempts to alter time through adjtimex</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27378448">Record attempts to alter time through settimeofday</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27383104">Record Attempts to Alter Time Through stime</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27387744">Record Attempts to Alter Time Through clock_settime</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27392400">Record Attempts to Alter the localtime File</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27397056">Record Events that Modify User/Group Information</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27401696">Record Events that Modify the System's Network Environment</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27406352">System Audit Logs Must Have Mode 0640 or Less Permissive</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27413920">Record Events that Modify the System's Mandatory Access Controls</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27418560">Record Events that Modify the System's Discretionary Access Controls - chmod</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27423216">Record Events that Modify the System's Discretionary Access Controls - chown</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27427872">Record Events that Modify the System's Discretionary Access Controls - fchmod</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27432528">Record Events that Modify the System's Discretionary Access Controls - fchmodat</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27437184">Record Events that Modify the System's Discretionary Access Controls - fchown</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27441840">Record Events that Modify the System's Discretionary Access Controls - fchownat</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27446496">Record Events that Modify the System's Discretionary Access Controls - fremovexattr</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27451168">Record Events that Modify the System's Discretionary Access Controls - fsetxattr</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27455824">Record Events that Modify the System's Discretionary Access Controls - lchown</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27460480">Record Events that Modify the System's Discretionary Access Controls - lremovexattr</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27465152">Record Events that Modify the System's Discretionary Access Controls - lsetxattr</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27469808">Record Events that Modify the System's Discretionary Access Controls - removexattr</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27474480">Record Events that Modify the System's Discretionary Access Controls - setxattr</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27484928">Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27489568">Ensure auditd Collects Information on the Use of Privileged Commands</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27494224">Ensure auditd Collects Information on Exporting to Media (successful)</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27498864">Ensure auditd Collects File Deletion Events by User</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27503504">Ensure auditd Collects System Administrator Actions</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27508144">Ensure auditd Collects Information on Kernel Module Loading and Unloading</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27515728">Disable xinetd Service</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27520368">Uninstall xinetd Package</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27526080">Disable telnet Service</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27530720">Uninstall telnet-server Package</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27536384">Uninstall rsh-server Package</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27541024">Disable rexec Service</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27545664">Disable rsh Service</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27550304">Disable rlogin Service</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27554944">Remove Rsh Trust Files</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27559584">Uninstall ypserv Package</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27565216">Disable ypbind Service</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27569856">Disable tftp Service</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27574496">Uninstall tftp-server Package</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27579136">Ensure tftp Daemon Uses Secure Mode</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27583776">Disable Automatic Bug Reporting Tool (abrtd)</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27617568">Disable Network Console (netconsole)</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27622384">Disable ntpdate Service (ntpdate)</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27627040">Disable Odd Job Daemon (oddjobd)</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27637568">Disable Apache Qpid (qpidd)</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27645152">Disable Network Router Discovery Daemon (rdisc)</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27649792">Disable Red Hat Network Service (rhnsd)</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27666208">Enable cron Service</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27681792">Allow Only SSH Protocol 2</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27688592">Set SSH Idle Timeout Interval</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27694144">Set SSH Client Alive Count</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27698784">Disable SSH Support for .rhosts Files</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27703424">Disable Host-Based Authentication</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27708064">Disable SSH Root Login</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27712720">Disable SSH Access via Empty Passwords</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27717376">Enable SSH Warning Banner</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27722032">Do Not Allow SSH Environment Options</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27726688">Use Only Approved Ciphers</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27731344">Disable X Windows Startup By Setting Runlevel</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27736000">Remove the X Windows Package Group</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27740656">Disable Avahi Server Software</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27780064">Disable DHCP Client</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27784864">Enable the NTP Daemon</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27789504">Specify a Remote NTP Server</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27796320">Enable Postfix Service</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27800960">Uninstall Sendmail Package</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27805616">Disable Postfix Network Listening</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27812416">Configure LDAP Client to Use TLS For All Transactions</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27817056">Configure Certificate Directives for LDAP Use of TLS</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27821712">Uninstall openldap-servers Package</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27855744">Mount Remote Filesystems with nodev</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27860400">Mount Remote Filesystems with nosuid</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp27870960">Ensure Insecure File Locking is Not Allowed</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp27897440">Enable Logging of All FTP Transactions</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp27901248">Create Warning Banners for All FTP Users</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27993424">Require Client SMB Packet Signing, if using smbclient</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27998176">Require Client SMB Packet Signing, if using mount.cifs</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp28014544">Configure SNMP Service to Use Only SNMPv3 or Newer</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp28017392">Ensure Default Password Is Not Used</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
              </tbody>
            </table>
          </div>
        </div>
        <div id="results-details">
          <h2>Results details</h2>
          <div class="result-detail" id="ruleresult-idp26515280">
            <h3>Result for Ensure /tmp Located On Separate Partition</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">partition_for_tmp</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:47" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
The <code>/tmp</code> directory is a world-writable directory used
for temporary file storage. Ensure it has its own partition or
logical volume at installation time, or migrate it using LVM.
</p>
            <p>
The <code>/tmp</code> partition is used as temporary storage by many programs.
Placing <code>/tmp</code> in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26435-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26519984">
            <h3>Result for Ensure /var Located On Separate Partition</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">partition_for_var</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:47" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The <code>/var</code> directory is used by daemons and other system
services to store frequently-changing data. Ensure that <code>/var</code> has its own
partition or logical volume at installation time, or migrate it using LVM.
</p>
            <p>
Ensuring that <code>/var</code> is mounted on its own partition enables the
setting of more restrictive mount options. This helps protect
system services such as daemons or other programs which use it.
It is not uncommon for the <code>/var</code> directory to contain
world-writable directories, installed by other software packages.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26639-5</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26524624">
            <h3>Result for Ensure /var/log Located On Separate Partition</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">partition_for_var_log</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:47" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
System logs are stored in the <code>/var/log</code> directory.
Ensure that it has its own partition or logical
volume at installation time, or migrate it using LVM.
</p>
            <p>
Placing <code>/var/log</code> in its own partition
enables better separation between log files
and other files in <code>/var/</code>.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26215-4</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26529264">
            <h3>Result for Ensure /var/log/audit Located On Separate Partition</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">partition_for_var_log_audit</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:47" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
Audit logs are stored in the <code>/var/log/audit</code> directory.  Ensure that it
has its own partition or logical volume at installation time, or migrate it
later using LVM. Make absolutely certain that it is large enough to store all
audit logs that will be created by the auditing daemon.
</p>
            <p>
Placing <code>/var/log/audit</code> in its own partition
enables better separation between audit files
and other files, and helps ensure that
auditing cannot be halted due to the partition running out
of space.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26436-6</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26533920">
            <h3>Result for Ensure /home Located On Separate Partition</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">partition_for_home</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:47" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
If user home directories will be stored locally, create a separate partition
for <code>/home</code> at installation time (or migrate it later using LVM). If
<code>/home</code> will be mounted from another system such as an NFS server, then
creating a separate partition is not necessary at installation time, and the
mountpoint can instead be configured later.
</p>
            <p>
Ensuring that <code>/home</code> is mounted on its own partition enables the
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26557-9</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26538560">
            <h3>Result for Encrypt Partitions</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">encrypt_partitions</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:47" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
Red Hat Enterprise Linux 6 natively supports partition encryption through the
Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to
encrypt a partition is during installation time.
<br /><br />
For manual installations, select the <code>Encrypt</code> checkbox during
partition creation to encrypt the partition. When this
option is selected the system will prompt for a passphrase to use in
decrypting the partition. The passphrase will subsequently need to be entered
manually every time the system boots.
<br /><br />
For automated/unattended installations, it is possible to use Kickstart by adding
the <code>--encrypted</code> and <code>--passphrase=</code> options to the definition
of each partition to be encrypted. For example, the following line would encrypt the
root partition:
<pre class="code"><code>part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=<em>PASSPHRASE</em></code></pre>
Any <em>PASSPHRASE</em> is stored in the Kickstart in plaintext, and the Kickstart must then be protected
accordingly. Omitting the <code>--passphrase=</code> option from the partition
definition will cause the installer to pause and interactively ask for the passphrase
during installation. <br /><br />
Detailed information on encrypting partitions using LUKS can be found on
the Red Hat Documentation web site:<br />
https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html
 </p>
            <p>
The risk of a system's physical compromise, particularly mobile systems such as
laptops, places its data at risk of compromise.  Encrypting this data mitigates
the risk of its loss if the system is lost.
</p>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26541520">
            <h3>Result for Ensure Red Hat GPG Key Installed</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">ensure_redhat_gpgkey_installed</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:47" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">high</strong></p>
            <p>
To ensure the system can cryptographically verify base software
packages come from Red Hat (and to connect to the Red Hat Network to
receive them if desired), the Red Hat GPG key must be properly installed.
To ensure the GPG key is installed, run:
<pre class="code"><code># rhn_register</code></pre>
If the system is not connected to the internet, or a local RHN Satellite,
then install the Red Hat GPG key from a secure, static location, such as
the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted
in <code>/mnt/cdrom</code>, use the following command as the root user to import
it into the keyring:
<pre class="code"><code># rpm --import /mnt/cdrom/RPM-GPG-KEY</code></pre></p>
            <p>
This key is necessary to cryptographically verify packages
are from Red Hat.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26506-6</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26546176">
            <h3>Result for Ensure gpgcheck Enabled In Main Yum Configuration</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">ensure_gpgcheck_globally_activated</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:47" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">high</strong></p>
            <p>The <code>gpgcheck</code> option should be used
to ensure checking of an RPM package's signature always occurs prior to its
installation. To configure yum to check package signatures before installing
them, ensure the following line appears in <code>/etc/yum.conf</code> in
the <code>[main]</code> section:
<pre class="code"><code>gpgcheck=1</code></pre></p>
            <p>
Ensuring the validity of packages' cryptographic signatures prior to
installation ensures the provenance of the software and
protects against malicious tampering.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26709-6</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26550832">
            <h3>Result for Ensure gpgcheck Enabled For All Yum Package Repositories</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">ensure_gpgcheck_never_disabled</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:47" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">high</strong></p>
            <p>To ensure signature checking is not disabled for
any repos, remove any lines from files in <code>/etc/yum.repos.d</code> of the form:
<pre class="code"><code>gpgcheck=0</code></pre></p>
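As an added example that is not part of SSG or of this report, the two gpgcheck rules above (the <code>[main]</code> section of yum.conf, and the per-repository files) written as shell functions. File and directory paths are parameters, and the sample configurations in the block are constructed for offline testing rather than taken from the scanned host.

```shell
# Added example, not SSG code: check gpgcheck=1 in [main] of a yum.conf-style
# file, and list *.repo files in a yum.repos.d-style directory that set
# gpgcheck=0 (the lines the rule says to remove).

# Succeeds (exit 0) only if the [main] section of the file given as $1 sets
# gpgcheck=1 on an uncommented line. Whitespace around '=' is tolerated;
# a gpgcheck=1 in some other section does not count.
main_gpgcheck_enabled() {
    awk '
        # every section header switches the "inside [main]" flag on or off
        /^[ \t]*\[/ { in_main = ($0 ~ /^[ \t]*\[main\][ \t]*$/); next }
        in_main && /^[ \t]*gpgcheck[ \t]*=[ \t]*1[ \t]*$/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Prints the name of every *.repo file in directory $1 that contains an
# uncommented gpgcheck=0 line. Prints nothing, and still exits 0, when no
# repository disables signature checking (or the directory has no *.repo files).
repos_with_gpgcheck_disabled() {
    grep -l '^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*0[[:space:]]*$' "$1"/*.repo 2>/dev/null || true
}

# Constructed sample configurations (not from any real host); a [main] that
# passes, one that fails, and one that sets gpgcheck=1 only outside [main].
SAMPLE_YUM_CONF_OK='[main]
cachedir=/var/cache/yum
gpgcheck = 1
[other]
gpgcheck=0'
SAMPLE_YUM_CONF_BAD='[main]
# gpgcheck=1
gpgcheck=0'
SAMPLE_YUM_CONF_MISSING='[other]
gpgcheck=1
[main]
keepcache=0'

# Typical use on a host (both checks must come back clean):
#   main_gpgcheck_enabled /etc/yum.conf && echo "main: ok"
#   repos_with_gpgcheck_disabled /etc/yum.repos.d
```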
            <p>
Ensuring all packages' cryptographic signatures are valid prior to
installation ensures the provenance of the software and
protects against malicious tampering.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26647-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26555488">
            <h3>Result for Ensure Software Patches Installed</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">security_patches_up_to_date</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:47" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">high</strong></p>
            <p>If the system is joined to the Red Hat Network, a Red Hat Satellite
Server, or a yum server, run the following command to install updates:
<pre class="code"><code># yum update</code></pre>
If the system is not configured to use one of these sources, updates (in the form of
RPM packages) can be manually downloaded from the Red Hat Network and installed using
<code>rpm</code>. </p>
            <p>
Installing software updates is a fundamental mitigation against
the exploitation of publicly-known vulnerabilities.
</p>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26558464">
            <h3>Result for Install AIDE</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">package_aide_installed</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:47" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
Install the AIDE package with the command:
<pre class="code"><code># yum install aide</code></pre></p>
            <p>
The AIDE package must be installed if it is to be available for integrity checking.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27024-9</span>
              </li>
            </ul>
            <div class="xccdf-fix">
              <h4 class="short">Remediation script</h4>
              <pre class="code">
                <code>yum -y install aide
</code>
              </pre>
            </div>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26569120">
            <h3>Result for Configure Periodic Execution of AIDE</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">aide_periodic_cron_checking</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:47" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
AIDE should be executed on a periodic basis to check for changes.
To implement a daily execution of AIDE at 4:05am using cron, add the following line
to <code>/etc/crontab</code>:
<pre class="code"><code>05 4 * * * root /usr/sbin/aide --check</code></pre>
AIDE can be executed periodically through other means; this is merely one example. </p>
            <p>
By default, AIDE does not install itself for periodic execution. Periodically
running AIDE may reveal unexpected changes in installed files.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27222-9</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26572880">
            <h3>Result for Verify File Permissions with RPM</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">rpm_verify_permissions</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:59" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The RPM package management system can check file
access permissions of installed software packages, including many that are
important to system security. The following command will reset permissions to
their expected values:
<pre class="code"><code># rpm --setperms <em>package</em></code></pre></p>
            <p>
Permissions on system binaries and configuration files that are too generous
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26731-0</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26577520">
            <h3>Result for Verify File Hashes with RPM</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">rpm_verify_hashes</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:00" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The RPM package management system can check the
hashes of installed software packages, including many that are important to system
security. Run the following command to list which files on the system
have hashes that differ from what is expected by the RPM database:
<pre class="code"><code># rpm -Va | grep '^..5'</code></pre>
A "c" in the second column indicates that a file is a configuration file,
which may appropriately be expected to change.
If a file that has changed was not expected to, refresh it from distribution media
or online repositories:
<pre class="code"><code>rpm -Uvh <em>affected_package</em></code></pre>
OR
<pre class="code"><code>yum reinstall <em>affected_package</em></code></pre></p>
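As an added example, not part of SSG or of this report, a shell parser for the <code>rpm -Va</code> output grepped above that separates changed configuration files (expected to change) from other files whose digest no longer matches the RPM database. The sample output lines in the block are constructed, not taken from the scanned host.

```shell
# Added example, not SSG code. Each `rpm -Va` line starts with an attribute
# field (S M 5 D L U G T, plus P on newer rpm) in which a '5' in the third
# position means the file's digest differs from the RPM database; an optional
# one-letter type column follows ('c' marks a configuration file), then the
# path. Paths containing spaces are not handled.

# Usage: rpm_va_digest_changes config|other   (reads `rpm -Va` output on stdin)
# Prints, one per line, the paths with a changed digest that are configuration
# files ("config") or that are not ("other": the candidates for refreshing the
# owning package with rpm -Uvh or yum reinstall).
rpm_va_digest_changes() {
    awk -v want="$1" '
        substr($1, 3, 1) == "5" {
            # a one-letter second field is the type column, otherwise the path is $2
            if (length($2) == 1) { type = $2; path = $3 } else { type = ""; path = $2 }
            is_config = (type == "c")
            if ((want == "config" && is_config) || (want == "other" && !is_config)) print path
        }
    '
}

# Constructed sample of `rpm -Va` output (not from any real host): a changed
# binary, a changed config file, an unchanged file, a missing config file,
# a changed documentation file and a file whose mode alone changed.
SAMPLE_RPM_VA='S.5....T.    /usr/bin/example
S.5....T.  c /etc/example.conf
.......T.    /usr/lib/unchanged
missing   c /etc/gone.conf
..5......  d /usr/share/doc/README
.M.......    /var/run/only-mode'

# Typical use on a host:
#   rpm -Va | rpm_va_digest_changes other
```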
            <p>
The hash on important files like system executables should match the information
given by the RPM database. Executables with erroneous hashes could be a sign of
nefarious activity on the system.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27223-7</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26582160">
            <h3>Result for Install Intrusion Detection Software</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">install_hids</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:00" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">high</strong></p>
            <p>
The base Red Hat platform already includes a sophisticated auditing system that
can detect intruder activity, as well as SELinux, which provides host-based
intrusion prevention capabilities by confining privileged programs and user
sessions which may become compromised.
<br /><br />
Install an additional intrusion detection tool to provide complementary or
duplicative monitoring, reporting, and reaction capabilities to those of the base
platform.  For DoD systems, the McAfee Host Based Security System is provided
to fulfill this role.  
</p>
            <p>
Adding host-based intrusion detection tools can provide the capability to
automatically take actions in response to malicious behavior, which can provide
additional agility in reacting to network threats. These tools also often
include a reporting capability to provide network awareness of the system, which
may not otherwise exist in an organization's systems management regime.
</p>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26585120">
            <h3>Result for Install Virus Scanning Software</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">install_antivirus</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:00" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
Install virus scanning software, which uses signatures to search for the
presence of viruses on the filesystem. 
The McAfee uvscan virus scanning tool is provided for DoD systems.
Ensure virus definition files are no older than 7 days, or their last release.

Configure the virus scanning software to perform scans dynamically on all
accessed files.  If this is not possible, configure the
system to scan all altered files on the system on a daily
basis. If the system processes inbound SMTP mail, configure the virus scanner
to scan all received mail.
</p>
            <p>
Virus scanning software can be used to detect if a system has been compromised by
computer viruses, as well as to limit their spread to other systems. 
</p>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26593664">
            <h3>Result for Add noexec Option to Removable Media Partitions</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">mountopt_noexec_on_removable_partitions</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:00" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The <code>noexec</code> mount option prevents the
direct execution of binaries on the mounted filesystem. Users should not
be allowed to execute binaries that exist on partitions mounted
from removable media (such as a USB key). The <code>noexec</code>
option prevents code from being executed directly from the media
itself, and may therefore provide a line of defense against
certain types of worms or malicious code.
<br /><br />
Add the <code>noexec</code> option to the fourth column of
<code>/etc/fstab</code> for the line which controls mounting of
any removable media partitions.
</p>
            <p>Allowing users to execute binaries from removable media such as USB
keys exposes the system to potential compromise.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27196-5</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26622960">
            <h3>Result for Disable Modprobe Loading of USB Storage Driver</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">kernel_module_usb-storage_disabled</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:00" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
To prevent USB storage devices from being used, configure the kernel module loading
system to prevent automatic loading of the USB storage driver.
<br /><br />
To configure the system to prevent the <code>usb-storage</code>
kernel module from being loaded, add the following line to a file in the directory
<code>/etc/modprobe.d</code>:
<pre class="code"><code>install usb-storage /bin/false</code></pre>
This will prevent the <code>modprobe</code> program from
loading the <code>usb-storage</code> module, but will not prevent an administrator
(or another program) from using the <code>insmod</code> program to load the module
manually.</p>
            <p>USB storage devices such as thumb drives can be used to introduce
unauthorized software and other vulnerabilities. Support for these devices should be
disabled and the devices themselves should be tightly controlled.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27016-5</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26632704">
            <h3>Result for Disable the Automounter</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">service_autofs_disabled</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:00" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The <code>autofs</code> daemon mounts and unmounts filesystems, such
as user home directories shared via NFS, on demand. In addition, autofs can be used
to handle removable media, and the default configuration provides the cdrom device as
<code>/misc/cd</code>. However, this method of providing access to removable media is
not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS
is required, it is almost always possible to configure filesystem mounts statically
by editing <code>/etc/fstab</code> rather than relying on the automounter.
<br /><br />
If the <code>autofs</code> service is not needed to dynamically mount NFS filesystems
or removable media, disable the service for all runlevels:
<pre class="code"><code># chkconfig --level 0123456 autofs off</code></pre>
Stop the service if it is already running:
<pre class="code"><code># service autofs stop</code></pre></p>
            <p>All filesystems that are required for the successful operation of the
system should be explicitly listed in <code>/etc/fstab</code> by an administrator.
New filesystems should not be arbitrarily introduced via the automounter.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26976-1</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26663776">
            <h3>Result for Verify User Who Owns shadow File</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">userowner_shadow_file</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:00" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To properly set the owner of <code>/etc/shadow</code>, run the command:
    <pre class="code"><code># chown root /etc/shadow</code></pre></p>
            <p>The <code>/etc/shadow</code> file contains the list of local
system accounts and stores password hashes. Protection of this file is
critical for system security. Failure to give ownership of this file
to root provides the designated owner with access to sensitive information
which could weaken the system security posture.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26947-2</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26668416">
            <h3>Result for Verify Group Who Owns shadow File</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">groupowner_shadow_file</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:00" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To properly set the group owner of <code>/etc/shadow</code>, run the command:
    <pre class="code"><code># chgrp root /etc/shadow</code></pre></p>
            <p>The <code>/etc/shadow</code> file stores password hashes. Protection
of this file is critical for system security.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26967-0</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26673056">
            <h3>Result for Verify Permissions on shadow File</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">perms_shadow_file</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:00" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To properly set the permissions of <code>/etc/shadow</code>, run the command:
    <pre class="code"><code># chmod 0000 /etc/shadow</code></pre></p>
            <p>The <code>/etc/shadow</code> file contains the list of local
system accounts and stores password hashes. Protection of this file is
critical for system security. Failure to give ownership of this file
to root provides the designated owner with access to sensitive information
which could weaken the system security posture.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26992-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26677696">
            <h3>Result for Verify User Who Owns group File</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">userowner_group_file</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:00" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To properly set the owner of <code>/etc/group</code>, run the command:
    <pre class="code"><code># chown root /etc/group</code></pre></p>
            <p>The <code>/etc/group</code> file contains information regarding groups
that are configured on the system. Protection of this file is important for system
security.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26822-7</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26682336">
            <h3>Result for Verify Group Who Owns group File</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">groupowner_group_file</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:00" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To properly set the group owner of <code>/etc/group</code>, run the command:
    <pre class="code"><code># chgrp root /etc/group</code></pre></p>
            <p>The <code>/etc/group</code> file contains information regarding groups
that are configured on the system. Protection of this file is important for system
security.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26930-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26686976">
            <h3>Result for Verify Permissions on group File</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">perms_group_file</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:00" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To properly set the permissions of <code>/etc/group</code>, run the command:
    <pre class="code"><code># chmod 644 /etc/group</code></pre></p>
            <p>The <code>/etc/group</code> file contains information regarding groups
that are configured on the system. Protection of this file is important for system
security.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26954-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26691616">
            <h3>Result for Verify User Who Owns gshadow File</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">userowner_gshadow_file</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:00" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To properly set the owner of <code>/etc/gshadow</code>, run the command:
    <pre class="code"><code># chown root /etc/gshadow</code></pre></p>
            <p>The <code>/etc/gshadow</code> file contains group password hashes.
Protection of this file is critical for system security.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27026-4</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26696256">
            <h3>Result for Verify Group Who Owns gshadow File</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">groupowner_gshadow_file</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:00" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To properly set the group owner of <code>/etc/gshadow</code>, run the command:
    <pre class="code"><code># chgrp root /etc/gshadow</code></pre></p>
            <p>The <code>/etc/gshadow</code> file contains group password hashes.
Protection of this file is critical for system security.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26975-3</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26700912">
            <h3>Result for Verify Permissions on gshadow File</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">perms_gshadow_file</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:01" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To properly set the permissions of <code>/etc/gshadow</code>, run the command:
    <pre class="code"><code># chmod 0000 /etc/gshadow</code></pre></p>
            <p>The <code>/etc/gshadow</code> file contains group password hashes.
Protection of this file is critical for system security.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26951-4</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26705552">
            <h3>Result for Verify User Who Owns passwd File</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">userowner_passwd_file</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:01" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To properly set the owner of <code>/etc/passwd</code>, run the command:
    <pre class="code"><code># chown root /etc/passwd</code></pre></p>
            <p>The <code>/etc/passwd</code> file contains information about the users
that are configured on the system. Protection of this file is critical for system
security.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26953-0</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26710192">
            <h3>Result for Verify Group Who Owns passwd File</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">groupowner_passwd_file</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:01" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To properly set the group owner of <code>/etc/passwd</code>, run the command:
    <pre class="code"><code># chgrp root /etc/passwd</code></pre></p>
            <p>The <code>/etc/passwd</code> file contains information about the users that are configured on the system. Protection of this file is critical for system security.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26856-5</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26714832">
            <h3>Result for Verify Permissions on passwd File</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">file_permissions_etc_passwd</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:01" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To properly set the permissions of <code>/etc/passwd</code>, run the command:
    <pre class="code"><code># chmod 0644 /etc/passwd</code></pre></p>
            <p>If the <code>/etc/passwd</code> file is writable by a group-owner or the world, the risk of its compromise is increased. The file contains the list of
accounts on the system and associated information, and protection of this file
is critical for system security.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26868-0</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26719488">
            <h3>Result for Verify that Shared Library Files Have Restrictive Permissions</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">file_permissions_library_dirs</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:01" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
<pre class="code"><code>/lib
/lib64
/usr/lib
/usr/lib64
</code></pre>
Kernel modules, which can be added to the kernel during runtime, are
stored in <code>/lib/modules</code>. All files in these directories
should not be group-writable or world-writable. If any file in these
directories is found to be group-writable or world-writable, correct
its permission with the following command:
<pre class="code"><code># chmod go-w <em>FILE</em></code></pre></p>
            <p>Files from shared library directories are loaded into the address
space of processes (including privileged ones) or of the kernel itself at
runtime. Restrictive permissions are necessary to protect the integrity of the system.</p>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26723360">
            <h3>Result for Verify that Shared Library Files Have Root Ownership</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">file_ownership_library_dirs</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:02" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
<pre class="code"><code>/lib
/lib64
/usr/lib
/usr/lib64
</code></pre>
Kernel modules, which can be added to the kernel during runtime, are also
stored in <code>/lib/modules</code>. All files in these directories should be
owned by the <code>root</code> user. If any file in these directories is found
to be owned by a user other than root, correct its ownership with the
following command:
<pre class="code"><code># chown root <em>FILE</em></code></pre></p>
            <p>Files from shared library directories are loaded into the address
space of processes (including privileged ones) or of the kernel itself at
runtime. Proper ownership is necessary to protect the integrity of the system.
</p>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26727200">
            <h3>Result for Verify that System Executables Have Restrictive Permissions</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">file_permissions_binary_dirs</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:02" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
System executables are stored in the following directories by default:
<pre class="code"><code>/bin
/usr/bin
/usr/local/bin
/sbin
/usr/sbin
/usr/local/sbin</code></pre>
All files in these directories should not be group-writable or world-writable.
If any file <em>FILE</em> in these directories is found
to be group-writable or world-writable, correct its permission with the
following command:
<pre class="code"><code># chmod go-w <em>FILE</em></code></pre></p>
            <p>System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that execution of these programs cannot be co-opted.</p>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26730128">
            <h3>Result for Verify that System Executables Have Root Ownership</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">file_ownership_binary_dirs</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:02" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
System executables are stored in the following directories by default:
<pre class="code"><code>/bin
/usr/bin
/usr/local/bin
/sbin
/usr/sbin
/usr/local/sbin</code></pre>
All files in these directories should be owned by the <code>root</code> user.
If any file <em>FILE</em> in these directories is found
to be owned by a user other than root, correct its ownership with the
following command:
<pre class="code"><code># chown root <em>FILE</em></code></pre></p>
            <p>System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that execution of these programs cannot be co-opted.</p>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26733104">
            <h3>Result for Verify that All World-Writable Directories Have Sticky Bits Set</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">sticky_world_writable_dirs</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:02" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the
directory. Without the sticky bit, any user with write access to a
directory may remove any file in the directory. Setting the sticky
bit prevents users from removing each other's files. In cases where
there is no reason for a directory to be world-writable, a better
solution is to remove that permission rather than to set the sticky
bit. However, if a directory is used by a particular application,
consult that application's documentation instead of blindly
changing modes.
<br />
To set the sticky bit on a world-writable directory <em>DIR</em>, run the
following command:
<pre class="code"><code># chmod +t <em>DIR</em></code></pre></p>
            <p>
Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure. <br /><br />
The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, by users for temporary file storage (such as <code>/tmp</code>), and for directories requiring global read/write access.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26840-9</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26737856">
            <h3>Result for Ensure No World-Writable Files Exist</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">world_writeable_files</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:02" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with
documentation for specific applications before making changes.
Also, monitor for recurring world-writable files, as these may be
symptoms of a misconfigured application or user
account.</p>
            <p>
Data in world-writable files can be modified by any
user on the system. In almost all circumstances, files can be
configured using a combination of user and group permissions to
support whatever legitimate access is needed without the risk
caused by world-writable files.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26910-0</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26747488">
            <h3>Result for Ensure All Files Are Owned by a User</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">no_files_unowned_by_user</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:02" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>If any files are not owned by a user, then the
cause of their lack of ownership should be investigated.
Following this, the files should be deleted or assigned to an
appropriate user.
</p>
            <p>
Unowned files do not directly imply a security problem, but they are generally
a sign that something is amiss. They may
be caused by an intruder, by incorrect software installation or
draft software removal, or by failure to remove all files belonging
to a deleted account. The files should be repaired so they
will not cause problems when accounts are created in the future,
and the cause should be discovered and addressed.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27032-2</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26752144">
            <h3>Result for Ensure All Files Are Owned by a Group</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">no_files_unowned_by_group</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:02" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>If any files are not owned by a group, then the
cause of their lack of group-ownership should be investigated.
Following this, the files should be deleted or assigned to an
appropriate group.
</p>
            <p>
Unowned files do not directly imply a security problem, but they are generally
a sign that something is amiss. They may
be caused by an intruder, by incorrect software installation or
draft software removal, or by failure to remove all files belonging
to a deleted account. The files should be repaired so they
will not cause problems when accounts are created in the future,
and the cause should be discovered and addressed.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26872-2</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26756800">
            <h3>Result for Ensure All World-Writable Directories Are Owned by a System Account</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">world_writable_files_system_ownership</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>All directories in local partitions which are
world-writable should be owned by root or another
system account.  If any world-writable directories are not
owned by a system account, this should be investigated.
Following this, the files should be deleted or assigned to an
appropriate group.
</p>
            <p>
Allowing a user account to own a world-writable directory is
undesirable because it allows the owner of that directory to remove
or replace any files that may be placed in the directory by other
users.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26642-9</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26761456">
            <h3>Result for Set Daemon Umask</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">set_daemon_umask</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The file <code>/etc/init.d/functions</code> includes initialization
parameters for most or all daemons started at boot time.  The default umask of
022 prevents creation of group- or world-writable files.  To set the default
umask for daemons, edit the following line, inserting 022 or 027 for
<em>UMASK</em> appropriately:
<pre class="code"><code>umask <em>UMASK</em></code></pre>
Setting the umask to too restrictive a setting can cause serious errors at
runtime.  Many daemons on the system already individually restrict themselves to
a umask of 077 in their own init scripts.
</p>
            <p>The umask influences the permissions assigned to files created by a
process at run time.  An unnecessarily permissive umask could result in files
being created with insecure permissions.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27031-4</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26766992">
            <h3>Result for Disable Core Dumps for All Users</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">disable_users_coredumps</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>To disable core dumps for all users, add the following line to
<code>/etc/security/limits.conf</code>:
<pre class="code"><code>*     hard   core    0</code></pre></p>
            <p>A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27033-0</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26774592">
            <h3>Result for Enable ExecShield</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">enable_execshield</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To set the runtime status of the <code>kernel.exec-shield</code> kernel parameter, run the following command:
    <pre class="code"><code># sysctl -w kernel.exec-shield=1</code></pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre class="code"><code>kernel.exec-shield = 1</code></pre></p>
            <p>ExecShield uses the segmentation feature on all x86 systems
to prevent execution in memory higher than a certain address. It
writes an address as a limit in the code segment descriptor, to
control where code can be executed, on a per-process basis. When
the kernel places a process's memory regions such as the stack and
heap higher than this address, the hardware prevents execution in that
address range.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27007-4</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26779232">
            <h3>Result for Enable Randomized Layout of Virtual Address Space</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">enable_randomize_va_space</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To set the runtime status of the <code>kernel.randomize_va_space</code> kernel parameter, run the following command:
    <pre class="code"><code># sysctl -w kernel.randomize_va_space=2</code></pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre class="code"><code>kernel.randomize_va_space = 2</code></pre></p>
            <p> Address space layout randomization (ASLR) makes it more difficult
for an attacker to predict the location of attack code they have introduced
into a process's address space during an attempt at exploitation.  Additionally, ASLR makes it more difficult for an attacker to know the location of existing code
in order to re-purpose it using return oriented programming (ROP) techniques.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26999-3</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26788992">
            <h3>Result for Ensure SELinux Not Disabled in /etc/grub.conf</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">enable_selinux_bootloader</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>SELinux can be disabled at boot time by an argument in <code>/etc/grub.conf</code>.
Remove any instances of <code>selinux=0</code> from the kernel arguments in that
file to prevent SELinux from being disabled at boot.
</p>
            <p>
Disabling a major host protection feature, such as SELinux, at boot time prevents
it from confining system services at boot time.  Further, it increases
the chances that it will remain off during system operation.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26956-3</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26793648">
            <h3>Result for Ensure SELinux State is Enforcing</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">set_selinux_state</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>The SELinux state should be set to <code>enforcing</code> at
system boot time.  In the file <code>/etc/selinux/config</code>, add or correct the
following line to configure the system to boot into enforcing mode:
<pre class="code"><code>SELINUX=enforcing</code></pre></p>
            <p>
Setting the SELinux state to enforcing ensures SELinux is able to confine
potentially compromised processes to the security policy, which is designed to
prevent them from causing damage to the system or further elevating their
privileges.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26969-6</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26799184">
            <h3>Result for Configure SELinux Policy</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">set_selinux_policy</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The SELinux <code>targeted</code> policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in <code>/etc/selinux/config</code>:
<pre class="code"><code>SELINUXTYPE=targeted</code></pre>
Other policies, such as <code>mls</code>, provide additional security labeling
and greater confinement but are not compatible with many general-purpose
use cases.
</p>
            <p>
Setting the SELinux policy to <code>targeted</code> or a more specialized policy
ensures the system will confine processes that are likely to be
targeted for exploitation, such as network or system services.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26875-5</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26809840">
            <h3>Result for Ensure No Device Files are Unlabeled by SELinux</h3>
            <p class="result-error">Result: <strong class="strong">error</strong></p>
            <p>Rule ID: <strong class="strong">selinux_unlabeled_device_files</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>Device files, which are used for communication with important
system resources, should be labeled with proper SELinux types. If any device
files carry the SELinux type <code>unlabeled_t</code>, investigate the cause and
correct the file's context.
</p>
            <p>
If a device file carries the SELinux type <code>unlabeled_t</code>, then SELinux
cannot properly restrict access to the device file.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26774-0</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26816640">
            <h3>Result for Restrict Virtual Console Root Logins</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">restrict_root_console_logins</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
To restrict root logins through the (deprecated) virtual console devices,
ensure lines of this form do not appear in <code>/etc/securetty</code>:
<pre class="code"><code>vc/1
vc/2
vc/3
vc/4</code></pre></p>
            <p>
Preventing direct root login to virtual console devices
helps ensure accountability for actions taken on the system
using the root account.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26855-7</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26821296">
            <h3>Result for Restrict Serial Port Root Logins</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">restrict_serial_port_logins</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>To restrict root logins on serial ports,
ensure lines of this form do not appear in <code>/etc/securetty</code>:
<pre class="code"><code>ttyS0
ttyS1</code></pre></p>
            <p>
Preventing direct root login to serial port interfaces
helps ensure accountability for actions taken on the systems
using the root account.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27047-0</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26828096">
            <h3>Result for Ensure that System Accounts Do Not Run a Shell Upon Login</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">no_shelllogin_for_systemaccounts</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
Some accounts are not associated with a human
user of the system, and exist to perform some administrative
function. Should an attacker be able to log into these accounts,
they should not be granted access to a shell.
<br /><br />
The login shell for each local account is stored in the last field of each line
in <code>/etc/passwd</code>.  System accounts are those user accounts with a user ID less than 500. The user ID is stored in the third field.
If any system account <em>SYSACCT</em> (other than root) has a login shell,
disable it with the command:
<pre class="code"><code># usermod -s /sbin/nologin <em>SYSACCT</em></code></pre></p>
            <div class="xccdf-warning">
              <p>
Do not perform the steps in this
section on the root account. Doing so might cause the system to
become inaccessible.
</p>
            </div>
            <p>
Ensuring shells are not given to system accounts upon login
makes it more difficult for attackers to make use of
system accounts.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26966-2</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26833568">
            <h3>Result for Verify Only Root Has UID 0</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">no_uidzero_except_root</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
If any account other than root has a UID of 0,
this misconfiguration should be investigated and the
accounts other than root should be removed or have their UID changed.
</p>
            <p>
An account has root authority if it has a UID of 0. Multiple accounts
with a UID of 0 afford more opportunity for potential intruders to
guess a password for a privileged account. Proper configuration of
sudo is recommended to afford multiple system administrators
access to root privileges in an accountable manner.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26971-2</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26840352">
            <h3>Result for Prevent Log In to Accounts With Empty Password</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">no_empty_passwords</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">high</strong></p>
            <p>If an account is configured for password
authentication but does not have an assigned password, it may be possible to log
into the account without authentication. Remove any instances of the
<code>nullok</code> option in <code>/etc/pam.d/system-auth</code> to
prevent logins with empty passwords.
</p>
            <p>
If an account has an empty password, anyone could log in and
run commands with the privileges of that account. Accounts with
empty passwords should never be used in operational
environments.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27038-9</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26844992">
            <h3>Result for Verify All Account Password Hashes are Shadowed</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">no_hashes_outside_shadow</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
If any password hashes are stored in <code>/etc/passwd</code> (in the second field,
instead of an <code>x</code>), the cause of this misconfiguration should be
investigated.  The account should have its password reset and the hash should be
properly stored, or the account should be deleted entirely.
</p>
            <p>
The hashes for all user account passwords should be stored in
the file <code>/etc/shadow</code> and never in <code>/etc/passwd</code>,
which is readable by all users.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26476-2</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26849648">
            <h3>Result for All GIDs referenced in /etc/passwd must be defined in /etc/group</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">gid_passwd_group_same</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
Add a group to the system for each GID referenced without a corresponding group.
</p>
            <p>
Inconsistency in GIDs between <code>/etc/passwd</code> and <code>/etc/group</code>
could lead to a user having unintended rights.
</p>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26852608">
            <h3>Result for Verify No netrc Files Exist</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">no_netrc_files</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>The <code>.netrc</code> files contain login
information used to auto-login into FTP servers and reside in the user's home
directory. These files may contain unencrypted passwords to
remote FTP servers making them susceptible to access by unauthorized
users and should not be used.  Any <code>.netrc</code> files should be removed.
</p>
            <p>
Unencrypted passwords for remote FTP servers may be stored in <code>.netrc</code>
files. DoD policy requires passwords be encrypted in storage and not used
in access scripts.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27225-2</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26857248">
            <h3>Result for Set Password Minimum Length in login.defs</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">password_min_len</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>To specify password length requirements for
new accounts, edit the file <code>/etc/login.defs</code> and add or correct the
following lines:
<pre class="code"><code>PASS_MIN_LEN 14</code></pre><br /><br />
The DoD requirement is <code>14</code>. 
The FISMA requirement is <code>12</code>.
If a program consults <code>/etc/login.defs</code> and also another PAM module
(such as <code>pam_cracklib</code>) during a password change operation,
then the most restrictive must be satisfied. See PAM section
for more information about enforcing password quality requirements.
</p>
            <p>
Requiring a minimum password length makes password
cracking attacks more difficult by ensuring a larger
search space. However, any security benefit from an onerous requirement
must be carefully weighed against usability problems, support costs, or
counterproductive behavior that may result.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27002-5</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26862720">
            <h3>Result for Set Password Minimum Age</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">password_min_age</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>To specify password minimum age for new
accounts, edit the file <code>/etc/login.defs</code>
and add or correct the following line, replacing <em>DAYS</em> appropriately:
<pre class="code"><code>PASS_MIN_DAYS <em>DAYS</em></code></pre>
A value of 1 day is considered sufficient for many
environments.
The DoD requirement is 1. 
</p>
            <p>
Setting the minimum password age protects against
users cycling back to a favorite password
after satisfying the password reuse requirement.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27013-2</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26868320">
            <h3>Result for Set Password Maximum Age</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">password_max_age</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>To specify password maximum age for new
accounts, edit the file <code>/etc/login.defs</code>
and add or correct the following line, replacing <em>DAYS</em> appropriately:
<pre class="code"><code>PASS_MAX_DAYS <em>DAYS</em></code></pre>
A value of 180 days is sufficient for many environments. 
The DoD requirement is 60.
</p>
            <p>
Setting the password maximum age ensures users are required to
periodically change their passwords. This could possibly decrease
the utility of a stolen password. Requiring shorter password lifetimes
increases the risk of users writing down the password in a convenient
location subject to physical compromise.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26985-2</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26873856">
            <h3>Result for Set Password Warning Age</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">password_warn_age</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>To specify how many days prior to password
expiration that a warning will be issued to users,
edit the file <code>/etc/login.defs</code> and add or correct
the following line, replacing <em>DAYS</em> appropriately:
<pre class="code"><code>PASS_WARN_AGE <em>DAYS</em></code></pre>
The DoD requirement is 7.
</p>
            <p>
Setting the password warning age enables users to
make the change at a practical time.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26988-6</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26879392">
            <h3>Result for Set Account Expiration Following Inactivity</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">account_disable_post_pw_expiration</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>To specify the number of days after a password expires (which
signifies inactivity) until an account is permanently disabled, add or correct
the following lines in <code>/etc/default/useradd</code>, substituting
<code><em>NUM_DAYS</em></code> appropriately:
<pre class="code"><code>INACTIVE=<em>NUM_DAYS</em></code></pre>
A value of 35 is recommended.  
If a password is currently on the
verge of expiration, then 35 days remain until the account is automatically
disabled. However, if the password will not expire for another 60 days, then 95
days could elapse until the account would be automatically disabled. See the
<code>useradd</code> man page for more information.  Determining the inactivity
timeout must be done with careful consideration of the length of a "normal"
period of inactivity for users in the particular environment. Setting
the timeout too low incurs support costs and also has the potential to impact
availability of the system to legitimate users.
</p>
            <p>
Disabling inactive accounts ensures that accounts which may not
have been responsibly removed are not available to attackers
who may have compromised their credentials.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27283-1</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26884960">
            <h3>Result for Ensure All Accounts on the System Have Unique Names</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">account_unique_name</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
Change usernames, or delete accounts, so each has a unique name.
</p>
            <p>
Unique usernames allow for accountability on the system. 
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27609-7</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26888704">
            <h3>Result for Assign Expiration Date to Temporary Accounts</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">account_temp_expire_date</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
In the event temporary or emergency accounts are required, configure the system
to terminate them after a documented time period. For every temporary and
emergency account, run the following command to set an expiration date on it,
substituting <code><em>USER</em></code> and <code><em>YYYY-MM-DD</em></code>
appropriately:
<pre class="code"><code># chage -E <em>YYYY-MM-DD USER</em></code></pre>
<code><em>YYYY-MM-DD</em></code> indicates the documented
expiration date for the account.
</p>
            <p>
When temporary and emergency accounts are created, there is a risk they may
remain in place and active after the need for them no longer exists.  Account
expiration greatly reduces the risk of accounts being misused or hijacked. 
<br /></p>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26891680">
            <h3>Result for Set Last Logon/Access Notification</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">display_login_attempts</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>To configure the system to notify users of last logon/access
using <code>pam_lastlog</code>, add the following line immediately after
<code>session  required  pam_limits.so</code>:
<pre class="code"><code>session       required     pam_lastlog.so showfailed</code></pre></p>
            <p>
Users need to be aware of activity that occurs regarding
their account. Providing users with information regarding the number
of unsuccessful attempts that were made to login to their account
allows the user to determine if any unauthorized activity has occurred
and gives them an opportunity to notify administrators.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27291-4</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26896320">
            <h3>Result for Set Password Retry Prompts Permitted Per-Session</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">password_retry</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>To configure the number of retry prompts that are permitted
per-session: <br /><br />
Edit the <code>pam_cracklib.so</code> statement in
<code>/etc/pam.d/system-auth</code> to show <code>retry=3</code>, or a lower value
if site policy is more restrictive. <br /><br />
The DoD requirement is a maximum of 3 prompts per session.
</p>
            <p>
Setting the password retry prompts that are permitted on a per-session basis to a low
value requires some software, such as SSH, to re-connect. This can slow down and
draw additional attention to some types of password-guessing attacks. Note that this
is different from account lockout, which is provided by the pam_faillock module.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27123-9</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26901872">
            <h3>Result for Set Password to Maximum of Three Consecutive Repeating Characters</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">password_require_consecrepeat</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The pam_cracklib module's <code>maxrepeat</code> parameter controls
requirements for consecutive repeating characters. When set to a positive number, it
will reject passwords which contain more than that number of consecutive characters.
Add <code>maxrepeat=3</code> after pam_cracklib.so to prevent a run of four or more
identical characters. </p>
            <p>
Passwords with excessive repeating characters may be more vulnerable to
password-guessing attacks. </p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27227-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26905632">
            <h3>Result for Set Password Strength Minimum Digit Characters</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">password_require_digits</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The pam_cracklib module's <code>dcredit</code> parameter controls
requirements for usage of digits in a password. When set to a negative number, any
password will be required to contain that many digits. When set to a positive number,
pam_cracklib will grant +1 additional length credit for each digit.
Add <code>dcredit=-1</code> after pam_cracklib.so to require use of a digit in
passwords. </p>
            <p>
Requiring digits makes password guessing attacks more difficult by ensuring a larger
search space.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26374-9</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26911200">
            <h3>Result for Set Password Strength Minimum Uppercase Characters</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">password_require_uppercases</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The pam_cracklib module's <code>ucredit=</code> parameter controls
requirements for usage of uppercase letters in a password. When set to a negative
number, any password will be required to contain that many uppercase characters. When
set to a positive number, pam_cracklib will grant +1 additional length credit for
each uppercase character. Add <code>ucredit=-1</code> after pam_cracklib.so to
require use of an upper case character in passwords. </p>
            <p>
Requiring a minimum number of uppercase characters makes password guessing attacks
more difficult by ensuring a larger search space.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26601-5</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26916768">
            <h3>Result for Set Password Strength Minimum Special Characters</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">password_require_specials</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The pam_cracklib module's <code>ocredit=</code> parameter controls
requirements for usage of special (or "other") characters in a password. When set
to a negative number, any password will be required to contain that many special
characters. When set to a positive number, pam_cracklib will grant +1 additional
length credit for each special character. Add <code>ocredit=-1</code> after
pam_cracklib.so to require use of a special character in passwords. </p>
            <p>
Requiring a minimum number of special characters makes password guessing attacks
more difficult by ensuring a larger search space.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26409-3</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26922336">
            <h3>Result for Set Password Strength Minimum Lowercase Characters</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">password_require_lowercases</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The pam_cracklib module's <code>lcredit=</code> parameter controls
requirements for usage of lowercase letters in a password. When set to a negative
number, any password will be required to contain that many lowercase characters. When
set to a positive number, pam_cracklib will grant +1 additional length credit for
each lowercase character. Add <code>lcredit=-1</code> after pam_cracklib.so to
require use of a lowercase character in passwords. </p>
            <p>
Requiring a minimum number of lowercase characters makes password guessing attacks
more difficult by ensuring a larger search space.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26631-2</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26927904">
            <h3>Result for Set Password Strength Minimum Different Characters</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">password_require_diffchars</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The pam_cracklib module's <code>difok</code> parameter controls
requirements for usage of different characters during a password change.
Add <code>difok=<em>NUM</em></code> after pam_cracklib.so to require differing
characters when changing passwords, substituting <em>NUM</em> appropriately.
The DoD requirement is <code>4</code>.
</p>
            <p>
Requiring a minimum number of different characters during password changes ensures
that newly changed passwords should not resemble previously compromised ones.
Note that passwords which are changed on compromised systems will still be
compromised, however. </p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26615-5</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26933472">
            <h3>Result for Set Deny For Failed Password Attempts</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">deny_password_attempts</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
To configure the system to lock out accounts after a number of incorrect login
attempts using <code>pam_faillock.so</code>:
<br /><br />
Add the following lines immediately below the <code>pam_unix.so</code> statement in
<code>AUTH</code> section of <code>/etc/pam.d/system-auth</code>:
<pre class="code"><code>auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900</code></pre><pre class="code"><code>auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900</code></pre></p>
            <p>
Locking out user accounts after a number of incorrect attempts
prevents direct password guessing attacks.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26844-1</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26939040">
            <h3>Result for Set Lockout Time For Failed Password Attempts</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">deny_password_attempts_unlock_time</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
To configure the system to lock out accounts after a number of incorrect login
attempts and require an administrator to unlock the account using
<code>pam_faillock.so</code>: <br /><br />
Add the following lines immediately below the <code>pam_env.so</code> statement in
<code>/etc/pam.d/system-auth</code>:
<pre class="code"><code>auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900</code></pre><pre class="code"><code>auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900</code></pre></p>
            <p>
Locking out user accounts after a number of incorrect attempts
prevents direct password guessing attacks.  Ensuring that an administrator is
involved in unlocking locked accounts draws appropriate attention to such
situations.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27110-6</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26945440">
            <h3>Result for Set Interval For Counting Failed Password Attempts</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">deny_password_attempts_fail_interval</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
To configure the system to lock out accounts after a number of incorrect login
attempts within a 15 minute interval using <code>pam_faillock.so</code>:
<br /><br />
Add the following lines immediately below the <code>pam_env.so</code> statement in
<code>/etc/pam.d/system-auth</code>:
<pre class="code"><code>auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900</code></pre><pre class="code"><code>auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900</code></pre></p>
            <p>
Locking out user accounts after a number of incorrect attempts within a
specific period of time prevents direct password guessing attacks.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27215-3</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26951840">
            <h3>Result for Limit Password Reuse</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">limiting_password_reuse</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">medium</strong></p>  <p>Do not allow users to reuse recent passwords. This can be accomplished by using the <code>remember</code> option for the <code>pam_unix</code> PAM module. In the file <code>/etc/pam.d/system-auth</code>, append <code>remember=24</code> to the line which refers to the <code>pam_unix.so</code> module, as shown: <pre class="code"><code>password sufficient pam_unix.so <em>existing_options</em> remember=24</code></pre> The DoD and FISMA requirement is 24 passwords.</p>  <p>
Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. </p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26741-9</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26957408">
            <h3>Result for Set Password Hashing Algorithm in /etc/pam.d/system-auth</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">set_password_hashing_algorithm_systemauth</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">medium</strong></p>  <p>
In <code>/etc/pam.d/system-auth</code>, the <code>password</code> section of
the file controls which PAM modules execute during a password change.
Set the <code>pam_unix.so</code> module in the
<code>password</code> section to include the argument <code>sha512</code>, as shown
below: <pre class="code"><code>password    sufficient    pam_unix.so sha512 <em>other arguments...</em></code></pre> This will help ensure when local users change their
passwords, hashes for the new passwords will be generated using the SHA-512
algorithm. This is the default.
</p>
            <p>
Using a stronger hashing algorithm makes password cracking attacks more difficult.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26303-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26962080">
            <h3>Result for Set Password Hashing Algorithm in /etc/login.defs</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">set_password_hashing_algorithm_logindefs</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">medium</strong></p>  <p>
In <code>/etc/login.defs</code>, add or correct the following line to ensure
the system will use SHA-512 as the hashing algorithm:
<pre class="code"><code>ENCRYPT_METHOD SHA512</code></pre></p>
            <p>
Using a stronger hashing algorithm makes password cracking attacks more difficult.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27228-6</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26966752">
            <h3>Result for Set Password Hashing Algorithm in /etc/libuser.conf</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">set_password_hashing_algorithm_libuserconf</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">medium</strong></p>  <p>
In <code>/etc/libuser.conf</code>, add or correct the following line in its
<code>[defaults]</code> section to ensure the system will use the SHA-512
algorithm for password hashing:
<pre class="code"><code>crypt_style = sha512</code></pre></p>
            <p>
Using a stronger hashing algorithm makes password cracking attacks more difficult.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27229-4</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26971424">
            <h3>Result for Limit the Number of Concurrent Login Sessions Allowed Per User</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">max_concurrent_login_sessions</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">low</strong></p>  <p>
Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. The DoD requirement is 10. To set the number of concurrent sessions per user add the following line in <code>/etc/security/limits.conf</code>: <pre class="code"><code>* hard maxlogins 10</code></pre></p>
            <p>Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions. </p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27457-1</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26985808">
            <h3>Result for Ensure the Default Bash Umask is Set Correctly</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">user_umask_bashrc</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">low</strong></p>  <p>
To ensure the default umask for users of the Bash shell is set properly,
add or correct the <code>umask</code> setting in <code>/etc/bashrc</code> to read
as follows:
<pre class="code"><code>umask 077</code></pre></p>
            <p>The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26917-5</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26991360">
            <h3>Result for Ensure the Default C Shell Umask is Set Correctly</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">user_umask_cshrc</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">low</strong></p>  <p>
To ensure the default umask for users of the C shell is set properly,
add or correct the <code>umask</code> setting in <code>/etc/csh.cshrc</code> to read as follows: <pre class="code"><code>umask 077</code></pre></p>
            <p>The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27034-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26996912">
            <h3>Result for Ensure the Default Umask is Set Correctly in /etc/profile</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">user_umask_profile</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">low</strong></p>  <p>
To ensure the default umask controlled by <code>/etc/profile</code> is set properly,
add or correct the <code>umask</code> setting in <code>/etc/profile</code> to read as follows: <pre class="code"><code>umask 077</code></pre></p>
            <p>The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26669-2</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27002464">
            <h3>Result for Ensure the Default Umask is Set Correctly in login.defs</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">user_umask_logindefs</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">low</strong></p>  <p>
To ensure the default umask controlled by <code>/etc/login.defs</code> is set properly, add or correct the <code>UMASK</code> setting in <code>/etc/login.defs</code> to read as follows: <pre class="code"><code>UMASK 077</code></pre></p>
            <p>The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and written to by unauthorized users.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26371-5</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27008016">
            <h3>Result for Verify /etc/grub.conf User Ownership</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">user_owner_grub_conf</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">medium</strong></p>  <p>The file <code>/etc/grub.conf</code> should
be owned by the <code>root</code> user to prevent destruction
or modification of the file.

    To properly set the owner of <code>/etc/grub.conf</code>, run the command:
    <pre class="code"><code># chown root /etc/grub.conf</code></pre></p>
            <p>
Only root should be able to modify important boot parameters.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26995-1</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27012656">
            <h3>Result for Verify /etc/grub.conf Group Ownership</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">group_owner_grub_conf</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">medium</strong></p>  <p>The file <code>/etc/grub.conf</code> should
be group-owned by the <code>root</code> group to prevent
destruction or modification of the file.

    To properly set the group owner of <code>/etc/grub.conf</code>, run the command:
    <pre class="code"><code># chgrp root /etc/grub.conf</code></pre></p>
            <p>
The <code>root</code> group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27022-3</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27017296">
            <h3>Result for Verify /boot/grub/grub.conf Permissions</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">permissions_grub_conf</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">medium</strong></p>
            <p>File permissions for <code>/boot/grub/grub.conf</code> should be set to 600, which is the default.

    To properly set the permissions of <code>/boot/grub/grub.conf</code>, run the command:  <pre class="code"><code># chmod 600 /boot/grub/grub.conf</code></pre></p>
            <p>
Proper permissions ensure that only the root user can modify important boot
parameters.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26949-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27021936">
            <h3>Result for Set Boot Loader Password</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">bootloader_password</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">medium</strong></p>  <p>The grub boot loader should have password protection enabled to protect boot-time settings.
To do so, select a password and then generate a hash from it by running the following command: <pre class="code"><code># grub-crypt --sha-512</code></pre>
Enter the chosen password when prompted, then insert the following line into <code>/etc/grub.conf</code> immediately after the header comments, using the output from <code>grub-crypt</code> as the value of <strong class="bold">password-hash</strong>: <pre class="code"><code>password --encrypted <strong class="bold">password-hash</strong></code></pre>
NOTE: To meet FISMA Moderate, the bootloader password MUST differ from the root password. </p>
            <p>
Password protection on the boot loader configuration ensures
users with physical access cannot trivially alter
important bootloader settings. These include which kernel to use,
and whether to enter single-user mode.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26911-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27026576">
            <h3>Result for Require Authentication for Single User Mode</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">require_singleuser_auth</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">medium</strong></p>  <p>Single-user mode is intended as a system recovery method that gives a single user root access to the system through a boot option selected at startup. By default, no authentication
is performed if single-user mode is selected.
<br /><br />
To require entry of the root password even if the system is
started in single-user mode, add or correct the following line in the
file <code>/etc/sysconfig/init</code>:
<pre class="code"><code>SINGLE=/sbin/sulogin</code></pre></p>
            <p>
This prevents attackers with physical access from trivially bypassing security
on the machine and gaining root access. Such accesses are further prevented
by configuring the bootloader password.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27040-5</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27031232">
            <h3>Result for Disable Ctrl-Alt-Del Reboot Activation</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">disable_ctrlaltdel_reboot</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">high</strong></p>  <p>
By default, the system includes the following line in
<code>/etc/init/control-alt-delete.conf</code>
to reboot the system when the Ctrl-Alt-Del key sequence is pressed:
<pre class="code"><code>exec /sbin/shutdown -r now "Control-Alt-Delete pressed"</code></pre><br /> To configure the system to log a message instead of
rebooting the system, alter that line to read as follows:
<pre class="code"><code>exec /usr/bin/logger -p security.info "Control-Alt-Delete pressed"</code></pre></p>  <p>
A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
can reboot the system. If accidentally pressed, as could happen in
a mixed OS environment, this can create the risk of short-term
loss of availability of systems due to unintentional reboot.
In the GNOME graphical environment, risk of unintentional reboot from the
Ctrl-Alt-Del sequence is reduced because the user will be
prompted before any action is taken.
</p>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27034208">
            <h3>Result for Disable Interactive Boot</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">disable_interactive_boot</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">medium</strong></p>  <p>
To disable the ability for users to perform interactive startups,
edit the file <code>/etc/sysconfig/init</code>.
Add or correct the line:
<pre class="code"><code>PROMPT=no</code></pre>
The <code>PROMPT</code> option allows the console user to perform an
interactive system startup, in which it is possible to select the
set of services which are started on boot.
</p>
            <p>
Using interactive boot,
the console user could disable auditing, firewalls, or other
services, weakening system security.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27043-9</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27038864">
            <h3>Result for Set GNOME Login Inactivity Timeout</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">set_screensaver_inactivity_timeout</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">medium</strong></p>  <p>
Run the following command to set the idle time-out value for
inactivity in the GNOME desktop to 15 minutes:
<pre class="code"><code># gconftool-2 \
  --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type int \
  --set /apps/gnome-screensaver/idle_delay 15</code></pre></p>
            <p>
Setting the idle delay controls when the
screensaver will start, and can be combined with
screen locking to prevent access from passersby.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26828-4</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27044432">
            <h3>Result for GNOME Desktop Screensaver Mandatory Use</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">enable_screensaver_after_idle</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">medium</strong></p>  <p>
Run the following command to activate the screensaver
in the GNOME desktop after a period of inactivity:
<pre class="code"><code># gconftool-2 --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type bool \
  --set /apps/gnome-screensaver/idle_activation_enabled true</code></pre></p>
            <p>
Enabling idle activation of the screen saver ensures the screensaver will
be activated after the idle delay. Applications requiring continuous,
real-time screen display (such as network management products) require that the
login session does not have administrator rights and that the display station is located in a controlled-access area.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26600-7</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27049088">
            <h3>Result for Enable Screen Lock Activation After Idle Period</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">enable_screensaver_password_lock</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">medium</strong></p>  <p>
Run the following command to activate locking of the screensaver
in the GNOME desktop when it is activated:
<pre class="code"><code># gconftool-2 --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type bool \
  --set /apps/gnome-screensaver/lock_enabled true</code></pre></p>
            <p>
Enabling the activation of the screen lock after an idle period
ensures password entry will be required in order to
access the system, preventing access by passersby.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26235-2</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27053744">
            <h3>Result for Implement Blank Screen Saver</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">set_blank_screensaver</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">low</strong></p>  <p>
Run the following command to set the screensaver mode
in the GNOME desktop to a blank screen:
<pre class="code"><code># gconftool-2 \
  --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type string \
  --set /apps/gnome-screensaver/mode blank-only</code></pre></p>
            <p>
Setting the screensaver mode to blank-only conceals the
contents of the display from passersby.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26638-7</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27058384">
            <h3>Result for Install the screen Package</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">package_screen_installed</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">low</strong></p>  <p>
To enable console screen locking, install the <code>screen</code> package:
<pre class="code"><code># yum install screen</code></pre>
Instruct users to begin new terminal sessions with the following command:
<pre class="code"><code>$ screen</code></pre>
The console can now be locked with the following key combination:
<pre class="code"><code>ctrl+a x</code></pre></p>
            <p>
Installing <code>screen</code> ensures a console locking capability is available
for users who may need to suspend console logins.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26940-7</span>
              </li>
            </ul>
            <div class="xccdf-fix">
              <h4 class="short">Remediation script</h4>
              <pre class="code">
                <code>yum -y install screen
</code>
              </pre>
            </div>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27063984">
            <h3>Result for Enable Smart Card Login</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>  <p>Rule ID: <strong class="strong">smartcard_auth</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">medium</strong></p>  <p>
To enable smart card authentication, consult the documentation at:
</p>
            <ul class="itemizedlist">
              <li>
                <p>https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/enabling-smart-card-login.html</p>
  </li>
            </ul>
            <p>Smart card login provides two-factor authentication stronger than
that provided by a username/password combination. Smart cards leverage a PKI
(public key infrastructure) in order to provide and verify credentials.
</p>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27066944">
            <h3>Result for Modify the System Login Banner</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">set_system_login_banner</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">medium</strong></p>  <p>
To configure the system login banner:
<br /><br />
Edit <code>/etc/issue</code>. Replace the default text with a message
compliant with the local site policy or a legal disclaimer.

The DoD required text is either:
<br /><br /><code>You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any
device attached to this IS), you consent to the following conditions: 
<br />-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and
counterintelligence (CI) investigations. 
<br />-At any time, the USG may inspect and seize data stored on this IS. 
<br />-Communications using, or data stored on, this IS are not private, are subject 
to routine monitoring, interception, and search, and may be disclosed or used 
for any USG-authorized purpose. 
<br />-This IS includes security measures (e.g., authentication and access controls) 
to protect USG interests -- not for your personal benefit or privacy. 
<br />-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.</code><br /><br /> OR:
<br /><br /><code>I've read &amp; consent to terms in IS user agreem't.</code></p>
            <p>
An appropriate warning message reinforces policy awareness during the logon
process and facilitates possible legal action against attackers.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26974-6</span>
              </li>
            </ul>
            <div class="xccdf-fix">
              <h4 class="short">Remediation script</h4>
              <pre class="code">
                <code>login_banner_text="<abbr title="value: login_banner_text (Login Banner Verbiage)">You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:[\s\n]*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.[\s\n]*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.[\s\n]*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.[\s\n]*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests[\s\n]+--[\s\n]+not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.[\s\n]*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.</abbr>"
 cat &lt;&lt;EOF &gt;/etc/issue
$login_banner_text
EOF
</code>
              </pre>
            </div>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27100032">
            <h3>Result for Enable GUI Warning Banner</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">enable_gdm_login_banner</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
To enable displaying a login warning banner in the GNOME
Display Manager's login screen, run the following command:
<pre class="code"><code>sudo -u gdm gconftool-2 \
  --type bool \
  --set /apps/gdm/simple-greeter/banner_message_enable true</code></pre>
To display a banner, this setting must be enabled and then
banner text must also be set.
</p>
            <p>
An appropriate warning message reinforces policy awareness during the logon
process and facilitates possible legal action against attackers.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27195-7</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27104256">
            <h3>Result for Set GUI Warning Banner Text</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">set_gdm_login_banner_text</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
To set the text shown by the GNOME Display Manager
in the login screen, run the following command:
<pre class="code"><code>sudo -u gdm gconftool-2 \
  --type string \
  --set /apps/gdm/simple-greeter/banner_message_text \
  "Text of the warning banner here"</code></pre>
When entering a warning banner that spans several lines, remember
to begin and end the string with <code>"</code>. This command writes
directly to the file <code>/var/lib/gdm/.gconf/apps/gdm/simple-greeter/%gconf.xml</code>, and this file
can later be edited directly if necessary. </p>
            <p>
An appropriate warning message reinforces policy awareness during the logon
process and facilitates possible legal action against attackers.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27017-3</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27118480">
            <h3>Result for Disable Kernel Parameter for Sending ICMP Redirects by Default</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">disable_sysctl_ipv4_default_send_redirects</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To set the runtime status of the <code>net.ipv4.conf.default.send_redirects</code> kernel parameter, run the following command:
    <pre class="code"><code># sysctl -w net.ipv4.conf.default.send_redirects=0</code></pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre class="code"><code>net.ipv4.conf.default.send_redirects = 0</code></pre></p>
            <p>Sending ICMP redirects permits the system to instruct other systems
to update their routing information.  The ability to send ICMP redirects is
only appropriate for systems acting as routers.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27001-7</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27122864">
            <h3>Result for Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">disable_sysctl_ipv4_all_send_redirects</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To set the runtime status of the <code>net.ipv4.conf.all.send_redirects</code> kernel parameter, run the following command:
    <pre class="code"><code># sysctl -w net.ipv4.conf.all.send_redirects=0</code></pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre class="code"><code>net.ipv4.conf.all.send_redirects = 0</code></pre></p>
            <p>Sending ICMP redirects permits the system to instruct other systems
to update their routing information.  The ability to send ICMP redirects is
only appropriate for systems acting as routers.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27004-1</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27127232">
            <h3>Result for Disable Kernel Parameter for IP Forwarding</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">disable_sysctl_ipv4_ip_forward</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To set the runtime status of the <code>net.ipv4.ip_forward</code> kernel parameter, run the following command:
    <pre class="code"><code># sysctl -w net.ipv4.ip_forward=0</code></pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre class="code"><code>net.ipv4.ip_forward = 0</code></pre></p>
            <p>IP forwarding permits the kernel to forward packets from one network
interface to another. The ability to forward packets between two networks is
only appropriate for systems acting as routers.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26866-4</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27131600">
            <h3>Result for Disable Kernel Parameter for Accepting Source-Routed Packets for All Interfaces</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">set_sysctl_net_ipv4_conf_all_accept_source_route</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To set the runtime status of the <code>net.ipv4.conf.all.accept_source_route</code> kernel parameter, run the following command:
    <pre class="code"><code># sysctl -w net.ipv4.conf.all.accept_source_route=0</code></pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre class="code"><code>net.ipv4.conf.all.accept_source_route = 0</code></pre></p>
            <p>Accepting source-routed packets in the IPv4 protocol has few
legitimate uses. It should be disabled unless it is absolutely required.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27037-1</span>
              </li>
            </ul>
            <div class="xccdf-fix">
              <h4 class="short">Remediation script</h4>
              <pre class="code">
                <code>#
# Set runtime for net.ipv4.conf.all.accept_source_route
#
sysctl -q -n -w net.ipv4.conf.all.accept_source_route=0

#
# If net.ipv4.conf.all.accept_source_route present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.conf.all.accept_source_route = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.all.accept_source_route /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.all.accept_source_route.*/net.ipv4.conf.all.accept_source_route = 0/g' /etc/sysctl.conf
else
	echo "" &gt;&gt; /etc/sysctl.conf
	echo "# Set net.ipv4.conf.all.accept_source_route to 0 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.all.accept_source_route = 0" &gt;&gt; /etc/sysctl.conf
fi
</code>
              </pre>
            </div>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27138432">
            <h3>Result for Disable Kernel Parameter for Accepting ICMP Redirects for All Interfaces</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">set_sysctl_net_ipv4_conf_all_accept_redirects</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To set the runtime status of the <code>net.ipv4.conf.all.accept_redirects</code> kernel parameter, run the following command:
    <pre class="code"><code># sysctl -w net.ipv4.conf.all.accept_redirects=0</code></pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre class="code"><code>net.ipv4.conf.all.accept_redirects = 0</code></pre></p>
            <p>Accepting ICMP redirects has few legitimate uses. It should be disabled unless it
is absolutely required.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27027-2</span>
              </li>
            </ul>
            <div class="xccdf-fix">
              <h4 class="short">Remediation script</h4>
              <pre class="code">
                <code>#
# Set runtime for net.ipv4.conf.all.accept_redirects
#
sysctl -q -n -w net.ipv4.conf.all.accept_redirects=0

#
# If net.ipv4.conf.all.accept_redirects present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.conf.all.accept_redirects = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.all.accept_redirects /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.all.accept_redirects.*/net.ipv4.conf.all.accept_redirects = 0/g' /etc/sysctl.conf
else
	echo "" &gt;&gt; /etc/sysctl.conf
	echo "# Set net.ipv4.conf.all.accept_redirects to 0 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.all.accept_redirects = 0" &gt;&gt; /etc/sysctl.conf
fi
</code>
              </pre>
            </div>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27145376">
            <h3>Result for Disable Kernel Parameter for Accepting Secure Redirects for All Interfaces</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">set_sysctl_net_ipv4_conf_all_secure_redirects</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To set the runtime status of the <code>net.ipv4.conf.all.secure_redirects</code> kernel parameter, run the following command:
    <pre class="code"><code># sysctl -w net.ipv4.conf.all.secure_redirects=0</code></pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre class="code"><code>net.ipv4.conf.all.secure_redirects = 0</code></pre></p>
            <p>Accepting "secure" ICMP redirects (from those gateways listed as
default gateways) has few legitimate uses. It should be disabled unless it is
absolutely required.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26854-0</span>
              </li>
            </ul>
            <div class="xccdf-fix">
              <h4 class="short">Remediation script</h4>
              <pre class="code">
                <code>#
# Set runtime for net.ipv4.conf.all.secure_redirects
#
sysctl -q -n -w net.ipv4.conf.all.secure_redirects=0

#
# If net.ipv4.conf.all.secure_redirects present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.conf.all.secure_redirects = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.all.secure_redirects /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.all.secure_redirects.*/net.ipv4.conf.all.secure_redirects = 0/g' /etc/sysctl.conf
else
	echo "" &gt;&gt; /etc/sysctl.conf
	echo "# Set net.ipv4.conf.all.secure_redirects to 0 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.all.secure_redirects = 0" &gt;&gt; /etc/sysctl.conf
fi
</code>
              </pre>
            </div>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27152416">
            <h3>Result for Enable Kernel Parameter to Log Martian Packets</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">set_sysctl_net_ipv4_conf_all_log_martians</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
    To set the runtime status of the <code>net.ipv4.conf.all.log_martians</code> kernel parameter, run the following command:
    <pre class="code"><code># sysctl -w net.ipv4.conf.all.log_martians=1</code></pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre class="code"><code>net.ipv4.conf.all.log_martians = 1</code></pre></p>
            <p>The presence of "martian" packets (which have impossible addresses)
as well as spoofed packets, source-routed packets, and redirects could be a
sign of nefarious network activity. Logging these packets enables this activity
to be detected.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27066-0</span>
              </li>
            </ul>
            <div class="xccdf-fix">
              <h4 class="short">Remediation script</h4>
              <pre class="code">
                <code>#
# Set runtime for net.ipv4.conf.all.log_martians
#
sysctl -q -n -w net.ipv4.conf.all.log_martians=1

#
# If net.ipv4.conf.all.log_martians present in /etc/sysctl.conf, change value to "1"
#	else, add "net.ipv4.conf.all.log_martians = 1" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.all.log_martians /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.all.log_martians.*/net.ipv4.conf.all.log_martians = 1/g' /etc/sysctl.conf
else
	echo "" &gt;&gt; /etc/sysctl.conf
	echo "# Set net.ipv4.conf.all.log_martians to 1 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.all.log_martians = 1" &gt;&gt; /etc/sysctl.conf
fi
</code>
              </pre>
            </div>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27159616">
            <h3>Result for Disable Kernel Parameter for Accepting Source-Routed Packets By Default</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">set_sysctl_net_ipv4_conf_default_accept_source_route</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To set the runtime status of the <code>net.ipv4.conf.default.accept_source_route</code> kernel parameter, run the following command:
    <pre class="code"><code># sysctl -w net.ipv4.conf.default.accept_source_route=0</code></pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre class="code"><code>net.ipv4.conf.default.accept_source_route = 0</code></pre></p>
            <p>Accepting source-routed packets in the IPv4 protocol has few
legitimate uses. It should be disabled unless it is absolutely required.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26983-7</span>
              </li>
            </ul>
            <div class="xccdf-fix">
              <h4 class="short">Remediation script</h4>
              <pre class="code">
                <code>#
# Set runtime for net.ipv4.conf.default.accept_source_route
#
sysctl -q -n -w net.ipv4.conf.default.accept_source_route=0

#
# If net.ipv4.conf.default.accept_source_route present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.conf.default.accept_source_route = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.default.accept_source_route /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.default.accept_source_route.*/net.ipv4.conf.default.accept_source_route = 0/g' /etc/sysctl.conf
else
	echo "" &gt;&gt; /etc/sysctl.conf
	echo "# Set net.ipv4.conf.default.accept_source_route to 0 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.default.accept_source_route = 0" &gt;&gt; /etc/sysctl.conf
fi
</code>
              </pre>
            </div>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27166880">
            <h3>Result for Disable Kernel Parameter for Accepting ICMP Redirects By Default</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">set_sysctl_net_ipv4_conf_default_accept_redirects</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
    To set the runtime status of the <code>net.ipv4.conf.default.accept_redirects</code> kernel parameter, run the following command:
    <pre class="code"><code># sysctl -w net.ipv4.conf.default.accept_redirects=0</code></pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre class="code"><code>net.ipv4.conf.default.accept_redirects = 0</code></pre></p>
            <p>This feature of the IPv4 protocol has few legitimate uses. It should be disabled
unless it is absolutely required.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27015-7</span>
              </li>
            </ul>
            <div class="xccdf-fix">
              <h4 class="short">Remediation script</h4>
              <pre class="code">
                <code>#
# Set runtime for net.ipv4.conf.default.accept_redirects
#
sysctl -q -n -w net.ipv4.conf.default.accept_redirects=0

#
# If net.ipv4.conf.default.accept_redirects present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.conf.default.accept_redirects = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.default.accept_redirects /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.default.accept_redirects.*/net.ipv4.conf.default.accept_redirects = 0/g' /etc/sysctl.conf
else
	echo "" &gt;&gt; /etc/sysctl.conf
	echo "# Set net.ipv4.conf.default.accept_redirects to 0 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.default.accept_redirects = 0" &gt;&gt; /etc/sysctl.conf
fi
</code>
              </pre>
            </div>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27173264">
            <h3>Result for Disable Kernel Parameter for Accepting Secure Redirects By Default</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">set_sysctl_net_ipv4_conf_default_secure_redirects</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To set the runtime status of the <code>net.ipv4.conf.default.secure_redirects</code> kernel parameter, run the following command:
    <pre class="code"><code># sysctl -w net.ipv4.conf.default.secure_redirects=0</code></pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre class="code"><code>net.ipv4.conf.default.secure_redirects = 0</code></pre></p>
            <p>Accepting "secure" ICMP redirects (from those gateways listed as
default gateways) has few legitimate uses. It should be disabled unless it is
absolutely required.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26831-8</span>
              </li>
            </ul>
            <div class="xccdf-fix">
              <h4 class="short">Remediation script</h4>
              <pre class="code">
                <code>#
# Set runtime for net.ipv4.conf.default.secure_redirects
#
sysctl -q -n -w net.ipv4.conf.default.secure_redirects=0

#
# If net.ipv4.conf.default.secure_redirects present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.conf.default.secure_redirects = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.default.secure_redirects /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.default.secure_redirects.*/net.ipv4.conf.default.secure_redirects = 0/g' /etc/sysctl.conf
else
	echo "" &gt;&gt; /etc/sysctl.conf
	echo "# Set net.ipv4.conf.default.secure_redirects to 0 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.default.secure_redirects = 0" &gt;&gt; /etc/sysctl.conf
fi
</code>
              </pre>
            </div>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27180624">
            <h3>Result for Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">set_sysctl_net_ipv4_icmp_echo_ignore_broadcasts</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
    To set the runtime status of the <code>net.ipv4.icmp_echo_ignore_broadcasts</code> kernel parameter, run the following command:
    <pre class="code"><code># sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1</code></pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre class="code"><code>net.ipv4.icmp_echo_ignore_broadcasts = 1</code></pre></p>
            <p>Ignoring ICMP echo requests (pings) sent to broadcast or multicast
addresses makes the system slightly more difficult to enumerate on the network.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26883-9</span>
              </li>
            </ul>
            <div class="xccdf-fix">
              <h4 class="short">Remediation script</h4>
              <pre class="code">
                <code>#
# Set runtime for net.ipv4.icmp_echo_ignore_broadcasts
#
sysctl -q -n -w net.ipv4.icmp_echo_ignore_broadcasts=1

#
# If net.ipv4.icmp_echo_ignore_broadcasts present in /etc/sysctl.conf, change value to "1"
#	else, add "net.ipv4.icmp_echo_ignore_broadcasts = 1" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.icmp_echo_ignore_broadcasts.*/net.ipv4.icmp_echo_ignore_broadcasts = 1/g' /etc/sysctl.conf
else
	echo "" &gt;&gt; /etc/sysctl.conf
	echo "# Set net.ipv4.icmp_echo_ignore_broadcasts to 1 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" &gt;&gt; /etc/sysctl.conf
fi
</code>
              </pre>
            </div>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27187840">
            <h3>Result for Enable Kernel Parameter to Ignore Bogus ICMP Error Responses</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">set_sysctl_net_ipv4_icmp_ignore_bogus_error_responses</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
    To set the runtime status of the <code>net.ipv4.icmp_ignore_bogus_error_responses</code> kernel parameter, run the following command:
    <pre class="code"><code># sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1</code></pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre class="code"><code>net.ipv4.icmp_ignore_bogus_error_responses = 1</code></pre></p>
            <p>Ignoring bogus ICMP error responses reduces
log size, although some activity would not be logged.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26993-6</span>
              </li>
            </ul>
            <div class="xccdf-fix">
              <h4 class="short">Remediation script</h4>
              <pre class="code">
                <code>#
# Set runtime for net.ipv4.icmp_ignore_bogus_error_responses
#
sysctl -q -n -w net.ipv4.icmp_ignore_bogus_error_responses=1

#
# If net.ipv4.icmp_ignore_bogus_error_responses present in /etc/sysctl.conf, change value to "1"
#	else, add "net.ipv4.icmp_ignore_bogus_error_responses = 1" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.icmp_ignore_bogus_error_responses /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.icmp_ignore_bogus_error_responses.*/net.ipv4.icmp_ignore_bogus_error_responses = 1/g' /etc/sysctl.conf
else
	echo "" &gt;&gt; /etc/sysctl.conf
	echo "# Set net.ipv4.icmp_ignore_bogus_error_responses to 1 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" &gt;&gt; /etc/sysctl.conf
fi
</code>
              </pre>
            </div>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27195248">
            <h3>Result for Enable Kernel Parameter to Use TCP Syncookies</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">set_sysctl_net_ipv4_tcp_syncookies</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To set the runtime status of the <code>net.ipv4.tcp_syncookies</code> kernel parameter, run the following command:
    <pre class="code"><code># sysctl -w net.ipv4.tcp_syncookies=1</code></pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre class="code"><code>net.ipv4.tcp_syncookies = 1</code></pre></p>
            <p> A TCP SYN flood attack can cause a denial of service by filling a
system's TCP connection table with connections in the SYN_RCVD state.
Syncookies can be used to track a connection when a subsequent ACK is received,
verifying the initiator is attempting a valid connection and is not a flood
source. This feature is activated when a flood condition is detected, and
enables the system to continue servicing valid connection requests.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27053-8</span>
              </li>
            </ul>
            <div class="xccdf-fix">
              <h4 class="short">Remediation script</h4>
              <pre class="code">
                <code>#
# Set runtime for net.ipv4.tcp_syncookies
#
sysctl -q -n -w net.ipv4.tcp_syncookies=1

#
# If net.ipv4.tcp_syncookies present in /etc/sysctl.conf, change value to "1"
#	else, add "net.ipv4.tcp_syncookies = 1" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.tcp_syncookies /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.tcp_syncookies.*/net.ipv4.tcp_syncookies = 1/g' /etc/sysctl.conf
else
	echo "" &gt;&gt; /etc/sysctl.conf
	echo "# Set net.ipv4.tcp_syncookies to 1 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.tcp_syncookies = 1" &gt;&gt; /etc/sysctl.conf
fi
</code>
              </pre>
            </div>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27202272">
            <h3>Result for Enable Kernel Parameter to Use Reverse Path Filtering for All Interfaces</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">set_sysctl_net_ipv4_conf_all_rp_filter</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To set the runtime status of the <code>net.ipv4.conf.all.rp_filter</code> kernel parameter, run the following command:
    <pre class="code"><code># sysctl -w net.ipv4.conf.all.rp_filter=1</code></pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre class="code"><code>net.ipv4.conf.all.rp_filter = 1</code></pre></p>
            <p>Enabling reverse path filtering drops packets with source addresses
that should not have been able to be received on the interface they were
received on. It should not be used on systems which are routers for
complicated networks, but is helpful for end hosts and routers serving small
networks.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26979-5</span>
              </li>
            </ul>
            <div class="xccdf-fix">
              <h4 class="short">Remediation script</h4>
              <pre class="code">
                <code>#
# Set runtime for net.ipv4.conf.all.rp_filter
#
sysctl -q -n -w net.ipv4.conf.all.rp_filter=1

#
# If net.ipv4.conf.all.rp_filter present in /etc/sysctl.conf, change value to "1"
#	else, add "net.ipv4.conf.all.rp_filter = 1" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.all.rp_filter /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.all.rp_filter.*/net.ipv4.conf.all.rp_filter = 1/g' /etc/sysctl.conf
else
	echo "" &gt;&gt; /etc/sysctl.conf
	echo "# Set net.ipv4.conf.all.rp_filter to 1 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.all.rp_filter = 1" &gt;&gt; /etc/sysctl.conf
fi
</code>
              </pre>
            </div>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27075136">
            <h3>Result for Enable Kernel Parameter to Use Reverse Path Filtering by Default</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">set_sysctl_net_ipv4_conf_default_rp_filter</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To set the runtime status of the <code>net.ipv4.conf.default.rp_filter</code> kernel parameter, run the following command:
    <pre class="code"><code># sysctl -w net.ipv4.conf.default.rp_filter=1</code></pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre class="code"><code>net.ipv4.conf.default.rp_filter = 1</code></pre></p>
            <p>Enabling reverse path filtering drops packets with source addresses
that should not have been able to be received on the interface they were
received on. It should not be used on systems which are routers for
complicated networks, but is helpful for end hosts and routers serving small
networks.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26915-9</span>
              </li>
            </ul>
            <div class="xccdf-fix">
              <h4 class="short">Remediation script</h4>
              <pre class="code">
                <code>#
# Set runtime for net.ipv4.conf.default.rp_filter
#
sysctl -q -n -w net.ipv4.conf.default.rp_filter=1

#
# If net.ipv4.conf.default.rp_filter present in /etc/sysctl.conf, change value to "1"
#	else, add "net.ipv4.conf.default.rp_filter = 1" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.default.rp_filter /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.default.rp_filter.*/net.ipv4.conf.default.rp_filter = 1/g' /etc/sysctl.conf
else
	echo "" &gt;&gt; /etc/sysctl.conf
	echo "# Set net.ipv4.conf.default.rp_filter to 1 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.default.rp_filter = 1" &gt;&gt; /etc/sysctl.conf
fi
</code>
              </pre>
            </div>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27092672">
            <h3>Result for Disable Bluetooth Service</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">service_bluetooth_disabled</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    The <code>bluetooth</code> service can be disabled with the following command:
    <pre class="code"><code># chkconfig bluetooth off</code></pre><pre class="code"><code># service bluetooth stop</code></pre></p>
            <p>Disabling the <code>bluetooth</code> service prevents the system from
attempting connections to Bluetooth devices, which entails some security risk.
Nevertheless, variation in this risk decision may be expected due to the
utility of Bluetooth connectivity and its limited range.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27081-9</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27210512">
            <h3>Result for Disable Bluetooth Kernel Modules</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">kernel_module_bluetooth_disabled</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>The kernel's module loading system can be configured to prevent
loading of the Bluetooth module. Add the following to
the appropriate <code>/etc/modprobe.d</code> configuration file
to prevent the loading of the Bluetooth module:
<pre class="code"><code>install net-pf-31 /bin/false
install bluetooth /bin/false</code></pre></p>
            <p>If Bluetooth functionality must be disabled, preventing the kernel
from loading the kernel module provides an additional safeguard against its
activation.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26763-3</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27214576">
            <h3>Result for Disable IPv6 Networking Support Automatic Loading</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">disable_ipv6_module_loading</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>To prevent the IPv6 kernel module (<code>ipv6</code>) from loading the
IPv6 networking stack, add the following line to
<code>/etc/modprobe.d/disabled.conf</code> (or another file in
<code>/etc/modprobe.d</code>):
<pre class="code"><code>options ipv6 disable=1</code></pre>
This permits the IPv6 module to be loaded (and thus satisfy other modules that
depend on it), while disabling support for the IPv6 protocol.
</p>
            <p>
Any unnecessary network stacks - including IPv6 - should be disabled, to reduce
the vulnerability to exploitation.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27153-6</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27223792">
            <h3>Result for Disable Accepting IPv6 Redirects</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">set_sysctl_ipv6_default_accept_redirects</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To set the runtime status of the <code>net.ipv6.conf.default.accept_redirects</code> kernel parameter, run the following command:
    <pre class="code"><code># sysctl -w net.ipv6.conf.default.accept_redirects=0</code></pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre class="code"><code>net.ipv6.conf.default.accept_redirects = 0</code></pre></p>
            <p>
An illicit ICMP redirect message could result in a man-in-the-middle attack.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27166-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
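<p>The five sysctl rules above (the four <code>net.ipv4</code> parameters and <code>net.ipv6.conf.default.accept_redirects</code>) each carry a near-identical grep/sed/echo remediation script. What follows is an added example, not SSG code and not part of the attached report: a single idempotent helper that does the same job for any key, plus a reader that reports the value a file would actually hand to <code>sysctl -p</code> (the last uncommented assignment wins) and a runtime comparison against <code>/proc/sys</code>. The function names are hypothetical, and the config file path is a parameter so the helper can be exercised on a scratch copy before it is pointed at <code>/etc/sysctl.conf</code>.</p>

```shell
#!/bin/bash
# Added example, not SSG's remediation code. Assumptions: sysctl.conf syntax
# ("key = value", '#' or ';' comment lines, as procps reads it); the config
# path is passed in; the function names below are hypothetical.

# Print the value KEY ends up with when FILE is loaded by "sysctl -p": the
# last uncommented assignment wins. "key=1", "key = 1" and an assignment with
# leading whitespace all count, which is what sysctl itself accepts.
effective_value() {
    local file="$1" key="$2"
    awk -v k="$key" '
        /^[[:space:]]*[#;]/ { next }
        {
            n = index($0, "=")
            if (n == 0) next
            name = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", name)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (name == k) last = val
        }
        END { print last }' "$file"
}

# Ensure KEY is set to VALUE in FILE without duplicating it: rewrite existing
# assignment(s) in place, or append one. Returns 0 with no change if the
# effective value is already VALUE. The edit goes through a temp file and
# "cat >" so the inode, mode and ownership of FILE are preserved.
persist_sysctl() {
    local file="$1" key="$2" value="$3" esc tmp
    [ "$(effective_value "$file" "$key")" = "$value" ] && return 0
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # '.' is a regex metachar
    if grep -q "^[[:space:]]*${esc}[[:space:]]*=" "$file"; then
        tmp=$(mktemp)
        sed "s|^[[:space:]]*${esc}[[:space:]]*=.*|${key} = ${value}|" "$file" > "$tmp"
        cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf '\n# %s = %s per security requirements\n%s = %s\n' \
            "$key" "$value" "$key" "$value" >> "$file"
    fi
}

# Compare the persisted value with what the running kernel reports. /proc/sys
# is world-readable, so this needs no privileges; changing the live value is
# what "sysctl -w" (run first in the report's scripts) does, and that needs root.
# Returns 0 on match, 1 on mismatch, 2 if the key does not exist in this kernel.
runtime_matches() {
    local file="$1" key="$2" path
    path="/proc/sys/${key//.//}"
    [ -r "$path" ] || return 2
    [ "$(cat "$path")" = "$(effective_value "$file" "$key")" ]
}
```

<p>Typical use on a host is <code>persist_sysctl /etc/sysctl.conf net.ipv4.tcp_syncookies 1</code> followed by <code>runtime_matches /etc/sysctl.conf net.ipv4.tcp_syncookies</code> to confirm the persisted and live values agree before a scan. Reading the effective value rather than grepping for an exact line is what keeps a kickstart-driven run from appending a second copy of a key that was already present in a slightly different spelling.</p>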
          <div class="result-detail" id="ruleresult-idp27237456">
            <h3>Result for Verify ip6tables Enabled if Using IPv6</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">enable_ip6tables</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
              
    The <code>ip6tables</code> service can be enabled with the following command:
    <pre class="code"><code># chkconfig --level 2345 ip6tables on</code></pre></p>
            <p>The <code>ip6tables</code> service provides the system's host-based \
firewalling capability for IPv6 and ICMPv6.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27006-6</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27245040">
            <h3>Result for Verify iptables Enabled</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">enable_iptables</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
              
    The <code>iptables</code> service can be enabled with the following command:
    <pre class="code"><code># chkconfig --level 2345 iptables on</code></pre></p>
            <p>
The <code>iptables</code> service provides the system's host-based firewalling
capability for IPv4 and ICMP.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27018-1</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27249680">
            <h3>Result for Set Default iptables Policy for Incoming Packets</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">set_iptables_default_rule</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets,
add or correct the following line in
<code>/etc/sysconfig/iptables</code>:
<pre class="code"><code>:INPUT DROP [0:0]</code></pre></p>
            <p>In <code>iptables</code> the default policy is applied only after all
the applicable rules in the table are examined for a match. Setting the
default policy to <code>DROP</code> implements proper design for a firewall, i.e.
any packets which are not explicitly permitted should not be
accepted.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26444-0</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27254336">
            <h3>Result for Set Default iptables Policy for Forwarded Packets</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">set_iptables_default_rule_forward</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interface to another,
add or correct the following line in
<code>/etc/sysconfig/iptables</code>:
<pre class="code"><code>:FORWARD DROP [0:0]</code></pre></p>
            <p>In <code>iptables</code> the default policy is applied only after all
the applicable rules in the table are examined for a match. Setting the
default policy to <code>DROP</code> implements proper design for a firewall, i.e.
any packets which are not explicitly permitted should not be
accepted.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27186-6</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
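<p>The FORWARD rule above came back <code>notchecked</code>, so the scan says nothing about it. The following is an added example, not from the report and not SSG's check: it reads an <code>iptables-save</code> format file such as <code>/etc/sysconfig/iptables</code> and reports the built-in chain policies of the filter table, so INPUT and FORWARD can be verified in one pass. The function names are hypothetical, and the file path is a parameter so a constructed sample can be checked.</p>

```shell
#!/bin/bash
# Added example, not SSG code. Assumptions: iptables-save file format; the
# file path is passed in; function names are hypothetical.

# Print the policy of CHAIN in the filter table of FILE (empty if absent).
# Chain definitions look like ":INPUT DROP [0:0]" and only count inside the
# "*filter" table; the nat and mangle tables declare chains of their own.
filter_chain_policy() {
    local file="$1" chain="$2"
    awk -v c=":$chain" '
        /^\*/ { table = $1 }
        table == "*filter" && $1 == c { print $2; exit }' "$file"
}

# Print "CHAIN POLICY" for INPUT and FORWARD; return 0 only if both are DROP.
# A trailing "-A INPUT -j REJECT" rule (the stock RHEL 6 layout) blocks the
# same traffic while the rules are loaded, but "iptables -F" removes it and
# leaves an ACCEPT policy in force; that is why the rule wants the policy
# itself set to DROP rather than a terminal rule.
default_policies_are_drop() {
    local file="$1" chain pol rc=0
    for chain in INPUT FORWARD; do
        pol=$(filter_chain_policy "$file" "$chain")
        printf '%s %s\n' "$chain" "${pol:-MISSING}"
        [ "$pol" = DROP ] || rc=1
    done
    return $rc
}
```

<p>Run as <code>default_policies_are_drop /etc/sysconfig/iptables</code>; a non-zero exit with the printed chain/policy pairs tells you which chain still needs <code>:FORWARD DROP [0:0]</code> (or INPUT) corrected in the file.</p>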
          <div class="result-detail" id="ruleresult-idp27258096">
            <h3>Result for Disable DCCP Support</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">disable_protocol_dccp</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
The Datagram Congestion Control Protocol (DCCP) is a
relatively new transport layer protocol, designed to support
streaming media and telephony.

To configure the system to prevent the <code>dccp</code>
kernel module from being loaded, add the following line to a file in the directory <code>/etc/modprobe.d</code>:
<pre class="code"><code>install dccp /bin/false</code></pre></p>
            <p>
Disabling DCCP protects
the system against exploitation of any flaws in its implementation.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26448-1</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27262736">
            <h3>Result for Disable SCTP Support</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">disable_protocol_sctp</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
The Stream Control Transmission Protocol (SCTP) is a
transport layer protocol, designed to support the idea of
message-oriented communication, with several streams of messages
within one connection.

To configure the system to prevent the <code>sctp</code>
kernel module from being loaded, add the following line to a file in the directory <code>/etc/modprobe.d</code>:
<pre class="code"><code>install sctp /bin/false</code></pre></p>
            <p>
Disabling SCTP protects
the system against exploitation of any flaws in its implementation.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26410-1</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27267376">
            <h3>Result for Disable RDS Support</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">disable_protocol_rds</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
The Reliable Datagram Sockets (RDS) protocol is a transport
layer protocol designed to provide reliable high-bandwidth,
low-latency communications between nodes in a cluster.

To configure the system to prevent the <code>rds</code>
kernel module from being loaded, add the following line to a file in the directory <code>/etc/modprobe.d</code>:
<pre class="code"><code>install rds /bin/false</code></pre></p>
            <p>
Disabling RDS protects
the system against exploitation of any flaws in its implementation.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26239-4</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27272016">
            <h3>Result for Disable TIPC Support</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">disable_protocol_tipc</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
The Transparent Inter-Process Communication (TIPC) protocol
is designed to provide communications between nodes in a
cluster.

To configure the system to prevent the <code>tipc</code>
kernel module from being loaded, add the following line to a file in the directory <code>/etc/modprobe.d</code>:
<pre class="code"><code>install tipc /bin/false</code></pre></p>
            <p>
Disabling TIPC protects
the system against exploitation of any flaws in its implementation.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26696-5</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
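<p>The Bluetooth module rule and the DCCP, SCTP, RDS and TIPC rules above all rely on the same mechanism: an <code>install MODULE /bin/false</code> line under <code>/etc/modprobe.d</code> that replaces the real load command. The following is an added example, not SSG's OVAL check: it resolves what the <code>install</code> directives in a modprobe.d directory map a module to, decides whether that neutralises the module, and separately reports whether the module is resident in the running kernel, since an <code>install</code> line only blocks future loads and does nothing to a module that was already loaded. The function names are hypothetical, the directory is a parameter so a constructed copy can be tested, and only <code>*.conf</code> files are read (the IPv6 rule's <code>options ipv6 disable=1</code> is a different knob and is not covered here).</p>

```shell
#!/bin/bash
# Added example, not SSG code. Assumptions: modprobe.d directory passed in;
# only *.conf files are consulted; function names are hypothetical.

# Print the command that "install MOD ..." directives in CONFDIR/*.conf map
# MOD to (the last directive seen wins here), or nothing when none exists.
# Comment lines are skipped, so a commented-out directive does not count.
install_target() {
    local confdir="$1" mod="$2"
    cat "$confdir"/*.conf 2>/dev/null | awk -v m="$mod" '
        /^[[:space:]]*#/ { next }
        $1 == "install" && $2 == m {
            cmd = ""
            for (i = 3; i <= NF; i++) cmd = cmd (i > 3 ? " " : "") $i
            last = cmd
        }
        END { print last }'
}

# Return 0 if MOD is neutralised in CONFDIR: its install command is /bin/false
# (as in the report) or /bin/true (the other common idiom); 1 otherwise.
module_blocked() {
    case "$(install_target "$1" "$2")" in
        /bin/false|/bin/true) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if MOD is currently present in the running kernel. /sys/module is
# readable without privileges; note that built-in modules also appear there.
module_loaded() {
    [ -d "/sys/module/$1" ]
}

# Print "MOD blocked|unblocked loaded|not-loaded" for each module named.
# "blocked loaded" is the case to act on: the config is right, but the
# module stays resident until it is removed or the system reboots.
report_modules() {
    local confdir="$1" mod
    shift
    for mod in "$@"; do
        printf '%s %s %s\n' "$mod" \
            "$(module_blocked "$confdir" "$mod" && echo blocked || echo unblocked)" \
            "$(module_loaded "$mod" && echo loaded || echo not-loaded)"
    done
}
```

<p>On a host, <code>report_modules /etc/modprobe.d bluetooth net-pf-31 dccp sctp rds tipc</code> gives one line per module covered by the rules above.</p>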
          <div class="result-detail" id="ruleresult-idp27276656">
            <h3>Result for Install openswan Package</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">install_openswan</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The Openswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over
untrusted networks. 
    The <code>openswan</code> package can be installed with the following command:
    <pre class="code"><code># yum install openswan</code></pre></p>
            <p>Providing the ability for remote users or systems
to initiate a secure VPN connection protects information when it is
transmitted over a wide area network.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27626-1</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27281296">
            <h3>Result for Ensure rsyslog is Installed</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">package_rsyslog_installed</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
Rsyslog is installed by default. 

    The <code>rsyslog</code> package can be installed with the following command:
    <pre class="code"><code># yum install rsyslog</code></pre></p>
            <p>
The rsyslog package provides the rsyslog daemon, which provides
system logging services.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26809-4</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27285952">
            <h3>Result for Enable rsyslog Service</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">service_rsyslog_enabled</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>The <code>rsyslog</code> service provides syslog-style logging by default on RHEL 6.

    The <code>rsyslog</code> service can be enabled with the following command:
    <pre class="code"><code># chkconfig --level 2345 rsyslog on</code></pre></p>
            <p>The <code>rsyslog</code> service must be running in order to provide
logging services, which are essential to system administration.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26807-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27290608">
            <h3>Result for Ensure Log Files Are Owned By Appropriate User</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">userowner_rsyslog_files</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>The owner of all log files written by
<code>rsyslog</code> should be root.
These log files are determined by the second part of each Rule line in
<code>/etc/rsyslog.conf</code> and typically all appear in <code>/var/log</code>. 
For each log file <em>LOGFILE</em> referenced in <code>/etc/rsyslog.conf</code>,
run the following command to inspect the file's owner:
<pre class="code"><code>$ ls -l <em>LOGFILE</em></code></pre>
If the owner is not <code>root</code>, run the following command to
correct this:
<pre class="code"><code># chown root <em>LOGFILE</em></code></pre></p>
            <p>The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26812-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27295264">
            <h3>Result for Ensure Log Files Are Owned By Appropriate Group</h3>
            <p class="result-unknown">Result: <strong class="strong">unknown</strong></p>
            <p>Rule ID: <strong class="strong">groupowner_rsyslog_files</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>The group-owner of all log files written by
<code>rsyslog</code> should be root.
These log files are determined by the second part of each Rule line in
<code>/etc/rsyslog.conf</code> and typically all appear in <code>/var/log</code>. 
For each log file <em>LOGFILE</em> referenced in <code>/etc/rsyslog.conf</code>,
run the following command to inspect the file's group owner:
<pre class="code"><code>$ ls -l <em>LOGFILE</em></code></pre>
If the group owner is not <code>root</code>, run the following command to
correct this:
<pre class="code"><code># chgrp root <em>LOGFILE</em></code></pre></p>
            <p>The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26821-9</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27299920">
            <h3>Result for Ensure System Log Files Have Correct Permissions</h3>
            <p class="result-unknown">Result: <strong class="strong">unknown</strong></p>
            <p>Rule ID: <strong class="strong">rsyslog_file_permissions</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>The file permissions for all log files written by <code>rsyslog</code> should be set to 600, or more restrictive.
These log files are determined by the second part of each Rule line in
<code>/etc/rsyslog.conf</code> and typically all appear in <code>/var/log</code>. 
For each log file <em>LOGFILE</em> referenced in <code>/etc/rsyslog.conf</code>,
run the following command to inspect the file's permissions:
<pre class="code"><code>$ ls -l <em>LOGFILE</em></code></pre>
If the permissions are not 600 or more restrictive,
run the following command to correct this:
<pre class="code"><code># chmod 0600 <em>LOGFILE</em></code></pre></p>
            <p>Log files can contain valuable information regarding system
configuration. If the system log files are not protected, unauthorized
users could change the logged data, eliminating their forensic value.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27190-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27304576">
            <h3>Result for Ensure Logs Sent To Remote Host</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">rsyslog_send_messages_to_logserver</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">low</strong></p>  <p>
To configure rsyslog to send logs to a remote log server,
open <code>/etc/rsyslog.conf</code> and read and understand the last section of the
file, which describes the multiple directives necessary to activate remote
logging.
Along with these other directives, the system can be configured
to forward its logs to a particular log server by
adding or correcting one of the following lines,
substituting <code><em>loghost.example.com</em></code> appropriately.
The choice of protocol depends on the environment of the system; 
although TCP and RELP provide more reliable message delivery, 
they may not be supported in all environments.
<br />
To use UDP for log message delivery:
<pre class="code"><code>*.* @<em>loghost.example.com</em></code></pre><br />
To use TCP for log message delivery:
<pre class="code"><code>*.* @@<em>loghost.example.com</em></code></pre><br />
To use RELP for log message delivery (this also requires the <code>omrelp</code> output
module, which the stock configuration does not load; a <code>$ModLoad omrelp</code> directive loads it):
<pre class="code"><code>*.* :omrelp:<em>loghost.example.com</em></code></pre></p>
            <p>A log server (loghost) receives syslog messages from one or more
systems. This data can be used as an additional log source in the event a
system is compromised and its local logs are suspect. Forwarding log messages
to a remote loghost also provides system administrators with a centralized
place to view the status of multiple hosts within the enterprise.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26801-1</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27318064">
            <h3>Result for Ensure Logrotate Runs Periodically</h3>
            <p class="result-unknown">Result: <strong class="strong">unknown</strong></p>
            <p>Rule ID: <strong class="strong">ensure_logrotate_activated</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">low</strong></p>  <p>The <code>logrotate</code> utility should run
periodically. It is not a standalone service: on RHEL 6 it is run daily by <code>cron</code>
through <code>/etc/cron.daily/logrotate</code>, so that script must be present and the
<code>crond</code> service enabled.</p>
            <p>Log files that are not properly rotated run the risk of growing so
large that they fill up the /var/log partition. Valuable logging information could be
lost if the /var/log partition becomes full.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27014-0</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27330768">
            <h3>Result for Enable auditd Service</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">enable_auditd_service</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">medium</strong></p>
            <p>The <code>auditd</code> service is an essential userspace component of
the Linux Auditing System, as it is responsible for writing audit records to
disk.

    The <code>auditd</code> service can be enabled with the following command:
    <pre class="code"><code># chkconfig --level 2345 auditd on</code></pre></p>
            <p>Ensuring the <code>auditd</code> service is active ensures 
audit records generated by the kernel can be written to disk, or that appropriate
actions will be taken if other obstacles exist.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27058-7</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27335408">
            <h3>Result for Enable Auditing for Processes Which Start Prior to the Audit Daemon</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">enable_auditd_bootloader</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">medium</strong></p>  <p>To ensure all processes can be audited, even
those which start prior to the audit daemon, add the argument
<code>audit=1</code> to each <code>kernel</code> line in <code>/etc/grub.conf</code> (every boot
entry has its own), in the manner below: <pre class="code"><code>kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1</code></pre></p>  <p>
Each process on the system carries an "auditable" flag which
indicates whether its activities can be audited. Although <code>auditd</code>
takes care of enabling this for all processes which launch after it
does, adding the kernel argument ensures it is set for every
process during boot.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26785-6</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27340064">
            <h3>Result for Configure auditd Number of Logs Retained</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">configure_auditd_num_logs</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">medium</strong></p>  <p>Determine how many log files
<code>auditd</code> should retain when it rotates logs.
Edit the file <code>/etc/audit/auditd.conf</code>. Add or modify the following
line, substituting <em>NUMLOGS</em> with the correct value:
<pre class="code"><code>num_logs = <em>NUMLOGS</em></code></pre>
Set the value to 5 for general-purpose systems. 
Note that values less than 2 result in no log rotation.</p>
            <p>The total storage for audit log files must be large enough to retain
log information over the period required. This is a function of the maximum log
file size and the number of logs retained.</p>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27344512">
            <h3>Result for Configure auditd Max Log File Size</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">configure_auditd_max_log_file</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">medium</strong></p>  <p>Determine the amount of audit data (in
megabytes) which should be retained in each log file. Edit the file
<code>/etc/audit/auditd.conf</code>. Add or modify the following line, substituting
the correct value for <em>STOREMB</em>:
<pre class="code"><code>max_log_file = <em>STOREMB</em></code></pre>
Set the value to <code>6</code> (MB) or higher for general-purpose systems.
Larger values, of course,
support retention of even more audit data.</p>
            <p>The total storage for audit log files must be large enough to retain
log information over the period required. This is a function of the maximum
log file size and the number of logs retained.</p>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27349344">
            <h3>Result for Configure auditd max_log_file_action Upon Reaching Maximum Log Size</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">configure_auditd_max_log_file_action</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">medium</strong></p>
            <p> The default action to take when the logs reach their maximum size
is to rotate the log files, discarding the oldest one. To configure the action taken
by <code>auditd</code>, add or correct the line in <code>/etc/audit/auditd.conf</code>: <pre class="code"><code>max_log_file_action = <em>ACTION</em></code></pre> Possible values for <em>ACTION</em> are described in the <code>auditd.conf</code> man page. These include:
</p>
            <ul class="itemizedlist">
              <li>
                <p>
                  <code>ignore</code>
                </p>
              </li>
              <li>
                <p>
                  <code>syslog</code>
                </p>
              </li>
              <li>
                <p>
                  <code>suspend</code>
                </p>
              </li>
              <li>
                <p>
                  <code>rotate</code>
                </p>
              </li>
              <li>
                <p>
                  <code>keep_logs</code>
                </p>
              </li>
            </ul>
            <p>
Set the <code><em>ACTION</em></code> to <code>rotate</code> to ensure log rotation
occurs.  This is the default.  The setting is case-insensitive.
</p>
            <p>Automatically rotating logs (by setting this to <code>rotate</code>)
minimizes the chances of the system unexpectedly running out of disk space by
being overwhelmed with log data. However, for systems that must never discard
log data, or which use external processes to transfer it and reclaim space,
<code>keep_logs</code> can be employed.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27237-7</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27354912">
            <h3>Result for Configure auditd space_left Action on Low Disk Space</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">configure_auditd_space_left_action</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">medium</strong></p>
            <p>The <code>auditd</code> service can be configured to take an action
when disk space <em>starts</em> to run low. 
Edit the file <code>/etc/audit/auditd.conf</code>. Modify the following line,
substituting <em>ACTION</em> appropriately:
<pre class="code"><code>space_left_action = <em>ACTION</em></code></pre>
Possible values for <em>ACTION</em> are described in the <code>auditd.conf</code> man page. These include:
</p>
            <ul class="itemizedlist">
              <li>
                <p>
                  <code>ignore</code>
                </p>
              </li>
              <li>
                <p>
                  <code>syslog</code>
                </p>
              </li>
              <li>
                <p>
                  <code>email</code>
                </p>
              </li>
              <li>
                <p>
                  <code>exec</code>
                </p>
              </li>
              <li>
                <p>
                  <code>suspend</code>
                </p>
              </li>
              <li>
                <p>
                  <code>single</code>
                </p>
              </li>
              <li>
                <p>
                  <code>halt</code>
                </p>
              </li>
            </ul>
            <p>
Set this to <code>email</code> (instead of the default,
which is <code>suspend</code>) as it is more likely to get prompt attention; note that
the <code>email</code> action can only reach anyone if the host has a working local mail
transfer agent to deliver the message. Acceptable values also include
<code>suspend</code>, <code>single</code>, and <code>halt</code>. </p>
            <p>Notifying administrators of an impending disk space problem may
allow them to take corrective action prior to any disruption.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27238-5</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27360480">
            <h3>Result for Configure auditd admin_space_left Action on Low Disk Space</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">configure_auditd_admin_space_left_action</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">medium</strong></p>
            <p>The <code>auditd</code> service can be configured to take an action
when disk space is running low but prior to running out of space completely. 
Edit the file <code>/etc/audit/auditd.conf</code>. Add or modify the following line,
substituting <em>ACTION</em> appropriately:
<pre class="code"><code>admin_space_left_action = <em>ACTION</em></code></pre>
Possible values for <em>ACTION</em> are described in the <code>auditd.conf</code> man page. These include:
</p>
            <ul class="itemizedlist">
              <li>
                <p>
                  <code>ignore</code>
                </p>
              </li>
              <li>
                <p>
                  <code>syslog</code>
                </p>
              </li>
              <li>
                <p>
                  <code>email</code>
                </p>
              </li>
              <li>
                <p>
                  <code>exec</code>
                </p>
              </li>
              <li>
                <p>
                  <code>suspend</code>
                </p>
              </li>
              <li>
                <p>
                  <code>single</code>
                </p>
              </li>
              <li>
                <p>
                  <code>halt</code>
                </p>
              </li>
            </ul>
            <p>
Set this value to <code>single</code> to cause the system to switch to single user
mode for corrective action. Acceptable values also include <code>suspend</code> and
<code>halt</code>. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined.
</p>
            <p>Administrators should be made aware of an inability to record
audit records. If a separate partition or logical volume of adequate size
is used, running low on space for audit records should never occur.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27239-3</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27366064">
            <h3>Result for Configure auditd mail_acct Action on Low Disk Space</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">configure_auditd_action_mail_acct</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">medium</strong></p>
            <p>The <code>auditd</code> service can be configured to send email to
a designated account in certain situations. Add or correct the following line
in <code>/etc/audit/auditd.conf</code> to ensure that administrators are notified
via email for those situations:
<pre class="code"><code>action_mail_acct = root</code></pre></p>
            <p>Email sent to the root account is typically aliased to the
administrators of the system, who can take appropriate action.</p>
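<p>The six <code>auditd.conf</code> rules above (<code>num_logs</code>, <code>max_log_file</code>, <code>max_log_file_action</code>, <code>space_left_action</code>, <code>admin_space_left_action</code> and <code>action_mail_acct</code>) all share one step, "add or modify the following line". As an added example, not code from the SSG report or project, the POSIX shell script below does that step idempotently, so it can run from a kickstart <code>%post</code> or a fix script without duplicating lines, reads a value back, compares it case-insensitively (the page notes the action keywords are case-insensitive), and applies the values the rules recommend for a general-purpose system. It assumes GNU <code>sed</code>; the sample configuration in the usage is constructed.</p>

```shell
#!/bin/sh
# Added example, not code from the SSG report or project: the "add or modify the
# following line" step shared by the auditd.conf rules above, done idempotently,
# plus a read-back check. Assumes GNU sed (for -i and -E).

# Set KEY = VALUE in an auditd.conf: rewrite an existing line for the key
# (whatever its spacing) or append one. Commented-out lines are left untouched.
set_auditd_option() {
    conf=$1 key=$2 val=$3
    if grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$conf"; then
        sed -i -E "s|^[[:space:]]*$key[[:space:]]*=.*|$key = $val|" "$conf"
    else
        printf '%s = %s\n' "$key" "$val" >> "$conf"
    fi
}

# Print the value currently set for a key (last matching line, trailing blanks
# removed), or nothing if the key is absent.
get_auditd_option() {
    sed -nE "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*(.*[^[:space:]])?[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# Return 0 if the key is set to the expected value. The comparison ignores case,
# as the max_log_file_action rule above says auditd does for its action keywords.
check_auditd_option() {
    have=$(get_auditd_option "$1" "$2" | tr 'A-Z' 'a-z')
    [ "$have" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]
}

# Apply the values the rules above recommend for a general-purpose system.
# Usage on a real host: harden_auditd_conf /etc/audit/auditd.conf
harden_auditd_conf() {
    conf=$1
    set_auditd_option "$conf" num_logs 5
    set_auditd_option "$conf" max_log_file 6
    set_auditd_option "$conf" max_log_file_action rotate
    set_auditd_option "$conf" space_left_action email
    set_auditd_option "$conf" admin_space_left_action single
    set_auditd_option "$conf" action_mail_acct root
}
```

<p>Running <code>harden_auditd_conf</code> twice leaves the file unchanged, which is the property a <code>%post</code> script needs; <code>auditd</code> still has to be restarted (or the system rebooted) before the new values take effect, and the rules themselves explain when <code>keep_logs</code> or a different <code>admin_space_left_action</code> is the better choice for a given system.</p>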
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27241-9</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27373792">
            <h3>Result for Record attempts to alter time through adjtimex</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">audit_rules_time_adjtimex</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">low</strong></p>
            <p>On a 32-bit system, add the following to <code>/etc/audit/audit.rules</code>: <pre class="code"><code># audit_time_rules
-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules</code></pre>
On a 64-bit system, add the following to <code>/etc/audit/audit.rules</code>:
<pre class="code"><code># audit_time_rules
-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules</code></pre>
A 64-bit system that can also run 32-bit binaries needs the <code>arch=b32</code> rule as
well, because those binaries enter the kernel through the 32-bit syscall table and are
not matched by an <code>arch=b64</code> rule.
The -k option allows for the specification of a key in string form that can
be used for better reporting capability through ausearch and aureport.
Multiple system calls can be defined on the same line to save space if
desired, but this is not required; each rule must nonetheless stay on a single line.
An example of multiple combined syscalls:
<pre class="code"><code>-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules</code></pre></p>
            <p>Arbitrary changes to the system time can be used to obfuscate 
nefarious activities in log files, as well as to confuse network services that 
are highly dependent upon an accurate system time (such as sshd). All changes 
to the system time should be audited.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26242-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27378448">
            <h3>Result for Record attempts to alter time through settimeofday</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">audit_rules_time_settimeofday</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">low</strong></p>
            <p>On a 32-bit system, add the following to <code>/etc/audit/audit.rules</code>: <pre class="code"><code># audit_time_rules
-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules</code></pre>
On a 64-bit system, add the following to <code>/etc/audit/audit.rules</code>:
<pre class="code"><code># audit_time_rules
-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules</code></pre>
The -k option allows for the specification of a key in string form that can
be used for better reporting capability through ausearch and aureport.
Multiple system calls can be defined on the same line to save space if
desired, but this is not required; each rule must nonetheless stay on a single line.
An example of multiple combined syscalls:
<pre class="code"><code>-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules</code></pre></p>
            <p>Arbitrary changes to the system time can be used to obfuscate 
nefarious activities in log files, as well as to confuse network services that 
are highly dependent upon an accurate system time (such as sshd). All changes 
to the system time should be audited.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27203-9</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27383104">
            <h3>Result for Record Attempts to Alter Time Through stime</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">audit_rules_time_stime</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">low</strong></p>
            <p>On a 32-bit system, add the following to <code>/etc/audit/audit.rules</code>: <pre class="code"><code># audit_time_rules
-a always,exit -F arch=b32 -S stime -k audit_time_rules</code></pre>
On a 64-bit system the <code>stime</code> syscall exists only in the 32-bit syscall table, so
no <code>arch=b64</code> rule for it is needed; a 64-bit system that can run 32-bit binaries
still needs the <code>arch=b32</code> rule above. The -k option allows for
the specification of a key in string form that can be used for better
reporting capability through ausearch and aureport. Multiple system calls
can be defined on the same line to save space if desired, but this is not required;
each rule must nonetheless stay on a single line.
An example of multiple combined syscalls:
<pre class="code"><code>-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules</code></pre></p>
            <p>Arbitrary changes to the system time can be used to obfuscate 
nefarious activities in log files, as well as to confuse network services that 
are highly dependent upon an accurate system time (such as sshd). All changes 
to the system time should be audited.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27169-2</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27387744">
            <h3>Result for Record Attempts to Alter Time Through clock_settime</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">audit_rules_time_clock_settime</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">low</strong></p>
            <p>On a 32-bit system, add the following to <code>/etc/audit/audit.rules</code>: <pre class="code"><code># audit_time_rules
-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules</code></pre>
On a 64-bit system, add the following to <code>/etc/audit/audit.rules</code>:
<pre class="code"><code># audit_time_rules
-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules</code></pre>
The -k option allows for the specification of a key in string form that can
be used for better reporting capability through ausearch and aureport.
Multiple system calls can be defined on the same line to save space if
desired, but this is not required; each rule must nonetheless stay on a single line.
An example of multiple combined syscalls:
<pre class="code"><code>-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules</code></pre></p>
            <p>Arbitrary changes to the system time can be used to obfuscate 
nefarious activities in log files, as well as to confuse network services that 
are highly dependent upon an accurate system time (such as sshd). All changes 
to the system time should be audited.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27170-0</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27392400">
            <h3>Result for Record Attempts to Alter the localtime File</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">audit_rules_time_watch_localtime</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">low</strong></p>  <p>Add the following to <code>/etc/audit/audit.rules</code>: <pre class="code"><code>-w /etc/localtime -p wa -k audit_time_rules</code></pre> The -k option allows for the specification of a key
in string form that can be used for better reporting capability through ausearch and
aureport and should always be used.
</p>
            <p>Arbitrary changes to the system time can be used to obfuscate 
nefarious activities in log files, as well as to confuse network services that 
are highly dependent upon an accurate system time (such as sshd). All changes 
to the system time should be audited.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27172-6</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27397056">
            <h3>Result for Record Events that Modify User/Group Information</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">audit_account_changes</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">low</strong></p>
            <p>Add the following to <code>/etc/audit/audit.rules</code>, in order
to capture events that modify account information:
<pre class="code"><code># audit_account_changes
-w /etc/group -p wa -k audit_account_changes
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/shadow -p wa -k audit_account_changes
-w /etc/security/opasswd -p wa -k audit_account_changes</code></pre></p>
            <p>In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any
unexpected users, groups, or modifications should be investigated for
legitimacy.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26664-3</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27401696">
            <h3>Result for Record Events that Modify the System's Network Environment</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">audit_network_modifications</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">low</strong></p>
            <p>Add the following to <code>/etc/audit/audit.rules</code>, setting
ARCH to either b32 or b64 as appropriate for your system:
<pre class="code"><code># audit_network_modifications
-a exit,always -F arch=ARCH -S sethostname -S setdomainname -k audit_network_modifications
-w /etc/issue -p wa -k audit_network_modifications
-w /etc/issue.net -p wa -k audit_network_modifications
-w /etc/hosts -p wa -k audit_network_modifications
-w /etc/sysconfig/network -p wa -k audit_network_modifications</code></pre></p>
            <p>The network environment should not be modified by anything other
than administrator action. Any change to network parameters should be
audited.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26648-6</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27406352">
            <h3>Result for System Audit Logs Must Have Mode 0640 or Less Permissive</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">audit_logs_permissions</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong class="strong">low</strong></p>  <p>
Change the mode of the audit log files with the following command:
<pre class="code"><code># chmod 0640 <em>audit_file</em></code></pre></p>
            <p>
If users can write to audit logs, audit trails can be modified or destroyed.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27243-5</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27413920">
            <h3>Result for Record Events that Modify the System's Mandatory Access Controls</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">audit_mac_changes</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>Add the following to <code>/etc/audit/audit.rules</code>:
<pre class="code"><code>-w /etc/selinux/ -p wa -k MAC-policy</code></pre></p>
            <p>The system's mandatory access policy (SELinux) should not be
arbitrarily changed by anything other than administrator action. All changes to
MAC policy should be audited.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26657-7</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27418560">
            <h3>Result for Record Events that Modify the System's Discretionary Access Controls - chmod</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">audit_rules_dac_modification_chmod</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<code>/etc/audit/audit.rules</code>:
<pre class="code"><code>-a always,exit -F arch=b32 -S chmod -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</code></pre>
If the system is 64 bit then also add the following:
<pre class="code"><code>-a always,exit -F arch=b64 -S chmod -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</code></pre></p>
            <div class="xccdf-warning">
              <p>Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient.
</p>
            </div>
            <p>The changing of file permissions could indicate that a user is
attempting to gain access to information that would otherwise be disallowed. Auditing
DAC modifications can facilitate the identification of patterns of abuse among both
authorized and unauthorized users.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26280-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27423216">
            <h3>Result for Record Events that Modify the System's Discretionary Access Controls - chown</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">audit_rules_dac_modification_chown</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<code>/etc/audit/audit.rules</code>:
<pre class="code"><code>-a always,exit -F arch=b32 -S chown -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</code></pre>
If the system is 64 bit then also add the following:
<pre class="code"><code>-a always,exit -F arch=b64 -S chown -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</code></pre></p>
            <div class="xccdf-warning">
              <p>Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient.
</p>
            </div>
            <p>The changing of file permissions could indicate that a user is
attempting to gain access to information that would otherwise be disallowed. Auditing
DAC modifications can facilitate the identification of patterns of abuse among both
authorized and unauthorized users.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27173-4</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27427872">
            <h3>Result for Record Events that Modify the System's Discretionary Access Controls - fchmod</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">audit_rules_dac_modification_fchmod</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<code>/etc/audit/audit.rules</code>:
<pre class="code"><code>-a always,exit -F arch=b32 -S fchmod -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</code></pre>
If the system is 64 bit then also add the following:
<pre class="code"><code>-a always,exit -F arch=b64 -S fchmod -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</code></pre></p>
            <div class="xccdf-warning">
              <p>Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient.
</p>
            </div>
            <p>The changing of file permissions could indicate that a user is
attempting to gain access to information that would otherwise be disallowed. Auditing
DAC modifications can facilitate the identification of patterns of abuse among both
authorized and unauthorized users.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27174-2</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27432528">
            <h3>Result for Record Events that Modify the System's Discretionary Access Controls - fchmodat</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">audit_rules_dac_modification_fchmodat</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<code>/etc/audit/audit.rules</code>:
<pre class="code"><code>-a always,exit -F arch=b32 -S fchmodat -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</code></pre>
If the system is 64 bit then also add the following:
<pre class="code"><code>-a always,exit -F arch=b64 -S fchmodat -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</code></pre></p>
            <div class="xccdf-warning">
              <p>Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient.
</p>
            </div>
            <p>The changing of file permissions could indicate that a user is
attempting to gain access to information that would otherwise be disallowed. Auditing
DAC modifications can facilitate the identification of patterns of abuse among both
authorized and unauthorized users.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27175-9</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27437184">
            <h3>Result for Record Events that Modify the System's Discretionary Access Controls - fchown</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">audit_rules_dac_modification_fchown</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<code>/etc/audit/audit.rules</code>:
<pre class="code"><code>-a always,exit -F arch=b32 -S fchown -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</code></pre>
If the system is 64 bit then also add the following:
<pre class="code"><code>-a always,exit -F arch=b64 -S fchown -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</code></pre></p>
            <div class="xccdf-warning">
              <p>Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient.
</p>
            </div>
            <p>The changing of file permissions could indicate that a user is
attempting to gain access to information that would otherwise be disallowed. Auditing
DAC modifications can facilitate the identification of patterns of abuse among both
authorized and unauthorized users.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27177-5</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27441840">
            <h3>Result for Record Events that Modify the System's Discretionary Access Controls - fchownat</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">audit_rules_dac_modification_fchownat</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<code>/etc/audit/audit.rules</code>:
<pre class="code"><code>-a always,exit -F arch=b32 -S fchownat -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</code></pre>
If the system is 64 bit then also add the following:
<pre class="code"><code>-a always,exit -F arch=b64 -S fchownat -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</code></pre></p>
            <div class="xccdf-warning">
              <p>Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient.
</p>
            </div>
            <p>The changing of file permissions could indicate that a user is
attempting to gain access to information that would otherwise be disallowed. Auditing
DAC modifications can facilitate the identification of patterns of abuse among both
authorized and unauthorized users.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27178-3</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27446496">
            <h3>Result for Record Events that Modify the System's Discretionary Access Controls - fremovexattr</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">audit_rules_dac_modification_fremovexattr</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<code>/etc/audit/audit.rules</code>:
<pre class="code"><code>-a always,exit -F arch=b32 -S fremovexattr -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</code></pre>
If the system is 64 bit then also add the following:
<pre class="code"><code>-a always,exit -F arch=b64 -S fremovexattr -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</code></pre></p>
            <div class="xccdf-warning">
              <p>Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient.
</p>
            </div>
            <p>The changing of file permissions could indicate that a user is
attempting to gain access to information that would otherwise be disallowed. Auditing
DAC modifications can facilitate the identification of patterns of abuse among both
authorized and unauthorized users.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27179-1</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27451168">
            <h3>Result for Record Events that Modify the System's Discretionary Access Controls - fsetxattr</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">audit_rules_dac_modification_fsetxattr</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<code>/etc/audit/audit.rules</code>:
<pre class="code"><code>-a always,exit -F arch=b32 -S fsetxattr -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</code></pre>
If the system is 64 bit then also add the following:
<pre class="code"><code>-a always,exit -F arch=b64 -S fsetxattr -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</code></pre></p>
            <div class="xccdf-warning">
              <p>Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient.
</p>
            </div>
            <p>The changing of file permissions could indicate that a user is
attempting to gain access to information that would otherwise be disallowed. Auditing
DAC modifications can facilitate the identification of patterns of abuse among both
authorized and unauthorized users.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27180-9</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27455824">
            <h3>Result for Record Events that Modify the System's Discretionary Access Controls - lchown</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">audit_rules_dac_modification_lchown</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<code>/etc/audit/audit.rules</code>:
<pre class="code"><code>-a always,exit -F arch=b32 -S lchown -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</code></pre>
If the system is 64 bit then also add the following:
<pre class="code"><code>-a always,exit -F arch=b64 -S lchown -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</code></pre></p>
            <div class="xccdf-warning">
              <p>Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient.
</p>
            </div>
            <p>The changing of file permissions could indicate that a user is
attempting to gain access to information that would otherwise be disallowed. Auditing
DAC modifications can facilitate the identification of patterns of abuse among both
authorized and unauthorized users.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27181-7</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27460480">
            <h3>Result for Record Events that Modify the System's Discretionary Access Controls - lremovexattr</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">audit_rules_dac_modification_lremovexattr</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<code>/etc/audit/audit.rules</code>:
<pre class="code"><code>-a always,exit -F arch=b32 -S lremovexattr -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</code></pre>
If the system is 64 bit then also add the following:
<pre class="code"><code>-a always,exit -F arch=b64 -S lremovexattr -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</code></pre></p>
            <div class="xccdf-warning">
              <p>Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient.
</p>
            </div>
            <p>The changing of file permissions could indicate that a user is
attempting to gain access to information that would otherwise be disallowed. Auditing
DAC modifications can facilitate the identification of patterns of abuse among both
authorized and unauthorized users.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27182-5</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27465152">
            <h3>Result for Record Events that Modify the System's Discretionary Access Controls - lsetxattr</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">audit_rules_dac_modification_lsetxattr</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<code>/etc/audit/audit.rules</code>:
<pre class="code"><code>-a always,exit -F arch=b32 -S lsetxattr -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</code></pre>
If the system is 64 bit then also add the following:
<pre class="code"><code>-a always,exit -F arch=b64 -S lsetxattr -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</code></pre></p>
            <div class="xccdf-warning">
              <p>Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient.
</p>
            </div>
            <p>The changing of file permissions could indicate that a user is
attempting to gain access to information that would otherwise be disallowed. Auditing
DAC modifications can facilitate the identification of patterns of abuse among both
authorized and unauthorized users.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27183-3</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27469808">
            <h3>Result for Record Events that Modify the System's Discretionary Access Controls - removexattr</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">audit_rules_dac_modification_removexattr</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<code>/etc/audit/audit.rules</code>:
<pre class="code"><code>-a always,exit -F arch=b32 -S removexattr -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</code></pre>
If the system is 64 bit then also add the following:
<pre class="code"><code>-a always,exit -F arch=b64 -S removexattr -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</code></pre></p>
            <div class="xccdf-warning">
              <p>Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient.
</p>
            </div>
            <p>The changing of file permissions could indicate that a user is
attempting to gain access to information that would otherwise be disallowed. Auditing
DAC modifications can facilitate the identification of patterns of abuse among both
authorized and unauthorized users.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27184-1</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27474480">
            <h3>Result for Record Events that Modify the System's Discretionary Access Controls - setxattr</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">audit_rules_dac_modification_setxattr</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<code>/etc/audit/audit.rules</code>:
<pre class="code"><code>-a always,exit -F arch=b32 -S setxattr -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</code></pre>
If the system is 64 bit then also add the following:
<pre class="code"><code>-a always,exit -F arch=b64 -S setxattr -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</code></pre></p>
            <div class="xccdf-warning">
              <p>Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient.
</p>
            </div>
            <p>The changing of file permissions could indicate that a user is
attempting to gain access to information that would otherwise be disallowed. Auditing
DAC modifications can facilitate the identification of patterns of abuse among both
authorized and unauthorized users.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27185-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27484928">
            <h3>Result for Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">audit_file_access</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>At a minimum the audit system should collect
unauthorized file accesses for all users and root. Add the following
to <code>/etc/audit/audit.rules</code>, setting ARCH to either b32 or b64 as
appropriate for your system:
<pre class="code"><code>-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid&gt;=500 -F auid!=4294967295 -k access
-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid&gt;=500 -F auid!=4294967295 -k access</code></pre></p>
            <p>Unsuccessful attempts to access files could be an indicator of
malicious activity on a system. Auditing these events could serve as evidence of
potential system compromise.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26712-0</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27489568">
            <h3>Result for Ensure auditd Collects Information on the Use of Privileged Commands</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">audit_privileged_commands</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>At a minimum the audit system should collect the
execution of privileged commands for all users and root.
To find the relevant setuid and setgid programs (the parentheses keep both
permission tests restricted to regular files on local filesystems):
<pre class="code"><code># find / -xdev -type f \( -perm -4000 -o -perm -2000 \) 2&gt;/dev/null</code></pre>
Then, for each setuid program on the system, add a line
of the following form to <code>/etc/audit/audit.rules</code>, where
<em>SETUID_PROG_PATH</em> is the full path to each setuid program in the list:
<pre class="code"><code>-a always,exit -F path=<em>SETUID_PROG_PATH</em> -F perm=x -F auid&gt;=500 -F auid!=4294967295 -k privileged</code></pre></p>
            <p>Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26457-2</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27494224">
            <h3>Result for Ensure auditd Collects Information on Exporting to Media (successful)</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">audit_media_exports</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>At a minimum the audit system should collect
media exportation events for all users and root. Add the following to
<code>/etc/audit/audit.rules</code>, setting ARCH to either b32 or b64 as
appropriate for your system:
<pre class="code"><code>-a always,exit -F arch=ARCH -S mount -F auid&gt;=500 -F auid!=4294967295 -k export</code></pre></p>
            <p>The unauthorized exportation of data to external media could result in
an information leak where classified information, Privacy Act information, and
intellectual property could be lost. An audit trail should be created each time a
filesystem is mounted to help identify and guard against information loss.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26573-6</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27498864">
            <h3>Result for Ensure auditd Collects File Deletion Events by User</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">audit_file_deletions</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>At a minimum the audit system should collect file
deletion events for all users and root. Add the following to
<code>/etc/audit/audit.rules</code>, setting ARCH to either b32 or b64 as
appropriate for your system (both, as separate lines, on a 64-bit kernel):
<pre class="code"><code>-a always,exit -F arch=ARCH -S unlink -S unlinkat -S rename -S renameat -F auid&gt;=500 -F auid!=4294967295 -k delete</code></pre></p>
            <p>Auditing file deletions will create an audit trail for files that are
removed from the system. The audit trail could aid in system troubleshooting, as well
as detecting malicious processes that attempt to delete log files to conceal their
presence.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26651-0</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27503504">
            <h3>Result for Ensure auditd Collects System Administrator Actions</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">audit_sysadmin_actions</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>At a minimum the audit system should collect
administrator actions for all users and root. Add the following to
<code>/etc/audit/audit.rules</code>:
<pre class="code"><code>-w /etc/sudoers -p wa -k actions</code></pre>
If <code>/etc/sudoers</code> pulls in a drop-in directory (<code>#includedir /etc/sudoers.d</code>),
add a second watch, <code>-w /etc/sudoers.d/ -p wa -k actions</code>, or policy changes delivered
as drop-in files go unrecorded.</p>
            <p>The actions taken by system administrators should be audited to keep a
record of what was executed on the system, as well as for accountability
purposes.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26662-7</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27508144">
            <h3>Result for Ensure auditd Collects Information on Kernel Module Loading and Unloading</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">audit_kernel_module_loading</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>Add the following to <code>/etc/audit/audit.rules</code> in order
to capture kernel module loading and unloading events, setting ARCH to either b32 or
b64 as appropriate for your system:
<pre class="code"><code>-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=<em>ARCH</em> -S init_module -S delete_module -k modules</code></pre>
Unlike the rules above, the syscall rule carries no <code>auid</code> filter, so it also records
modules loaded by system processes (including at boot); that is intended, since a module loaded
by a compromised daemon matters as much as one loaded by a person.</p>
            <p>The addition/removal of kernel modules can be used to alter the
behavior of the kernel and potentially introduce malicious code into kernel space. It
is important to have an audit trail of modules that have been introduced into the
kernel.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26611-4</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
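<p>A worked example for the three syscall rules above (media exports, file deletions and kernel modules), added here and not part of SSG: it emits each rule once per syscall ABI the kernel exposes, and scans an existing <code>audit.rules</code> for syscall rules that exist only for <code>b64</code>. The machine-to-ABI mapping and the sample rules file are assumptions constructed for the example.</p>

```shell
#!/bin/sh
# Added example (not SSG code): generate arch-aware syscall audit rules and
# find rules that cover only one ABI.
#
# A "-F arch=b64" rule hooks only the 64-bit syscall table. On an x86_64
# kernel a 32-bit binary, or code that enters the kernel through the 32-bit
# entry point, uses the b32 table and is invisible to that rule, so each
# syscall rule must be written once per ABI.

# abis_for MACHINE -> the arch= values a kernel of that `uname -m` type needs
abis_for() {
    case "$1" in
        x86_64|aarch64|ppc64|ppc64le|s390x) echo "b32 b64" ;;
        *) echo "b32" ;;
    esac
}

# emit_syscall_rules MACHINE KEY FILTER SYSCALL... -> one rule per ABI.
# FILTER is the extra field filter (e.g. the auid restriction), or "" for
# rules that should fire for every process, such as the kernel-module rule.
emit_syscall_rules() {
    machine=$1; key=$2; filter=$3; shift 3
    syscalls=""
    for s in "$@"; do syscalls="$syscalls -S $s"; done
    for abi in $(abis_for "$machine"); do
        if [ -n "$filter" ]; then
            printf '%s\n' "-a always,exit -F arch=$abi$syscalls $filter -k $key"
        else
            printf '%s\n' "-a always,exit -F arch=$abi$syscalls -k $key"
        fi
    done
}

# keys_missing_b32 RULES_FILE -> keys of syscall rules present for b64 but
# not for b32; on a 64-bit system every key printed is a blind spot.
keys_missing_b32() {
    b64=$(grep -- '-F arch=b64' "$1" | sed -n 's/.* -k \([^ ]*\).*/\1/p' | sort -u)
    b32=$(grep -- '-F arch=b32' "$1" | sed -n 's/.* -k \([^ ]*\).*/\1/p' | sort -u)
    for k in $b64; do
        echo "$b32" | grep -qx -- "$k" || echo "$k"
    done
}

# sample_rules_file -> a constructed audit.rules fragment for the check above:
# "delete" is complete, "export" and "modules" exist only for b64.
sample_rules_file() {
    cat <<'EOF'
-w /etc/sudoers -p wa -k actions
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
EOF
}

# Live usage:
#   emit_syscall_rules "$(uname -m)" export '-F auid>=500 -F auid!=4294967295' mount
#   keys_missing_b32 /etc/audit/audit.rules
```

The key-based comparison is deliberately coarse: it tells you which rule families lack a 32-bit twin, not whether the two twins list the same syscalls, so diff the printed rule pairs by eye once the keys agree.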
          <div class="result-detail" id="ruleresult-idp27515728">
            <h3>Result for Disable xinetd Service</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">disable_xinetd</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    The <code>xinetd</code> service can be disabled with the following command:
    <pre class="code"><code># chkconfig xinetd off</code></pre></p>
            <p>
The xinetd service provides a dedicated listener service for some programs,
which is no longer necessary for commonly-used network services. Disabling
it ensures that these uncommon services are not running, and also prevents
attacks against xinetd itself.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27046-2</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27520368">
            <h3>Result for Uninstall xinetd Package</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">uninstall_xinetd</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The <code>xinetd</code> package can be uninstalled with the following
command: <pre class="code"><code># yum erase xinetd</code></pre></p>
            <p>
Removing the <code>xinetd</code> package decreases the risk of the
xinetd service's accidental (or intentional) activation.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27005-8</span>
              </li>
            </ul>
            <div class="xccdf-fix">
              <h4 class="short">Remediation script</h4>
              <pre class="code">
                <code>if rpm -qa | grep -q xinetd; then
	yum -y remove xinetd
fi
</code>
              </pre>
            </div>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27526080">
            <h3>Result for Disable telnet Service</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">disable_telnet_service</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">high</strong></p>
            <p>
    The <code>telnet</code> service can be disabled with the following command:
    <pre class="code"><code># chkconfig telnet off</code></pre></p>
            <p>
The telnet protocol uses unencrypted network communication, which
means that data from the login session, including passwords and
all other information transmitted during the session, can be
stolen by eavesdroppers on the network. The telnet protocol is also
subject to man-in-the-middle attacks.
</p>
            <p>On this scan the rule is reported as failed while the companion rule
<code>uninstall_telnet_server</code> passes, so <code>telnet-server</code> is not installed and
there is most likely no <code>/etc/xinetd.d/telnet</code> entry for <code>chkconfig</code> to act on.
Treat the failure as a limitation of the check rather than as evidence of a telnet listener, and
confirm with <code>chkconfig --list telnet</code> and by checking that nothing is bound to TCP port 23
(<code>netstat -tlnp</code>).</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26836-7</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27530720">
            <h3>Result for Uninstall telnet-server Package</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">uninstall_telnet_server</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">high</strong></p>
            <p>The <code>telnet-server</code> package can be uninstalled with
the following command:
<pre class="code"><code># yum erase telnet-server</code></pre></p>
            <p>
Removing the <code>telnet-server</code> package decreases the risk of the
telnet service's accidental (or intentional) activation.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27073-6</span>
              </li>
            </ul>
            <div class="xccdf-fix">
              <h4 class="short">Remediation script</h4>
              <pre class="code">
                <code>if rpm -qa | grep -q telnet-server; then
	yum -y remove telnet-server
fi
</code>
              </pre>
            </div>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27536384">
            <h3>Result for Uninstall rsh-server Package</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">uninstall_rsh-server</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">high</strong></p>
            <p>The <code>rsh-server</code> package can be uninstalled with the following command:
<pre class="code"><code># yum erase rsh-server</code></pre></p>
            <p>The <code>rsh-server</code> package provides several obsolete and
insecure network services. Removing it
decreases the risk of those services' accidental (or intentional)
activation.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27062-9</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27541024">
            <h3>Result for Disable rexec Service</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">disable_rexec</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">high</strong></p>
            <p>The <code>rexec</code> service, which is available with the <code>rsh-server</code>
package and runs as a service through xinetd, should be disabled.

    The <code>rexec</code> service can be disabled with the following command:
    <pre class="code"><code># chkconfig rexec off</code></pre></p>
            <p>The rexec service uses unencrypted network communications, which
means that data from the login session, including passwords and
all other information transmitted during the session, can be
stolen by eavesdroppers on the network.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27208-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27545664">
            <h3>Result for Disable rsh Service</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">disable_rsh</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">high</strong></p>
            <p>The <code>rsh</code> service, which is available with the <code>rsh-server</code>
package and runs as a service through xinetd, should be disabled.

    The <code>rsh</code> service can be disabled with the following command:
    <pre class="code"><code># chkconfig rsh off</code></pre></p>
            <p>The rsh service uses unencrypted network communications, which
means that data from the login session, including passwords and
all other information transmitted during the session, can be
stolen by eavesdroppers on the network.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26994-4</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27550304">
            <h3>Result for Disable rlogin Service</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">disable_rlogin</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">high</strong></p>
            <p>The <code>rlogin</code> service, which is available with the <code>rsh-server</code>
package and runs as a service through xinetd, should be disabled.

    The <code>rlogin</code> service can be disabled with the following command:
    <pre class="code"><code># chkconfig rlogin off</code></pre></p>
            <p>The rlogin service uses unencrypted network communications, which
means that data from the login session, including passwords and
all other information transmitted during the session, can be
stolen by eavesdroppers on the network.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26865-6</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27554944">
            <h3>Result for Remove Rsh Trust Files</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">no_rsh_trust_files</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">high</strong></p>
            <p>The files <code>/etc/hosts.equiv</code> and <code>~/.rhosts</code> (in
each user's home directory) list remote hosts and users that are trusted by the
local system when using the rshd daemon.
To remove these files, run the following commands; the second only removes the file in
the current user's home directory, so it must be repeated for every account's home
directory, not only the one you are logged in as:
<pre class="code"><code># rm /etc/hosts.equiv</code></pre><pre class="code"><code>$ rm ~/.rhosts</code></pre></p>
            <p>Trust files are convenient, but when
used in conjunction with the R-services, they can allow
unauthenticated access to a system.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27270-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
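<p>The removal step above, as an added example (written for this page, not SSG code) that walks every home directory listed in the password file instead of only the caller's own. The <code>PREFIX</code> argument is an assumption introduced so the script can be exercised against a scratch directory; on a live system it is the empty string.</p>

```shell
#!/bin/sh
# Added example (not SSG code): locate rsh trust files for every account.
# "rm ~/.rhosts" removes only the current user's file; a .rhosts granting
# password-less rlogin/rsh access can sit in any home directory listed in
# /etc/passwd, including service accounts.

# list_rsh_trust_files PASSWD_FILE PREFIX -> existing trust files, one per line.
# PREFIX is prepended to every path: "" on a live system, a scratch directory
# in the test below.
list_rsh_trust_files() {
    passwd=$1; prefix=$2
    if [ -e "$prefix/etc/hosts.equiv" ]; then
        echo "$prefix/etc/hosts.equiv"
    fi
    # field 6 of passwd is the home directory; duplicates (several accounts
    # sharing a home) are collapsed so each file is reported once
    awk -F: '$6 != "" { print $6 }' "$passwd" | sort -u |
    while IFS= read -r home; do
        if [ -e "$prefix$home/.rhosts" ]; then
            echo "$prefix$home/.rhosts"
        fi
    done
}

# remove_rsh_trust_files PASSWD_FILE PREFIX -> deletes what the lister reports
remove_rsh_trust_files() {
    list_rsh_trust_files "$1" "$2" | while IFS= read -r f; do
        rm -f -- "$f"
        echo "removed $f"
    done
}

# Live usage (as root):
#   list_rsh_trust_files /etc/passwd ""       # review first
#   remove_rsh_trust_files /etc/passwd ""
```

Accounts that come from NIS or LDAP are not in <code>/etc/passwd</code>; feed the script <code>getent passwd</code> output saved to a file if such accounts have local home directories.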
          <div class="result-detail" id="ruleresult-idp27559584">
            <h3>Result for Uninstall ypserv Package</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">uninstall_ypserv</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>The <code>ypserv</code> package can be uninstalled with the following command:
<pre class="code"><code># yum erase ypserv</code></pre></p>
            <p>Removing the <code>ypserv</code> package decreases the risk of the
accidental (or intentional) activation of NIS (YP) services, whose protocol provides
neither authentication nor encryption.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27079-3</span>
              </li>
            </ul>
            <div class="xccdf-fix">
              <h4 class="short">Remediation script</h4>
              <pre class="code">
                <code>if rpm -qa | grep -q ypserv; then
	yum -y remove ypserv
fi
</code>
              </pre>
            </div>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27565216">
            <h3>Result for Disable ypbind Service</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">disable_ypbind</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>The <code>ypbind</code> service, which allows the system to act as a
client in a NIS (YP) domain, should be disabled.

    The <code>ypbind</code> service can be disabled with the following command:
    <pre class="code"><code># chkconfig ypbind off</code></pre></p>
            <p>
Disabling the <code>ypbind</code> service ensures the system is not acting
as a client in a NIS (YP) domain, and so does not take account and password
data from an unauthenticated network service.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26894-6</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27569856">
            <h3>Result for Disable tftp Service</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">disable_tftp</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>The <code>tftp</code> service should be disabled.

    The <code>tftp</code> service can be disabled with the following command:
    <pre class="code"><code># chkconfig tftp off</code></pre></p>
            <p>
Disabling the <code>tftp</code> service ensures the system is not acting
as a tftp server, which does not provide encryption or authentication.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27055-3</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27574496">
            <h3>Result for Uninstall tftp-server Package</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">uninstall_tftp-server</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    The <code>tftp-server</code> package can be removed with the following command:
    <pre class="code"><code># yum erase tftp-server</code></pre></p>
            <p>
Removing the <code>tftp-server</code> package decreases the risk of the
accidental (or intentional) activation of tftp services.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26946-4</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27579136">
            <h3>Result for Ensure tftp Daemon Uses Secure Mode</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">tftpd_uses_secure_mode</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">high</strong></p>
            <p>If running the <code>tftp</code> service is necessary, it should be
configured to change its root directory at startup. To do so, ensure
<code>/etc/xinetd.d/tftp</code> includes <code>-s</code> as a command line argument,
as shown in the following example (which is also the default):
<pre class="code"><code>server_args = -s /var/lib/tftpboot</code></pre></p>
            <p>Using the <code>-s</code> option causes the TFTP service to only serve
files from the given directory: <code>in.tftpd</code> changes its root directory to it after
starting, so every request is resolved relative to that directory and no requested path can
reach outside it. Serving files from an intentionally-specified
directory reduces the risk of sharing files which should remain private.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27272-4</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
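<p>A check for the setting above, added as an example for this page (not an SSG check or OVAL definition): it reads the <code>server_args</code> line from an xinetd stanza and reports whether <code>-s</code> is present. The sample stanzas and the <code>--secure</code> long form of the option are assumptions of the example.</p>

```shell
#!/bin/sh
# Added example (not SSG code): report whether /etc/xinetd.d/tftp starts
# in.tftpd in secure mode. It ignores commented-out lines, accepts -s
# anywhere in the argument list and matches it only as a whole word, so a
# directory name that merely contains "-s" does not pass.

# tftpd_secure_mode CONF -> prints "secure", "insecure" or "no-server-args";
# exit status 0 only for "secure". Bundled flags such as "-cs" are not
# recognised; write -s as its own argument.
tftpd_secure_mode() {
    args=$(sed -n 's/^[[:space:]]*server_args[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    if [ -z "$args" ]; then
        echo "no-server-args"; return 1
    fi
    for a in $args; do
        if [ "$a" = "-s" ] || [ "$a" = "--secure" ]; then
            echo "secure"; return 0
        fi
    done
    echo "insecure"; return 1
}

# sample_tftp_conf MODE -> constructed /etc/xinetd.d/tftp stanzas for the test:
# "secure" mirrors the default shown above, "insecure" serves from an
# unrestricted path whose name happens to contain "-s".
sample_tftp_conf() {
    case "$1" in
        secure)   server_args='-s /var/lib/tftpboot' ;;
        insecure) server_args='/var/lib/tftpboot-s' ;;
    esac
    cat <<EOF
# default: off
service tftp
{
    socket_type     = dgram
    protocol        = udp
    wait            = yes
    user            = root
    server          = /usr/sbin/in.tftpd
#   server_args     = -s /var/lib/tftpboot
    server_args     = $server_args
    disable         = yes
}
EOF
}

# Live usage: tftpd_secure_mode /etc/xinetd.d/tftp
```

The last uncommented <code>server_args</code> line wins, which is how xinetd behaves when a key is repeated inside one stanza; a commented-out secure line above an insecure live one is therefore correctly reported as insecure.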
          <div class="result-detail" id="ruleresult-idp27583776">
            <h3>Result for Disable Automatic Bug Reporting Tool (abrtd)</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">service_abrtd_disabled</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The Automatic Bug Reporting Tool (<code>abrtd</code>) daemon collects
and reports crash data when an application crash is detected. Using a variety
of plugins, abrtd can email crash reports to system administrators, log crash
reports to files, or forward crash reports to a centralized issue tracking
system such as RHTSupport.

    The <code>abrtd</code> service can be disabled with the following command:
    <pre class="code"><code># chkconfig abrtd off</code></pre></p>
            <p> Mishandling crash data could expose sensitive information about
vulnerabilities in software executing on the local machine, as well as sensitive
information from within a process's address space or registers.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27247-6</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27617568">
            <h3>Result for Disable Network Console (netconsole)</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">service_netconsole_disabled</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The <code>netconsole</code> service is responsible for loading the
netconsole kernel module, which logs kernel printk messages over UDP to a
syslog server. This allows debugging of problems where disk logging fails and
serial consoles are impractical.

    The <code>netconsole</code> service can be disabled with the following command:
    <pre class="code"><code># chkconfig netconsole off</code></pre></p>
            <p>The <code>netconsole</code> service is not necessary unless there is a
need to debug kernel panics, which is not common.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27254-2</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27622384">
            <h3>Result for Disable ntpdate Service (ntpdate)</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">service_ntpdate_disabled</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The ntpdate service sets the local hardware clock by polling NTP
servers when the system boots. It synchronizes to the NTP servers listed in
<code>/etc/ntp/step-tickers</code> or <code>/etc/ntp.conf</code>
and then sets the local hardware clock to the newly synchronized
system time.

    The <code>ntpdate</code> service can be disabled with the following command:
    <pre class="code"><code># chkconfig ntpdate off</code></pre></p>
            <p>The <code>ntpdate</code> service may only be suitable for systems
which are rebooted frequently enough that clock drift does not cause problems between
reboots. In any event, the same functionality is available from <code>ntpd</code> itself
(a one-shot <code>ntpd -q</code>, or the <code>iburst</code> option on a server line for fast
initial synchronization), and <code>ntpdate</code> should be considered deprecated.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27256-7</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27627040">
            <h3>Result for Disable Odd Job Daemon (oddjobd)</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">service_oddjobd_disabled</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The <code>oddjobd</code> service exists to provide an interface and
access control mechanism through which
specified privileged tasks can run tasks for unprivileged client
applications. Communication with <code>oddjobd</code> takes place through the system
message bus (D-Bus).

    The <code>oddjobd</code> service can be disabled with the following command:
    <pre class="code"><code># chkconfig oddjobd off</code></pre></p>
            <p>The <code>oddjobd</code> service may provide necessary functionality
in some environments but it can be disabled if it is not needed. Execution of
tasks by privileged programs, on behalf of unprivileged ones, has traditionally
been a source of privilege escalation security issues.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27257-5</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27637568">
            <h3>Result for Disable Apache Qpid (qpidd)</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">service_qpidd_disabled</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The <code>qpidd</code> service provides high speed, secure, guaranteed
delivery services.  It is an implementation of the Advanced Message Queuing Protocol.
By default the qpidd service will bind to port 5672 and
listen for connection attempts.

    The <code>qpidd</code> service can be disabled with the following command:
    <pre class="code"><code># chkconfig qpidd off</code></pre></p>
            <p>The qpidd service is automatically installed when the "base" 
package selection is selected during installation.  The qpidd service listens 
for network connections which increases the attack surface of the system.  If 
the system is not intended to receive AMQP traffic then the <code>qpidd</code> 
service is not needed and should be disabled or removed.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26928-2</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27645152">
            <h3>Result for Disable Network Router Discovery Daemon (rdisc)</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">service_rdisc_disabled</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The <code>rdisc</code> service implements the client side of the ICMP
Internet Router Discovery Protocol (IRDP), which allows discovery of routers on
the local subnet. If a router is discovered then the local routing table is
updated with a corresponding default route. By default this daemon is disabled.

    The <code>rdisc</code> service can be disabled with the following command:
    <pre class="code"><code># chkconfig rdisc off</code></pre></p>
            <p>General-purpose systems typically have their network and routing
information configured statically by a system administrator. Workstations or
some special-purpose systems often use DHCP (instead of IRDP) to retrieve
dynamic network configuration information.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27261-7</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27649792">
            <h3>Result for Disable Red Hat Network Service (rhnsd)</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">service_rhnsd_disabled</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The Red Hat Network service automatically queries Red Hat Network
servers to determine whether there are any actions that should be executed,
such as package updates. This only occurs if the system was registered to an
RHN server or satellite and managed as such.

    The <code>rhnsd</code> service can be disabled with the following command:
    <pre class="code"><code># chkconfig rhnsd off</code></pre></p>
            <p>Although systems management and patching are extremely important to
system security, management by a system outside the enterprise enclave is not
desirable for some environments. However, if the system is being managed by RHN or
RHN Satellite Server, the <code>rhnsd</code> daemon can remain on.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26846-6</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27666208">
            <h3>Result for Enable cron Service</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">enable_cron</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>The <code>crond</code> service is used to execute commands at
preconfigured times. It is required by almost all systems to perform necessary
maintenance tasks, such as notifying root of system activity.

    The <code>crond</code> service can be enabled with the following command:
    <pre class="code"><code># chkconfig --level 2345 crond on</code></pre></p>
            <p>Due to its usage for maintenance and security-supporting tasks,
enabling the cron daemon is essential.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27070-2</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27681792">
            <h3>Result for Allow Only SSH Protocol 2</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">sshd_allow_only_protocol2</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">high</strong></p>
            <p>Only SSH protocol version 2 connections should be permitted. The default setting in
<code>/etc/ssh/sshd_config</code> is correct, and can be verified by ensuring that the following
line appears:
<pre class="code"><code>Protocol 2</code></pre></p>
            <p>
SSH protocol version 1 suffers from design flaws that
result in security vulnerabilities and
should not be used.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27072-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27688592">
            <h3>Result for Set SSH Idle Timeout Interval</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">sshd_set_idle_timeout</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>SSH allows administrators to set an idle timeout interval.
After this interval has passed, the idle user will be automatically logged out.
<br /><br />
To set an idle timeout interval, edit the following line in
<code>/etc/ssh/sshd_config</code> as follows:
<pre class="code"><code>ClientAliveInterval <strong class="bold">interval</strong></code></pre>
The timeout <strong class="bold">interval</strong> is given in seconds. To have a timeout of 15 minutes,
set <strong class="bold">interval</strong> to 900. <br /><br />
If a shorter timeout has already been set for the login shell, that value will preempt any SSH
setting made here. Keep in mind that some processes may stop SSH from correctly detecting that
the user is idle.
</p>
            <p>
Causing idle users to be automatically logged out
guards against compromises one system leading trivially
to compromises on another.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26919-1</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27694144">
            <h3>Result for Set SSH Client Alive Count</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">sshd_set_keepalive</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>To ensure the SSH idle timeout occurs precisely when the
<code>ClientAliveCountMax</code> is set, edit <code>/etc/ssh/sshd_config</code> as
follows:
<pre class="code"><code>ClientAliveCountMax 0</code></pre></p>
            <p>
This ensures a user login will be terminated as soon as the
<code>ClientAliveCountMax</code> is reached.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26282-4</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27698784">
            <h3>Result for Disable SSH Support for .rhosts Files</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">sshd_disable_rhosts</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>SSH can emulate the behavior of the obsolete rsh command in allowing users to
enable insecure access to their accounts via <code>.rhosts</code> files.
<br /><br />
To ensure this behavior is disabled, add or correct the
following line in <code>/etc/ssh/sshd_config</code>:
<pre class="code"><code>IgnoreRhosts yes</code></pre></p>
            <p>
SSH trust relationships mean a compromise on one host
can allow an attacker to move trivially to other hosts.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27124-7</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27703424">
            <h3>Result for Disable Host-Based Authentication</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">disable_host_auth</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>SSH's cryptographic host-based authentication is more secure than
<code>.rhosts</code> authentication,
since hosts are cryptographically authenticated. However, it is
not recommended that hosts unilaterally trust one another, even
within an organization.
<br /><br />
To disable host-based authentication, add or correct the
following line in <code>/etc/ssh/sshd_config</code>:
<pre class="code"><code>HostbasedAuthentication no</code></pre></p>
            <p>
SSH trust relationships mean a compromise on one host
can allow an attacker to move trivially to other hosts.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27091-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27708064">
            <h3>Result for Disable SSH Root Login</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">sshd_disable_root_login</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>The root user should never be allowed to login to a system directly over a network.
To disable root login via SSH, add or correct the following line
in <code>/etc/ssh/sshd_config</code>:
<pre class="code"><code>PermitRootLogin no</code></pre></p>
            <p>
Permitting direct root login reduces auditable information about who ran
privileged commands on the system
and also allows direct attack attempts on root's password.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27100-7</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27712720">
            <h3>Result for Disable SSH Access via Empty Passwords</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">sshd_disable_empty_passwords</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">high</strong></p>
            <p>To explicitly disallow remote login from accounts with empty passwords,
add or correct the following line in <code>/etc/ssh/sshd_config</code>:
<pre class="code"><code>PermitEmptyPasswords no</code></pre>
Any accounts with empty passwords should be disabled immediately, and PAM
configuration should prevent users from being able to assign themselves empty
passwords. </p>
            <p>
Configuring this setting for the SSH daemon provides additional assurance that
remote login via SSH will require a password,
even in the event of misconfiguration elsewhere.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26887-0</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27717376">
            <h3>Result for Enable SSH Warning Banner</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">sshd_enable_warning_banner</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
To enable the warning banner and ensure it is consistent
across the system, add or correct the following line in
<code>/etc/ssh/sshd_config</code>:
<pre class="code"><code>Banner /etc/issue</code></pre>
Another section contains information on how to create an
appropriate system-wide warning banner.
</p>
            <p>
The warning message reinforces policy awareness during the logon process and
facilitates possible legal action against attackers.  Alternatively, systems
whose ownership should not be obvious should ensure usage of a banner that does
not provide easy attribution.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27112-2</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27722032">
            <h3>Result for Do Not Allow SSH Environment Options</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong \
                class="strong">sshd_do_not_permit_user_env</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>To ensure users are not able to present
environment options to the SSH daemon, add or correct the following line
in <code>/etc/ssh/sshd_config</code>:
<pre class="code"><code>PermitUserEnvironment no</code></pre></p>
            <p>
SSH environment options potentially allow users to bypass
access restrictions in some configurations.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27201-3</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27726688">
            <h3>Result for Use Only Approved Ciphers</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">sshd_use_approved_ciphers</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>Limit the ciphers to those algorithms which are FIPS-approved.
Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.
The following line in <code>/etc/ssh/sshd_config</code>
demonstrates use of FIPS-approved ciphers:
<pre class="code"><code>Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc</code></pre>
 The man page <code>sshd_config(5)</code> contains a list of supported ciphers.
</p>
            <p>
Approved algorithms should impart some level of confidence in their
implementation. These are also required for compliance.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26555-3</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27731344">
            <h3>Result for Disable X Windows Startup By Setting Runlevel</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">disable_xwindows_with_runlevel</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>Setting the system's runlevel to 3 will prevent automatic startup
of the X server. To do so, ensure the following line in <code>/etc/inittab</code>
features a <code>3</code> as shown:
<pre class="code"><code>id:3:initdefault:</code></pre></p>
            <p>Unnecessary services should be disabled to decrease the attack surface
of the system.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27119-7</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27736000">
            <h3>Result for Remove the X Windows Package Group</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">packagegroup_xwindows_remove</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>Removing all packages which constitute the X Window System ensures users
or malicious software cannot start X.
To do so, run the following command:
<pre class="code"><code># yum groupremove "X Window System"</code></pre></p>
            <p>Unnecessary packages should not be installed to decrease the attack
surface of the system.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27198-1</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27740656">
            <h3>Result for Disable Avahi Server Software</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">disable_avahi</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
    The <code>avahi-daemon</code> service can be disabled with the following command:
    <pre class="code"><code># chkconfig avahi-daemon off</code></pre></p>
            <p>
Because the Avahi daemon service keeps an open network
port, it is subject to network attacks. Its functionality
is convenient but is only appropriate if the local network
can be trusted.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27087-6</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27780064">
            <h3>Result for Disable DHCP Client</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">disable_dhcp_client</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
For each interface on the system (e.g. eth0), edit
<code>/etc/sysconfig/network-scripts/ifcfg-<em>interface</em></code> and make the
following changes:
</p>
            <ul class="itemizedlist">
              <li>
                <p> Correct the BOOTPROTO line to read:
<pre class="code"><code>BOOTPROTO=static</code></pre></p>
              </li>
              <li>
                <p> Add or correct the following lines, substituting the appropriate
values based on your site's addressing scheme:
<pre class="code"><code>NETMASK=255.255.255.0
IPADDR=192.168.1.2
GATEWAY=192.168.1.1</code></pre></p>
              </li>
            </ul>
            <p>
DHCP relies on trusting the local network. If the local network is not trusted,
then it should not be used.  However, the automatic configuration provided by
DHCP is commonly used and the alternative, manual configuration, presents an
unacceptable burden in many circumstances.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27021-5</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27784864">
            <h3>Result for Enable the NTP Daemon</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">enable_ntpd</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    The <code>ntpd</code> service can be enabled with the following command:
    <pre class="code"><code># chkconfig --level 2345 ntpd on</code></pre></p>
            <p>Enabling the <code>ntpd</code> service ensures that the
<code>ntpd</code> service will be running and that the system will synchronize its
time to any servers specified. This is important whether the system is configured to
be a client (and synchronize only its own clock) or it is also acting as an NTP
server to other systems.  Synchronizing time is essential for authentication
services such as Kerberos, but it is also important for maintaining accurate
logs and auditing possible security breaches.  
<br /><br />
The NTP daemon offers all of the functionality of <code>ntpdate</code>, which is now 
deprecated.  Additional information on this is available at 
http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27093-4</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27789504">
            <h3>Result for Specify a Remote NTP Server</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">ntpd_specify_remote_server</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>To specify a remote NTP server for time synchronization, edit
the file <code>/etc/ntp.conf</code>. Add or correct the following lines,
substituting the IP or hostname of a remote NTP server for <em>ntpserver</em>:
<pre class="code"><code>server <em>ntpserver</em></code></pre>
This instructs the NTP software to contact that remote server to obtain time
data.
</p>
            <p> Synchronizing with an NTP server makes it possible
to collate system logs from multiple sources or correlate computer events with
real time events. Using a trusted NTP server provided by your organization is
recommended.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27098-3</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27796320">
            <h3>Result for Enable Postfix Service</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">service_postfix_enable</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The Postfix mail transfer agent is used for local mail delivery
within the system. The default configuration only listens for connections to
the default SMTP port (port 25) on the loopback interface (127.0.0.1).  It is
recommended to leave this service enabled for local mail delivery.

    The <code>postfix</code> service can be enabled with the following command:
    <pre class="code"><code># chkconfig --level 2345 postfix on</code></pre></p>
            <p>Local mail delivery is essential to some system maintenance and
notification tasks.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26325-1</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27800960">
            <h3>Result for Uninstall Sendmail Package</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">package_sendmail_removed</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>Sendmail is not the default mail transfer agent and is not installed by default.

    The <code>sendmail</code> package can be removed with the following command:
    <pre class="code"><code># yum erase sendmail</code></pre></p>
            <p>The sendmail software was not developed with security in mind and
its design prevents it from being effectively contained by SELinux.  Postfix
should be used instead.  
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27515-6</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27805616">
            <h3>Result for Disable Postfix Network Listening</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">postfix_network_listening</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
Edit the file <code>/etc/postfix/main.cf</code> to ensure that only the following
<code>inet_interfaces</code> line appears:
<pre class="code"><code>inet_interfaces = localhost</code></pre></p>
            <p>
This ensures <code>postfix</code> accepts mail messages
(such as cron job reports) from the local system only,
and not from the network, which protects it from network attack.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26780-7</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27812416">
            <h3>Result for Configure LDAP Client to Use TLS For All Transactions</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">ldap_client_start_tls</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>Configure LDAP to enforce TLS use. First, edit
the file <code>/etc/pam_ldap.conf</code>, and add or correct the following lines:
<pre class="code"><code>ssl start_tls</code></pre>
Then review the LDAP server and ensure TLS has been configured.
</p>
            <p>The <code>ssl</code> directive specifies whether to use SSL/TLS or not. If
not specified it defaults to <code>no</code>. It should be set to <code>start_tls</code>
rather than doing LDAP over SSL.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26690-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27817056">
            <h3>Result for Configure Certificate Directives for LDAP Use of TLS</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">ldap_client_tls_cacertpath</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>Ensure a copy of a trusted CA certificate has been placed in
the file <code>/etc/pki/tls/CA/cacert.pem</code>. Configure LDAP to enforce TLS 
use and to trust certificates signed by that CA. First, edit the file 
<code>/etc/pam_ldap.conf</code>, and add or correct either of the following lines:
<pre class="code"><code>tls_cacertdir /etc/pki/tls/CA</code></pre>
or
<pre class="code"><code>tls_cacertfile /etc/pki/tls/CA/cacert.pem</code></pre>
Then review the LDAP server and ensure TLS has been configured.
</p>
            <p>The tls_cacertdir or tls_cacertfile directives are required when
tls_checkpeer is configured (which is the default for openldap versions 2.1 and
up). These directives define the path to the trust certificates signed by the
site CA.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27189-0</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27821712">
            <h3>Result for Uninstall openldap-servers Package</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">package_openldap-servers_removed</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The <code>openldap-servers</code> package should be removed if not in
use. Is this machine the OpenLDAP server? If not, remove the package.
<pre class="code"><code># yum erase openldap-servers</code></pre>
The openldap-servers RPM is not installed by default on RHEL 6
machines. It is needed only by the OpenLDAP server, not by the
clients which use LDAP for authentication. If the system is not
intended for use as an LDAP Server it should be removed.
</p>
            <p>Unnecessary packages should not be installed to decrease the attack
surface of the system.  While this software is clearly essential on an LDAP
server, it is not necessary on typical desktop or workstation systems.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26858-1</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27855744">
            <h3>Result for Mount Remote Filesystems with nodev</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">use_nodev_option_on_nfs_mounts</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
Add the <code>nodev</code> option to the fourth column of
<code>/etc/fstab</code> for the line which controls mounting of
any NFS mounts.
            </p>
            <p>Legitimate device files should only exist in the /dev directory. NFS
mounts should not present device files to users.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27090-0</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27860400">
            <h3>Result for Mount Remote Filesystems with nosuid</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">use_nosuid_option_on_nfs_mounts</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
Add the <code>nosuid</code> option to the fourth column of
<code>/etc/fstab</code> for the line which controls mounting of
any NFS mounts.
            </p>
            <p>NFS mounts should not present suid binaries to users. Only
vendor-supplied suid executables should be installed to their default location on the
local filesystem.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26972-0</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27870960">
            <h3>Result for Ensure Insecure File Locking is Not Allowed</h3>
            <p class="result-notchecked">Result: <strong \
                class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">no_insecure_locks_exports</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" \
class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong \
                class="strong">medium</strong></p>
            <p>By default the NFS server requires secure file-lock requests,
which require credentials from the client in order to lock a file. Most NFS
clients send credentials with file lock requests; however, a few clients do not
send credentials when requesting a file-lock, which allows those clients to lock
only world-readable files. To get around this, the
<code>insecure_locks</code> option can be used so these clients can access the
desired export. This poses a security risk by potentially allowing the client
access to data for which it does not have authorization.
Remove any instances of the
<code>insecure_locks</code> option from the file <code>/etc/exports</code>.
</p>
            <p>Allowing insecure file locking could allow for sensitive data to be
viewed or edited by an unauthorized user.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27167-6</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27897440">
            <h3>Result for Enable Logging of All FTP Transactions</h3>
            <p class="result-notchecked">Result: <strong \
                class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">ftp_log_transactions</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" \
class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong \
                class="strong">low</strong></p>
            <p>Add or correct the following configuration options within the \
<code>vsftpd</code> configuration file, located at \
<code>/etc/vsftpd/vsftpd.conf</code>: <pre class="code"><code>xferlog_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YES</code></pre></p>
            <div class="xccdf-warning">
              <p>If verbose logging to <code>vsftpd.log</code> is done, sparse \
logging of downloads to <code>/var/log/xferlog</code> will not also occur. However, \
the information about what files were downloaded is included in the information \
logged to <code>vsftpd.log</code></p>  </div>
            <p>To trace malicious activity facilitated by the FTP service, it must be \
configured to ensure that all commands sent to the FTP server are logged using the \
verbose vsftpd log format. The default vsftpd log file is \
<code>/var/log/vsftpd.log</code>.</p>  <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27142-9</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27901248">
            <h3>Result for Create Warning Banners for All FTP Users</h3>
            <p class="result-notchecked">Result: <strong \
                class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">ftp_present_banner</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" \
class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong \
                class="strong">medium</strong></p>
            <p>Edit the vsftpd configuration file, which resides at \
<code>/etc/vsftpd/vsftpd.conf</code> by default. Add or correct the following \
configuration options: <pre \
                class="code"><code>banner_file=/etc/issue</code></pre></p>
            <p>This setting will cause the system greeting banner to be used for FTP \
connections as well.</p>  <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27145-2</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27993424">
            <h3>Result for Require Client SMB Packet Signing, if using smbclient</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">require_smb_client_signing</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
To require samba clients running <code>smbclient</code> to use
packet signing, add the following to the <code>[global]</code> section
of the Samba configuration file, <code>/etc/samba/smb.conf</code>:
<pre class="code"><code>client signing = mandatory</code></pre>
Requiring samba clients such as <code>smbclient</code> to use packet
signing ensures they can
only communicate with servers that support packet signing.
</p>
            <p>
Packet signing can prevent
man-in-the-middle attacks which modify SMB packets in
transit.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26328-5</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27998176">
            <h3>Result for Require Client SMB Packet Signing, if using mount.cifs</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">require_smb_client_signing_mount.cifs</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" class="date">2013-09-27 19:04</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>Require packet signing of clients who mount Samba
shares using the <code>mount.cifs</code> program (e.g., those who specify shares
in <code>/etc/fstab</code>). To do so, ensure signing options (either
<code>sec=krb5i</code> or <code>sec=ntlmv2i</code>) are used.
<br /><br />
See the <code>mount.cifs(8)</code> man page for more information. A Samba
client should only communicate with servers who can support SMB
packet signing.
</p>
            <p>
Packet signing can prevent man-in-the-middle
attacks which modify SMB packets in transit.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26792-2</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp28014544">
            <h3>Result for Configure SNMP Service to Use Only SNMPv3 or Newer </h3>
            <p class="result-notchecked">Result: <strong \
                class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">snmpd_use_newer_protocol</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" \
class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong \
class="strong">medium</strong></p>  <p>
Edit <code>/etc/snmp/snmpd.conf</code>, removing any references to <code>v1</code>, \
<code>v2c</code>, or <code>com2sec</code>.   Upon doing that, restart the SNMP \
service: <pre class="code"><code># service snmpd restart</code></pre></p>
            <p>
Earlier versions of SNMP are considered insecure, as they potentially allow 
unauthorized access to detailed system management information.
</p>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp28017392">
            <h3>Result for Ensure Default Password Is Not Used</h3>
            <p class="result-notchecked">Result: <strong \
                class="strong">notchecked</strong></p>
            <p>Rule ID: <strong \
                class="strong">snmpd_not_default_password</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:04:03" \
class="date">2013-09-27 19:04</abbr></strong></p>  <p>Severity: <strong \
class="strong">medium</strong></p>  <p>
Edit <code>/etc/snmp/snmpd.conf</code>, remove default community string \
<code>public</code>.   Upon doing that, restart the SNMP service:
<pre class="code"><code># service snmpd restart</code></pre></p>
            <p>
Presence of the default SNMP password enables querying of different system
aspects and could result in unauthorized knowledge of the system.
</p>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
        </div>
      </div>
      <div id="footer">
        <p> Generated by <a href="http://open-scap.org">OpenSCAP</a> on <abbr title="2013-09-27T19:04:04-04:00" class="date">2013-09-27 19:04</abbr>.</p>
      </div>
    </div>
  </body>
</html>


["BeforeFix-ssg-results.html" (text/html)]

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:svg="http://www.w3.org/2000/svg">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <title>XCCDF test result</title>
    <meta name="generator" content="" />
    <meta name="Content-Type" content="text/html;charset=utf-8" />
    <style type="text/css" media="all">
    html, body { background-color: black; font-family:sans-serif; margin:0; padding:0; }
    abbr { text-transform:none; border:none; font-variant:normal; }
    div.score-outer { height: .8em; width:100%; min-width:100px; background-color: red; }
    div.score-inner { height: 100%; background-color: green; }
    .score-max, .score-val, .score-percent { text-align:right; }
    .score-percent { font-weight: bold; }
    th, td { padding-left:.5em; padding-right:.5em; }
    .rule-selected, .result-pass strong, .result-fixed strong { color:green; }
    .rule-inactive, .unknown, .result-notselected strong, .result-notchecked strong, .result-notapplicable strong, .result-informational strong, .result-unknown strong { color:#555; }
    .rule-notselected, .result-error strong, .result-fail strong { color:red; }
    table { border-collapse: collapse; border: 1px black solid; width:100%; }
    table th, thead tr { background-color:black; color:white; }
    table td { border-right: 1px black solid; }
    table td.result, table td.link { text-align:center; }
    table td.num { text-align:right; }
    div#rule-results-summary { margin-bottom: 1em; }
    table tr.result-legend td { width: 10%; }
    div#content p { text-align:justify; }
    div.result-detail { border: 1px solid black; margin: 2em 0; padding: 0 1em; }
    div#content h2 { border-bottom:2px dashed; margin-top:1em; margin-bottom:0.5em; text-align:center; }
    div#content h2#summary { margin-top:0; }
    h1 { margin:1em 0; }
    div.raw table, div.raw table td { border:none; width:auto; padding:0; }
    div.raw table { margin-left: 2em; }
    div.raw table td { padding: .1em .7em; }
    table tr { border-bottom: 1px dotted #000; }
    dir.raw table tr { border-bottom: 0 !important; }
    pre.code { background: #ccc; padding:.2em; }
    ul.toc-struct li { list-style-type: none; }
    div.xccdf-rule { margin-left: 10%; }
    div#footer, p.remark, .link { font-size:.8em; }
    thead tr td { font-weight:bold; text-align:center; }
    .hidden { display:none; }
    td.score-bar { text-align:center; }
    td.score-bar span.media { width:100%; min-width:7em; height:.8em; display:block; margin:0; padding:0; }
    .oval-results { font-size:.8em; overflow:auto; }
    div#guide-top-table table { width: 100%; }
    td#common-info { min-width: 25.0em; border-right: 1px solid #000; }
    td#versions-revisions { width: 25.0em; }
  </style>
    <style type="text/css" media="screen">
    div#content, div#header, div#footer { margin-left:1em; margin-right:1em; }
    div#content { background-color: white; padding:2em; }
    div#footer, div#header { color:white; text-align:center; }
    a, a:visited { color:blue; text-decoration:underline; }
    div#content p.link { text-align:right; font-size:.8em; }
    div#footer a { color:white; }
    div.xccdf-group, div.xccdf-rule { border-left: 3px solid white; padding-left:.3em; }
    div.xccdf-group:target, div.xccdf-rule:target { border-left-color:#ccc; }
    .toc-struct li:target { background:#ddd; }
    abbr { border-bottom: 1px black dotted; }
    abbr.date { border-bottom:none; }
    pre.code { overflow:auto; }
    table tbody tr:hover { background: #ccc; }
    div.raw table tbody tr:hover { background: transparent !important; }
  </style>
    <style type="text/css" media="print">
    @page { margin:3cm; }
    html, body { background-color:white; font-family:serif; }
    .link { display:none; }
    a, a:visited { color:black; text-decoration:none; }
    div#header, div#footer { text-align:center; }
    div#header { padding-top:36%; }
    h1 { vertical-align:center; }
    h2 { page-break-before:always; }
    h3, h4, h5  { page-break-after:avoid; }
    pre.code { background: #ccc; }
    div#footer { margin-top:auto; }
    .toc-struct { page-break-after:always; }
  </style>
  </head>
  <body>
    <div id="xccdf_org.open-scap_testresult_stig-rhel6-server">
      <div id="header">
        <h1>XCCDF test result</h1>
      </div>
      <div id="content">
        <div id="intro">
          <h2>Introduction</h2>
          <div>
            <h3>Test Result</h3>
            <div id="test-result-summary">
              <table>
                <thead>
                  <tr>
                    <td>Result ID</td>
                    <td>Profile</td>
                    <td>Start time</td>
                    <td>End time</td>
                    <td>Benchmark</td>
                    <td>Benchmark version</td>
                  </tr>
                </thead>
                <tbody>
                  <tr>
                    <td align="center">xccdf_org.open-scap_testresult_stig-rhel6-server</td>
                    <td align="center">stig-rhel6-server</td>
                    <td align="center">
                      <abbr title="2013-09-27T19:03:24" class="date">2013-09-27 19:03</abbr>
                    </td>
                    <td align="center">
                      <abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr>
                    </td>
                    <td align="center">
                      <span>embedded</span>
                    </td>
                    <td align="center">0.9</td>
                  </tr>
                </tbody>
              </table>
            </div>
          </div>
          <div>
            <h3>Target info</h3>
            <div class="raw">
              <table>
                <tbody>
                  <tr>
                    <td valign="top">
                      <h4>Targets</h4>
                      <ul class="itemizedlist">
                        <li>localhost.localdomain</li>
                      </ul>
                    </td>
                    <td valign="top">
                      <h4>Addresses</h4>
                      <ul class="itemizedlist">
                        <li>127.0.0.1</li>
                        <li>192.168.122.90</li>
                        <li>::1</li>
                        <li>fe80::5054:ff:fe59:eba4</li>
                      </ul>
                    </td>
                    <td></td>
                    <td valign="top">
                      <h4>Platforms</h4>
                      <ul class="itemizedlist">
                        <li>cpe:/o:redhat:enterprise_linux:6</li>
                        <li>cpe:/o:redhat:enterprise_linux:6::client</li>
                      </ul>
                    </td>
                    <td valign="top"></td>
                  </tr>
                </tbody>
              </table>
            </div>
          </div>
          <div>
            <h3>Score</h3>
            <div>
              <table>
                <thead>
                  <tr>
                    <td>system</td>
                    <td>score</td>
                    <td>max</td>
                    <td>%</td>
                    <td>bar</td>
                  </tr>
                </thead>
                <tbody>
                  <tr id="score-urn-xccdf-scoring-default">
                    <td class="score-sys">urn:xccdf:scoring:default</td>
                    <td class="score-val">70.35</td>
                    <td class="score-max">100.00</td>
                    <td class="score-percent">70.35%</td>
                    <td class="score-bar">
                      <span class="media">
                        <svg xmlns="http://www.w3.org/2000/svg" xmlns:ovalres="http://oval.mitre.org/XMLSchema/oval-results-5" xmlns:sceres="http://open-scap.org/page/SCE_result_file" width="100%" height="100%" version="1.1" baseProfile="full">
                          <rect width="100%" height="100%" fill="red"></rect>
                          <rect height="100%" width="70.35%" fill="green"></rect>
                          <rect height="100%" x="70.35%" width="2" fill="black"></rect>
                        </svg>
                      </span>
                    </td>
                  </tr>
                </tbody>
              </table>
            </div>
          </div>
        </div>
        <div id="results-overview">
          <h2>Results overview</h2>
          <div id="rule-results-summary">
            <h4>Rule Results Summary</h4>
            <table>
              <thead>
                <tr>
                  <td>pass</td>
                  <td>fixed</td>
                  <td>fail</td>
                  <td>error</td>
                  <td>not selected</td>
                  <td>not checked</td>
                  <td>not applicable</td>
                  <td>informational</td>
                  <td>unknown</td>
                  <td>total</td>
                </tr>
              </thead>
              <tbody>
                <tr class="result-legend">
                  <td align="center" class="result-pass">
                    <strong class="strong">103</strong>
                  </td>
                  <td align="center" class="result-fixed">
                    <strong class="strong">0</strong>
                  </td>
                  <td align="center" class="result-fail">
                    <strong class="strong">92</strong>
                  </td>
                  <td align="center" class="result-error">
                    <strong class="strong">1</strong>
                  </td>
                  <td align="center" class="result-notselected">
                    <strong class="strong">162</strong>
                  </td>
                  <td align="center" class="result-notchecked">
                    <strong class="strong">24</strong>
                  </td>
                  <td align="center" class="result-notapplicable">
                    <strong class="strong">0</strong>
                  </td>
                  <td align="center" class="result-informational">
                    <strong class="strong">0</strong>
                  </td>
                  <td align="center" class="result-unknown">
                    <strong class="strong">3</strong>
                  </td>
                  <td align="center">
                    <strong class="strong">385</strong>
                  </td>
                </tr>
              </tbody>
            </table>
          </div>
          <div>
            <h4 class="hidden">Rule results summary</h4>
            <table>
              <thead>
                <tr>
                  <td>Title</td>
                  <td>Result</td>
                </tr>
              </thead>
              <tbody>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26514576">Ensure /tmp Located On Separate Partition</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26519280">Ensure /var Located On Separate Partition</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26523920">Ensure /var/log Located On Separate Partition</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26528560">Ensure /var/log/audit Located On Separate Partition</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26533216">Ensure /home Located On Separate Partition</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp26537856">Encrypt Partitions</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26540816">Ensure Red Hat GPG Key Installed</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26545472">Ensure gpgcheck Enabled In Main Yum Configuration</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26550128">Ensure gpgcheck Enabled For All Yum Package Repositories</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp26554784">Ensure Software Patches Installed</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26557760">Install AIDE</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp26568416">Configure Periodic Execution of AIDE</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp26572176">Verify File Permissions with RPM</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26576816">Verify File Hashes with RPM</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp26581456">Install Intrusion Detection Software</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp26584416">Install Virus Scanning Software</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp26593024">Add noexec Option to Removable Media Partitions</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp26622320">Disable Modprobe Loading of USB Storage Driver</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26632064">Disable the Automounter</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26663136">Verify User Who Owns shadow File</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26667776">Verify Group Who Owns shadow File</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26672416">Verify Permissions on shadow File</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26677056">Verify User Who Owns group File</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26681696">Verify Group Who Owns group File</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26686336">Verify Permissions on group File</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26690976">Verify User Who Owns gshadow File</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26695616">Verify Group Who Owns gshadow File</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26700272">Verify Permissions on gshadow File</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26704912">Verify User Who Owns passwd File</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26709552">Verify Group Who Owns passwd File</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26714192">Verify Permissions on passwd File</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26718848">Verify that Shared Library Files Have Restrictive Permissions</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26722592">Verify that Shared Library Files Have Root Ownership</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp26726576">Verify that System Executables Have Restrictive Permissions</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp26729504">Verify that System Executables Have Root Ownership</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26732480">Verify that All World-Writable Directories Have Sticky Bits Set</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp26737136">Ensure No World-Writable Files Exist</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26746768">Ensure All Files Are Owned by a User</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26751424">Ensure All Files Are Owned by a Group</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26756080">Ensure All World-Writable Directories Are Owned by a System Account</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp26760736">Set Daemon Umask</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp26766272">Disable Core Dumps for All Users</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26773872">Enable ExecShield</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26778512">Enable Randomized Layout of Virtual Address Space</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26788272">Ensure SELinux Not Disabled in /etc/grub.conf</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26792928">Ensure SELinux State is Enforcing</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26798464">Configure SELinux Policy</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-error">
                  <td class="id">
                    <a href="#ruleresult-idp26809120">Ensure No Device Files are Unlabeled by SELinux</a>
                  </td>
                  <td class="result">
                    <strong class="strong">error</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp26815920">Restrict Virtual Console Root Logins</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26820576">Restrict Serial Port Root Logins</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp26827376">Ensure that System Accounts Do Not Run a Shell Upon Login</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26832848">Verify Only Root Has UID 0</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp26839632">Prevent Log In to Accounts With Empty Password</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26844272">Verify All Account Password Hashes are Shadowed</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp26848928">All GIDs referenced in /etc/passwd must be defined in /etc/group</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26851888">Verify No netrc Files Exist</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp26856528">Set Password Minimum Length in login.defs</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp26862032">Set Password Minimum Age</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp26867568">Set Password Maximum Age</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26873104">Set Password Warning Age</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp26878640">Set Account Expiration Following Inactivity</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp26884256">Ensure All Accounts on the System Have Unique Names</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp26888000">Assign Expiration Date to Temporary Accounts</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp26890976">Set Last Logon/Access Notification</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp26895616">Set Password Retry Prompts Permitted Per-Session</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp26901168">Set Password to Maximum of Three Consecutive Repeating Characters</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp26904928">Set Password Strength Minimum Digit Characters</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp26910496">Set Password Strength Minimum Uppercase Characters</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp26916064">Set Password Strength Minimum Special Characters</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp26921632">Set Password Strength Minimum Lowercase Characters</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp26927200">Set Password Strength Minimum Different Characters</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp26932768">Set Deny For Failed Password Attempts</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp26938336">Set Lockout Time For Failed Password Attempts</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp26944736">Set Interval For Counting Failed Password Attempts</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp26951136">Limit Password Reuse</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp26956704">Set Password Hashing Algorithm in /etc/pam.d/system-auth</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp26961376">Set Password Hashing Algorithm in /etc/login.defs</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp26966048">Set Password Hashing Algorithm in /etc/libuser.conf</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp26970720">Limit the Number of Concurrent Login Sessions Allowed Per User</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp26985104">Ensure the Default Bash Umask is Set Correctly</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp26990656">Ensure the Default C Shell Umask is Set Correctly</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp26996224">Ensure the Default Umask is Set Correctly in /etc/profile</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27001776">Ensure the Default Umask is Set Correctly in login.defs</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27007328">Verify /etc/grub.conf User Ownership</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27011968">Verify /etc/grub.conf Group Ownership</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27016608">Verify /boot/grub/grub.conf Permissions</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27021248">Set Boot Loader Password</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27025888">Require Authentication for Single User Mode</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp27030544">Disable Ctrl-Alt-Del Reboot Activation</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27033520">Disable Interactive Boot</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27038176">Set GNOME Login Inactivity Timeout</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27043744">GNOME Desktop Screensaver Mandatory Use</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27048400">Enable Screen Lock Activation After Idle Period</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27053056">Implement Blank Screen Saver</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27057696">Install the screen Package</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp27063296">Enable Smart Card Login</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27066256">Modify the System Login Banner</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27099344">Enable GUI Warning Banner</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp27103568">Set GUI Warning Banner Text</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27117792">Disable Kernel Parameter for Sending ICMP Redirects by Default</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27122176">Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27126544">Disable Kernel Parameter for IP Forwarding</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27130912">Disable Kernel Parameter for Accepting Source-Routed Packets for All Interfaces</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27137744">Disable Kernel Parameter for Accepting ICMP Redirects for All Interfaces</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27144688">Disable Kernel Parameter for Accepting Secure Redirects for All Interfaces</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27151728">Enable Kernel Parameter to Log Martian Packets</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27158928">Disable Kernel Parameter for Accepting Source-Routed Packets By Default</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27166192">Disable Kernel Parameter for Accepting ICMP Redirects By Default</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27172576">Disable Kernel Parameter for Accepting Secure Redirects By Default</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27179936">Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27187152">Enable Kernel Parameter to Ignore Bogus ICMP Error Responses</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27194560">Enable Kernel Parameter to Use TCP Syncookies</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27201584">Enable Kernel Parameter to Use Reverse Path Filtering for All Interfaces</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27074448">Enable Kernel Parameter to Use Reverse Path Filtering by Default</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27091984">Disable Bluetooth Service</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27209824">Disable Bluetooth Kernel Modules</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27213888">Disable IPv6 Networking Support Automatic Loading</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27223104">Disable Accepting IPv6 Redirects</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27236768">Verify ip6tables Enabled if Using IPv6</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27244352">Verify iptables Enabled</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27248992">Set Default iptables Policy for Incoming Packets</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp27253648">Set Default iptables Policy for Forwarded Packets</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27257408">Disable DCCP Support</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27262048">Disable SCTP Support</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27266688">Disable RDS Support</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27271328">Disable TIPC Support</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27275968">Install openswan Package</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27280608">Ensure rsyslog is Installed</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27285264">Enable rsyslog Service</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27289920">Ensure Log Files Are Owned By Appropriate User</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-unknown">
                  <td class="id">
                    <a href="#ruleresult-idp27294576">Ensure Log Files Are Owned By Appropriate Group</a>
                  </td>
                  <td class="result">
                    <strong class="strong">unknown</strong>
                  </td>
                </tr>
                <tr class="result-unknown">
                  <td class="id">
                    <a href="#ruleresult-idp27299232">Ensure System Log Files Have Correct Permissions</a>
                  </td>
                  <td class="result">
                    <strong class="strong">unknown</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27303888">Ensure Logs Sent To Remote Host</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-unknown">
                  <td class="id">
                    <a href="#ruleresult-idp27317376">Ensure Logrotate Runs Periodically</a>
                  </td>
                  <td class="result">
                    <strong class="strong">unknown</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27330080">Enable auditd Service</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27334720">Enable Auditing for Processes Which Start Prior to the Audit Daemon</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27339376">Configure auditd Number of Logs Retained</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27343936">Configure auditd Max Log File Size</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27348768">Configure auditd max_log_file_action Upon Reaching Maximum Log Size</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27354336">Configure auditd space_left Action on Low Disk Space</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27359904">Configure auditd admin_space_left Action on Low Disk Space</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27365488">Configure auditd mail_acct Action on Low Disk Space</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27373216">Record attempts to alter time through adjtimex</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27377872">Record attempts to alter time through settimeofday</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27382528">Record Attempts to Alter Time Through stime</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27387168">Record Attempts to Alter Time Through clock_settime</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27391824">Record Attempts to Alter the localtime File</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27396480">Record Events that Modify User/Group Information</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27401120">Record Events that Modify the System's Network Environment</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27405776">System Audit Logs Must Have Mode 0640 or Less Permissive</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27413344">Record Events that Modify the System's Mandatory Access Controls</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27417984">Record Events that Modify the System's Discretionary Access Controls - chmod</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27422640">Record Events that Modify the System's Discretionary Access Controls - chown</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27427296">Record Events that Modify the System's Discretionary Access Controls - fchmod</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27431952">Record Events that Modify the System's Discretionary Access Controls - fchmodat</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27436608">Record Events that Modify the System's Discretionary Access Controls - fchown</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27441264">Record Events that Modify the System's Discretionary Access Controls - fchownat</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27445920">Record Events that Modify the System's Discretionary Access Controls - fremovexattr</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27450592">Record Events that Modify the System's Discretionary Access Controls - fsetxattr</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27455248">Record Events that Modify the System's Discretionary Access Controls - lchown</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27459904">Record Events that Modify the System's Discretionary Access Controls - lremovexattr</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27464576">Record Events that Modify the System's Discretionary Access Controls - lsetxattr</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27469232">Record Events that Modify the System's Discretionary Access Controls - removexattr</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27473904">Record Events that Modify the System's Discretionary Access Controls - setxattr</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27484240">Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27488880">Ensure auditd Collects Information on the Use of Privileged Commands</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27493536">Ensure auditd Collects Information on Exporting to Media (successful)</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27498176">Ensure auditd Collects File Deletion Events by User</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27502816">Ensure auditd Collects System Administrator Actions</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27507456">Ensure auditd Collects Information on Kernel Module Loading and Unloading</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27515040">Disable xinetd Service</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27519680">Uninstall xinetd Package</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27525392">Disable telnet Service</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27530032">Uninstall telnet-server Package</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27535696">Uninstall rsh-server Package</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27540336">Disable rexec Service</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27544976">Disable rsh Service</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27549616">Disable rlogin Service</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27554256">Remove Rsh Trust Files</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27558896">Uninstall ypserv Package</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27564528">Disable ypbind Service</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27569168">Disable tftp Service</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27573808">Uninstall tftp-server Package</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27578448">Ensure tftp Daemon Uses Secure Mode</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27583088">Disable Automatic Bug Reporting Tool (abrtd)</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27616912">Disable Network Console (netconsole)</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27621728">Disable ntpdate Service (ntpdate)</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27626384">Disable Odd Job Daemon (oddjobd)</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27636912">Disable Apache Qpid (qpidd)</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27644496">Disable Network Router Discovery Daemon (rdisc)</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27649136">Disable Red Hat Network Service (rhnsd)</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27665552">Enable cron Service</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27681136">Allow Only SSH Protocol 2</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27687936">Set SSH Idle Timeout Interval</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27693488">Set SSH Client Alive Count</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27698128">Disable SSH Support for .rhosts Files</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27702768">Disable Host-Based Authentication</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27707408">Disable SSH Root Login</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27712064">Disable SSH Access via Empty Passwords</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27716720">Enable SSH Warning Banner</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27721376">Do Not Allow SSH Environment Options</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-fail">
                  <td class="id">
                    <a href="#ruleresult-idp27726032">Use Only Approved Ciphers</a>
                  </td>
                  <td class="result">
                    <strong class="strong">fail</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27730688">Disable X Windows Startup By Setting Runlevel</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27735344">Remove the X Windows Package Group</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27740000">Disable Avahi Server Software</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27779408">Disable DHCP Client</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27784208">Enable the NTP Daemon</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27788848">Specify a Remote NTP Server</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27795664">Enable Postfix Service</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27800304">Uninstall Sendmail Package</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27804960">Disable Postfix Network Listening</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27811760">Configure LDAP Client to Use TLS For All Transactions</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27816400">Configure Certificate Directives for LDAP Use of TLS</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27821056">Uninstall openldap-servers Package</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27855088">Mount Remote Filesystems with nodev</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27859744">Mount Remote Filesystems with nosuid</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp27870304">Ensure Insecure File Locking is Not Allowed</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp27896784">Enable Logging of All FTP Transactions</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp27900592">Create Warning Banners for All FTP Users</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27992768">Require Client SMB Packet Signing, if using smbclient</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-pass">
                  <td class="id">
                    <a href="#ruleresult-idp27997520">Require Client SMB Packet Signing, if using mount.cifs</a>
                  </td>
                  <td class="result">
                    <strong class="strong">pass</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp28013888">Configure SNMP Service to Use Only SNMPv3 or Newer</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
                <tr class="result-notchecked">
                  <td class="id">
                    <a href="#ruleresult-idp28016736">Ensure Default Password Is Not Used</a>
                  </td>
                  <td class="result">
                    <strong class="strong">notchecked</strong>
                  </td>
                </tr>
              </tbody>
            </table>
          </div>
        </div>
        <div id="results-details">
          <h2>Results details</h2>
          <div class="result-detail" id="ruleresult-idp26514576">
            <h3>Result for Ensure /tmp Located On Separate Partition</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">partition_for_tmp</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:24" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
The <code>/tmp</code> directory is a world-writable directory used
for temporary file storage. Ensure it has its own partition or
logical volume at installation time, or migrate it using LVM.
</p>
            <p>
The <code>/tmp</code> partition is used as temporary storage by many programs.
Placing <code>/tmp</code> in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26435-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26519280">
            <h3>Result for Ensure /var Located On Separate Partition</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">partition_for_var</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:24" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The <code>/var</code> directory is used by daemons and other system
services to store frequently-changing data. Ensure that <code>/var</code> has its own
partition or logical volume at installation time, or migrate it using LVM.
</p>
            <p>
Ensuring that <code>/var</code> is mounted on its own partition enables the
setting of more restrictive mount options. This helps protect
system services such as daemons or other programs which use it.
It is not uncommon for the <code>/var</code> directory to contain
world-writable directories, installed by other software packages.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26639-5</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26523920">
            <h3>Result for Ensure /var/log Located On Separate Partition</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">partition_for_var_log</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:24" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
System logs are stored in the <code>/var/log</code> directory.
Ensure that it has its own partition or logical
volume at installation time, or migrate it using LVM.
</p>
            <p>
Placing <code>/var/log</code> in its own partition
enables better separation between log files
and other files in <code>/var/</code>.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26215-4</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26528560">
            <h3>Result for Ensure /var/log/audit Located On Separate Partition</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">partition_for_var_log_audit</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:24" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
Audit logs are stored in the <code>/var/log/audit</code> directory.  Ensure that it
has its own partition or logical volume at installation time, or migrate it
later using LVM. Make absolutely certain that it is large enough to store all
audit logs that will be created by the auditing daemon.
</p>
            <p>
Placing <code>/var/log/audit</code> in its own partition
enables better separation between audit files
and other files, and helps ensure that
auditing cannot be halted due to the partition running out
of space.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26436-6</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26533216">
            <h3>Result for Ensure /home Located On Separate Partition</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">partition_for_home</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:24" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
If user home directories will be stored locally, create a separate partition
for <code>/home</code> at installation time (or migrate it later using LVM). If
<code>/home</code> will be mounted from another system such as an NFS server, then
creating a separate partition is not necessary at installation time, and the
mountpoint can instead be configured later.
</p>
            <p>
Ensuring that <code>/home</code> is mounted on its own partition enables the
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26557-9</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26537856">
            <h3>Result for Encrypt Partitions</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">encrypt_partitions</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:24" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
Red Hat Enterprise Linux 6 natively supports partition encryption through the
Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to 
encrypt a partition is during installation time.
<br /><br />
For manual installations, select the <code>Encrypt</code> checkbox during
partition creation to encrypt the partition. When this
option is selected the system will prompt for a passphrase to use in
decrypting the partition. The passphrase will subsequently need to be entered
manually every time the system boots.
<br /><br />
For automated/unattended installations, it is possible to use Kickstart by adding
the <code>--encrypted</code> and <code>--passphrase=</code> options to the definition
of each partition to be encrypted. For example, the following line would encrypt the
root partition: <pre class="code"><code>part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=<em>PASSPHRASE</em></code></pre> Any <em>PASSPHRASE</em> is
stored in the Kickstart in plaintext, and the Kickstart must then be protected
accordingly. Omitting the <code>--passphrase=</code> option from the partition
definition will cause the installer to pause and interactively ask for the passphrase
during installation. <br /><br />
Detailed information on encrypting partitions using LUKS can be found on
the Red Hat Documentation web site:<br />
https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html
 </p>
            <p>
The risk of a system's physical compromise, particularly mobile systems such as
laptops, places its data at risk of compromise.  Encrypting this data mitigates
the risk of its loss if the system is lost.
</p>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26540816">
            <h3>Result for Ensure Red Hat GPG Key Installed</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">ensure_redhat_gpgkey_installed</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:24" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">high</strong></p>
            <p>
To ensure the system can cryptographically verify base software
packages come from Red Hat (and to connect to the Red Hat Network to
receive them if desired), the Red Hat GPG key must properly be installed.  
To ensure the GPG key is installed, run:
<pre class="code"><code># rhn_register</code></pre>
If the system is not connected to the internet, or a local RHN Satellite,
then install the Red Hat GPG key from a secure, static location, such as
the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted
in /mnt/cdrom, use the following command as the root user to import
it into the keyring:
<pre class="code"><code># rpm --import /mnt/cdrom/RPM-GPG-KEY</code></pre></p>
            <p>
This key is necessary to cryptographically verify packages
are from Red Hat.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26506-6</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26545472">
            <h3>Result for Ensure gpgcheck Enabled In Main Yum Configuration</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">ensure_gpgcheck_globally_activated</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:24" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">high</strong></p>
            <p>The <code>gpgcheck</code> option should be used
to ensure checking of an RPM package's signature always occurs prior to its
installation. To configure yum to check package signatures before installing
them, ensure the following line appears in <code>/etc/yum.conf</code> in
the <code>[main]</code> section:
<pre class="code"><code>gpgcheck=1</code></pre></p>
            <p>
Ensuring the validity of packages' cryptographic signatures prior to
installation ensures the provenance of the software and
protects against malicious tampering.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26709-6</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26550128">
            <h3>Result for Ensure gpgcheck Enabled For All Yum Package Repositories</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">ensure_gpgcheck_never_disabled</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:24" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">high</strong></p>
            <p>To ensure signature checking is not disabled for
any repos, remove any lines from files in <code>/etc/yum.repos.d</code> of the form:
<pre class="code"><code>gpgcheck=0</code></pre></p>
            <p>
Ensuring all packages' cryptographic signatures are valid prior to
installation ensures the provenance of the software and
protects against malicious tampering.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26647-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26554784">
            <h3>Result for Ensure Software Patches Installed</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">security_patches_up_to_date</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:24" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">high</strong></p>
            <p>If the system is joined to the Red Hat Network, a Red Hat Satellite
Server, or a yum server, run the following command to install updates:
<pre class="code"><code># yum update</code></pre>
If the system is not configured to use one of these sources, updates (in the form of
RPM packages) can be manually downloaded from the Red Hat Network and installed using
<code>rpm</code>. </p>
            <p>
Installing software updates is a fundamental mitigation against
the exploitation of publicly-known vulnerabilities.
</p>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26557760">
            <h3>Result for Install AIDE</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">package_aide_installed</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:24" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
Install the AIDE package with the command:
<pre class="code"><code># yum install aide</code></pre></p>
            <p>
The AIDE package must be installed if it is to be available for integrity checking.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27024-9</span>
              </li>
            </ul>
            <div class="xccdf-fix">
              <h4 class="short">Remediation script</h4>
              <pre class="code">
                <code>yum -y install aide
</code>
              </pre>
            </div>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26568416">
            <h3>Result for Configure Periodic Execution of AIDE</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">aide_periodic_cron_checking</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:24" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
AIDE should be executed on a periodic basis to check for changes.
To implement a daily execution of AIDE at 4:05am using cron, add the following line
to <code>/etc/crontab</code>: <pre class="code"><code>05 4 * * * root /usr/sbin/aide --check</code></pre> AIDE can be executed periodically through other means; this is
merely one example. </p>
            <p>
By default, AIDE does not install itself for periodic execution. Periodically
running AIDE may reveal unexpected changes in installed files.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27222-9</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26572176">
            <h3>Result for Verify File Permissions with RPM</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">rpm_verify_permissions</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:37" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The RPM package management system can check file
access permissions of installed software packages, including many that are
important to system security. The following command will reset permissions to 
their expected values:
<pre class="code"><code># rpm --setperms <em>package</em></code></pre></p>
            <p>
Permissions on system binaries and configuration files that are too generous
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26731-0</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26576816">
            <h3>Result for Verify File Hashes with RPM</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">rpm_verify_hashes</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:39" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The RPM package management system can check the
hashes of installed software packages, including many that are important to system
security. Run the following command to list which files on the system
have hashes that differ from what is expected by the RPM database:
<pre class="code"><code># rpm -Va | grep '^..5'</code></pre>
A "c" in the second column indicates that a file is a configuration file,
which may appropriately be expected to change.
If the file that has changed was not expected to, then refresh it from distribution media
or online repositories: <pre class="code"><code>rpm -Uvh <em>affected_package</em></code></pre>  OR
<pre class="code"><code>yum reinstall <em>affected_package</em></code></pre></p>
            <p>
The hash on important files like system executables should match the information
given by the RPM database. Executables with erroneous hashes could be a sign of
nefarious activity on the system.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27223-7</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26581456">
            <h3>Result for Install Intrusion Detection Software</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">install_hids</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:39" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">high</strong></p>
            <p>
The base Red Hat platform already includes a sophisticated auditing system that
can detect intruder activity, as well as SELinux, which provides host-based
intrusion prevention capabilities by confining privileged programs and user
sessions which may become compromised.
<br /><br />
Install an additional intrusion detection tool to provide complementary or
duplicative monitoring, reporting, and reaction capabilities to those of the base
platform.  For DoD systems, the McAfee Host Based Security System is provided
to fulfill this role.  
</p>
            <p>
Adding host-based intrusion detection tools can provide the capability to
automatically take actions in response to malicious behavior, which can provide
additional agility in reacting to network threats. These tools also often
include a reporting capability to provide network awareness of the system, which
may not otherwise exist in an organization's systems management regime.
</p>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26584416">
            <h3>Result for Install Virus Scanning Software</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">install_antivirus</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:39" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
Install virus scanning software, which uses signatures to search for the
presence of viruses on the filesystem. 
The McAfee uvscan virus scanning tool is provided for DoD systems.
Ensure virus definition files are no older than 7 days, or their last release.

Configure the virus scanning software to perform scans dynamically on all
accessed files.  If this is not possible, configure the
system to scan all altered files on the system on a daily
basis. If the system processes inbound SMTP mail, configure the virus scanner
to scan all received mail.
</p>
            <p>
Virus scanning software can be used to detect if a system has been compromised by
computer viruses, as well as to limit their spread to other systems. 
</p>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26593024">
            <h3>Result for Add noexec Option to Removable Media Partitions</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">mountopt_noexec_on_removable_partitions</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:39" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The <code>noexec</code> mount option prevents the
direct execution of binaries on the mounted filesystem. Users should not
be allowed to execute binaries that exist on partitions mounted
from removable media (such as a USB key). The <code>noexec</code>
option prevents code from being executed directly from the media
itself, and may therefore provide a line of defense against
certain types of worms or malicious code.
<br /><br />
Add the <code>noexec</code> option to the fourth column of
<code>/etc/fstab</code> for the line which controls mounting of
any removable media partitions.
</p>
            <p>Allowing users to execute binaries from removable media such as USB
keys exposes the system to potential compromise.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27196-5</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26622320">
            <h3>Result for Disable Modprobe Loading of USB Storage Driver</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">kernel_module_usb-storage_disabled</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:39" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
To prevent USB storage devices from being used, configure the kernel module loading
system to prevent automatic loading of the USB storage driver.
<br /><br />
To configure the system to prevent the <code>usb-storage</code>
kernel module from being loaded, add the following line to a file in the directory
<code>/etc/modprobe.d</code>: <pre class="code"><code>install usb-storage /bin/false</code></pre> This will prevent the <code>modprobe</code> program from
loading the <code>usb-storage</code> module, but will not prevent an administrator
(or another program) from using the <code>insmod</code> program to load the module
manually.</p>
            <p>USB storage devices such as thumb drives can be used to introduce
unauthorized software and other vulnerabilities. Support for these devices should be
disabled and the devices themselves should be tightly controlled.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27016-5</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26632064">
            <h3>Result for Disable the Automounter</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">service_autofs_disabled</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:39" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The <code>autofs</code> daemon mounts and unmounts filesystems, such
as user home directories shared via NFS, on demand. In addition, autofs can be used
to handle removable media, and the default configuration provides the cdrom device as
<code>/misc/cd</code>. However, this method of providing access to removable media is
not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS
is required, it is almost always possible to configure filesystem mounts statically
by editing <code>/etc/fstab</code> rather than relying on the automounter.
<br /><br />
If the <code>autofs</code> service is not needed to dynamically mount NFS filesystems
or removable media, disable the service for all runlevels:
<pre class="code"><code># chkconfig --level 0123456 autofs off</code></pre>
Stop the service if it is already running:
<pre class="code"><code># service autofs stop</code></pre></p>
            <p>All filesystems that are required for the successful operation of the
system should be explicitly listed in <code>/etc/fstab</code> by an administrator.
New filesystems should not be arbitrarily introduced via the automounter.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26976-1</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26663136">
            <h3>Result for Verify User Who Owns shadow File</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">userowner_shadow_file</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:39" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To properly set the owner of <code>/etc/shadow</code>, run the command:
    <pre class="code"><code># chown root /etc/shadow</code></pre></p>
            <p>The <code>/etc/shadow</code> file contains the list of local
system accounts and stores password hashes. Protection of this file is
critical for system security. Failure to give ownership of this file
to root provides the designated owner with access to sensitive information
which could weaken the system security posture.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26947-2</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26667776">
            <h3>Result for Verify Group Who Owns shadow File</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">groupowner_shadow_file</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:39" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To properly set the group owner of <code>/etc/shadow</code>, run the command:
    <pre class="code"><code># chgrp root /etc/shadow</code></pre></p>
            <p>The <code>/etc/shadow</code> file stores password hashes. Protection
of this file is critical for system security.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26967-0</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26672416">
            <h3>Result for Verify Permissions on shadow File</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">perms_shadow_file</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:39" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
              
    To properly set the permissions of <code>/etc/shadow</code>, run the command:
    <pre class="code"><code># chmod 0000 /etc/shadow</code></pre></p>
            <p>The <code>/etc/shadow</code> file contains the list of local
system accounts and stores password hashes. Protection of this file is
critical for system security. Failure to give ownership of this file
to root provides the designated owner with access to sensitive information
which could weaken the system security posture.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26992-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26677056">
            <h3>Result for Verify User Who Owns group File</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">userowner_group_file</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:39" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
              
    To properly set the owner of <code>/etc/group</code>, run the command:
    <pre class="code"><code># chown root /etc/group </code></pre></p>
            <p>The <code>/etc/group</code> file contains information regarding groups that are configured on the system. Protection of this file is important for system security.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26822-7</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26681696">
            <h3>Result for Verify Group Who Owns group File</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">groupowner_group_file</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:39" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
              
    To properly set the group owner of <code>/etc/group</code>, run the command:
    <pre class="code"><code># chgrp root /etc/group </code></pre></p>
            <p>The <code>/etc/group</code> file contains information regarding groups that are configured on the system. Protection of this file is important for system security.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26930-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26686336">
            <h3>Result for Verify Permissions on group File</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">perms_group_file</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:39" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
              
    To properly set the permissions of <code>/etc/group</code>, run the command:
    <pre class="code"><code># chmod 644 /etc/group</code></pre></p>
            <p>The <code>/etc/group</code> file contains information regarding groups that are configured on the system. Protection of this file is important for system security.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26954-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26690976">
            <h3>Result for Verify User Who Owns gshadow File</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">userowner_gshadow_file</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:39" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
              
    To properly set the owner of <code>/etc/gshadow</code>, run the command:
    <pre class="code"><code># chown root /etc/gshadow </code></pre></p>
            <p>The <code>/etc/gshadow</code> file contains group password hashes. Protection of this file is critical for system security.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27026-4</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26695616">
            <h3>Result for Verify Group Who Owns gshadow File</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">groupowner_gshadow_file</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:39" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
              
    To properly set the group owner of <code>/etc/gshadow</code>, run the command:
    <pre class="code"><code># chgrp root /etc/gshadow </code></pre></p>
            <p>The <code>/etc/gshadow</code> file contains group password hashes. Protection of this file is critical for system security.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26975-3</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26700272">
            <h3>Result for Verify Permissions on gshadow File</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">perms_gshadow_file</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:39" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
              
    To properly set the permissions of <code>/etc/gshadow</code>, run the command:
    <pre class="code"><code># chmod 0000 /etc/gshadow</code></pre></p>
            <p>The <code>/etc/gshadow</code> file contains group password hashes. Protection of this file is critical for system security.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26951-4</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26704912">
            <h3>Result for Verify User Who Owns passwd File</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">userowner_passwd_file</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:39" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
              
    To properly set the owner of <code>/etc/passwd</code>, run the command:
    <pre class="code"><code># chown root /etc/passwd </code></pre></p>
            <p>The <code>/etc/passwd</code> file contains information about the users that are configured on the system. Protection of this file is critical for system security.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26953-0</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26709552">
            <h3>Result for Verify Group Who Owns passwd File</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">groupowner_passwd_file</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:39" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
              
    To properly set the group owner of <code>/etc/passwd</code>, run the command:
    <pre class="code"><code># chgrp root /etc/passwd </code></pre></p>
            <p>The <code>/etc/passwd</code> file contains information about the users that are configured on the system. Protection of this file is critical for system security.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26856-5</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26714192">
            <h3>Result for Verify Permissions on passwd File</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">file_permissions_etc_passwd</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:39" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
              
    To properly set the permissions of <code>/etc/passwd</code>, run the command:
    <pre class="code"><code># chmod 0644 /etc/passwd</code></pre></p>
            <p>If the <code>/etc/passwd</code> file is writable by a group-owner or the world, the risk of its compromise is increased. The file contains the list of
accounts on the system and associated information, and protection of this file
is critical for system security.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26868-0</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26718848">
            <h3>Result for Verify that Shared Library Files Have Restrictive Permissions</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">file_permissions_library_dirs</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:40" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
<pre class="code"><code>/lib
/lib64
/usr/lib
/usr/lib64
</code></pre>
Kernel modules, which can be added to the kernel during runtime, are
stored in <code>/lib/modules</code>. All files in these directories
should not be group-writable or world-writable. If any file in these
directories is found to be group-writable or world-writable, correct
its permission with the following command:
<pre class="code"><code># chmod go-w <em>FILE</em></code></pre></p>
            <p>Files from shared library directories are loaded into the address
space of processes (including privileged ones) or of the kernel itself at
runtime. Restrictive permissions are necessary to protect the integrity of the system.</p>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26722592">
            <h3>Result for Verify that Shared Library Files Have Root Ownership</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">file_ownership_library_dirs</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:40" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
<pre class="code"><code>/lib
/lib64
/usr/lib
/usr/lib64
</code></pre>
Kernel modules, which can be added to the kernel during runtime, are also
stored in <code>/lib/modules</code>. All files in these directories should be
owned by the <code>root</code> user. If any file in these directories is found
to be owned by a user other than root, correct its ownership with the
following command:
<pre class="code"><code># chown root <em>FILE</em></code></pre></p>
            <p>Files from shared library directories are loaded into the address
space of processes (including privileged ones) or of the kernel itself at
runtime. Proper ownership is necessary to protect the integrity of the system.
</p>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26726576">
            <h3>Result for Verify that System Executables Have Restrictive Permissions</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">file_permissions_binary_dirs</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:40" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
System executables are stored in the following directories by default:
<pre class="code"><code>/bin
/usr/bin
/usr/local/bin
/sbin
/usr/sbin
/usr/local/sbin</code></pre>
All files in these directories should not be group-writable or world-writable.
If any file <em>FILE</em> in these directories is found
to be group-writable or world-writable, correct its permission with the
following command:
<pre class="code"><code># chmod go-w <em>FILE</em></code></pre></p>
            <p>System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.
</p>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26729504">
            <h3>Result for Verify that System Executables Have Root Ownership</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">file_ownership_binary_dirs</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:40" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
System executables are stored in the following directories by default:
<pre class="code"><code>/bin
/usr/bin
/usr/local/bin
/sbin
/usr/sbin
/usr/local/sbin</code></pre>
All files in these directories should be owned by the <code>root</code> user.
If any file <em>FILE</em> in these directories is found
to be owned by a user other than root, correct its ownership with the
following command:
<pre class="code"><code># chown root <em>FILE</em></code></pre></p>
            <p>System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that execution of these programs cannot be co-opted.
</p>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26732480">
            <h3>Result for Verify that All World-Writable Directories Have Sticky Bits Set</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">sticky_world_writable_dirs</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:43" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the
directory. Without the sticky bit, any user with write access to a
directory may remove any file in the directory. Setting the sticky
bit prevents users from removing each other's files. In cases where
there is no reason for a directory to be world-writable, a better
solution is to remove that permission rather than to set the sticky
bit. However, if a directory is used by a particular application,
consult that application's documentation instead of blindly
changing modes.
<br />
To set the sticky bit on a world-writable directory <em>DIR</em>, run the
following command:
<pre class="code"><code># chmod +t <em>DIR</em></code></pre></p>
            <p>
Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure. <br /><br />
The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, by users for temporary file storage (such as <code>/tmp</code>), and for directories requiring global read/write access.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26840-9</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26737136">
            <h3>Result for Ensure No World-Writable Files Exist</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">world_writeable_files</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:43" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with
documentation for specific applications before making changes.
Also, monitor for recurring world-writable files, as these may be
symptoms of a misconfigured application or user
account.</p>
            <p>
Data in world-writable files can be modified by any
user on the system. In almost all circumstances, files can be
configured using a combination of user and group permissions to
support whatever legitimate access is needed without the risk
caused by world-writable files.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26910-0</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26746768">
            <h3>Result for Ensure All Files Are Owned by a User</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">no_files_unowned_by_user</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:43" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>If any files are not owned by a user, then the
cause of their lack of ownership should be investigated.
Following this, the files should be deleted or assigned to an
appropriate user.
</p>
            <p>
Unowned files do not directly imply a security problem, but they are generally
a sign that something is amiss. They may
be caused by an intruder, by incorrect software installation or
draft software removal, or by failure to remove all files belonging
to a deleted account. The files should be repaired so they
will not cause problems when accounts are created in the future,
and the cause should be discovered and addressed.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27032-2</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26751424">
            <h3>Result for Ensure All Files Are Owned by a Group</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">no_files_unowned_by_group</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:43" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>If any files are not owned by a group, then the
cause of their lack of group-ownership should be investigated.
Following this, the files should be deleted or assigned to an
appropriate group.
</p>
            <p>
Unowned files do not directly imply a security problem, but they are generally
a sign that something is amiss. They may
be caused by an intruder, by incorrect software installation or
draft software removal, or by failure to remove all files belonging
to a deleted account. The files should be repaired so they
will not cause problems when accounts are created in the future,
and the cause should be discovered and addressed.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26872-2</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26756080">
            <h3>Result for Ensure All World-Writable Directories Are Owned by a System Account</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">world_writable_files_system_ownership</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>All directories in local partitions which are
world-writable should be owned by root or another
system account.  If any world-writable directories are not
owned by a system account, this should be investigated.
Following this, the files should be deleted or assigned to an
appropriate group.
</p>
            <p>
Allowing a user account to own a world-writable directory is
undesirable because it allows the owner of that directory to remove
or replace any files that may be placed in the directory by other
users.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26642-9</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26760736">
            <h3>Result for Set Daemon Umask</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">set_daemon_umask</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The file <code>/etc/init.d/functions</code> includes initialization
parameters for most or all daemons started at boot time.  The default umask of
022 prevents creation of group- or world-writable files.  To set the default
umask for daemons, edit the following line, inserting 022 or 027 for
<em>UMASK</em> appropriately:
<pre class="code"><code>umask <em>UMASK</em></code></pre>
Setting the umask to too restrictive a setting can cause serious errors at
runtime.  Many daemons on the system already individually restrict themselves to
a umask of 077 in their own init scripts.
</p>
            <p>The umask influences the permissions assigned to files created by a
process at run time.  An unnecessarily permissive umask could result in files
being created with insecure permissions.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27031-4</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26766272">
            <h3>Result for Disable Core Dumps for All Users</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">disable_users_coredumps</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>To disable core dumps for all users, add the following line to
<code>/etc/security/limits.conf</code>:
<pre class="code"><code>*     hard   core    0</code></pre></p>
            <p>A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27033-0</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26773872">
            <h3>Result for Enable ExecShield</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">enable_execshield</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
              
    To set the runtime status of the <code>kernel.exec-shield</code> kernel parameter, run the following command:
    <pre class="code"><code># sysctl -w kernel.exec-shield=1</code></pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre class="code"><code>kernel.exec-shield = 1</code></pre></p>
            <p>ExecShield uses the segmentation feature on all x86 systems
to prevent execution in memory higher than a certain address. It
writes an address as a limit in the code segment descriptor, to
control where code can be executed, on a per-process basis. When
the kernel places a process's memory regions such as the stack and
heap higher than this address, the hardware prevents execution in that
address range.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27007-4</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26778512">
            <h3>Result for Enable Randomized Layout of Virtual Address Space</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">enable_randomize_va_space</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
              
    To set the runtime status of the <code>kernel.randomize_va_space</code> kernel parameter, run the following command:
    <pre class="code"><code># sysctl -w kernel.randomize_va_space=2</code></pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre class="code"><code>kernel.randomize_va_space = 2</code></pre></p>
            <p> Address space layout randomization (ASLR) makes it more difficult
for an attacker to predict the location of attack code they have introduced
into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code
in order to re-purpose it using return oriented programming (ROP) techniques.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26999-3</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26788272">
            <h3>Result for Ensure SELinux Not Disabled in /etc/grub.conf</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">enable_selinux_bootloader</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>SELinux can be disabled at boot time by an argument in <code>/etc/grub.conf</code>.
Remove any instances of <code>selinux=0</code> from the kernel arguments in that
file to prevent SELinux from being disabled at boot.
</p>
            <p>
Disabling a major host protection feature, such as SELinux, at boot time prevents
it from confining system services at boot time.  Further, it increases
the chances that it will remain off during system operation.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26956-3</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26792928">
            <h3>Result for Ensure SELinux State is Enforcing</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">set_selinux_state</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>The SELinux state should be set to <code>enforcing</code> at
system boot time.  In the file <code>/etc/selinux/config</code>, add or correct the
following line to configure the system to boot into enforcing mode:
<pre class="code"><code>SELINUX=enforcing</code></pre></p>
            <p>
Setting the SELinux state to enforcing ensures SELinux is able to confine
potentially compromised processes to the security policy, which is designed to
prevent them from causing damage to the system or further elevating their
privileges.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26969-6</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26798464">
            <h3>Result for Configure SELinux Policy</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">set_selinux_policy</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The SELinux <code>targeted</code> policy is appropriate for general-purpose desktops and servers, as well as systems in many
other roles. To configure the system to use this policy, add or correct the following
line in <code>/etc/selinux/config</code>:
<pre class="code"><code>SELINUXTYPE=targeted</code></pre>
Other policies, such as <code>mls</code>, provide additional security labeling
and greater confinement but are not compatible with many general-purpose
use cases.
</p>
            <p>
Setting the SELinux policy to <code>targeted</code> or a more specialized policy
ensures the system will confine processes that are likely to be
targeted for exploitation, such as network or system services.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26875-5</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26809120">
            <h3>Result for Ensure No Device Files are Unlabeled by SELinux</h3>
            <p class="result-error">Result: <strong class="strong">error</strong></p>
            <p>Rule ID: <strong class="strong">selinux_unlabeled_device_files</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>Device files, which are used for communication with important
system resources, should be labeled with proper SELinux types. If any device
files carry the SELinux type <code>unlabeled_t</code>, investigate the cause and
correct the file's context.
</p>
            <p>
If a device file carries the SELinux type <code>unlabeled_t</code>, then SELinux
cannot properly restrict access to the device file.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26774-0</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26815920">
            <h3>Result for Restrict Virtual Console Root Logins</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">restrict_root_console_logins</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
To restrict root logins through the (deprecated) virtual console devices,
ensure lines of this form do not appear in <code>/etc/securetty</code>:
<pre class="code"><code>vc/1
vc/2
vc/3
vc/4</code></pre></p>
            <p>
Preventing direct root login to virtual console devices
helps ensure accountability for actions taken on the system
using the root account.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26855-7</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26820576">
            <h3>Result for Restrict Serial Port Root Logins</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">restrict_serial_port_logins</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>To restrict root logins on serial ports,
ensure lines of this form do not appear in <code>/etc/securetty</code>:
<pre class="code"><code>ttyS0
ttyS1</code></pre></p>
            <p>
Preventing direct root login to serial port interfaces
helps ensure accountability for actions taken on the system
using the root account.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27047-0</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26827376">
            <h3>Result for Ensure that System Accounts Do Not Run a Shell Upon Login</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">no_shelllogin_for_systemaccounts</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
Some accounts are not associated with a human
user of the system, and exist to perform some administrative
function. Should an attacker be able to log into these accounts,
they should not be granted access to a shell.
<br /><br />
The login shell for each local account is stored in the last field of each line
in <code>/etc/passwd</code>.  System accounts are those user accounts with a user ID
less than 500. The user ID is stored in the third field.
If any system account <em>SYSACCT</em> (other than root) has a login shell,
disable it with the command:
<pre class="code"><code># usermod -s /sbin/nologin <em>SYSACCT</em></code></pre></p>
            <div class="xccdf-warning">
              <p>
Do not perform the steps in this
section on the root account. Doing so might cause the system to
become inaccessible.
</p>
            </div>
            <p>
Ensuring shells are not given to system accounts upon login
makes it more difficult for attackers to make use of
system accounts.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26966-2</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26832848">
            <h3>Result for Verify Only Root Has UID 0</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">no_uidzero_except_root</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
If any account other than root has a UID of 0,
this misconfiguration should be investigated and the
accounts other than root should be removed or have their UID changed.
</p>
            <p>
An account has root authority if it has a UID of 0. Multiple accounts
with a UID of 0 afford more opportunity for potential intruders to
guess a password for a privileged account. Proper configuration of
sudo is recommended to afford multiple system administrators
access to root privileges in an accountable manner.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26971-2</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26839632">
            <h3>Result for Prevent Log In to Accounts With Empty Password</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">no_empty_passwords</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">high</strong></p>
            <p>If an account is configured for password authentication but does not have an
assigned password, it may be possible to log into the account without authentication.
Remove any instances of the <code>nullok</code> option in <code>/etc/pam.d/system-auth</code> to
prevent logins with empty passwords.
</p>
            <p>
If an account has an empty password, anyone could log in and
run commands with the privileges of that account. Accounts with
empty passwords should never be used in operational
environments.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27038-9</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26844272">
            <h3>Result for Verify All Account Password Hashes are Shadowed</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">no_hashes_outside_shadow</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
If any password hashes are stored in <code>/etc/passwd</code> (in the second field,
instead of an <code>x</code>), the cause of this misconfiguration should be
investigated.  The account should have its password reset and the hash should be
properly stored, or the account should be deleted entirely.
</p>
            <p>
The hashes for all user account passwords should be stored in
the file <code>/etc/shadow</code> and never in <code>/etc/passwd</code>,
which is readable by all users.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26476-2</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26848928">
            <h3>Result for All GIDs referenced in /etc/passwd must be defined in /etc/group</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">gid_passwd_group_same</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
Add a group to the system for each GID referenced without a corresponding group.
</p>
            <p>
Inconsistency in GIDs between <code>/etc/passwd</code> and <code>/etc/group</code>
could lead to a user having unintended rights. </p>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26851888">
            <h3>Result for Verify No netrc Files Exist</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">no_netrc_files</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>The <code>.netrc</code> files contain login information used to auto-login
into FTP servers and reside in the user's home
directory. These files may contain unencrypted passwords to
remote FTP servers making them susceptible to access by unauthorized
users and should not be used.  Any <code>.netrc</code> files should be removed.
</p>
            <p>
Unencrypted passwords for remote FTP servers may be stored in <code>.netrc</code>
files. DoD policy requires passwords be encrypted in storage and not used
in access scripts.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27225-2</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26856528">
            <h3>Result for Set Password Minimum Length in login.defs</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">password_min_len</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>To specify password length requirements for new accounts, edit the file
<code>/etc/login.defs</code> and add or correct the following line:
<pre class="code"><code>PASS_MIN_LEN 14</code></pre><br /><br />
The DoD requirement is <code>14</code>. 
The FISMA requirement is <code>12</code>.
If a program consults <code>/etc/login.defs</code> and also another PAM module
(such as <code>pam_cracklib</code>) during a password change operation,
then the most restrictive must be satisfied. See PAM section
for more information about enforcing password quality requirements.
</p>
            <p>
Requiring a minimum password length makes password
cracking attacks more difficult by ensuring a larger
search space. However, any security benefit from an onerous requirement
must be carefully weighed against usability problems, support costs, or
counterproductive behavior that may result.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27002-5</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26862032">
            <h3>Result for Set Password Minimum Age</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">password_min_age</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>To specify password minimum age for new accounts, edit the file <code>/etc/login.defs</code>
and add or correct the following line, replacing <em>DAYS</em> appropriately:
<pre class="code"><code>PASS_MIN_DAYS <em>DAYS</em></code></pre>
A value of 1 day is considered sufficient for many
environments.
The DoD requirement is 1.
</p>
            <p>
Setting the minimum password age protects against
users cycling back to a favorite password
after satisfying the password reuse requirement.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27013-2</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26867568">
            <h3>Result for Set Password Maximum Age</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">password_max_age</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>To specify password maximum age for new accounts, edit the file <code>/etc/login.defs</code>
and add or correct the following line, replacing <em>DAYS</em> appropriately:
<pre class="code"><code>PASS_MAX_DAYS <em>DAYS</em></code></pre>
A value of 180 days is sufficient for many environments. 
The DoD requirement is 60.
</p>
            <p>
Setting the password maximum age ensures users are required to
periodically change their passwords. This could possibly decrease
the utility of a stolen password. Requiring shorter password lifetimes
increases the risk of users writing down the password in a convenient
location subject to physical compromise.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26985-2</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26873104">
            <h3>Result for Set Password Warning Age</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">password_warn_age</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>To specify how many days prior to password
expiration that a warning will be issued to users,
edit the file <code>/etc/login.defs</code> and add or correct
 the following line, replacing <em>DAYS</em> appropriately:
<pre class="code"><code>PASS_WARN_AGE <em>DAYS</em></code></pre>
The DoD requirement is 7.
</p>
            <p>
Setting the password warning age enables users to
make the change at a practical time.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26988-6</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26878640">
            <h3>Result for Set Account Expiration Following Inactivity</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">account_disable_post_pw_expiration</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>To specify the number of days after a password expires (which
signifies inactivity) until an account is permanently disabled, add or correct
the following lines in <code>/etc/default/useradd</code>, substituting
<code><em>NUM_DAYS</em></code> appropriately:
<pre class="code"><code>INACTIVE=<em>NUM_DAYS</em></code></pre>
A value of 35 is recommended.  
If a password is currently on the
verge of expiration, then 35 days remain until the account is automatically
disabled. However, if the password will not expire for another 60 days, then 95
days could elapse until the account would be automatically disabled. See the
<code>useradd</code> man page for more information.  Determining the inactivity
timeout must be done with careful consideration of the length of a "normal"
period of inactivity for users in the particular environment. Setting
the timeout too low incurs support costs and also has the potential to impact
availability of the system to legitimate users.
</p>
            <p>
Disabling inactive accounts ensures that accounts which may not
have been responsibly removed are not available to attackers
who may have compromised their credentials.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27283-1</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26884256">
            <h3>Result for Ensure All Accounts on the System Have Unique Names</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">account_unique_name</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
Change usernames, or delete accounts, so each has a unique name.
</p>
            <p>
Unique usernames allow for accountability on the system. 
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27609-7</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26888000">
            <h3>Result for Assign Expiration Date to Temporary Accounts</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">account_temp_expire_date</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
In the event temporary or emergency accounts are required, configure the system
to terminate them after a documented time period. For every temporary and
emergency account, run the following command to set an expiration date on it,
substituting <code><em>USER</em></code> and <code><em>YYYY-MM-DD</em></code>
appropriately:
<pre class="code"><code># chage -E <em>YYYY-MM-DD</em> <em>USER</em></code></pre>
<code><em>YYYY-MM-DD</em></code> indicates the documented expiration date for the account. </p>
            <p>
When temporary and emergency accounts are created, there is a risk they may
remain in place and active after the need for them no longer exists.  Account
expiration greatly reduces the risk of accounts being misused or hijacked. 
<br /></p>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26890976">
            <h3>Result for Set Last Logon/Access Notification</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">display_login_attempts</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>To configure the system to notify users of last logon/access
using <code>pam_lastlog</code>, add the following line immediately after
<code>session  required  pam_limits.so</code>:
<pre class="code"><code>session     required     pam_lastlog.so showfailed</code></pre></p>
            <p>
Users need to be aware of activity that occurs regarding
their account. Providing users with information regarding the number
of unsuccessful attempts that were made to login to their account
allows the user to determine if any unauthorized activity has occurred
and gives them an opportunity to notify administrators.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27291-4</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26895616">
            <h3>Result for Set Password Retry Prompts Permitted Per-Session</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">password_retry</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>To configure the number of retry prompts that are permitted per-session: <br /><br />
Edit the <code>pam_cracklib.so</code> statement in <code>/etc/pam.d/system-auth</code>
to show <code>retry=3</code>, or a lower value if site policy is more restrictive. <br /><br />
The DoD requirement is a maximum of 3 prompts per session.
</p>
            <p>
Setting the password retry prompts that are permitted on a per-session basis to a low
value requires some software, such as SSH, to re-connect. This can slow down and
draw additional attention to some types of password-guessing attacks. Note that this
is different from account lockout, which is provided by the pam_faillock module.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27123-9</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26901168">
            <h3>Result for Set Password to Maximum of Three Consecutive Repeating Characters</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">password_require_consecrepeat</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The pam_cracklib module's <code>maxrepeat</code> parameter controls
requirements for consecutive repeating characters. When set to a positive number, it
will reject passwords which contain more than that number of consecutive identical characters.
Add <code>maxrepeat=3</code> after pam_cracklib.so to prevent a run of four or more
identical characters. </p>
            <p>
Passwords with excessive repeating characters may be more vulnerable to
password-guessing attacks. </p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27227-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26904928">
            <h3>Result for Set Password Strength Minimum Digit Characters</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">password_require_digits</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The pam_cracklib module's <code>dcredit</code> parameter controls
requirements for usage of digits in a password. When set to a negative number, any
password will be required to contain that many digits. When set to a positive number,
pam_cracklib will grant +1 additional length credit for each digit.
Add <code>dcredit=-1</code> after pam_cracklib.so to require use of a digit in
passwords. </p>
            <p>
Requiring digits makes password guessing attacks more difficult by ensuring a larger
search space.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26374-9</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26910496">
            <h3>Result for Set Password Strength Minimum Uppercase Characters</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">password_require_uppercases</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The pam_cracklib module's <code>ucredit=</code> parameter controls
requirements for usage of uppercase letters in a password. When set to a negative
number, any password will be required to contain that many uppercase characters. When
set to a positive number, pam_cracklib will grant +1 additional length credit for
each uppercase character. Add <code>ucredit=-1</code> after pam_cracklib.so to
require use of an uppercase character in passwords. </p>
            <p>
Requiring a minimum number of uppercase characters makes password guessing attacks
more difficult by ensuring a larger search space.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26601-5</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26916064">
            <h3>Result for Set Password Strength Minimum Special Characters</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">password_require_specials</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The pam_cracklib module's <code>ocredit=</code> parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each special character. Add <code>ocredit=-1</code> after pam_cracklib.so to require use of a special character in passwords.</p>
            <p>
Requiring a minimum number of special characters makes password guessing attacks
more difficult by ensuring a larger search space.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26409-3</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26921632">
            <h3>Result for Set Password Strength Minimum Lowercase Characters</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">password_require_lowercases</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The pam_cracklib module's <code>lcredit=</code> parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each lowercase character. Add <code>lcredit=-1</code> after pam_cracklib.so to require use of a lowercase character in passwords.</p>
            <p>
Requiring a minimum number of lowercase characters makes password guessing attacks
more difficult by ensuring a larger search space.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26631-2</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26927200">
            <h3>Result for Set Password Strength Minimum Different Characters</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">password_require_diffchars</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The pam_cracklib module's <code>difok</code> parameter controls requirements for usage of different characters during a password change.
Add <code>difok=<em>NUM</em></code> after pam_cracklib.so to require differing
characters when changing passwords, substituting <em>NUM</em> appropriately.
The DoD requirement is <code>4</code>.
</p>
            <p>
Requiring a minimum number of different characters during password changes ensures that newly changed passwords do not closely resemble previously compromised ones.
Note that passwords which are changed on compromised systems will still be compromised, however.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26615-5</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26932768">
            <h3>Result for Set Deny For Failed Password Attempts</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">deny_password_attempts</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
To configure the system to lock out accounts after a number of incorrect login
attempts using <code>pam_faillock.so</code>, add the following lines immediately below the <code>pam_unix.so</code> statement in the <code>AUTH</code> section of <code>/etc/pam.d/system-auth</code>:
</p>
<pre class="code"><code>auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900</code></pre>
<pre class="code"><code>auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900</code></pre>
            <p>
Locking out user accounts after a number of incorrect attempts
prevents direct password guessing attacks.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26844-1</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26938336">
            <h3>Result for Set Lockout Time For Failed Password Attempts</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">deny_password_attempts_unlock_time</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
To configure the system to lock out accounts after a number of incorrect login
attempts and require an administrator to unlock the account using <code>pam_faillock.so</code>, add the following lines immediately below the <code>pam_env.so</code> statement in <code>/etc/pam.d/system-auth</code>:
</p>
<pre class="code"><code>auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900</code></pre>
<pre class="code"><code>auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900</code></pre>
            <p>
Locking out user accounts after a number of incorrect attempts
prevents direct password guessing attacks.  Ensuring that an administrator is
involved in unlocking locked accounts draws appropriate attention to such
situations.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27110-6</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26944736">
            <h3>Result for Set Interval For Counting Failed Password Attempts</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">deny_password_attempts_fail_interval</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
To configure the system to lock out accounts after a number of incorrect login
attempts within a 15-minute interval using <code>pam_faillock.so</code>, add the following lines immediately below the <code>pam_env.so</code> statement in <code>/etc/pam.d/system-auth</code>:
</p>
<pre class="code"><code>auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900</code></pre>
<pre class="code"><code>auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900</code></pre>
            <p>
Locking out user accounts after a number of incorrect attempts within a
specific period of time prevents direct password guessing attacks.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27215-3</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26951136">
            <h3>Result for Limit Password Reuse</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">limiting_password_reuse</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>Do not allow users to reuse recent passwords. This can be accomplished by using the <code>remember</code> option for the <code>pam_unix</code> PAM module. In the file <code>/etc/pam.d/system-auth</code>, append <code>remember=24</code> to the line which refers to the <code>pam_unix.so</code> module, as shown:</p>
<pre class="code"><code>password sufficient pam_unix.so <em>existing_options</em> remember=24</code></pre>
            <p>The DoD and FISMA requirement is 24 passwords.</p>
            <p>
Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26741-9</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26956704">
            <h3>Result for Set Password Hashing Algorithm in /etc/pam.d/system-auth</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">set_password_hashing_algorithm_systemauth</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
In <code>/etc/pam.d/system-auth</code>, the <code>password</code> section of
the file controls which PAM modules execute during a password change.
Set the <code>pam_unix.so</code> module in the
<code>password</code> section to include the argument <code>sha512</code>, as shown below:
</p>
<pre class="code"><code>password    sufficient    pam_unix.so sha512 <em>other arguments...</em></code></pre>
            <p>
This will help ensure that when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.
</p>
            <p>
Using a stronger hashing algorithm makes password cracking attacks more difficult.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26303-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26961376">
            <h3>Result for Set Password Hashing Algorithm in /etc/login.defs</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">set_password_hashing_algorithm_logindefs</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
In <code>/etc/login.defs</code>, add or correct the following line to ensure
the system will use SHA-512 as the hashing algorithm:
</p>
<pre class="code"><code>ENCRYPT_METHOD SHA512</code></pre>
            <p>
Using a stronger hashing algorithm makes password cracking attacks more difficult.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27228-6</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26966048">
            <h3>Result for Set Password Hashing Algorithm in /etc/libuser.conf</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">set_password_hashing_algorithm_libuserconf</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
In <code>/etc/libuser.conf</code>, add or correct the following line in its
<code>[defaults]</code> section to ensure the system will use the SHA-512
algorithm for password hashing:
</p>
<pre class="code"><code>crypt_style = sha512</code></pre>
            <p>
Using a stronger hashing algorithm makes password cracking attacks more difficult.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27229-4</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26970720">
            <h3>Result for Limit the Number of Concurrent Login Sessions Allowed Per User</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">max_concurrent_login_sessions</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. The DoD requirement is 10. To set the number of concurrent sessions per user, add the following line in <code>/etc/security/limits.conf</code>:
</p>
<pre class="code"><code>* hard maxlogins 10</code></pre>
            <p>Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27457-1</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26985104">
            <h3>Result for Ensure the Default Bash Umask is Set Correctly</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">user_umask_bashrc</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
To ensure the default umask for users of the Bash shell is set properly,
add or correct the <code>umask</code> setting in <code>/etc/bashrc</code> to read
as follows:
</p>
<pre class="code"><code>umask 077</code></pre>
            <p>The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26917-5</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26990656">
            <h3>Result for Ensure the Default C Shell Umask is Set Correctly</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">user_umask_cshrc</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
To ensure the default umask for users of the C shell is set properly,
add or correct the <code>umask</code> setting in <code>/etc/csh.cshrc</code> to read
as follows:
</p>
<pre class="code"><code>umask 077</code></pre>
            <p>The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27034-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp26996224">
            <h3>Result for Ensure the Default Umask is Set Correctly in /etc/profile</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">user_umask_profile</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
To ensure the default umask controlled by <code>/etc/profile</code> is set properly,
add or correct the <code>umask</code> setting in <code>/etc/profile</code> to read as
follows:
</p>
<pre class="code"><code>umask 077</code></pre>
            <p>The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26669-2</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27001776">
            <h3>Result for Ensure the Default Umask is Set Correctly in login.defs</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">user_umask_logindefs</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
To ensure the default umask controlled by <code>/etc/login.defs</code> is set
properly, add or correct the <code>UMASK</code> setting in
<code>/etc/login.defs</code> to read as follows:
</p>
<pre class="code"><code>UMASK 077</code></pre>
            <p>The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and written to by unauthorized users.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26371-5</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27007328">
            <h3>Result for Verify /etc/grub.conf User Ownership</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">user_owner_grub_conf</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>The file <code>/etc/grub.conf</code> should be owned by the <code>root</code> user to prevent destruction or modification of the file.</p>
            <p>To properly set the owner of <code>/etc/grub.conf</code>, run the command:</p>
<pre class="code"><code># chown root /etc/grub.conf</code></pre>
            <p>
Only root should be able to modify important boot parameters.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26995-1</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27011968">
            <h3>Result for Verify /etc/grub.conf Group Ownership</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">group_owner_grub_conf</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>The file <code>/etc/grub.conf</code> should be group-owned by the <code>root</code> group to prevent destruction or modification of the file.</p>
            <p>To properly set the group owner of <code>/etc/grub.conf</code>, run the command:</p>
<pre class="code"><code># chgrp root /etc/grub.conf</code></pre>
            <p>
The <code>root</code> group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27022-3</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27016608">
            <h3>Result for Verify /boot/grub/grub.conf Permissions</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">permissions_grub_conf</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>File permissions for <code>/boot/grub/grub.conf</code> should be set to 600, which is the default.</p>
            <p>To properly set the permissions of <code>/boot/grub/grub.conf</code>, run the command:</p>
<pre class="code"><code># chmod 600 /boot/grub/grub.conf</code></pre>
            <p>
Proper permissions ensure that only the root user can modify important boot
parameters.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26949-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27021248">
            <h3>Result for Set Boot Loader Password</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">bootloader_password</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>The grub boot loader should have password protection enabled to protect boot-time settings. To do so, select a password and then generate a hash from it by running the following command:</p>
<pre class="code"><code># grub-crypt --sha-512</code></pre>
            <p>Enter the chosen password when prompted, then insert the following line into <code>/etc/grub.conf</code> immediately after the header comments, using the output from <code>grub-crypt</code> as the value of <strong class="bold">password-hash</strong>:</p>
<pre class="code"><code>password --encrypted <strong class="bold">password-hash</strong></code></pre>
            <p>NOTE: To meet FISMA Moderate, the bootloader password MUST differ from the root password.</p>
            <p>
Password protection on the boot loader configuration ensures
users with physical access cannot trivially alter
important bootloader settings. These include which kernel to use,
and whether to enter single-user mode.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26911-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27025888">
            <h3>Result for Require Authentication for Single User Mode</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">require_singleuser_auth</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>Single-user mode is intended as a system recovery method, providing a single user root access to the system by
providing a boot option at startup. By default, no authentication
is performed if single-user mode is selected.</p>
            <p>
To require entry of the root password even if the system is
started in single-user mode, add or correct the following line in the
file <code>/etc/sysconfig/init</code>:
</p>
<pre class="code"><code>SINGLE=/sbin/sulogin</code></pre>
            <p>
This prevents attackers with physical access from trivially bypassing security
on the machine and gaining root access. Such accesses are further prevented
by configuring the bootloader password.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27040-5</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27030544">
            <h3>Result for Disable Ctrl-Alt-Del Reboot Activation</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">disable_ctrlaltdel_reboot</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">high</strong></p>
            <p>
By default, the system includes the following line in
<code>/etc/init/control-alt-delete.conf</code>
to reboot the system when the Ctrl-Alt-Del key sequence is pressed:
</p>
<pre class="code"><code>exec /sbin/shutdown -r now "Control-Alt-Delete pressed"</code></pre>
            <p>
To configure the system to log a message instead of
rebooting the system, alter that line to read as follows:
</p>
<pre class="code"><code>exec /usr/bin/logger -p security.info "Control-Alt-Delete pressed"</code></pre>
            <p>
A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
can reboot the system. If accidentally pressed, as could happen in
the case of mixed OS environment, this can create the risk of short-term
loss of availability of systems due to unintentional reboot.
In the GNOME graphical environment, risk of unintentional reboot from the
Ctrl-Alt-Del sequence is reduced because the user will be
prompted before any action is taken.
</p>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27033520">
            <h3>Result for Disable Interactive Boot</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">disable_interactive_boot</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
To disable the ability for users to perform interactive startups,
edit the file <code>/etc/sysconfig/init</code>.
Add or correct the line:
</p>
<pre class="code"><code>PROMPT=no</code></pre>
            <p>
The <code>PROMPT</code> option allows the console user to perform an
interactive system startup, in which it is possible to select the
set of services which are started on boot.
</p>
            <p>
Using interactive boot,
the console user could disable auditing, firewalls, or other
services, weakening system security.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27043-9</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27038176">
            <h3>Result for Set GNOME Login Inactivity Timeout</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">set_screensaver_inactivity_timeout</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
Run the following command to set the idle time-out value for
inactivity in the GNOME desktop to 15 minutes:
</p>
<pre class="code"><code># gconftool-2 \
  --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type int \
  --set /apps/gnome-screensaver/idle_delay 15</code></pre>
            <p>
Setting the idle delay controls when the
screensaver will start, and can be combined with
screen locking to prevent access from passersby.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26828-4</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27043744">
            <h3>Result for GNOME Desktop Screensaver Mandatory Use</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">enable_screensaver_after_idle</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
Run the following command to activate the screensaver
in the GNOME desktop after a period of inactivity:
<pre class="code"><code># gconftool-2 --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type bool \
  --set /apps/gnome-screensaver/idle_activation_enabled true</code></pre></p>
            <p>
Enabling idle activation of the screen saver ensures the screensaver will
be activated after the idle delay. Applications requiring continuous,
real-time screen display (such as network management products) require that
the login session not have administrator rights and that the display station
be located in a controlled-access area.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26600-7</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27048400">
            <h3>Result for Enable Screen Lock Activation After Idle Period</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">enable_screensaver_password_lock</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
Run the following command to activate locking of the screensaver
in the GNOME desktop when it is activated:
<pre class="code"><code># gconftool-2 --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type bool \
  --set /apps/gnome-screensaver/lock_enabled true</code></pre></p>
            <p>
Enabling the activation of the screen lock after an idle period
ensures password entry will be required in order to
access the system, preventing access by passersby.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26235-2</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27053056">
            <h3>Result for Implement Blank Screen Saver</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">set_blank_screensaver</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
Run the following command to set the screensaver mode
in the GNOME desktop to a blank screen:
<pre class="code"><code># gconftool-2 \
  --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type string \
  --set /apps/gnome-screensaver/mode blank-only</code></pre></p>
            <p>
Setting the screensaver mode to blank-only conceals the
contents of the display from passersby.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26638-7</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
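The four GNOME screensaver rules above each issue one gconftool-2 write against the mandatory configuration source. The following script is an added example, not code from this report or from SSG: it applies all four settings in one idempotent step and, on a host where GNOME (and therefore gconftool-2) is not installed, returns a distinct code so a calling script can record the rules as not applicable rather than failed. The function name, the settings table and the return codes are this example's own conventions; the keys, types and values are the ones the rules specify.

```shell
#!/bin/sh
# Added example, not SSG content: apply the four GNOME screensaver settings
# (idle_delay, idle_activation_enabled, lock_enabled, mode) in one idempotent
# step, writing to the mandatory gconf source so users cannot override them.

GCONF_MANDATORY="xml:readwrite:/etc/gconf/gconf.xml.mandatory"

# One setting per line: key|type|value (none of the values contain "|").
SCREENSAVER_SETTINGS='/apps/gnome-screensaver/idle_delay|int|15
/apps/gnome-screensaver/idle_activation_enabled|bool|true
/apps/gnome-screensaver/lock_enabled|bool|true
/apps/gnome-screensaver/mode|string|blank-only'

# apply_gnome_screensaver [TOOL]
# TOOL defaults to gconftool-2; a test can pass a shell function that records
# the calls instead. Returns 2 when TOOL is absent (no GNOME on this host),
# 1 if any write fails, 0 when every setting was written.
apply_gnome_screensaver() {
    tool=${1:-gconftool-2}
    command -v "$tool" >/dev/null 2>&1 || return 2
    printf '%s\n' "$SCREENSAVER_SETTINGS" | while IFS='|' read -r key type value; do
        "$tool" --direct --config-source "$GCONF_MANDATORY" \
            --type "$type" --set "$key" "$value" || exit 1
    done
}

# Run as root on a GNOME host:  sh this_script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_gnome_screensaver
    echo "gnome screensaver settings: rc=$?"
fi
```

As with the commands in the rule text, `--direct` writes the XML source without going through gconfd, so run this as root from a script (a kickstart %post, for instance), not from inside a live GNOME session.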
          <div class="result-detail" id="ruleresult-idp27057696">
            <h3>Result for Install the screen Package</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">package_screen_installed</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
To enable console screen locking, install the <code>screen</code> package:
<pre class="code"><code># yum install screen</code></pre>
Instruct users to begin new terminal sessions with the following command:
<pre class="code"><code>$ screen</code></pre>
The console can now be locked with the following key combination:
<pre class="code"><code>ctrl+a x</code></pre></p>
            <p>
Installing <code>screen</code> ensures a console locking capability is available
for users who may need to suspend console logins.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26940-7</span>
              </li>
            </ul>
            <div class="xccdf-fix">
              <h4 class="short">Remediation script</h4>
              <pre class="code">
                <code>yum -y install screen
</code>
              </pre>
            </div>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27063296">
            <h3>Result for Enable Smart Card Login</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">smartcard_auth</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
To enable smart card authentication, consult the documentation at:
</p>
            <ul class="itemizedlist">
              <li>
                <p>https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/enabling-smart-card-login.html</p>
  </li>
            </ul>
            <p>Smart card login provides two-factor authentication stronger than
that provided by a username/password combination. Smart cards leverage a PKI
(public key infrastructure) in order to provide and verify credentials.
</p>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27066256">
            <h3>Result for Modify the System Login Banner</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">set_system_login_banner</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
To configure the system login banner:
<br /><br />
Edit <code>/etc/issue</code>. Replace the default text with a message
compliant with the local site policy or a legal disclaimer.

The DoD required text is either:
<br /><br /><code>You are accessing a U.S. Government (USG) Information System (IS)
that is provided for USG-authorized use only. By using this IS (which includes any
device attached to this IS), you consent to the following conditions:
<br />-The USG routinely intercepts and monitors communications on this IS for
purposes including, but not limited to, penetration testing, COMSEC monitoring,
network operations and defense, personnel misconduct (PM), law enforcement (LE), and
counterintelligence (CI) investigations.
<br />-At any time, the USG may inspect and seize data stored on this IS.
<br />-Communications using, or data stored on, this IS are not private, are subject
to routine monitoring, interception, and search, and may be disclosed or used
for any USG-authorized purpose.
<br />-This IS includes security measures (e.g., authentication and access controls)
to protect USG interests -- not for your personal benefit or privacy.
<br />-Notwithstanding the above, using this IS does not constitute consent to PM, LE
or CI investigative searching or monitoring of the content of privileged
communications, or work product, related to personal representation or services by
attorneys, psychotherapists, or clergy, and their assistants. Such communications and
work product are private and confidential. See User Agreement for details.</code><br /><br /> OR:
<br /><br /><code>I've read &amp; consent to terms in IS user agreem't.</code></p>
            <p>
An appropriate warning message reinforces policy awareness during the logon
process and facilitates possible legal action against attackers.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26974-6</span>
              </li>
            </ul>
            <div class="xccdf-fix">
              <h4 class="short">Remediation script</h4>
              <pre class="code">
                <code>login_banner_text="<abbr title="value: login_banner_text (Login Banner Verbiage)">You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:[\s\n]*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.[\s\n]*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.[\s\n]*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.[\s\n]*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests[\s\n]+--[\s\n]+not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.[\s\n]*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.</abbr>"
cat &lt;&lt;EOF &gt;/etc/issue
$login_banner_text
EOF
</code>
              </pre>
            </div>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27099344">
            <h3>Result for Enable GUI Warning Banner</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">enable_gdm_login_banner</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
To enable displaying a login warning banner in the GNOME
Display Manager's login screen, run the following command:
<pre class="code"><code>sudo -u gdm gconftool-2 \
  --type bool \
  --set /apps/gdm/simple-greeter/banner_message_enable true</code></pre>
To display a banner, this setting must be enabled and then
banner text must also be set.
</p>
            <p>
An appropriate warning message reinforces policy awareness during the logon
process and facilitates possible legal action against attackers.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27195-7</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27103568">
            <h3>Result for Set GUI Warning Banner Text</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">set_gdm_login_banner_text</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
To set the text shown by the GNOME Display Manager
in the login screen, run the following command:
<pre class="code"><code>sudo -u gdm gconftool-2 \
  --type string \
  --set /apps/gdm/simple-greeter/banner_message_text \
  "Text of the warning banner here"</code></pre>
When entering a warning banner that spans several lines, remember
to begin and end the string with <code>"</code>. This command writes
directly to the file <code>/var/lib/gdm/.gconf/apps/gdm/simple-greeter/%gconf.xml</code>,
and this file can later be edited directly if necessary. </p>
            <p>
An appropriate warning message reinforces policy awareness during the logon
process and facilitates possible legal action against attackers.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27017-3</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27117792">
            <h3>Result for Disable Kernel Parameter for Sending ICMP Redirects by Default</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">disable_sysctl_ipv4_default_send_redirects</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To set the runtime status of the <code>net.ipv4.conf.default.send_redirects</code> kernel parameter, run the following command:
    <pre class="code"><code># sysctl -w net.ipv4.conf.default.send_redirects=0</code></pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre class="code"><code>net.ipv4.conf.default.send_redirects = 0</code></pre></p>
            <p>Sending ICMP redirects permits the system to instruct other systems
to update their routing information.  The ability to send ICMP redirects is
only appropriate for systems acting as routers.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27001-7</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27122176">
            <h3>Result for Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">disable_sysctl_ipv4_all_send_redirects</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To set the runtime status of the <code>net.ipv4.conf.all.send_redirects</code> kernel parameter, run the following command:
    <pre class="code"><code># sysctl -w net.ipv4.conf.all.send_redirects=0</code></pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre class="code"><code>net.ipv4.conf.all.send_redirects = 0</code></pre></p>
            <p>Sending ICMP redirects permits the system to instruct other systems
to update their routing information.  The ability to send ICMP redirects is
only appropriate for systems acting as routers.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27004-1</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27126544">
            <h3>Result for Disable Kernel Parameter for IP Forwarding</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">disable_sysctl_ipv4_ip_forward</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To set the runtime status of the <code>net.ipv4.ip_forward</code> kernel parameter, run the following command:
    <pre class="code"><code># sysctl -w net.ipv4.ip_forward=0</code></pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre class="code"><code>net.ipv4.ip_forward = 0</code></pre></p>
            <p>IP forwarding permits the kernel to forward packets from one network
interface to another. The ability to forward packets between two networks is
only appropriate for systems acting as routers.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26866-4</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27130912">
            <h3>Result for Disable Kernel Parameter for Accepting Source-Routed Packets for All Interfaces</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">set_sysctl_net_ipv4_conf_all_accept_source_route</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To set the runtime status of the <code>net.ipv4.conf.all.accept_source_route</code> kernel parameter, run the following command:
    <pre class="code"><code># sysctl -w net.ipv4.conf.all.accept_source_route=0</code></pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre class="code"><code>net.ipv4.conf.all.accept_source_route = 0</code></pre></p>
            <p>Accepting source-routed packets in the IPv4 protocol has few
legitimate uses. It should be disabled unless it is absolutely required.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27037-1</span>
              </li>
            </ul>
            <div class="xccdf-fix">
              <h4 class="short">Remediation script</h4>
              <pre class="code">
                <code>#
# Set runtime for net.ipv4.conf.all.accept_source_route
#
sysctl -q -n -w net.ipv4.conf.all.accept_source_route=0

#
# If net.ipv4.conf.all.accept_source_route present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.conf.all.accept_source_route = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.all.accept_source_route /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.all.accept_source_route.*/net.ipv4.conf.all.accept_source_route = 0/g' /etc/sysctl.conf
else
	echo "" &gt;&gt; /etc/sysctl.conf
	echo "# Set net.ipv4.conf.all.accept_source_route to 0 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.all.accept_source_route = 0" &gt;&gt; /etc/sysctl.conf
fi
</code>
              </pre>
            </div>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27137744">
            <h3>Result for Disable Kernel Parameter for Accepting ICMP Redirects for All Interfaces</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">set_sysctl_net_ipv4_conf_all_accept_redirects</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To set the runtime status of the <code>net.ipv4.conf.all.accept_redirects</code> kernel parameter, run the following command:
    <pre class="code"><code># sysctl -w net.ipv4.conf.all.accept_redirects=0</code></pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre class="code"><code>net.ipv4.conf.all.accept_redirects = 0</code></pre></p>
            <p>Accepting ICMP redirects has few legitimate uses. It should be disabled unless it
is absolutely required.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27027-2</span>
              </li>
            </ul>
            <div class="xccdf-fix">
              <h4 class="short">Remediation script</h4>
              <pre class="code">
                <code>#
# Set runtime for net.ipv4.conf.all.accept_redirects
#
sysctl -q -n -w net.ipv4.conf.all.accept_redirects=0

#
# If net.ipv4.conf.all.accept_redirects present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.conf.all.accept_redirects = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.all.accept_redirects /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.all.accept_redirects.*/net.ipv4.conf.all.accept_redirects = 0/g' /etc/sysctl.conf
else
	echo "" &gt;&gt; /etc/sysctl.conf
	echo "# Set net.ipv4.conf.all.accept_redirects to 0 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.all.accept_redirects = 0" &gt;&gt; /etc/sysctl.conf
fi
</code>
              </pre>
            </div>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27144688">
            <h3>Result for Disable Kernel Parameter for Accepting Secure Redirects for All Interfaces</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">set_sysctl_net_ipv4_conf_all_secure_redirects</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To set the runtime status of the <code>net.ipv4.conf.all.secure_redirects</code> kernel parameter, run the following command:
    <pre class="code"><code># sysctl -w net.ipv4.conf.all.secure_redirects=0</code></pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre class="code"><code>net.ipv4.conf.all.secure_redirects = 0</code></pre></p>
            <p>Accepting "secure" ICMP redirects (from those gateways listed as
default gateways) has few legitimate uses. It should be disabled unless it is
absolutely required.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26854-0</span>
              </li>
            </ul>
            <div class="xccdf-fix">
              <h4 class="short">Remediation script</h4>
              <pre class="code">
                <code>#
# Set runtime for net.ipv4.conf.all.secure_redirects
#
sysctl -q -n -w net.ipv4.conf.all.secure_redirects=0

#
# If net.ipv4.conf.all.secure_redirects present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.conf.all.secure_redirects = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.all.secure_redirects /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.all.secure_redirects.*/net.ipv4.conf.all.secure_redirects = 0/g' /etc/sysctl.conf
else
	echo "" &gt;&gt; /etc/sysctl.conf
	echo "# Set net.ipv4.conf.all.secure_redirects to 0 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.all.secure_redirects = 0" &gt;&gt; /etc/sysctl.conf
fi
</code>
              </pre>
            </div>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27151728">
            <h3>Result for Enable Kernel Parameter to Log Martian Packets</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">set_sysctl_net_ipv4_conf_all_log_martians</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
    To set the runtime status of the <code>net.ipv4.conf.all.log_martians</code> kernel parameter, run the following command:
    <pre class="code"><code># sysctl -w net.ipv4.conf.all.log_martians=1</code></pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre class="code"><code>net.ipv4.conf.all.log_martians = 1</code></pre></p>
            <p>The presence of "martian" packets (which have impossible addresses)
as well as spoofed packets, source-routed packets, and redirects could be a
sign of nefarious network activity. Logging these packets enables this activity
to be detected.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27066-0</span>
              </li>
            </ul>
            <div class="xccdf-fix">
              <h4 class="short">Remediation script</h4>
              <pre class="code">
                <code>#
# Set runtime for net.ipv4.conf.all.log_martians
#
sysctl -q -n -w net.ipv4.conf.all.log_martians=1

#
# If net.ipv4.conf.all.log_martians present in /etc/sysctl.conf, change value to "1"
#	else, add "net.ipv4.conf.all.log_martians = 1" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.all.log_martians /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.all.log_martians.*/net.ipv4.conf.all.log_martians = 1/g' /etc/sysctl.conf
else
	echo "" &gt;&gt; /etc/sysctl.conf
	echo "# Set net.ipv4.conf.all.log_martians to 1 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.all.log_martians = 1" &gt;&gt; /etc/sysctl.conf
fi
</code>
              </pre>
            </div>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27158928">
            <h3>Result for Disable Kernel Parameter for Accepting Source-Routed Packets By Default</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">set_sysctl_net_ipv4_conf_default_accept_source_route</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To set the runtime status of the <code>net.ipv4.conf.default.accept_source_route</code> kernel parameter, run the following command:
    <pre class="code"><code># sysctl -w net.ipv4.conf.default.accept_source_route=0</code></pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre class="code"><code>net.ipv4.conf.default.accept_source_route = 0</code></pre></p>
            <p>Accepting source-routed packets in the IPv4 protocol has few
legitimate uses. It should be disabled unless it is absolutely required.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26983-7</span>
              </li>
            </ul>
            <div class="xccdf-fix">
              <h4 class="short">Remediation script</h4>
              <pre class="code">
                <code>#
# Set runtime for net.ipv4.conf.default.accept_source_route
#
sysctl -q -n -w net.ipv4.conf.default.accept_source_route=0

#
# If net.ipv4.conf.default.accept_source_route present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.conf.default.accept_source_route = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.default.accept_source_route /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.default.accept_source_route.*/net.ipv4.conf.default.accept_source_route = 0/g' /etc/sysctl.conf
else
	echo "" &gt;&gt; /etc/sysctl.conf
	echo "# Set net.ipv4.conf.default.accept_source_route to 0 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.default.accept_source_route = 0" &gt;&gt; /etc/sysctl.conf
fi
</code>
              </pre>
            </div>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27166192">
            <h3>Result for Disable Kernel Parameter for Accepting ICMP Redirects By Default</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">set_sysctl_net_ipv4_conf_default_accept_redirects</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
    To set the runtime status of the <code>net.ipv4.conf.default.accept_redirects</code> kernel parameter, run the following command:
    <pre class="code"><code># sysctl -w net.ipv4.conf.default.accept_redirects=0</code></pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre class="code"><code>net.ipv4.conf.default.accept_redirects = 0</code></pre></p>
            <p>This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27015-7</span>
              </li>
            </ul>
            <div class="xccdf-fix">
              <h4 class="short">Remediation script</h4>
              <pre class="code">
                <code>#
# Set runtime for net.ipv4.conf.default.accept_redirects
#
sysctl -q -n -w net.ipv4.conf.default.accept_redirects=0

#
# If net.ipv4.conf.default.accept_redirects present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.conf.default.accept_redirects = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.default.accept_redirects /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.default.accept_redirects.*/net.ipv4.conf.default.accept_redirects = 0/g' /etc/sysctl.conf
else
	echo "" &gt;&gt; /etc/sysctl.conf
	echo "# Set net.ipv4.conf.default.accept_redirects to 0 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.default.accept_redirects = 0" &gt;&gt; /etc/sysctl.conf
fi
</code>
              </pre>
            </div>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27172576">
            <h3>Result for Disable Kernel Parameter for Accepting Secure Redirects By Default</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">set_sysctl_net_ipv4_conf_default_secure_redirects</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To set the runtime status of the <code>net.ipv4.conf.default.secure_redirects</code> kernel parameter, run the following command:
    <pre class="code"><code># sysctl -w net.ipv4.conf.default.secure_redirects=0</code></pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre class="code"><code>net.ipv4.conf.default.secure_redirects = 0</code></pre></p>
            <p>Accepting "secure" ICMP redirects (from those gateways listed as
default gateways) has few legitimate uses. It should be disabled unless it is
absolutely required.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26831-8</span>
              </li>
            </ul>
            <div class="xccdf-fix">
              <h4 class="short">Remediation script</h4>
              <pre class="code">
                <code>#
# Set runtime for net.ipv4.conf.default.secure_redirects
#
sysctl -q -n -w net.ipv4.conf.default.secure_redirects=0

#
# If net.ipv4.conf.default.secure_redirects present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.conf.default.secure_redirects = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.default.secure_redirects /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.default.secure_redirects.*/net.ipv4.conf.default.secure_redirects = 0/g' /etc/sysctl.conf
else
	echo "" &gt;&gt; /etc/sysctl.conf
	echo "# Set net.ipv4.conf.default.secure_redirects to 0 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.default.secure_redirects = 0" &gt;&gt; /etc/sysctl.conf
fi
</code>
              </pre>
            </div>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27179936">
            <h3>Result for Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">set_sysctl_net_ipv4_icmp_echo_ignore_broadcasts</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
    To set the runtime status of the <code>net.ipv4.icmp_echo_ignore_broadcasts</code> kernel parameter, run the following command:
    <pre class="code"><code># sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1</code></pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre class="code"><code>net.ipv4.icmp_echo_ignore_broadcasts = 1</code></pre></p>
            <p>Ignoring ICMP echo requests (pings) sent to broadcast or multicast
addresses makes the system slightly more difficult to enumerate on the network.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26883-9</span>
              </li>
            </ul>
            <div class="xccdf-fix">
              <h4 class="short">Remediation script</h4>
              <pre class="code">
                <code>#
# Set runtime for net.ipv4.icmp_echo_ignore_broadcasts
#
sysctl -q -n -w net.ipv4.icmp_echo_ignore_broadcasts=1

#
# If net.ipv4.icmp_echo_ignore_broadcasts present in /etc/sysctl.conf, change value to "1"
#	else, add "net.ipv4.icmp_echo_ignore_broadcasts = 1" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.icmp_echo_ignore_broadcasts.*/net.ipv4.icmp_echo_ignore_broadcasts = 1/g' /etc/sysctl.conf
else
	echo "" &gt;&gt; /etc/sysctl.conf
	echo "# Set net.ipv4.icmp_echo_ignore_broadcasts to 1 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" &gt;&gt; /etc/sysctl.conf
fi
</code>
              </pre>
            </div>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27187152">
            <h3>Result for Enable Kernel Parameter to Ignore Bogus ICMP Error Responses</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">set_sysctl_net_ipv4_icmp_ignore_bogus_error_responses</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
    To set the runtime status of the <code>net.ipv4.icmp_ignore_bogus_error_responses</code> kernel parameter, run the following command:
    <pre class="code"><code># sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1</code></pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre class="code"><code>net.ipv4.icmp_ignore_bogus_error_responses = 1</code></pre></p>
            <p>Ignoring bogus ICMP error responses reduces
log size, although some activity would not be logged.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26993-6</span>
              </li>
            </ul>
            <div class="xccdf-fix">
              <h4 class="short">Remediation script</h4>
              <pre class="code">
                <code>#
# Set runtime for net.ipv4.icmp_ignore_bogus_error_responses
#
sysctl -q -n -w net.ipv4.icmp_ignore_bogus_error_responses=1

#
# If net.ipv4.icmp_ignore_bogus_error_responses present in /etc/sysctl.conf, change value to "1"
#	else, add "net.ipv4.icmp_ignore_bogus_error_responses = 1" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.icmp_ignore_bogus_error_responses /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.icmp_ignore_bogus_error_responses.*/net.ipv4.icmp_ignore_bogus_error_responses = 1/g' /etc/sysctl.conf
else
	echo "" &gt;&gt; /etc/sysctl.conf
	echo "# Set net.ipv4.icmp_ignore_bogus_error_responses to 1 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" &gt;&gt; /etc/sysctl.conf
fi
</code>
              </pre>
            </div>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27194560">
            <h3>Result for Enable Kernel Parameter to Use TCP Syncookies</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">set_sysctl_net_ipv4_tcp_syncookies</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To set the runtime status of the <code>net.ipv4.tcp_syncookies</code> kernel parameter, run the following command:
    <pre class="code"><code># sysctl -w net.ipv4.tcp_syncookies=1</code></pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre class="code"><code>net.ipv4.tcp_syncookies = 1</code></pre></p>
            <p> A TCP SYN flood attack can cause a denial of service by filling a
system's TCP connection table with connections in the SYN_RCVD state.
Syncookies can be used to track a connection when a subsequent ACK is received,
verifying the initiator is attempting a valid connection and is not a flood
source. This feature is activated when a flood condition is detected, and
enables the system to continue servicing valid connection requests.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27053-8</span>
              </li>
            </ul>
            <div class="xccdf-fix">
              <h4 class="short">Remediation script</h4>
              <pre class="code">
                <code>#
# Set runtime for net.ipv4.tcp_syncookies
#
sysctl -q -n -w net.ipv4.tcp_syncookies=1

#
# If net.ipv4.tcp_syncookies present in /etc/sysctl.conf, change value to "1"
#	else, add "net.ipv4.tcp_syncookies = 1" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.tcp_syncookies /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.tcp_syncookies.*/net.ipv4.tcp_syncookies = 1/g' /etc/sysctl.conf
else
	echo "" &gt;&gt; /etc/sysctl.conf
	echo "# Set net.ipv4.tcp_syncookies to 1 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.tcp_syncookies = 1" &gt;&gt; /etc/sysctl.conf
fi
</code>
              </pre>
            </div>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27201584">
            <h3>Result for Enable Kernel Parameter to Use Reverse Path Filtering for All Interfaces</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">set_sysctl_net_ipv4_conf_all_rp_filter</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To set the runtime status of the <code>net.ipv4.conf.all.rp_filter</code> kernel parameter, run the following command:
    <pre class="code"><code># sysctl -w net.ipv4.conf.all.rp_filter=1</code></pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre class="code"><code>net.ipv4.conf.all.rp_filter = 1</code></pre></p>
            <p>Enabling reverse path filtering drops packets with source addresses
that should not have been able to be received on the interface they were
received on. It should not be used on systems which are routers for
complicated networks, but is helpful for end hosts and routers serving small
networks.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26979-5</span>
              </li>
            </ul>
            <div class="xccdf-fix">
              <h4 class="short">Remediation script</h4>
              <pre class="code">
                <code>#
# Set runtime for net.ipv4.conf.all.rp_filter
#
sysctl -q -n -w net.ipv4.conf.all.rp_filter=1

#
# If net.ipv4.conf.all.rp_filter present in /etc/sysctl.conf, change value to "1"
#	else, add "net.ipv4.conf.all.rp_filter = 1" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.all.rp_filter /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.all.rp_filter.*/net.ipv4.conf.all.rp_filter = 1/g' /etc/sysctl.conf
else
	echo "" &gt;&gt; /etc/sysctl.conf
	echo "# Set net.ipv4.conf.all.rp_filter to 1 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.all.rp_filter = 1" &gt;&gt; /etc/sysctl.conf
fi
</code>
              </pre>
            </div>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27074448">
            <h3>Result for Enable Kernel Parameter to Use Reverse Path Filtering by Default</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">set_sysctl_net_ipv4_conf_default_rp_filter</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To set the runtime status of the <code>net.ipv4.conf.default.rp_filter</code> kernel parameter, run the following command:
    <pre class="code"><code># sysctl -w net.ipv4.conf.default.rp_filter=1</code></pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre class="code"><code>net.ipv4.conf.default.rp_filter = 1</code></pre></p>
            <p>Enabling reverse path filtering drops packets with source addresses
that should not have been able to be received on the interface they were
received on. It should not be used on systems which are routers for
complicated networks, but is helpful for end hosts and routers serving small
networks.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26915-9</span>
              </li>
            </ul>
            <div class="xccdf-fix">
              <h4 class="short">Remediation script</h4>
              <pre class="code">
                <code>#
# Set runtime for net.ipv4.conf.default.rp_filter
#
sysctl -q -n -w net.ipv4.conf.default.rp_filter=1

#
# If net.ipv4.conf.default.rp_filter present in /etc/sysctl.conf, change value to "1"
#	else, add "net.ipv4.conf.default.rp_filter = 1" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.default.rp_filter /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.default.rp_filter.*/net.ipv4.conf.default.rp_filter = 1/g' /etc/sysctl.conf
else
	echo "" &gt;&gt; /etc/sysctl.conf
	echo "# Set net.ipv4.conf.default.rp_filter to 1 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.default.rp_filter = 1" &gt;&gt; /etc/sysctl.conf
fi
</code>
              </pre>
            </div>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27091984">
            <h3>Result for Disable Bluetooth Service</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">service_bluetooth_disabled</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    The <code>bluetooth</code> service can be disabled with the following command:
    <pre class="code"><code># chkconfig bluetooth off</code></pre><pre class="code"><code># service bluetooth stop</code></pre></p>
            <p>Disabling the <code>bluetooth</code> service prevents the system from attempting connections to Bluetooth devices, which entails some security risk.
Nevertheless, variation in this risk decision may be expected due to the
utility of Bluetooth connectivity and its limited range.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27081-9</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27209824">
            <h3>Result for Disable Bluetooth Kernel Modules</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">kernel_module_bluetooth_disabled</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>The kernel's module loading system can be configured to prevent
loading of the Bluetooth module. Add the following to
the appropriate <code>/etc/modprobe.d</code> configuration file
to prevent the loading of the Bluetooth module:
<pre class="code"><code>install net-pf-31 /bin/false
install bluetooth /bin/false</code></pre></p>
            <p>If Bluetooth functionality must be disabled, preventing the kernel
from loading the kernel module provides an additional safeguard against its
activation.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26763-3</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27213888">
            <h3>Result for Disable IPv6 Networking Support Automatic Loading</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">disable_ipv6_module_loading</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>To prevent the IPv6 kernel module (<code>ipv6</code>) from loading the
IPv6 networking stack, add the following line to
<code>/etc/modprobe.d/disabled.conf</code> (or another file in
<code>/etc/modprobe.d</code>):
<pre class="code"><code>options ipv6 disable=1</code></pre>
This permits the IPv6 module to be loaded (and thus satisfy other modules that
depend on it), while disabling support for the IPv6 protocol.
</p>
            <p>
Any unnecessary network stacks - including IPv6 - should be disabled, to reduce
the vulnerability to exploitation.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27153-6</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27223104">
            <h3>Result for Disable Accepting IPv6 Redirects</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">set_sysctl_ipv6_default_accept_redirects</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    To set the runtime status of the <code>net.ipv6.conf.default.accept_redirects</code> kernel parameter, run the following command:
    <pre class="code"><code># sysctl -w net.ipv6.conf.default.accept_redirects=0</code></pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre class="code"><code>net.ipv6.conf.default.accept_redirects = 0</code></pre></p>
            <p>
An illicit ICMP redirect message could result in a man-in-the-middle attack.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27166-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27236768">
            <h3>Result for Verify ip6tables Enabled if Using IPv6</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">enable_ip6tables</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    The <code>ip6tables</code> service can be enabled with the following command:
    <pre class="code"><code># chkconfig --level 2345 ip6tables on</code></pre></p>
            <p>The <code>ip6tables</code> service provides the system's host-based firewalling capability for IPv6 and ICMPv6.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27006-6</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27244352">
            <h3>Result for Verify iptables Enabled</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">enable_iptables</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
    The <code>iptables</code> service can be enabled with the following command:
    <pre class="code"><code># chkconfig --level 2345 iptables on</code></pre></p>
            <p>
The <code>iptables</code> service provides the system's host-based firewalling
capability for IPv4 and ICMP.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27018-1</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27248992">
            <h3>Result for Set Default iptables Policy for Incoming Packets</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">set_iptables_default_rule</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets,
add or correct the following line in
<code>/etc/sysconfig/iptables</code>:
<pre class="code"><code>:INPUT DROP [0:0]</code></pre></p>
            <p>In <code>iptables</code> the default policy is applied only after all
the applicable rules in the table are examined for a match. Setting the
default policy to <code>DROP</code> implements proper design for a firewall, i.e.
any packets which are not explicitly permitted should not be
accepted.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26444-0</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27253648">
            <h3>Result for Set Default iptables Policy for Forwarded Packets</h3>
            <p class="result-notchecked">Result: <strong class="strong">notchecked</strong></p>
            <p>Rule ID: <strong class="strong">set_iptables_default_rule_forward</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interface to another,
add or correct the following line in
<code>/etc/sysconfig/iptables</code>:
<pre class="code"><code>:FORWARD DROP [0:0]</code></pre></p>
            <p>In <code>iptables</code> the default policy is applied only after all
the applicable rules in the table are examined for a match. Setting the
default policy to <code>DROP</code> implements proper design for a firewall, i.e.
any packets which are not explicitly permitted should not be
accepted.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27186-6</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27257408">
            <h3>Result for Disable DCCP Support</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">disable_protocol_dccp</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
The Datagram Congestion Control Protocol (DCCP) is a
relatively new transport layer protocol, designed to support
streaming media and telephony.

To configure the system to prevent the <code>dccp</code>
kernel module from being loaded, add the following line to a file in the directory <code>/etc/modprobe.d</code>:
<pre class="code"><code>install dccp /bin/false</code></pre></p>
            <p>
Disabling DCCP protects
the system against exploitation of any flaws in its implementation.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26448-1</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27262048">
            <h3>Result for Disable SCTP Support</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">disable_protocol_sctp</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
The Stream Control Transmission Protocol (SCTP) is a
transport layer protocol, designed to support the idea of
message-oriented communication, with several streams of messages
within one connection.

To configure the system to prevent the <code>sctp</code>
kernel module from being loaded, add the following line to a file in the directory <code>/etc/modprobe.d</code>:
<pre class="code"><code>install sctp /bin/false</code></pre></p>
            <p>
Disabling SCTP protects
the system against exploitation of any flaws in its implementation.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26410-1</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27266688">
            <h3>Result for Disable RDS Support</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">disable_protocol_rds</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
The Reliable Datagram Sockets (RDS) protocol is a transport
layer protocol designed to provide reliable high-bandwidth,
low-latency communications between nodes in a cluster.

To configure the system to prevent the <code>rds</code>
kernel module from being loaded, add the following line to a file in the directory <code>/etc/modprobe.d</code>:
<pre class="code"><code>install rds /bin/false</code></pre></p>
            <p>
Disabling RDS protects
the system against exploitation of any flaws in its implementation.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26239-4</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27271328">
            <h3>Result for Disable TIPC Support</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">disable_protocol_tipc</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
The Transparent Inter-Process Communication (TIPC) protocol
is designed to provide communications between nodes in a
cluster.

To configure the system to prevent the <code>tipc</code>
kernel module from being loaded, add the following line to a file in the directory
<code>/etc/modprobe.d</code>: <pre class="code"><code>install tipc /bin/false</code></pre></p>  <p>
Disabling TIPC protects
the system against exploitation of any flaws in its implementation.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26696-5</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27275968">
            <h3>Result for Install openswan Package</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">install_openswan</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The Openswan package provides an implementation
of IPsec and IKE, which permits the creation of secure tunnels over
untrusted networks. 
    The <code>openswan</code> package can be installed with the following command:
    <pre class="code"><code># yum install openswan</code></pre></p>
            <p>Providing the ability for remote users or systems
to initiate a secure VPN connection protects information when it is
transmitted over a wide area network.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27626-1</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27280608">
            <h3>Result for Ensure rsyslog is Installed</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">package_rsyslog_installed</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>
Rsyslog is installed by default. 

    The <code>rsyslog</code> package can be installed with the following command:
    <pre class="code"><code># yum install rsyslog</code></pre></p>
            <p>
The rsyslog package provides the rsyslog daemon, which provides
system logging services.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26809-4</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27285264">
            <h3>Result for Enable rsyslog Service</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">service_rsyslog_enabled</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>The <code>rsyslog</code> service provides syslog-style logging by
default on RHEL 6.

    The <code>rsyslog</code> service can be enabled with the following command:
    <pre class="code"><code># chkconfig --level 2345 rsyslog on</code></pre></p>
            <p>The <code>rsyslog</code> service must be running in order to provide
logging services, which are essential to system administration.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26807-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27289920">
            <h3>Result for Ensure Log Files Are Owned By Appropriate User</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">userowner_rsyslog_files</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>The owner of all log files written by
<code>rsyslog</code> should be root.
These log files are determined by the second part of each Rule line in
<code>/etc/rsyslog.conf</code> and typically all appear in <code>/var/log</code>. 
For each log file <em>LOGFILE</em> referenced in <code>/etc/rsyslog.conf</code>,
run the following command to inspect the file's owner:
<pre class="code"><code>$ ls -l <em>LOGFILE</em></code></pre>
If the owner is not <code>root</code>, run the following command to
correct this:
<pre class="code"><code># chown root <em>LOGFILE</em></code></pre></p>
            <p>The log files generated by rsyslog contain valuable information
regarding system configuration, user authentication, and other such information. Log
files should be protected from unauthorized access.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26812-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27294576">
            <h3>Result for Ensure Log Files Are Owned By Appropriate Group</h3>
            <p class="result-unknown">Result: <strong class="strong">unknown</strong></p>
            <p>Rule ID: <strong class="strong">groupowner_rsyslog_files</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>The group-owner of all log files written by
<code>rsyslog</code> should be root.
These log files are determined by the second part of each Rule line in
<code>/etc/rsyslog.conf</code> and typically all appear in <code>/var/log</code>. 
For each log file <em>LOGFILE</em> referenced in <code>/etc/rsyslog.conf</code>,
run the following command to inspect the file's group owner:
<pre class="code"><code>$ ls -l <em>LOGFILE</em></code></pre>
If the group owner is not <code>root</code>, run the following command to
correct this:
<pre class="code"><code># chgrp root <em>LOGFILE</em></code></pre></p>
            <p>The log files generated by rsyslog contain valuable information
regarding system configuration, user authentication, and other such information. Log
files should be protected from unauthorized access.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26821-9</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27299232">
            <h3>Result for Ensure System Log Files Have Correct Permissions</h3>
            <p class="result-unknown">Result: <strong class="strong">unknown</strong></p>
            <p>Rule ID: <strong class="strong">rsyslog_file_permissions</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>The file permissions for all log files written
by <code>rsyslog</code> should be set to 600, or more restrictive.
These log files are determined by the second part of each Rule line in
<code>/etc/rsyslog.conf</code> and typically all appear in <code>/var/log</code>. 
For each log file <em>LOGFILE</em> referenced in <code>/etc/rsyslog.conf</code>,
run the following command to inspect the file's permissions:
<pre class="code"><code>$ ls -l <em>LOGFILE</em></code></pre>
If the permissions are not 600 or more restrictive,
run the following command to correct this:
<pre class="code"><code># chmod 0600 <em>LOGFILE</em></code></pre></p>
            <p>Log files can contain valuable information regarding system
configuration. If the system log files are not protected, unauthorized
users could change the logged data, eliminating their forensic value.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27190-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27303888">
            <h3>Result for Ensure Logs Sent To Remote Host</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">rsyslog_send_messages_to_logserver</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
To configure rsyslog to send logs to a remote log server,
open <code>/etc/rsyslog.conf</code> and read and understand the last section of the
file, which describes the multiple directives necessary to activate remote
logging.
Along with these other directives, the system can be configured
to forward its logs to a particular log server by
adding or correcting one of the following lines,
substituting <code><em>loghost.example.com</em></code> appropriately.
The choice of protocol depends on the environment of the system; 
although TCP and RELP provide more reliable message delivery, 
they may not be supported in all environments.
<br />
To use UDP for log message delivery:
<pre class="code"><code>*.* @<em>loghost.example.com</em></code></pre><br />
To use TCP for log message delivery:
<pre class="code"><code>*.* @@<em>loghost.example.com</em></code></pre><br />
To use RELP for log message delivery:
<pre class="code"><code>*.* :omrelp:<em>loghost.example.com</em></code></pre></p>
            <p>A log server (loghost) receives syslog messages from one or more
systems. This data can be used as an additional log source in the event a
system is compromised and its local logs are suspect. Forwarding log messages
to a remote loghost also provides system administrators with a centralized
place to view the status of multiple hosts within the enterprise.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26801-1</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27317376">
            <h3>Result for Ensure Logrotate Runs Periodically</h3>
            <p class="result-unknown">Result: <strong class="strong">unknown</strong></p>
            <p>Rule ID: <strong class="strong">ensure_logrotate_activated</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>The <code>logrotate</code> service should be
enabled.</p>
            <p>Log files that are not properly rotated run the risk of growing so
large that they fill up the /var/log partition. Valuable logging information could be
lost if the /var/log partition becomes full.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27014-0</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27330080">
            <h3>Result for Enable auditd Service</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">enable_auditd_service</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>The <code>auditd</code> service is an essential userspace component of
the Linux Auditing System, as it is responsible for writing audit records to
disk.

    The <code>auditd</code> service can be enabled with the following command:
    <pre class="code"><code># chkconfig --level 2345 auditd on</code></pre></p>
            <p>Ensuring the <code>auditd</code> service is active ensures 
audit records generated by the kernel can be written to disk, or that appropriate
actions will be taken if other obstacles exist.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27058-7</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27334720">
            <h3>Result for Enable Auditing for Processes Which Start Prior to the Audit Daemon</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">enable_auditd_bootloader</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>To ensure all processes can be audited, even
those which start prior to the audit daemon, add the argument
<code>audit=1</code> to the kernel line in <code>/etc/grub.conf</code>, in the manner
below: <pre class="code"><code>kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1</code></pre></p>  <p>
Each process on the system carries an "auditable" flag which
indicates whether its activities can be audited. Although <code>auditd</code>
takes care of enabling this for all processes which launch after it
does, adding the kernel argument ensures it is set for every
process during boot.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26785-6</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27339376">
            <h3>Result for Configure auditd Number of Logs Retained</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">configure_auditd_num_logs</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>Determine how many log files
<code>auditd</code> should retain when it rotates logs.
Edit the file <code>/etc/audit/auditd.conf</code>. Add or modify the following
line, substituting <em>NUMLOGS</em> with the correct value:
<pre class="code"><code>num_logs = <em>NUMLOGS</em></code></pre>
Set the value to 5 for general-purpose systems. 
Note that values less than 2 result in no log rotation.</p>
            <p>The total storage for audit log files must be large enough to retain
log information over the period required. This is a function of the maximum log
file size and the number of logs retained.</p>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27343936">
            <h3>Result for Configure auditd Max Log File Size</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">configure_auditd_max_log_file</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>Determine the amount of audit data (in
megabytes) which should be retained in each log file. Edit the file
<code>/etc/audit/auditd.conf</code>. Add or modify the following line, substituting
the correct value for <em>STOREMB</em>:
<pre class="code"><code>max_log_file = <em>STOREMB</em></code></pre>
Set the value to <code>6</code> (MB) or higher for general-purpose systems.
Larger values, of course,
support retention of even more audit data.</p>
            <p>The total storage for audit log files must be large enough to retain
log information over the period required. This is a function of the maximum
log file size and the number of logs retained.</p>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27348768">
            <h3>Result for Configure auditd max_log_file_action Upon Reaching Maximum Log Size</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">configure_auditd_max_log_file_action</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p> The default action to take when the logs reach their maximum size
is to rotate the log files, discarding the oldest one. To configure the action taken
by <code>auditd</code>, add or correct the line in
<code>/etc/audit/auditd.conf</code>: <pre class="code"><code>max_log_file_action = <em>ACTION</em></code></pre> Possible values for <em>ACTION</em> are described in the
<code>auditd.conf</code> man page. These include:
</p>
            <ul class="itemizedlist">
              <li>
                <p>
                  <code>ignore</code>
                </p>
              </li>
              <li>
                <p>
                  <code>syslog</code>
                </p>
              </li>
              <li>
                <p>
                  <code>suspend</code>
                </p>
              </li>
              <li>
                <p>
                  <code>rotate</code>
                </p>
              </li>
              <li>
                <p>
                  <code>keep_logs</code>
                </p>
              </li>
            </ul>
            <p>
Set the <code><em>ACTION</em></code> to <code>rotate</code> to ensure log rotation
occurs.  This is the default.  The setting is case-insensitive.
</p>
            <p>Automatically rotating logs (by setting this to <code>rotate</code>)
minimizes the chances of the system unexpectedly running out of disk space by
being overwhelmed with log data. However, for systems that must never discard
log data, or which use external processes to transfer it and reclaim space,
<code>keep_logs</code> can be employed.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27237-7</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27354336">
            <h3>Result for Configure auditd space_left Action on Low Disk Space</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">configure_auditd_space_left_action</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>The <code>auditd</code> service can be configured to take an action
when disk space <em>starts</em> to run low. 
Edit the file <code>/etc/audit/auditd.conf</code>. Modify the following line,
substituting <em>ACTION</em> appropriately:
<pre class="code"><code>space_left_action = <em>ACTION</em></code></pre>
Possible values for <em>ACTION</em> are described in the <code>auditd.conf</code> man
page. These include:
</p>
            <ul class="itemizedlist">
              <li>
                <p>
                  <code>ignore</code>
                </p>
              </li>
              <li>
                <p>
                  <code>syslog</code>
                </p>
              </li>
              <li>
                <p>
                  <code>email</code>
                </p>
              </li>
              <li>
                <p>
                  <code>exec</code>
                </p>
              </li>
              <li>
                <p>
                  <code>suspend</code>
                </p>
              </li>
              <li>
                <p>
                  <code>single</code>
                </p>
              </li>
              <li>
                <p>
                  <code>halt</code>
                </p>
              </li>
            </ul>
            <p>
Set this to <code>email</code> (instead of the default,
which is <code>suspend</code>) as it is more likely to get prompt attention.
Acceptable values also include <code>suspend</code>, <code>single</code>, and
<code>halt</code>. </p>
            <p>Notifying administrators of an impending disk space problem may
allow them to take corrective action prior to any disruption.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27238-5</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27359904">
            <h3>Result for Configure auditd admin_space_left Action on Low Disk Space</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">configure_auditd_admin_space_left_action</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>The <code>auditd</code> service can be configured to take an action
when disk space is running low but prior to running out of space completely. 
Edit the file <code>/etc/audit/auditd.conf</code>. Add or modify the following line,
substituting <em>ACTION</em> appropriately:
<pre class="code"><code>admin_space_left_action = <em>ACTION</em></code></pre>
Possible values for <em>ACTION</em> are described in the <code>auditd.conf</code> man
page. These include:
</p>
            <ul class="itemizedlist">
              <li>
                <p>
                  <code>ignore</code>
                </p>
              </li>
              <li>
                <p>
                  <code>syslog</code>
                </p>
              </li>
              <li>
                <p>
                  <code>email</code>
                </p>
              </li>
              <li>
                <p>
                  <code>exec</code>
                </p>
              </li>
              <li>
                <p>
                  <code>suspend</code>
                </p>
              </li>
              <li>
                <p>
                  <code>single</code>
                </p>
              </li>
              <li>
                <p>
                  <code>halt</code>
                </p>
              </li>
            </ul>
            <p>
Set this value to <code>single</code> to cause the system to switch to single user
mode for corrective action. Acceptable values also include <code>suspend</code> and
<code>halt</code>. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined.
</p>
            <p>Administrators should be made aware of an inability to record
audit records. If a separate partition or logical volume of adequate size
is used, running low on space for audit records should never occur.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27239-3</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27365488">
            <h3>Result for Configure auditd mail_acct Action on Low Disk Space</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">configure_auditd_action_mail_acct</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">medium</strong></p>
            <p>The <code>auditd</code> service can be configured to send email to
a designated account in certain situations. Add or correct the following line
in <code>/etc/audit/auditd.conf</code> to ensure that administrators are notified
via email for those situations:
<pre class="code"><code>action_mail_acct = root</code></pre></p>
            <p>Email sent to the root account is typically aliased to the
administrators of the system, who can take appropriate action.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27241-9</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27373216">
            <h3>Result for Record attempts to alter time through adjtimex</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">audit_rules_time_adjtimex</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>On a 32-bit system, add the following to
<code>/etc/audit/audit.rules</code>: <pre class="code"><code># audit_time_rules
-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules</code></pre>
On a 64-bit system, add the following to <code>/etc/audit/audit.rules</code>:
<pre class="code"><code># audit_time_rules
-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules</code></pre>
The -k option allows for the specification of a key in string form that can 
be used for better reporting capability through ausearch and aureport.
Multiple system calls can be defined on the same line to save space if
desired, but this is not required. See an example of multiple combined syscalls:
<pre class="code"><code>-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules</code></pre></p>
            <p>Arbitrary changes to the system time can be used to obfuscate 
nefarious activities in log files, as well as to confuse network services that 
are highly dependent upon an accurate system time (such as sshd). All changes 
to the system time should be audited.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26242-8</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27377872">
            <h3>Result for Record attempts to alter time through settimeofday</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">audit_rules_time_settimeofday</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>On a 32-bit system, add the following to
<code>/etc/audit/audit.rules</code>: <pre class="code"><code># audit_time_rules
-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules</code></pre>
On a 64-bit system, add the following to <code>/etc/audit/audit.rules</code>:
<pre class="code"><code># audit_time_rules
-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules</code></pre>
The -k option allows for the specification of a key in string form that can 
be used for better reporting capability through ausearch and aureport.
Multiple system calls can be defined on the same line to save space if
desired, but this is not required. See an example of multiple combined syscalls:
<pre class="code"><code>-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules</code></pre></p>
            <p>Arbitrary changes to the system time can be used to obfuscate 
nefarious activities in log files, as well as to confuse network services that 
are highly dependent upon an accurate system time (such as sshd). All changes 
to the system time should be audited.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27203-9</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27382528">
            <h3>Result for Record Attempts to Alter Time Through stime</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">audit_rules_time_stime</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>On a 32-bit system, add the following to
<code>/etc/audit/audit.rules</code>: <pre class="code"><code># audit_time_rules
-a always,exit -F arch=b32 -S stime -k audit_time_rules</code></pre>
On a 64-bit system, the "-S stime" is not necessary. The -k option allows for
the specification of a key in string form that can be used for better
reporting capability through ausearch and aureport. Multiple system calls
can be defined on the same line to save space if desired, but this is not required.
See an example of multiple combined syscalls:
<pre class="code"><code>-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime
-k audit_time_rules</code></pre></p>
            <p>Arbitrary changes to the system time can be used to obfuscate 
nefarious activities in log files, as well as to confuse network services that 
are highly dependent upon an accurate system time (such as sshd). All changes 
to the system time should be audited.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27169-2</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27387168">
            <h3>Result for Record Attempts to Alter Time Through clock_settime</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">audit_rules_time_clock_settime</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>On a 32-bit system, add the following to <code>/etc/audit/audit.rules</code>:
<pre class="code"><code># audit_time_rules
-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules</code></pre>
On a 64-bit system, add the following to <code>/etc/audit/audit.rules</code>:
<pre class="code"><code># audit_time_rules
-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules</code></pre>
The -k option allows for the specification of a key in string form that can
be used for better reporting capability through ausearch and aureport.
Multiple system calls can be defined on the same line to save space if
desired, but this is not required. See an example of multiple combined syscalls:
<pre class="code"><code>-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime
-k audit_time_rules</code></pre></p>
            <p>Arbitrary changes to the system time can be used to obfuscate 
nefarious activities in log files, as well as to confuse network services that 
are highly dependent upon an accurate system time (such as sshd). All changes 
to the system time should be audited.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27170-0</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27391824">
            <h3>Result for Record Attempts to Alter the localtime File</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">audit_rules_time_watch_localtime</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>Add the following to <code>/etc/audit/audit.rules</code>:
<pre class="code"><code>-w /etc/localtime -p wa -k audit_time_rules</code></pre>
The -k option allows for the specification of a key in string form that can
be used for better reporting capability through ausearch and aureport and
should always be used.
</p>
            <p>Arbitrary changes to the system time can be used to obfuscate 
nefarious activities in log files, as well as to confuse network services that 
are highly dependent upon an accurate system time (such as sshd). All changes 
to the system time should be audited.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27172-6</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27396480">
            <h3>Result for Record Events that Modify User/Group Information</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">audit_account_changes</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>Add the following to <code>/etc/audit/audit.rules</code>, in order
to capture events that modify account changes:
<pre class="code"><code># audit_account_changes
-w /etc/group -p wa -k audit_account_changes
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/shadow -p wa -k audit_account_changes
-w /etc/security/opasswd -p wa -k audit_account_changes</code></pre></p>
            <p>In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any
unexpected users, groups, or modifications should be investigated for
legitimacy.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26664-3</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27401120">
            <h3>Result for Record Events that Modify the System's Network Environment</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">audit_network_modifications</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>Add the following to <code>/etc/audit/audit.rules</code>, setting
ARCH to either b32 or b64 as appropriate for your system:
<pre class="code"><code># audit_network_modifications
-a exit,always -F arch=ARCH -S sethostname -S setdomainname -k audit_network_modifications
-w /etc/issue -p wa -k audit_network_modifications
-w /etc/issue.net -p wa -k audit_network_modifications
-w /etc/hosts -p wa -k audit_network_modifications
-w /etc/sysconfig/network -p wa -k audit_network_modifications</code></pre></p>
            <p>The network environment should not be modified by anything other
than administrator action. Any change to network parameters should be
audited.</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-26648-6</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27405776">
            <h3>Result for System Audit Logs Must Have Mode 0640 or Less Permissive</h3>
            <p class="result-pass">Result: <strong class="strong">pass</strong></p>
            <p>Rule ID: <strong class="strong">audit_logs_permissions</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>
Change the mode of the audit log files with the following command:
<pre class="code"><code># chmod 0640 <em>audit_file</em></code></pre></p>
            <p>
If users can write to audit logs, audit trails can be modified or destroyed.
</p>
            <h4>Security identifiers</h4>
            <ul class="itemizedlist">
              <li>
                <span>CCE-27243-5</span>
              </li>
            </ul>
            <p class="link">
              <a href="#results-overview">results overview</a>
            </p>
          </div>
          <div class="result-detail" id="ruleresult-idp27413344">
            <h3>Result for Record Events that Modify the System's Mandatory Access Controls</h3>
            <p class="result-fail">Result: <strong class="strong">fail</strong></p>
            <p>Rule ID: <strong class="strong">audit_mac_changes</strong></p>
            <p>Time: <strong class="strong"><abbr title="2013-09-27T19:03:44" class="date">2013-09-27 19:03</abbr></strong></p>
            <p>Severity: <strong class="strong">low</strong></p>
            <p>Add the following to <code>/etc/audit/audit.rules</code>:
<pre class="code"><code>-w /etc/selinux/ -p wa -k MAC-policy</code></pre></p>
            <p>The system's mand