Red Hat Enterprise Linux 6 Security Technical Implementation Guide

  • Version/Release: V2R2
  • Published: 2020-12-04

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
a
The system must use a separate file system for /tmp.
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000001
Vuln IDs
V-217846
Rule IDs
SV-217846r603264_rule
The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.
Fix: F-19325r376554_fix

The "/tmp" directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.

a
The system must use a separate file system for /var.
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000002
Vuln IDs
V-217847
Rule IDs
SV-217847r603264_rule
Ensuring that "/var" is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the "/var" directory to contain world-writable directories, installed by other software packages.
Fix: F-19326r376557_fix

The "/var" directory is used by daemons and other system services to store frequently-changing data. Ensure that "/var" has its own partition or logical volume at installation time, or migrate it using LVM.

a
The system must use a separate file system for /var/log.
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000003
Vuln IDs
V-217848
Rule IDs
SV-217848r603264_rule
Placing "/var/log" in its own partition enables better separation between log files and other files in "/var/".
Fix: F-19327r376560_fix

System logs are stored in the "/var/log" directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM.

a
The system must use a separate file system for the system audit data path.
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000004
Vuln IDs
V-217849
Rule IDs
SV-217849r603264_rule
Placing "/var/log/audit" in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.
Fix: F-19328r376563_fix

Audit logs are stored in the "/var/log/audit" directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.

b
The audit system must alert designated staff members when the audit storage volume approaches capacity.
RMF Control
AU-5
Severity
Medium
CCI
CCI-001855
Version
RHEL-06-000005
Vuln IDs
V-217850
Rule IDs
SV-217850r603264_rule
Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.
Fix: F-19329r376566_fix

The "auditd" service can be configured to take an action when disk space starts to run low. Edit the file "/etc/audit/auditd.conf" and modify the following line, substituting [ACTION] appropriately:

space_left_action = [ACTION]

Possible values for [ACTION] are described in the "auditd.conf" man page. These include "ignore", "syslog", "email", "exec", "suspend", "single" and "halt". Set this to "email" (instead of the default, which is "suspend") as it is more likely to get prompt attention. The "syslog" option is acceptable, provided the local log management infrastructure notifies an appropriate administrator in a timely manner. RHEL-06-000521 ensures that the email generated through the operation "space_left_action" will be sent to an administrator.
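As an added example (not part of the STIG text), the following POSIX shell script reads an auditd.conf in the format the fix describes and reports whether the low-space action will actually reach someone. The configuration text is a constructed sample; on a real host pass "$(cat /etc/audit/auditd.conf)" instead. Checking "action_mail_acct" alongside "space_left_action" is this example's own assumption, since the rule text delegates the recipient to RHEL-06-000521.

```shell
# Added example: check the low-disk-space action in an auditd.conf text.
# SAMPLE_AUDITD_CONF is a constructed excerpt; on a real host use
# CONF=$(cat /etc/audit/auditd.conf).
SAMPLE_AUDITD_CONF='# constructed sample
log_file = /var/log/audit/audit.log
max_log_file = 6
max_log_file_action = ROTATE
space_left = 75
space_left_action = SUSPEND
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND'

# The remediation the rule asks for, applied with sed to the sample text
# (on a real host: sed -i on /etc/audit/auditd.conf, then restart auditd).
FIXED_AUDITD_CONF=$(printf '%s\n' "$SAMPLE_AUDITD_CONF" | sed 's/^space_left_action = .*/space_left_action = email/')

# auditd_value CONF KEY -> value of KEY, lower-cased, comment lines ignored.
auditd_value() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '
        /^[ \t]*#/ { next }
        { gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2) }
        $1 == k { print tolower($2); exit }'
}

# space_left_findings CONF -> one line per problem with the low-space handling.
# "email" is what the rule asks for; "syslog" passes only if the log pipeline
# notifies an administrator. The recipient comes from action_mail_acct (the
# setting RHEL-06-000521 covers); it is checked here too, because "email" to
# an unread mailbox alerts no one (an assumption of this example).
space_left_findings() {
    a=$(auditd_value "$1" space_left_action)
    case $a in
        email) ;;
        syslog) printf 'space_left_action=syslog: confirm the log pipeline pages an administrator\n' ;;
        *) printf 'space_left_action=%s: set it to email\n' "${a:-unset}" ;;
    esac
    if [ "$a" = email ] && [ -z "$(auditd_value "$1" action_mail_acct)" ]; then
        printf 'action_mail_acct is unset, so no one receives the email\n'
    fi
}

space_left_findings "$SAMPLE_AUDITD_CONF"
space_left_findings "$FIXED_AUDITD_CONF"
```

The sample reports "space_left_action=suspend: set it to email" and nothing for the corrected text. Remember that auditd reads this file only at start, so the change takes effect after "service auditd restart".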

a
The system must use a separate file system for user home directories.
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000007
Vuln IDs
V-217851
Rule IDs
SV-217851r603264_rule
Ensuring that "/home" is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.
Fix: F-19330r376569_fix

If user home directories will be stored locally, create a separate partition for "/home" at installation time (or migrate it later using LVM). If "/home" will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.
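As an added example (not part of the STIG text), the following POSIX shell script tests whether each path required by RHEL-06-000001 through -000004 and -000007 is its own mount point, and whether a mount carries one of the restrictive options a separate file system makes possible. It reads a mount table in the format of /proc/mounts; the table below is a constructed sample, so on a real host substitute "$(cat /proc/mounts)".

```shell
# Added example: verify the separate-file-system rules against a mount table.
# SAMPLE_MOUNTS is a constructed /proc/mounts excerpt (device, mount point,
# type, options, dump, pass); on a real host use TABLE=$(cat /proc/mounts).
SAMPLE_MOUNTS='/dev/mapper/vg_root-lv_root / ext4 rw,relatime 0 0
/dev/mapper/vg_root-lv_tmp /tmp ext4 rw,nosuid,nodev,noexec 0 0
/dev/mapper/vg_root-lv_var /var ext4 rw,relatime 0 0
/dev/mapper/vg_root-lv_log /var/log ext4 rw,nosuid,nodev,noexec 0 0
/dev/sda1 /boot ext4 rw 0 0'

# Paths the listed rules require as separate file systems.
REQUIRED_MOUNTS="/tmp /var /var/log /var/log/audit /home"

# is_mount_point TABLE PATH -> success when PATH is a mount point (field 2).
is_mount_point() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# mount_options TABLE PATH -> the option string of PATH (field 4), or nothing.
mount_options() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { print $4; exit }'
}

# has_mount_option TABLE PATH OPTION -> success when OPTION is set on PATH.
has_mount_option() {
    mount_options "$1" "$2" | tr ',' '\n' | grep -qx "$3"
}

# missing_mounts TABLE -> prints each required path that is not its own mount.
# A /home mounted from NFS appears in the table like any other mount, so it
# passes, which matches the exception the rule text allows.
missing_mounts() {
    for p in $REQUIRED_MOUNTS; do
        if ! is_mount_point "$1" "$p"; then printf '%s\n' "$p"; fi
    done
}

# Report for the sample: /var/log/audit and /home are not separate mounts, and
# /var is a separate mount that still lacks nodev.
missing_mounts "$SAMPLE_MOUNTS"
for p in $REQUIRED_MOUNTS; do
    if is_mount_point "$SAMPLE_MOUNTS" "$p" && ! has_mount_option "$SAMPLE_MOUNTS" "$p" nodev; then
        printf '%s is mounted without nodev\n' "$p"
    fi
done
```

A path that is merely a directory on the root file system never appears in field 2, which is the whole test; the option check is why the rules exist, since nodev, nosuid and noexec can only be applied per mount.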

c
Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
RMF Control
CM-5
Severity
High
CCI
CCI-001749
Version
RHEL-06-000008
Vuln IDs
V-217852
Rule IDs
SV-217852r603264_rule
The Red Hat GPG keys are necessary to cryptographically verify packages are from Red Hat.
Fix: F-19331r376572_fix

To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG keys must be installed properly. To install the Red Hat GPG keys, run:

# rhn_register

If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG keys from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in "/media/cdrom", use the following command as the root user to import them into the keyring:

# rpm --import /media/cdrom/RPM-GPG-KEY

b
The system package management tool must cryptographically verify the authenticity of system software packages during installation.
RMF Control
CM-5
Severity
Medium
CCI
CCI-001749
Version
RHEL-06-000013
Vuln IDs
V-217855
Rule IDs
SV-217855r603264_rule
Ensuring the validity of packages' cryptographic signatures prior to installation ensures the provenance of the software and protects against malicious tampering.
Fix: F-19334r376581_fix

The "gpgcheck" option should be used to ensure checking of an RPM package's signature always occurs prior to its installation. To configure yum to check package signatures before installing them, ensure the following line appears in "/etc/yum.conf" in the "[main]" section: gpgcheck=1

a
The system package management tool must cryptographically verify the authenticity of all software packages during installation.
RMF Control
CM-5
Severity
Low
CCI
CCI-001749
Version
RHEL-06-000015
Vuln IDs
V-217856
Rule IDs
SV-217856r603264_rule
Ensuring all packages' cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering.
Fix: F-19335r376584_fix

To ensure signature checking is not disabled for any repos, remove any lines from files in "/etc/yum.repos.d" of the form: gpgcheck=0
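As an added example (not part of the STIG text), the following POSIX shell script applies the checks of RHEL-06-000013 and -000015 to yum configuration text: it reads "gpgcheck" from the "[main]" section of yum.conf and lists every repository section that sets "gpgcheck=0". Both texts are constructed samples (the ".invalid" URLs are placeholders); on a real host pass "$(cat /etc/yum.conf)" and "$(cat /etc/yum.repos.d/*.repo)".

```shell
# Added example: find repositories with signature checking turned off.
# Both texts are constructed samples; on a real host use
# $(cat /etc/yum.conf) and $(cat /etc/yum.repos.d/*.repo).
SAMPLE_YUM_CONF='[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
gpgcheck=1
plugins=1'

SAMPLE_REPOS='[rhel-6-server-rpms]
name = Red Hat Enterprise Linux 6 Server (constructed sample)
baseurl = https://cdn.example.invalid/rhel6
enabled = 1
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

[vendor-tools]
name = Vendor tools (constructed sample)
baseurl = https://repo.example.invalid/tools
enabled = 1
gpgcheck = 0

# gpgcheck=0 inside a comment must not count
[local-media]
name = Installation DVD (constructed sample)
baseurl = file:///media/cdrom
enabled = 0
gpgcheck=0'

# ini_value TEXT SECTION KEY -> value of KEY in [SECTION]; comments skipped,
# whitespace around "=" tolerated, and the value may itself contain "=".
ini_value() {
    printf '%s\n' "$1" | awk -v s="$2" -v k="$3" '
        /^[ \t]*[#;]/ { next }
        /^\[/ { sec = substr($0, 2, index($0, "]") - 2); next }
        sec == s {
            i = index($0, "="); if (i == 0) next
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == k) { print val; exit }
        }'
}

# unsigned_repos TEXT -> every section, enabled or not, that sets gpgcheck=0.
# Disabled repositories are reported too: the rule says remove the line, and a
# later "yum --enablerepo" would otherwise install unverified packages.
unsigned_repos() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*[#;]/ { next }
        /^\[/ { sec = substr($0, 2, index($0, "]") - 2); next }
        {
            i = index($0, "="); if (i == 0) next
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key == "gpgcheck" && val == "0") print sec
        }'
}

# yum_gpgcheck_ok YUM_CONF REPOS -> success only when [main] enforces gpgcheck
# and no repository overrides it.
yum_gpgcheck_ok() {
    [ "$(ini_value "$1" main gpgcheck)" = 1 ] && [ -z "$(unsigned_repos "$2")" ]
}

unsigned_repos "$SAMPLE_REPOS"
```

The sample lists "vendor-tools" and "local-media". To confirm the key side of RHEL-06-000008 on a real host, "rpm -q gpg-pubkey" lists the imported keys and "rpm -K package.rpm" verifies one package against them.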

b
A file integrity tool must be installed.
RMF Control
CM-7
Severity
Medium
CCI
CCI-001774
Version
RHEL-06-000016
Vuln IDs
V-217857
Rule IDs
SV-217857r603264_rule
The AIDE package must be installed if it is to be available for integrity checking.
Fix: F-19336r376587_fix

Install the AIDE package with the command: # yum install aide

b
The system must use a Linux Security Module at boot time.
RMF Control
AC-3
Severity
Medium
CCI
CCI-002163
Version
RHEL-06-000017
Vuln IDs
V-217858
Rule IDs
SV-217858r603264_rule
Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation.
Fix: F-19337r376590_fix

SELinux can be disabled at boot time by an argument in "/boot/grub/grub.conf". Remove any instances of "selinux=0" from the kernel arguments in that file to prevent SELinux from being disabled at boot.

c
There must be no .rhosts or hosts.equiv files on the system.
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
RHEL-06-000019
Vuln IDs
V-217860
Rule IDs
SV-217860r603264_rule
Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system.
Fix: F-19339r376596_fix

The files "/etc/hosts.equiv" and "~/.rhosts" (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. Run the following commands as root to delete them, repeating the second for every home directory on the system, not only root's:

# rm /etc/hosts.equiv
# rm ~/.rhosts

b
The system must use a Linux Security Module configured to enforce limits on system services.
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
RHEL-06-000020
Vuln IDs
V-217861
Rule IDs
SV-217861r603264_rule
Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges. Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux. However, McAfee Endpoint Security for Linux (ENSL) is an approved alternative to both McAfee Virus Scan Enterprise (VSE) and HIPS. In either scenario, SELinux is interoperable with the McAfee products and SELinux is still required.
Fix: F-19340r462505_fix

The SELinux state should be set to "enforcing" at system boot time. In the file "/etc/selinux/config", add or correct the following line to configure the system to boot into enforcing mode: SELINUX=enforcing

a
The system must use a Linux Security Module configured to limit the privileges of system services.
RMF Control
AC-6
Severity
Low
CCI
CCI-002235
Version
RHEL-06-000023
Vuln IDs
V-217863
Rule IDs
SV-217863r603264_rule
Setting the SELinux policy to "targeted" or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services.
Fix: F-19342r376605_fix

The SELinux "targeted" policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in "/etc/selinux/config": SELINUXTYPE=targeted Other policies, such as "mls", provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.
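As an added example (not part of the STIG text), the following POSIX shell script covers the two places the rules above look at: the boot-time state and policy in "/etc/selinux/config" (RHEL-06-000020 and -000023) and kernel arguments in grub.conf that switch SELinux off before the configuration file is consulted (RHEL-06-000017). Both texts are constructed samples; on a real host pass "$(cat /etc/selinux/config)" and "$(cat /boot/grub/grub.conf)". Flagging "enforcing=0" is this example's addition: the rule text names only "selinux=0", but "enforcing=0" boots the system permissive, which defeats the enforcing requirement just as well.

```shell
# Added example: check /etc/selinux/config and grub.conf kernel arguments.
# Both texts are constructed samples (kernel file names are placeholders).
SAMPLE_SELINUX_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=permissive
SELINUXTYPE=targeted'

SAMPLE_GRUB_CONF='default=0
timeout=5
title Red Hat Enterprise Linux 6 (constructed sample)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-sample ro root=/dev/mapper/vg_root-lv_root rhgb quiet selinux=0
        initrd /initramfs-2.6.32-sample.img
title Rescue entry (constructed sample)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-sample ro root=/dev/mapper/vg_root-lv_root enforcing=0
        initrd /initramfs-2.6.32-sample.img'

# selinux_setting CONFIG KEY -> value of KEY=... with comment lines ignored.
selinux_setting() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '!/^[ \t]*#/ && $1 == k { print $2; exit }'
}

# selinux_config_findings CONFIG -> problems with the boot-time state/policy.
selinux_config_findings() {
    state=$(selinux_setting "$1" SELINUX)
    policy=$(selinux_setting "$1" SELINUXTYPE)
    if [ "$state" != enforcing ]; then printf 'SELINUX=%s (need enforcing)\n' "${state:-unset}"; fi
    case $policy in
        targeted|mls) ;;
        *) printf 'SELINUXTYPE=%s (need targeted or mls)\n' "${policy:-unset}" ;;
    esac
}

# grub_selinux_overrides GRUB_CONF -> kernel lines whose arguments disable
# SELinux (selinux=0) or force permissive mode at boot (enforcing=0).
grub_selinux_overrides() {
    printf '%s\n' "$1" | awk '$1 == "kernel" {
        for (i = 2; i <= NF; i++)
            if ($i == "selinux=0" || $i == "enforcing=0") print "line " NR ": " $i
    }'
}

selinux_config_findings "$SAMPLE_SELINUX_CONFIG"
grub_selinux_overrides "$SAMPLE_GRUB_CONF"
```

For the sample this prints "SELINUX=permissive (need enforcing)", "line 5: selinux=0" and "line 9: enforcing=0". The configuration file describes the next boot only; "getenforce" shows the live state, "setenforce 1" switches a running permissive system, and a system that has been running with SELinux disabled needs "touch /.autorelabel" before the reboot so that files receive labels.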

b
The system must prevent the root account from logging in from virtual consoles.
RMF Control
IA-2
Severity
Medium
CCI
CCI-000770
Version
RHEL-06-000027
Vuln IDs
V-217865
Rule IDs
SV-217865r603264_rule
Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account.
Fix: F-19344r376611_fix

To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in "/etc/securetty": vc/1 vc/2 vc/3 vc/4 Note: Virtual console entries are not limited to those listed above. Any lines starting with "vc/" followed by numerals should be removed.

a
The system must prevent the root account from logging in from serial consoles.
RMF Control
IA-2
Severity
Low
CCI
CCI-000770
Version
RHEL-06-000028
Vuln IDs
V-217866
Rule IDs
SV-217866r603264_rule
Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account.
Fix: F-19345r376614_fix

To restrict root logins on serial ports, ensure lines of this form do not appear in "/etc/securetty": ttyS0 ttyS1 Note: Serial port entries are not limited to those listed above. Any lines starting with "ttyS" followed by numerals should be removed.

c
The system must not have accounts configured with blank or null passwords.
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
RHEL-06-000030
Vuln IDs
V-217868
Rule IDs
SV-217868r603264_rule
If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
Fix: F-19347r376620_fix

If an account is configured for password authentication but does not have an assigned password, it may be possible to log onto the account without authentication. Remove any instances of the "nullok" option in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" to prevent logons with empty passwords.

b
The /etc/passwd file must not contain password hashes.
RMF Control
IA-5
Severity
Medium
CCI
CCI-000196
Version
RHEL-06-000031
Vuln IDs
V-217869
Rule IDs
SV-217869r603264_rule
The hashes for all user account passwords should be stored in the file "/etc/shadow" and never in "/etc/passwd", which is readable by all users.
Fix: F-19348r376623_fix

If any password hashes are stored in "/etc/passwd" (in the second field, instead of an "x"), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely.

b
The root account must be the only account having a UID of 0.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000032
Vuln IDs
V-217870
Rule IDs
SV-217870r603264_rule
An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.
Fix: F-19349r376626_fix

If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.
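As an added example (not part of the STIG text), the following POSIX shell script performs the account checks of RHEL-06-000027 and -000028 (root on virtual and serial consoles), -000030 ("nullok"), -000031 (hashes in /etc/passwd) and -000032 (additional UID 0 accounts) on text in the formats of the files involved. All inputs are constructed samples; on a real host pass "$(cat /etc/passwd)", "$(cat /etc/pam.d/system-auth)" (and again for password-auth) and "$(cat /etc/securetty)".

```shell
# Added example: account hygiene checks on constructed samples of /etc/passwd,
# /etc/pam.d/system-auth and /etc/securetty.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
legacy:$6$constructed$notarealhash:1001:1001::/home/legacy:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

SAMPLE_SYSTEM_AUTH='auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok'

SAMPLE_SECURETTY='console
vc/1
vc/2
tty1
tty2
ttyS0'

# extra_uid0 PASSWD -> accounts other than root whose UID (field 3) is 0.
extra_uid0() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# passwd_with_hashes PASSWD -> accounts whose password field is not the "x"
# that defers to /etc/shadow. An empty field is reported too: it means no
# password at all, not a shadowed one.
passwd_with_hashes() {
    printf '%s\n' "$1" | awk -F: '$2 != "x" { print $1 }'
}

# nullok_lines PAMFILE -> line numbers of pam_unix.so entries carrying nullok,
# the option that lets an account with an empty password authenticate.
nullok_lines() {
    printf '%s\n' "$1" | awk '/pam_unix\.so/ { for (i = 1; i <= NF; i++) if ($i == "nullok") print NR }'
}

# root_console_entries SECURETTY -> entries that permit direct root login on a
# virtual (vc/N) or serial (ttySN) console.
root_console_entries() {
    printf '%s\n' "$1" | grep -E '^(vc/|ttyS)[0-9]+$' || true
}

extra_uid0 "$SAMPLE_PASSWD"
passwd_with_hashes "$SAMPLE_PASSWD"
nullok_lines "$SAMPLE_SYSTEM_AUTH"
root_console_entries "$SAMPLE_SECURETTY"
```

For the sample this reports "toor", "legacy", lines 2 and 4, and "vc/1", "vc/2", "ttyS0". On a real host, "passwd -l USER" locks an account pending investigation, "usermod -u NEWUID USER" moves a duplicate UID 0 account off root's UID, and the securetty entries can be dropped with GNU sed: sed -i '/^\(vc\/\|ttyS\)[0-9]\+$/d' /etc/securetty.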

b
The /etc/shadow file must be owned by root.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000033
Vuln IDs
V-217871
Rule IDs
SV-217871r603264_rule
The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.
Fix: F-19350r376629_fix

To properly set the owner of "/etc/shadow", run the command: # chown root /etc/shadow

b
The /etc/shadow file must be group-owned by root.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000034
Vuln IDs
V-217872
Rule IDs
SV-217872r603264_rule
The "/etc/shadow" file stores password hashes. Protection of this file is critical for system security.
Fix: F-19351r376632_fix

To properly set the group owner of "/etc/shadow", run the command: # chgrp root /etc/shadow

b
The /etc/shadow file must have mode 0000.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000035
Vuln IDs
V-217873
Rule IDs
SV-217873r603264_rule
The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to restrict access to this file allows non-root users to read password hashes, which could weaken the system security posture.
Fix: F-19352r376635_fix

To properly set the permissions of "/etc/shadow", run the command: # chmod 0000 /etc/shadow

b
The /etc/gshadow file must be owned by root.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000036
Vuln IDs
V-217874
Rule IDs
SV-217874r603264_rule
The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.
Fix: F-19353r376638_fix

To properly set the owner of "/etc/gshadow", run the command: # chown root /etc/gshadow

b
The /etc/gshadow file must be group-owned by root.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000037
Vuln IDs
V-217875
Rule IDs
SV-217875r603264_rule
The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.
Fix: F-19354r376641_fix

To properly set the group owner of "/etc/gshadow", run the command: # chgrp root /etc/gshadow

b
The /etc/gshadow file must have mode 0000.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000038
Vuln IDs
V-217876
Rule IDs
SV-217876r603264_rule
The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.
Fix: F-19355r376644_fix

To properly set the permissions of "/etc/gshadow", run the command: # chmod 0000 /etc/gshadow

b
The /etc/passwd file must be owned by root.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000039
Vuln IDs
V-217877
Rule IDs
SV-217877r603264_rule
The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security.
Fix: F-19356r376647_fix

To properly set the owner of "/etc/passwd", run the command: # chown root /etc/passwd

b
The /etc/passwd file must be group-owned by root.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000040
Vuln IDs
V-217878
Rule IDs
SV-217878r603264_rule
The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security.
Fix: F-19357r376650_fix

To properly set the group owner of "/etc/passwd", run the command: # chgrp root /etc/passwd

b
The /etc/passwd file must have mode 0644 or less permissive.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000041
Vuln IDs
V-217879
Rule IDs
SV-217879r603264_rule
If the "/etc/passwd" file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.
Fix: F-19358r376653_fix

To properly set the permissions of "/etc/passwd", run the command: # chmod 0644 /etc/passwd

b
The /etc/group file must be owned by root.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000042
Vuln IDs
V-217880
Rule IDs
SV-217880r603264_rule
The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
Fix: F-19359r376656_fix

To properly set the owner of "/etc/group", run the command: # chown root /etc/group

b
The /etc/group file must be group-owned by root.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000043
Vuln IDs
V-217881
Rule IDs
SV-217881r603264_rule
The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
Fix: F-19360r376659_fix

To properly set the group owner of "/etc/group", run the command: # chgrp root /etc/group

b
The /etc/group file must have mode 0644 or less permissive.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000044
Vuln IDs
V-217882
Rule IDs
SV-217882r603264_rule
The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
Fix: F-19361r376662_fix

To properly set the permissions of "/etc/group", run the command: # chmod 644 /etc/group

b
All system command files must have mode 755 or less permissive.
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
RHEL-06-000047
Vuln IDs
V-217885
Rule IDs
SV-217885r603264_rule
System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.
Fix: F-19364r376671_fix

System executables are stored in the following directories by default:

/bin
/usr/bin
/usr/local/bin
/sbin
/usr/sbin
/usr/local/sbin

If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command:

# chmod go-w [FILE]

b
All system command files must be owned by root.
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
RHEL-06-000048
Vuln IDs
V-217886
Rule IDs
SV-217886r603264_rule
System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.
Fix: F-19365r376674_fix

System executables are stored in the following directories by default:

/bin
/usr/bin
/usr/local/bin
/sbin
/usr/sbin
/usr/local/sbin

If any file [FILE] in these directories is found to be owned by a user other than root, correct its ownership with the following command:

# chown root [FILE]
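As an added example (not part of the STIG text), the following POSIX shell script evaluates the ownership and "mode N or less permissive" requirements of RHEL-06-000033 through -000048 against a listing in the format printed by "stat -c '%a %U %G %n'". The listing is a constructed sample; the command that produces the real one is in the comment. "Less permissive" is implemented as a bit test rather than a numeric comparison, because 0640 is less permissive than 0644 while being numerically smaller only by coincidence, and 0604 would compare as smaller while granting world read.

```shell
# Added example: evaluate ownership and "mode N or less permissive" for the
# files the rules name. SAMPLE_STAT is constructed; on a real host generate
# the listing with
#   stat -c '%a %U %G %n' /etc/shadow /etc/gshadow /etc/passwd /etc/group \
#       /boot/grub/grub.conf /bin/* /sbin/* /usr/bin/* /usr/sbin/* \
#       /usr/local/bin/* /usr/local/sbin/*
SAMPLE_STAT='0 root root /etc/shadow
0 root root /etc/gshadow
644 root root /etc/passwd
664 root root /etc/group
600 root root /boot/grub/grub.conf
755 root root /usr/bin/passwd
4755 root root /usr/bin/sudo
775 root root /usr/local/bin/deploy
755 build root /usr/local/sbin/agent'

# pad4 MODE -> MODE as four octal digits (stat prints 644, not 0644).
pad4() { s=$1; while [ ${#s} -lt 4 ]; do s=0$s; done; printf '%s' "$s"; }

# mode_le ACTUAL MAX -> success when ACTUAL is "MAX or less permissive", i.e.
# every bit set in ACTUAL (setuid/setgid/sticky included) is also set in MAX.
# Digits are compared one at a time, so no octal conversion is needed.
mode_le() {
    a=$(pad4 "$1"); m=$(pad4 "$2"); i=1
    while [ "$i" -le 4 ]; do
        da=$(printf '%s' "$a" | cut -c "$i"); dm=$(printf '%s' "$m" | cut -c "$i")
        [ $(( da & ~dm & 7 )) -eq 0 ] || return 1
        i=$((i + 1))
    done
}

# group_or_world_writable MODE -> success when the group or other write bit is
# set. This is the test the fix text for the command directories describes; a
# bare "755 or less" comparison would also flag setuid binaries such as 4755,
# which the rule does not intend.
group_or_world_writable() {
    m=$(pad4 "$1")
    g=$(printf '%s' "$m" | cut -c 3); o=$(printf '%s' "$m" | cut -c 4)
    [ $(( (g & 2) | (o & 2) )) -ne 0 ]
}

# audit_listing LISTING -> one finding per line; LISTING holds "MODE OWNER GROUP PATH" lines.
audit_listing() {
    printf '%s\n' "$1" | while read -r mode owner group path; do
        if [ "$owner" != root ]; then printf 'owner %s: %s\n' "$owner" "$path"; fi
        if [ "$group" != root ]; then printf 'group %s: %s\n' "$group" "$path"; fi
        case $path in
            /etc/shadow|/etc/gshadow)
                if ! mode_le "$mode" 0; then printf 'mode %s (max 0000): %s\n' "$mode" "$path"; fi ;;
            /etc/passwd|/etc/group)
                if ! mode_le "$mode" 644; then printf 'mode %s (max 0644): %s\n' "$mode" "$path"; fi ;;
            /boot/grub/grub.conf)
                if ! mode_le "$mode" 600; then printf 'mode %s (max 0600): %s\n' "$mode" "$path"; fi ;;
            /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/usr/local/bin/*|/usr/local/sbin/*)
                if group_or_world_writable "$mode"; then printf 'mode %s (group/world writable): %s\n' "$mode" "$path"; fi ;;
        esac
    done
}

audit_listing "$SAMPLE_STAT"
```

The sample yields three findings: /etc/group at 664, the group-writable /usr/local/bin/deploy, and /usr/local/sbin/agent owned by "build". On a real host the command-directory part of this is what "find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -type f -perm /022" (GNU find) lists directly.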

b
The system must require passwords to contain a minimum of 15 characters.
RMF Control
IA-5
Severity
Medium
CCI
CCI-000205
Version
RHEL-06-000050
Vuln IDs
V-217887
Rule IDs
SV-217887r603264_rule
Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result. While it does not negate the password length requirement, it is preferable to migrate from a password-based authentication scheme to a stronger one based on PKI (public key infrastructure).
Fix: F-19366r462371_fix

To specify password length requirements for new accounts, edit the file "/etc/login.defs" and add or correct the following line:

PASS_MIN_LEN 15

The DoD requirement is "15". If a program consults "/etc/login.defs" and also another PAM module (such as "pam_cracklib") during a password change operation, then the most restrictive must be satisfied.

b
Users must not be able to change passwords more than once every 24 hours.
RMF Control
IA-5
Severity
Medium
CCI
CCI-000198
Version
RHEL-06-000051
Vuln IDs
V-217888
Rule IDs
SV-217888r603264_rule
Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.
Fix: F-19367r376680_fix

To specify password minimum age for new accounts, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately: PASS_MIN_DAYS [DAYS] A value of 1 day is considered sufficient for many environments. The DoD requirement is 1.

b
User passwords must be changed at least every 60 days.
RMF Control
IA-5
Severity
Medium
CCI
CCI-000199
Version
RHEL-06-000053
Vuln IDs
V-217889
Rule IDs
SV-217889r603264_rule
Setting the password maximum age ensures users are required to periodically change their passwords. This could possibly decrease the utility of a stolen password. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.
Fix: F-19368r376683_fix

To specify password maximum age for new accounts, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately: PASS_MAX_DAYS [DAYS] The DoD requirement is 60.

a
Users must be warned 7 days in advance of password expiration.
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000054
Vuln IDs
V-217890
Rule IDs
SV-217890r603264_rule
Setting the password warning age enables users to make the change at a practical time.
Fix: F-19369r376686_fix

To specify how many days prior to password expiration that a warning will be issued to users, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately: PASS_WARN_AGE [DAYS] The DoD requirement is 7.

a
The system must require passwords to contain at least one numeric character.
RMF Control
IA-5
Severity
Low
CCI
CCI-000194
Version
RHEL-06-000056
Vuln IDs
V-217892
Rule IDs
SV-217892r603264_rule
Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.
Fix: F-19371r462374_fix

The pam_cracklib module's "dcredit" parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional length credit for each digit. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "dcredit=-1" after pam_cracklib.so to require use of a digit in passwords.

a
The system must require passwords to contain at least one uppercase alphabetic character.
RMF Control
IA-5
Severity
Low
CCI
CCI-000192
Version
RHEL-06-000057
Vuln IDs
V-217893
Rule IDs
SV-217893r603264_rule
Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space.
Fix: F-19372r462377_fix

The pam_cracklib module's "ucredit=" parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each uppercase character. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "ucredit=-1" after pam_cracklib.so to require use of an uppercase character in passwords.

a
The system must require passwords to contain at least one special character.
RMF Control
IA-5
Severity
Low
CCI
CCI-001619
Version
RHEL-06-000058
Vuln IDs
V-217894
Rule IDs
SV-217894r603264_rule
Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.
Fix: F-19373r462380_fix

The pam_cracklib module's "ocredit=" parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each special character. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "ocredit=-1" after pam_cracklib.so to require use of a special character in passwords.

a
The system must require passwords to contain at least one lower-case alphabetic character.
RMF Control
IA-5
Severity
Low
CCI
CCI-000193
Version
RHEL-06-000059
Vuln IDs
V-217895
Rule IDs
SV-217895r603264_rule
Requiring a minimum number of lower-case characters makes password guessing attacks more difficult by ensuring a larger search space.
Fix: F-19374r462383_fix

The pam_cracklib module's "lcredit=" parameter controls requirements for usage of lower-case letters in a password. When set to a negative number, any password will be required to contain that many lower-case characters. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "lcredit=-1" after pam_cracklib.so to require use of a lower-case character in passwords.

a
The system must require at least eight characters be changed between the old and new passwords during a password change.
RMF Control
IA-5
Severity
Low
CCI
CCI-000195
Version
RHEL-06-000060
Vuln IDs
V-217896
Rule IDs
SV-217896r603264_rule
Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however.
Fix: F-19375r462386_fix

The pam_cracklib module's "difok" parameter controls requirements for usage of different characters during a password change. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "difok=[NUM]" after pam_cracklib.so to require differing characters when changing passwords, substituting [NUM] appropriately. The DoD requirement is 8.

b
The system must disable accounts after three consecutive unsuccessful logon attempts.
RMF Control
AC-7
Severity
Medium
CCI
CCI-000044
Version
RHEL-06-000061
Vuln IDs
V-217897
Rule IDs
SV-217897r603264_rule
Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks.
Fix: F-36298r602604_fix

To configure the system to lock out accounts after a number of incorrect logon attempts using "pam_faillock.so", modify the content of both "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" as follows.

Add the following line immediately before the "pam_unix.so" statement in the "AUTH" section:

auth required pam_faillock.so preauth silent deny=3 unlock_time=900 fail_interval=900

Add the following line immediately after the "pam_unix.so" statement in the "AUTH" section:

auth [default=die] pam_faillock.so authfail deny=3 unlock_time=900 fail_interval=900

Add the following line immediately before the "pam_unix.so" statement in the "ACCOUNT" section:

account required pam_faillock.so

Note that any updates made to "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" may be overwritten by the "authconfig" program. The "authconfig" program should not be used.
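As an added example (not part of the STIG text), the following POSIX shell script audits the password-policy rules RHEL-06-000050 through -000061 together: the aging and length values in login.defs, the pam_cracklib credits and "difok", and the placement of the three pam_faillock lines relative to pam_unix.so. All three files are constructed samples ("WEAK_SYSTEM_AUTH" produces findings, "GOOD_SYSTEM_AUTH" is a clean stack); on a real host pass "$(cat /etc/login.defs)" and "$(cat /etc/pam.d/system-auth)", then repeat for password-auth. The "minlen=15" on the clean stack's pam_cracklib line is this example's addition, following the rule's note that the most restrictive of login.defs and PAM applies.

```shell
# Added example: audit login.defs and the PAM stack for the password rules.
# All inputs are constructed samples.
SAMPLE_LOGIN_DEFS='# constructed sample
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7'

WEAK_SYSTEM_AUTH='auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
password    requisite     pam_cracklib.so try_first_pass retry=3 dcredit=-1 ucredit=-1 lcredit=-1 difok=4
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok'

GOOD_SYSTEM_AUTH='auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=3 unlock_time=900 fail_interval=900
auth        sufficient    pam_unix.so try_first_pass
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=900 fail_interval=900
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=15 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=8
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok'

# check_min NAME VALUE MIN and check_max NAME VALUE MAX print a finding when
# VALUE is unset or outside the bound.
check_min() { if [ -z "$2" ] || [ "$2" -lt "$3" ]; then printf '%s=%s (need >= %s)\n' "$1" "${2:-unset}" "$3"; fi; }
check_max() { if [ -z "$2" ] || [ "$2" -gt "$3" ]; then printf '%s=%s (need <= %s)\n' "$1" "${2:-unset}" "$3"; fi; }

# login_defs_value TEXT KEY -> the value following KEY, comment lines ignored.
login_defs_value() {
    printf '%s\n' "$1" | awk -v k="$2" '!/^[ \t]*#/ && $1 == k { print $2; exit }'
}

# login_defs_findings TEXT -> aging and length settings that miss the DoD values.
login_defs_findings() {
    check_min PASS_MIN_LEN  "$(login_defs_value "$1" PASS_MIN_LEN)"  15
    check_min PASS_MIN_DAYS "$(login_defs_value "$1" PASS_MIN_DAYS)" 1
    check_max PASS_MAX_DAYS "$(login_defs_value "$1" PASS_MAX_DAYS)" 60
    check_min PASS_WARN_AGE "$(login_defs_value "$1" PASS_WARN_AGE)" 7
}

# pam_arg PAMFILE MODULE KEY -> value of KEY=... on the first line loading MODULE.
pam_arg() {
    printf '%s\n' "$1" | awk -v m="$2" -v k="$3" 'index($0, m) {
        for (i = 1; i <= NF; i++) { n = index($i, "="); if (n && substr($i, 1, n - 1) == k) { print substr($i, n + 1); exit } } }'
}

# cracklib_findings PAMFILE -> credits that are not negative (a positive credit
# only lengthens the password and requires nothing) and a difok below 8.
cracklib_findings() {
    for k in dcredit ucredit ocredit lcredit; do
        check_max "$k" "$(pam_arg "$1" pam_cracklib.so "$k")" -1
    done
    check_min difok "$(pam_arg "$1" pam_cracklib.so difok)" 8
}

# faillock_findings PAMFILE -> presence and ordering problems with the
# pam_faillock lines the rule prescribes: preauth before pam_unix.so, authfail
# after it, an account line, and deny no higher than 3.
faillock_findings() {
    printf '%s\n' "$1" | awk '
        $1 == "auth" && /pam_unix\.so/ && !unix          { unix = NR }
        $1 == "auth" && /pam_faillock\.so/ && /preauth/  { pre = NR }
        $1 == "auth" && /pam_faillock\.so/ && /authfail/ { fail = NR }
        $1 == "account" && /pam_faillock\.so/            { acct = NR }
        /pam_faillock\.so/ { for (i = 1; i <= NF; i++) if ($i ~ /^deny=/ && substr($i, 6) + 0 > 3) print "deny above 3 on line " NR }
        END {
            if (!pre) print "missing: auth pam_faillock.so preauth"
            else if (pre > unix) print "preauth line must come before pam_unix.so"
            if (!fail) print "missing: auth pam_faillock.so authfail"
            else if (fail < unix) print "authfail line must come after pam_unix.so"
            if (!acct) print "missing: account pam_faillock.so"
        }'
}

login_defs_findings "$SAMPLE_LOGIN_DEFS"
cracklib_findings "$WEAK_SYSTEM_AUTH"
faillock_findings "$WEAK_SYSTEM_AUTH"
```

For the samples this prints three login.defs findings (PASS_MIN_LEN, PASS_MIN_DAYS, PASS_MAX_DAYS), "ocredit=unset" and "difok=4" for the weak stack, and the three missing pam_faillock lines; the clean stack produces nothing. The ordering check matters because a preauth line placed after pam_unix.so never runs for a correct password and an authfail line placed before it counts every attempt as a failure.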

b
The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth).
RMF Control
IA-7
Severity
Medium
CCI
CCI-000803
Version
RHEL-06-000062
Vuln IDs
V-217898
Rule IDs
SV-217898r603264_rule
Using a stronger hashing algorithm makes password cracking attacks more difficult.
Fix: F-19377r462389_fix

In "/etc/pam.d/system-auth", "/etc/pam.d/system-auth-ac", "/etc/pam.d/password-auth", and "/etc/pam.d/password-auth-ac", among potentially other files, the "password" section of the files controls which PAM modules execute during a password change. Set the "pam_unix.so" module in the "password" section to include the argument "sha512", as shown below:

password sufficient pam_unix.so sha512 [other arguments...]

This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default. Note: Any updates made to "/etc/pam.d/system-auth" will be overwritten by the "authconfig" program. The "authconfig" program should not be used.

b
The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs).
RMF Control
IA-7
Severity
Medium
CCI
CCI-000803
Version
RHEL-06-000063
Vuln IDs
V-217899
Rule IDs
SV-217899r603264_rule
Using a stronger hashing algorithm makes password cracking attacks more difficult.
Fix: F-19378r376713_fix

In "/etc/login.defs", add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm: ENCRYPT_METHOD SHA512

b
The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf).
RMF Control
IA-7
Severity
Medium
CCI
CCI-000803
Version
RHEL-06-000064
Vuln IDs
V-217900
Rule IDs
SV-217900r603264_rule
Using a stronger hashing algorithm makes password cracking attacks more difficult.
Fix: F-19379r376716_fix

In "/etc/libuser.conf", add or correct the following line in its "[defaults]" section to ensure the system will use the SHA-512 algorithm for password hashing: crypt_style = sha512
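As an added example (not part of the STIG text), the following POSIX shell script checks the three configuration points of RHEL-06-000062 through -000064 and adds the step those rules leave to the operator: the settings govern only passwords changed from now on, so it also classifies the hashes already stored in a shadow-format text by their crypt(3) prefix. All inputs are constructed samples and the hash bodies are placeholders, not real digests; on a real host pass "$(cat /etc/shadow)" (as root), "$(cat /etc/pam.d/system-auth)", "$(cat /etc/login.defs)" and "$(cat /etc/libuser.conf)".

```shell
# Added example: SHA-512 configuration checks plus an inventory of existing
# password hashes. All inputs are constructed samples.
SAMPLE_SHADOW='root:$6$constructed$notarealhashAAAA:18500:1:60:7:::
bin:*:18000:0:99999:7:::
alice:$6$constructed$notarealhashBBBB:18500:1:60:7:::
bob:$1$constructed$notarealhashCCCC:17000:1:60:7:::
carol:$5$constructed$notarealhashDDDD:17500:1:60:7:::
legacy:aBcDeFgHiJkLm:16000:0:99999:7:::
nopass::18500:0:99999:7:::
svc:!!:18500:0:99999:7:::'

SAMPLE_PAM_PASSWORD='password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow try_first_pass use_authtok'

SAMPLE_LIBUSER_CONF='[defaults]
crypt_style = md5
[userdefaults]
LU_USERNAME = %n'

# hash_algorithm HASH -> algorithm implied by the crypt(3) prefix of a shadow
# password field.
hash_algorithm() {
    case $1 in
        '$6$'*)   printf 'sha512\n' ;;
        '$5$'*)   printf 'sha256\n' ;;
        '$1$'*)   printf 'md5\n' ;;
        '')       printf 'empty\n' ;;   # no password at all
        '!'*|'*') printf 'locked\n' ;;  # cannot authenticate with a password
        *)        printf 'des\n' ;;     # 13-character traditional crypt
    esac
}

# weak_hash_accounts SHADOW -> "NAME ALGORITHM" for every account whose hash
# is neither SHA-512 nor locked. Changing the configuration files does not
# rewrite these; each listed user must set a new password.
weak_hash_accounts() {
    printf '%s\n' "$1" | while IFS=: read -r name hash rest; do
        algo=$(hash_algorithm "$hash")
        case $algo in sha512|locked) ;; *) printf '%s %s\n' "$name" "$algo" ;; esac
    done
}

# pam_sha512_ok PAMFILE -> success when the password-section pam_unix.so line
# carries the sha512 argument.
pam_sha512_ok() {
    printf '%s\n' "$1" | awk '$1 == "password" && /pam_unix\.so/ { for (i = 1; i <= NF; i++) if ($i == "sha512") ok = 1 } END { exit ok ? 0 : 1 }'
}

# login_defs_sha512_ok LOGIN_DEFS -> success when ENCRYPT_METHOD is SHA512.
login_defs_sha512_ok() {
    [ "$(printf '%s\n' "$1" | awk '!/^[ \t]*#/ && $1 == "ENCRYPT_METHOD" { print toupper($2) }')" = SHA512 ]
}

# libuser_sha512_ok LIBUSER_CONF -> success when [defaults] crypt_style is sha512.
libuser_sha512_ok() {
    [ "$(printf '%s\n' "$1" | awk -F= '
        /^\[/ { sec = $0; next }
        sec == "[defaults]" { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
        sec == "[defaults]" && $1 == "crypt_style" { print tolower($2) }')" = sha512 ]
}

weak_hash_accounts "$SAMPLE_SHADOW"
```

The sample inventory lists bob (md5), carol (sha256), legacy (des) and nopass (empty); the last is a null-password finding rather than a hashing one. On a real host "chage -d 0 USER" forces each listed user to choose a new password at next login, after which the hash is written with the configured algorithm.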

b
The system boot loader configuration file(s) must be owned by root.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000065
Vuln IDs
V-217901
Rule IDs
SV-217901r603264_rule
Only root should be able to modify important boot parameters.
Fix: F-19380r376719_fix

The file "/boot/grub/grub.conf" should be owned by the "root" user to prevent destruction or modification of the file. To properly set the owner of "/boot/grub/grub.conf", run the command: # chown root /boot/grub/grub.conf

b
The system boot loader configuration file(s) must be group-owned by root.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000066
Vuln IDs
V-217902
Rule IDs
SV-217902r603264_rule
The "root" group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.
Fix: F-19381r376722_fix

The file "/boot/grub/grub.conf" should be group-owned by the "root" group to prevent destruction or modification of the file. To properly set the group owner of "/boot/grub/grub.conf", run the command:
# chgrp root /boot/grub/grub.conf

b
The system boot loader configuration file(s) must have mode 0600 or less permissive.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000067
Vuln IDs
V-217903
Rule IDs
SV-217903r603264_rule
Proper permissions ensure that only the root user can modify important boot parameters.
Fix: F-19382r376725_fix

Set file permissions for "/boot/grub/grub.conf" to 600, which is the default. To properly set the permissions of "/boot/grub/grub.conf", run the command:
$ chmod 600 /boot/grub/grub.conf
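A single check covering the three boot loader file rules above (owner, group, and "mode 0600 or less permissive"), as an added example rather than STIG text. "Less permissive" is a bit test, not a numeric comparison: a mode such as 070 is numerically below 600 but grants the group full access and must fail. The script uses GNU stat as found on RHEL.

```shell
#!/bin/sh
# Added example for RHEL-06-000065..000067 above; not STIG text. Checks owner,
# group and mode of the boot loader configuration the way the three rules
# require.

# mode_le_0600 MODE: succeed when MODE (as printed by "stat -c %a", e.g. 600,
# 644, 4755) sets no permission bit outside owner read/write.
mode_le_0600() {
    m=$1
    case "$m" in ''|*[!0-7]*) return 2 ;; esac     # not an octal mode
    while [ ${#m} -lt 4 ]; do m=0$m; done           # normalize to 4 digits
    [ ${#m} -eq 4 ] || return 2
    case "$m" in
        0[0246]00) return 0 ;;   # no setuid/setgid/sticky, owner <= rw, group/other none
        *)         return 1 ;;
    esac
}

# check_bootloader_conf PATH: print each finding with the corrective command
# from the STIG, or "ok"; returns 1 on any finding.
check_bootloader_conf() {
    f=$1
    [ -e "$f" ] || { echo "$f: missing"; return 1; }
    set -- $(stat -c '%U %G %a' "$f")    # word-split on purpose: owner group mode
    owner=$1; group=$2; mode=$3; rc=0
    [ "$owner" = root ] || { echo "$f: owner $owner (fix: chown root $f)"; rc=1; }
    [ "$group" = root ] || { echo "$f: group $group (fix: chgrp root $f)"; rc=1; }
    mode_le_0600 "$mode" || { echo "$f: mode $mode (fix: chmod 600 $f)"; rc=1; }
    [ $rc -eq 0 ] && echo "$f: ok"
    return $rc
}

# Check the BIOS path, and the UEFI path named later on this page where it exists.
for conf in /boot/grub/grub.conf /boot/efi/EFI/redhat/grub.conf; do
    [ -e "$conf" ] && check_bootloader_conf "$conf"
done
```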

b
The system boot loader must require authentication.
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
RHEL-06-000068
Vuln IDs
V-217904
Rule IDs
SV-217904r603264_rule
Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.
Fix: F-19383r462392_fix

The grub boot loader should have password protection enabled to protect boot-time settings. To do so, select a password and then generate a hash from it by running the following command:
# grub-crypt --sha-512
Enter the password when prompted. Then insert the following line into "/boot/grub/grub.conf" or "/boot/efi/EFI/redhat/grub.conf" immediately after the header comments, using the output from "grub-crypt" as the value of [password-hash]:
password --encrypted [password-hash]

b
The system must require authentication upon booting into single-user and maintenance modes.
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
RHEL-06-000069
Vuln IDs
V-217905
Rule IDs
SV-217905r603264_rule
This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.
Fix: F-19384r376731_fix

Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected. To require entry of the root password even if the system is started in single-user mode, add or correct the following line in the file "/etc/sysconfig/init":
SINGLE=/sbin/sulogin

b
The system must not permit interactive boot.
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
RHEL-06-000070
Vuln IDs
V-217906
Rule IDs
SV-217906r603264_rule
Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security.
Fix: F-19385r376734_fix

To disable the ability for users to perform interactive startups, edit the file "/etc/sysconfig/init". Add or correct the line:
PROMPT=no
The "PROMPT" option allows the console user to perform an interactive system startup, in which it is possible to select the set of services which are started on boot.

a
The system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.
RMF Control
AC-11
Severity
Low
CCI
CCI-000057
Version
RHEL-06-000071
Vuln IDs
V-217907
Rule IDs
SV-217907r603264_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000163-GPOS-00072
Fix: F-19386r462508_fix

Configure the operating system to terminate all network connections associated with a communications session at the end of the session or after a period of inactivity. Create a script to enforce the inactivity timeout (for example /etc/profile.d/tmout.sh) such as:
#!/bin/bash
TMOUT=900
readonly TMOUT
export TMOUT

b
The system must not send ICMPv4 redirects by default.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000080
Vuln IDs
V-217911
Rule IDs
SV-217911r603264_rule
Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers.
Fix: F-19390r376749_fix

To set the runtime status of the "net.ipv4.conf.default.send_redirects" kernel parameter, run the following command:
# sysctl -w net.ipv4.conf.default.send_redirects=0
Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
net.ipv4.conf.default.send_redirects = 0
Issue the following command to make the changes take effect:
# sysctl --system

b
The system must not send ICMPv4 redirects from any interface.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000081
Vuln IDs
V-217912
Rule IDs
SV-217912r603264_rule
Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers.
Fix: F-19391r376752_fix

To set the runtime status of the "net.ipv4.conf.all.send_redirects" kernel parameter, run the following command:
# sysctl -w net.ipv4.conf.all.send_redirects=0
Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
net.ipv4.conf.all.send_redirects = 0
Issue the following command to make the changes take effect:
# sysctl --system

b
IP forwarding for IPv4 must not be enabled, unless the system is a router.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000082
Vuln IDs
V-217913
Rule IDs
SV-217913r603264_rule
IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.
Fix: F-19392r376755_fix

To set the runtime status of the "net.ipv4.ip_forward" kernel parameter, run the following command:
# sysctl -w net.ipv4.ip_forward=0
Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
net.ipv4.ip_forward = 0
Issue the following command to make the changes take effect:
# sysctl --system

b
The system must not accept IPv4 source-routed packets on any interface.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000083
Vuln IDs
V-217914
Rule IDs
SV-217914r603264_rule
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
Fix: F-19393r376758_fix

To set the runtime status of the "net.ipv4.conf.all.accept_source_route" kernel parameter, run the following command:
# sysctl -w net.ipv4.conf.all.accept_source_route=0
Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
net.ipv4.conf.all.accept_source_route = 0
Issue the following command to make the changes take effect:
# sysctl --system

b
The system must not accept ICMPv4 redirect packets on any interface.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000084
Vuln IDs
V-217915
Rule IDs
SV-217915r603264_rule
Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required.
Fix: F-19394r376761_fix

To set the runtime status of the "net.ipv4.conf.all.accept_redirects" kernel parameter, run the following command:
# sysctl -w net.ipv4.conf.all.accept_redirects=0
Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
net.ipv4.conf.all.accept_redirects = 0
Issue the following command to make the changes take effect:
# sysctl --system

b
The system must not accept ICMPv4 secure redirect packets on any interface.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000086
Vuln IDs
V-217916
Rule IDs
SV-217916r603264_rule
Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.
Fix: F-19395r376764_fix

To set the runtime status of the "net.ipv4.conf.all.secure_redirects" kernel parameter, run the following command:
# sysctl -w net.ipv4.conf.all.secure_redirects=0
Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
net.ipv4.conf.all.secure_redirects = 0
Issue the following command to make the changes take effect:
# sysctl --system

a
The system must log Martian packets.
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000088
Vuln IDs
V-217917
Rule IDs
SV-217917r603264_rule
The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.
Fix: F-19396r376767_fix

To set the runtime status of the "net.ipv4.conf.all.log_martians" kernel parameter, run the following command:
# sysctl -w net.ipv4.conf.all.log_martians=1
Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
net.ipv4.conf.all.log_martians = 1
Issue the following command to make the changes take effect:
# sysctl --system

b
The system must not accept IPv4 source-routed packets by default.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000089
Vuln IDs
V-217918
Rule IDs
SV-217918r603264_rule
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
Fix: F-19397r376770_fix

To set the runtime status of the "net.ipv4.conf.default.accept_source_route" kernel parameter, run the following command:
# sysctl -w net.ipv4.conf.default.accept_source_route=0
Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
net.ipv4.conf.default.accept_source_route = 0
Issue the following command to make the changes take effect:
# sysctl --system

b
The system must not accept ICMPv4 secure redirect packets by default.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000090
Vuln IDs
V-217919
Rule IDs
SV-217919r603264_rule
Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.
Fix: F-19398r376773_fix

To set the runtime status of the "net.ipv4.conf.default.secure_redirects" kernel parameter, run the following command:
# sysctl -w net.ipv4.conf.default.secure_redirects=0
Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
net.ipv4.conf.default.secure_redirects = 0
Issue the following command to make the changes take effect:
# sysctl --system

a
The system must ignore ICMPv4 redirect messages by default.
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000091
Vuln IDs
V-217920
Rule IDs
SV-217920r603264_rule
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
Fix: F-19399r376776_fix

To set the runtime status of the "net.ipv4.conf.default.accept_redirects" kernel parameter, run the following command:
# sysctl -w net.ipv4.conf.default.accept_redirects=0
Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
net.ipv4.conf.default.accept_redirects = 0
Issue the following command to make the changes take effect:
# sysctl --system

a
The system must not respond to ICMPv4 sent to a broadcast address.
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000092
Vuln IDs
V-217921
Rule IDs
SV-217921r603264_rule
Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.
Fix: F-19400r376779_fix

To set the runtime status of the "net.ipv4.icmp_echo_ignore_broadcasts" kernel parameter, run the following command:
# sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
net.ipv4.icmp_echo_ignore_broadcasts = 1
Issue the following command to make the changes take effect:
# sysctl --system

a
The system must ignore ICMPv4 bogus error responses.
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000093
Vuln IDs
V-217922
Rule IDs
SV-217922r603264_rule
Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.
Fix: F-19401r376782_fix

To set the runtime status of the "net.ipv4.icmp_ignore_bogus_error_responses" kernel parameter, run the following command:
# sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
net.ipv4.icmp_ignore_bogus_error_responses = 1
Issue the following command to make the changes take effect:
# sysctl --system

b
The system must be configured to use TCP syncookies when experiencing a TCP SYN flood.
RMF Control
SC-5
Severity
Medium
CCI
CCI-001095
Version
RHEL-06-000095
Vuln IDs
V-217923
Rule IDs
SV-217923r603264_rule
A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.
Fix: F-19402r376785_fix

To set the runtime status of the "net.ipv4.tcp_syncookies" kernel parameter, run the following command:
# sysctl -w net.ipv4.tcp_syncookies=1
Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
net.ipv4.tcp_syncookies = 1
Issue the following command to make the changes take effect:
# sysctl --system

b
The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000096
Vuln IDs
V-217924
Rule IDs
SV-217924r603264_rule
Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.
Fix: F-19403r376788_fix

To set the runtime status of the "net.ipv4.conf.all.rp_filter" kernel parameter, run the following command:
# sysctl -w net.ipv4.conf.all.rp_filter=1
Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
net.ipv4.conf.all.rp_filter = 1
Issue the following command to make the changes take effect:
# sysctl --system

b
The system must use a reverse-path filter for IPv4 network traffic when possible by default.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000097
Vuln IDs
V-217925
Rule IDs
SV-217925r603264_rule
Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.
Fix: F-19404r376791_fix

To set the runtime status of the "net.ipv4.conf.default.rp_filter" kernel parameter, run the following command:
# sysctl -w net.ipv4.conf.default.rp_filter=1
Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
net.ipv4.conf.default.rp_filter = 1
Issue the following command to make the changes take effect:
# sysctl --system

b
The system must ignore ICMPv6 redirects by default.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000099
Vuln IDs
V-217926
Rule IDs
SV-217926r603264_rule
An illicit ICMP redirect message could result in a man-in-the-middle attack.
Fix: F-19405r376794_fix

To set the runtime status of the "net.ipv6.conf.default.accept_redirects" kernel parameter, run the following command:
# sysctl -w net.ipv6.conf.default.accept_redirects=0
Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
net.ipv6.conf.default.accept_redirects = 0
Issue the following command to make the changes take effect:
# sysctl --system
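One check for all sixteen kernel parameters in the sysctl rules above (RHEL-06-000080 through RHEL-06-000099), as an added example rather than STIG text. It resolves the value each key ends up with across configuration files the way "sysctl --system" applies them (later files and later lines override earlier ones; "/etc/sysctl.conf" is read last and therefore wins over "/etc/sysctl.d/"), compares it with the required value, and can run the same comparison against the live kernel. The sample files are constructed.

```shell
#!/bin/sh
# Added example for the sysctl rules RHEL-06-000080..000099 above; not STIG text.
# Checks the persistent configuration (and, optionally, the live kernel values)
# against the required settings.

REQUIRED_SYSCTLS='
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.ip_forward=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv6.conf.default.accept_redirects=0
'

# effective_sysctl_value KEY FILE...: print the value the given files assign to
# KEY, later files and later lines overriding earlier ones (pass the files in
# the order "sysctl --system" reads them: /etc/sysctl.d/*.conf, then
# /etc/sysctl.conf). Prints nothing when KEY is unset. Comment lines start
# with "#" or ";"; spacing around "=" is free-form.
effective_sysctl_value() {
    key=$1; shift
    awk -v key="$key" '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { if (found) print val }' "$@"
}

# check_sysctl_conf FILE...: one line per missing or wrong setting; returns 1
# if anything deviates from the required list.
check_sysctl_conf() {
    rc=0
    for pair in $REQUIRED_SYSCTLS; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(effective_sysctl_value "$key" "$@")
        if [ -z "$have" ]; then
            echo "MISSING  $key (want $want)"; rc=1
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $key = $have (want $want)"; rc=1
        fi
    done
    return $rc
}

# check_sysctl_runtime: the same comparison against the running kernel, which
# is what "sysctl -w" changes and "sysctl --system" re-applies from the files.
check_sysctl_runtime() {
    rc=0
    for pair in $REQUIRED_SYSCTLS; do
        key=${pair%%=*}; want=${pair#*=}
        if ! have=$(sysctl -n "$key" 2>/dev/null); then
            echo "UNAVAILABLE $key (module or address family not loaded)"; rc=1
        elif [ "$have" != "$want" ]; then
            echo "RUNTIME  $key = $have (want $want)"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: a base file with a wrong value, and a drop-in that
# sets the correct one. Not a real host's configuration.
sample_sysctl_conf() {
    cat <<'EOF'
# constructed /etc/sysctl.conf fragment
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects=1
net.ipv4.tcp_syncookies = 1
EOF
}
sample_sysctl_dropin() {
    printf 'net.ipv4.conf.all.send_redirects = 0\n'
}

base=$(mktemp); dropin=$(mktemp)
sample_sysctl_conf > "$base"; sample_sysctl_dropin > "$dropin"
# Drop-in first, base last: the base file's "=1" wins, exactly as it would on a
# host where /etc/sysctl.conf is applied after /etc/sysctl.d/.
if check_sysctl_conf "$dropin" "$base"; then echo "persistent config compliant"; fi
rm -f "$base" "$dropin"
```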

b
The system must employ a local IPv4 firewall.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000113
Vuln IDs
V-217930
Rule IDs
SV-217930r603264_rule
The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP.
Fix: F-19409r376806_fix

The "iptables" service can be enabled with the following commands:
# chkconfig iptables on
# service iptables start

b
The operating system must prevent public IPv4 access into an organization's internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000117
Vuln IDs
V-217932
Rule IDs
SV-217932r603264_rule
The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP.
Fix: F-19411r376812_fix

The "iptables" service can be enabled with the following commands:
# chkconfig iptables on
# service iptables start

b
The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
RHEL-06-000124
Vuln IDs
V-217934
Rule IDs
SV-217934r603264_rule
Disabling DCCP protects the system against exploitation of any flaws in its implementation.
Fix: F-19413r462395_fix

The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the "dccp" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d":
install dccp /bin/true

b
The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
RHEL-06-000125
Vuln IDs
V-217935
Rule IDs
SV-217935r603264_rule
Disabling SCTP protects the system against exploitation of any flaws in its implementation.
Fix: F-19414r462398_fix

The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the "sctp" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d":
install sctp /bin/true

a
The Reliable Datagram Sockets (RDS) protocol must be disabled unless required.
RMF Control
CM-7
Severity
Low
CCI
CCI-000382
Version
RHEL-06-000126
Vuln IDs
V-217936
Rule IDs
SV-217936r603264_rule
Disabling RDS protects the system against exploitation of any flaws in its implementation.
Fix: F-19415r376824_fix

The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-bandwidth, low-latency communications between nodes in a cluster. To configure the system to prevent the "rds" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d":
install rds /bin/true

b
The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required.
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
RHEL-06-000127
Vuln IDs
V-217937
Rule IDs
SV-217937r603264_rule
Disabling TIPC protects the system against exploitation of any flaws in its implementation.
Fix: F-19416r462401_fix

The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the "tipc" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d":
install tipc /bin/true

b
All rsyslog-generated log files must be owned by root.
RMF Control
SI-11
Severity
Medium
CCI
CCI-001314
Version
RHEL-06-000133
Vuln IDs
V-217938
Rule IDs
SV-217938r603264_rule
The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.
Fix: F-19417r376830_fix

The owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's owner:
$ ls -l [LOGFILE]
If the owner is not "root", run the following command to correct this:
# chown root [LOGFILE]

b
The system must retain enough rotated audit logs to cover the required log retention period.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000159
Vuln IDs
V-217947
Rule IDs
SV-217947r603264_rule
The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.
Fix: F-19426r376857_fix

Determine how many log files "auditd" should retain when it rotates logs. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting [NUMLOGS] with the correct value:
num_logs = [NUMLOGS]
Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation.

b
The system must set a maximum audit log file size.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000160
Vuln IDs
V-217948
Rule IDs
SV-217948r603264_rule
The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.
Fix: F-19427r376860_fix

Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting the correct value for [STOREMB]:
max_log_file = [STOREMB]
Set the value to "6" (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data.

b
The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low.
RMF Control
AU-5
Severity
Medium
CCI
CCI-001855
Version
RHEL-06-000163
Vuln IDs
V-217950
Rule IDs
SV-217950r603264_rule
Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur.
Fix: F-19429r376866_fix

The "auditd" service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting [ACTION] appropriately:
admin_space_left_action = [ACTION]
Set this value to "single" to cause the system to switch to single-user mode for corrective action. Acceptable values also include "suspend" and "halt". For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for [ACTION] are described in the "auditd.conf" man page.

a
The audit system must be configured to audit all attempts to alter system time through adjtimex.
RMF Control
AU-12
Severity
Low
CCI
CCI-000169
Version
RHEL-06-000166
Vuln IDs
V-217951
Rule IDs
SV-217951r603264_rule
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
Fix: F-19430r376869_fix

Add the following to "/etc/audit/audit.rules":
# audit_time_rules
-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules
If the system is 64-bit, then also add the following:
# audit_time_rules
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules

a
The audit system must be configured to audit all attempts to alter system time through settimeofday.
RMF Control
AU-12
Severity
Low
CCI
CCI-000169
Version
RHEL-06-000167
Vuln IDs
V-217952
Rule IDs
SV-217952r603264_rule
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
Fix: F-19431r376872_fix

Add the following to "/etc/audit/audit.rules":
# audit_time_rules
-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules
If the system is 64-bit, then also add the following:
# audit_time_rules
-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules

a
The audit system must be configured to audit all attempts to alter system time through stime.
RMF Control
AU-12
Severity
Low
CCI
CCI-000169
Version
RHEL-06-000169
Vuln IDs
V-217953
Rule IDs
SV-217953r603264_rule
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
Fix: F-19432r376875_fix

Add the following to "/etc/audit/audit.rules":
# audit_time_rules
-a always,exit -F arch=b32 -S stime -k audit_time_rules

a
The audit system must be configured to audit all attempts to alter system time through clock_settime.
RMF Control
AU-12
Severity
Low
CCI
CCI-000169
Version
RHEL-06-000171
Vuln IDs
V-217954
Rule IDs
SV-217954r603264_rule
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
Fix: F-19433r376878_fix

Add the following to "/etc/audit/audit.rules":
# audit_time_rules
-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules
If the system is 64-bit, then also add the following:
# audit_time_rules
-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules

a
The audit system must be configured to audit all attempts to alter system time through /etc/localtime.
RMF Control
AU-12
Severity
Low
CCI
CCI-000169
Version
RHEL-06-000173
Vuln IDs
V-217955
Rule IDs
SV-217955r603264_rule
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
Fix: F-19434r376881_fix

Add the following to "/etc/audit/audit.rules":
-w /etc/localtime -p wa -k audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.

a
The operating system must automatically audit account creation.
RMF Control
AC-2
Severity
Low
CCI
CCI-000018
Version
RHEL-06-000174
Vuln IDs
V-217956
Rule IDs
SV-217956r603264_rule
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
Fix: F-19435r376884_fix

Add the following to "/etc/audit/audit.rules", in order to capture events that modify accounts:
# audit_account_changes
-w /etc/group -p wa -k audit_account_changes
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/shadow -p wa -k audit_account_changes
-w /etc/security/opasswd -p wa -k audit_account_changes

a
The operating system must automatically audit account modification.
RMF Control
AC-2
Severity
Low
CCI
CCI-001403
Version
RHEL-06-000175
Vuln IDs
V-217957
Rule IDs
SV-217957r603264_rule
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
Fix: F-19436r376887_fix

Add the following to "/etc/audit/audit.rules", in order to capture events that modify accounts:
# audit_account_changes
-w /etc/group -p wa -k audit_account_changes
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/shadow -p wa -k audit_account_changes
-w /etc/security/opasswd -p wa -k audit_account_changes

a
The operating system must automatically audit account disabling actions.
RMF Control
AC-2
Severity
Low
CCI
CCI-001404
Version
RHEL-06-000176
Vuln IDs
V-217958
Rule IDs
SV-217958r603264_rule
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
Fix: F-19437r376890_fix

Add the following to "/etc/audit/audit.rules", in order to capture events that modify accounts:
# audit_account_changes
-w /etc/group -p wa -k audit_account_changes
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/shadow -p wa -k audit_account_changes
-w /etc/security/opasswd -p wa -k audit_account_changes

a
The operating system must automatically audit account termination.
RMF Control
AC-2
Severity
Low
CCI
CCI-001405
Version
RHEL-06-000177
Vuln IDs
V-217959
Rule IDs
SV-217959r603264_rule
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
Fix: F-19438r376893_fix

Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes:

# audit_account_changes
-w /etc/group -p wa -k audit_account_changes
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/shadow -p wa -k audit_account_changes
-w /etc/security/opasswd -p wa -k audit_account_changes

a
The audit system must be configured to audit modifications to the system's network configuration.
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000182
Vuln IDs
V-217960
Rule IDs
SV-217960r603264_rule
The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.
Fix: F-19439r376896_fix

Add the following to "/etc/audit/audit.rules":

# audit_network_modifications
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications
-w /etc/issue -p wa -k audit_network_modifications
-w /etc/issue.net -p wa -k audit_network_modifications
-w /etc/hosts -p wa -k audit_network_modifications
-w /etc/sysconfig/network -p wa -k audit_network_modifications

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_network_modifications

a
The audit system must be configured to audit modifications to the system's Mandatory Access Control (MAC) configuration (SELinux).
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000183
Vuln IDs
V-217961
Rule IDs
SV-217961r603264_rule
The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.
Fix: F-19440r376899_fix

Add the following to "/etc/audit/audit.rules":

-w /etc/selinux/ -p wa -k MAC-policy

a
The audit system must be configured to audit all discretionary access control permission modifications using chmod.
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
RHEL-06-000184
Vuln IDs
V-217962
Rule IDs
SV-217962r603264_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Fix: F-19441r376902_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 \
 -k perm_mod
-a always,exit -F arch=b32 -S chmod -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 \
 -k perm_mod
-a always,exit -F arch=b64 -S chmod -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using chown.
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
RHEL-06-000185
Vuln IDs
V-217963
Rule IDs
SV-217963r603264_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Fix: F-19442r376905_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 \
 -k perm_mod
-a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 \
 -k perm_mod
-a always,exit -F arch=b64 -S chown -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using fchmod.
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
RHEL-06-000186
Vuln IDs
V-217964
Rule IDs
SV-217964r603264_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Fix: F-19443r376908_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 \
 -k perm_mod
-a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 \
 -k perm_mod
-a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using fchmodat.
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
RHEL-06-000187
Vuln IDs
V-217965
Rule IDs
SV-217965r603264_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Fix: F-19444r376911_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 \
 -k perm_mod
-a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 \
 -k perm_mod
-a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using fchown.
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
RHEL-06-000188
Vuln IDs
V-217966
Rule IDs
SV-217966r603264_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Fix: F-19445r376914_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 \
 -k perm_mod
-a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 \
 -k perm_mod
-a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using fchownat.
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
RHEL-06-000189
Vuln IDs
V-217967
Rule IDs
SV-217967r603264_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Fix: F-19446r376917_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 \
 -k perm_mod
-a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 \
 -k perm_mod
-a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr.
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
RHEL-06-000190
Vuln IDs
V-217968
Rule IDs
SV-217968r603264_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Fix: F-19447r376920_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 \
 -k perm_mod
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 \
 -k perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr.
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
RHEL-06-000191
Vuln IDs
V-217969
Rule IDs
SV-217969r603264_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Fix: F-19448r376923_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 \
 -k perm_mod
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 \
 -k perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using lchown.
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
RHEL-06-000192
Vuln IDs
V-217970
Rule IDs
SV-217970r603264_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Fix: F-19449r376926_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 \
 -k perm_mod
-a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 \
 -k perm_mod
-a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr.
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
RHEL-06-000193
Vuln IDs
V-217971
Rule IDs
SV-217971r603264_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Fix: F-19450r376929_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 \
 -k perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 \
 -k perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr.
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
RHEL-06-000194
Vuln IDs
V-217972
Rule IDs
SV-217972r603264_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Fix: F-19451r376932_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 \
 -k perm_mod
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 \
 -k perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using removexattr.
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
RHEL-06-000195
Vuln IDs
V-217973
Rule IDs
SV-217973r603264_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Fix: F-19452r376935_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 \
 -k perm_mod
-a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 \
 -k perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using setxattr.
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
RHEL-06-000196
Vuln IDs
V-217974
Rule IDs
SV-217974r603264_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Fix: F-19453r376938_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 \
 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 \
 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod

a
The audit system must be configured to audit failed attempts to access files and programs.
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
RHEL-06-000197
Vuln IDs
V-217975
Rule IDs
SV-217975r603264_rule
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Fix: F-19454r376941_fix

At a minimum, the audit system should collect unauthorized file accesses for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \
 -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \
 -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \
 -S ftruncate -F exit=-EACCES -F auid=0 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \
 -S ftruncate -F exit=-EPERM -F auid=0 -k access

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \
 -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \
 -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \
 -S ftruncate -F exit=-EACCES -F auid=0 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \
 -S ftruncate -F exit=-EPERM -F auid=0 -k access

a
The audit system must be configured to audit successful file system mounts.
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
RHEL-06-000199
Vuln IDs
V-217977
Rule IDs
SV-217977r603264_rule
The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.
Fix: F-19456r376947_fix

At a minimum, the audit system should collect media exportation events for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
-a always,exit -F arch=b32 -S mount -F auid=0 -k export

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export
-a always,exit -F arch=b64 -S mount -F auid=0 -k export

a
The audit system must be configured to audit user deletions of files and programs.
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
RHEL-06-000200
Vuln IDs
V-217978
Rule IDs
SV-217978r603264_rule
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.
Fix: F-19457r376950_fix

At a minimum, the audit system should collect file deletion events for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete

a
The audit system must be configured to audit changes to the /etc/sudoers file.
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
RHEL-06-000201
Vuln IDs
V-217979
Rule IDs
SV-217979r603264_rule
The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as for accountability purposes.
Fix: F-19458r376953_fix

At a minimum, the audit system should collect administrator actions for all users and root. Add the following to "/etc/audit/audit.rules":

-w /etc/sudoers -p wa -k actions

b
The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
RHEL-06-000202
Vuln IDs
V-217980
Rule IDs
SV-217980r603264_rule
The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.
Fix: F-19459r376956_fix

Add the following to "/etc/audit/audit.rules" in order to capture kernel module loading and unloading events:

-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
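The audit rules in the fixes above, from the account-change watches through the kernel-module rules, all follow two templates: a file watch ("-w PATH -p PERMS -k KEY") or a syscall rule ("-a always,exit -F arch=... -S SYSCALL ... -k KEY"), with each syscall rule required four times (b32 and b64, once for unprivileged users with auid>=500 and once for root with auid=0). The following POSIX shell script is an added example for checking an audit.rules file against that template; it is not part of the STIG and not DISA or Red Hat tooling. The function names, the way backslash-continued rules are joined before matching, and the constructed sample rules file are all assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not part of the STIG: verify that an audit.rules file
# carries the watch and per-syscall rules the fixes above call for.
# Function names and the sample rules file are assumptions made for
# this illustration.

# Print the rules file with comments and blank lines removed and any
# backslash-continued rule joined back onto a single line, so that each
# output line is one complete rule.
normalise_rules() {
    sed -e 's/[[:space:]]*$//' "$1" \
      | awk '/\\$/ { sub(/\\$/, ""); printf "%s", $0; next } { print }' \
      | grep -v '^[[:space:]]*#' \
      | grep -v '^[[:space:]]*$'
}

# Succeed (exit 0) if a syscall rule with the given arch, syscall, auid
# filter and key is present. Tokens are compared pairwise ("-S chmod"),
# so "-S fchown" does not accidentally match "-S fchownat".
audit_rule_present() {
    # $1 rules file, $2 arch (b32|b64), $3 syscall, $4 auid filter, $5 key
    normalise_rules "$1" | awk -v arch="arch=$2" -v sc="$3" -v auid="$4" -v key="$5" '
        $1 == "-a" && $2 == "always,exit" {
            a = 0; s = 0; u = 0; k = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-F" && $(i + 1) == arch) a = 1
                if ($i == "-S" && $(i + 1) == sc)   s = 1
                if ($i == "-F" && $(i + 1) == auid) u = 1
                if ($i == "-k" && $(i + 1) == key)  k = 1
            }
            if (a && s && u && k) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }'
}

# Succeed (exit 0) if a file watch "-w PATH -p PERMS -k KEY" is present.
audit_watch_present() {
    # $1 rules file, $2 path, $3 permissions (e.g. wa), $4 key
    normalise_rules "$1" | awk -v path="$2" -v perms="$3" -v key="$4" '
        $1 == "-w" && $2 == path {
            p = 0; k = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-p" && $(i + 1) == perms) p = 1
                if ($i == "-k" && $(i + 1) == key)   k = 1
            }
            if (p && k) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }'
}

# Print how many of the four required rules (b32/b64 x auid>=500/auid=0)
# are missing for one syscall and key; 0 means fully covered.
count_missing_rules() {
    # $1 rules file, $2 key, $3 syscall
    missing=0
    for arch in b32 b64; do
        for auid in 'auid>=500' 'auid=0'; do
            audit_rule_present "$1" "$arch" "$3" "$auid" "$2" || missing=$((missing + 1))
        done
    done
    echo "$missing"
}

# Constructed sample rules file (not taken from any real system): chmod is
# fully covered, including one backslash-continued rule; fchown has only
# the 32-bit rules; fchownat has a single rule; setxattr has none.
write_sample_rules() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# perm_mod
-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 \
 -k perm_mod
-a always,exit -F arch=b32 -S chmod -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod -F auid=0 -k perm_mod
-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod
-a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod
-w /etc/sudoers -p wa -k actions
EOF
    echo "$tmp"
}

# Stand-alone demonstration on the constructed sample.
sample=$(write_sample_rules)
for sc in chmod fchown fchownat setxattr; do
    printf '%-10s missing perm_mod rules: %s\n' "$sc" "$(count_missing_rules "$sample" perm_mod "$sc")"
done
rm -f "$sample"
```

Point count_missing_rules at the real "/etc/audit/audit.rules" and loop over the syscall list from the fixes above (chmod, chown, fchmod, fchmodat, fchown, fchownat, fremovexattr, fsetxattr, lchown, lremovexattr, lsetxattr, removexattr, setxattr for perm_mod; mount for export; rmdir, unlink, unlinkat, rename, renameat for delete) to get a per-syscall gap list; audit_watch_present covers the "-w" rules for account changes, the SELinux directory, sudoers and the module tools. The checker reads the file the fixes edit, not the rules the kernel currently has loaded, so run it after the rules have been reloaded or compare against "auditctl -l" output as well.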

b
The xinetd service must be disabled if no network services utilizing it are enabled.
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
RHEL-06-000203
Vuln IDs
V-217981
Rule IDs
SV-217981r603264_rule
The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself.
Fix: F-19460r376959_fix

The "xinetd" service can be disabled with the following commands:

# chkconfig xinetd off
# service xinetd stop

a
The xinetd service must be uninstalled if no network services utilizing it are enabled.
RMF Control
CM-7
Severity
Low
CCI
CCI-000382
Version
RHEL-06-000204
Vuln IDs
V-217982
Rule IDs
SV-217982r603264_rule
Removing the "xinetd" package decreases the risk of the xinetd service's accidental (or intentional) activation.
Fix: F-19461r376962_fix

The "xinetd" package can be uninstalled with the following command:

# yum erase xinetd

c
The telnet-server package must not be installed.
RMF Control
CM-7
Severity
High
CCI
CCI-000381
Version
RHEL-06-000206
Vuln IDs
V-217983
Rule IDs
SV-217983r603264_rule
Removing the "telnet-server" package decreases the risk of the unencrypted telnet service's accidental (or intentional) activation. Mitigation: If the telnet-server package is configured to only allow encrypted sessions, such as with Kerberos or the use of encrypted network tunnels, the risk of exposing sensitive information is mitigated.
Fix: F-19462r376965_fix

The "telnet-server" package can be uninstalled with the following command:

# yum erase telnet-server

c
The telnet daemon must not be running.
RMF Control
CM-7
Severity
High
CCI
CCI-000381
Version
RHEL-06-000211
Vuln IDs
V-217984
Rule IDs
SV-217984r603264_rule
The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks. Mitigation: If an enabled telnet daemon is configured to only allow encrypted sessions, such as with Kerberos or the use of encrypted network tunnels, the risk of exposing sensitive information is mitigated.
Fix: F-19463r376968_fix

The "telnet" service can be disabled with the following command:

# chkconfig telnet off

c
The rsh-server package must not be installed.
RMF Control
CM-7
Severity
High
CCI
CCI-000381
Version
RHEL-06-000213
Vuln IDs
V-217985
Rule IDs
SV-217985r603264_rule
The "rsh-server" package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation.
Fix: F-19464r376971_fix

The "rsh-server" package can be uninstalled with the following command:

# yum erase rsh-server

c
The rshd service must not be running.
RMF Control
AC-17
Severity
High
CCI
CCI-000068
Version
RHEL-06-000214
Vuln IDs
V-217986
Rule IDs
SV-217986r603264_rule
The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
Fix: F-19465r376974_fix

The "rsh" service, which is available with the "rsh-server" package and runs as a service through xinetd, should be disabled. The "rsh" service can be disabled with the following command:

# chkconfig rsh off

c
The rexecd service must not be running.
RMF Control
AC-17
Severity
High
CCI
CCI-000068
Version
RHEL-06-000216
Vuln IDs
V-217987
Rule IDs
SV-217987r603264_rule
The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
Fix: F-19466r376977_fix

The "rexec" service, which is available with the "rsh-server" package and runs as a service through xinetd, should be disabled. The "rexec" service can be disabled with the following command:

# chkconfig rexec off

c
The rlogind service must not be running.
RMF Control
CM-7
Severity
High
CCI
CCI-000381
Version
RHEL-06-000218
Vuln IDs
V-217988
Rule IDs
SV-217988r603264_rule
The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
Fix: F-19467r376980_fix

The "rlogin" service, which is available with the "rsh-server" package and runs as a service through xinetd, should be disabled. The "rlogin" service can be disabled with the following command:

# chkconfig rlogin off

b
The ypserv package must not be installed.
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
RHEL-06-000220
Vuln IDs
V-217989
Rule IDs
SV-217989r603264_rule
Removing the "ypserv" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.
Fix: F-19468r376983_fix

The "ypserv" package can be uninstalled with the following command:

# yum erase ypserv

b
The ypbind service must not be running.
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
RHEL-06-000221
Vuln IDs
V-217990
Rule IDs
SV-217990r603264_rule
Disabling the "ypbind" service ensures the system is not acting as a client in a NIS or NIS+ domain.
Fix: F-19469r376986_fix

The "ypbind" service, which allows the system to act as a client in a NIS or NIS+ domain, should be disabled. The "ypbind" service can be disabled with the following commands:

# chkconfig ypbind off
# service ypbind stop

b
The tftp-server package must not be installed unless required.
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
RHEL-06-000222
Vuln IDs
V-217991
Rule IDs
SV-217991r603264_rule
Removing the "tftp-server" package decreases the risk of the accidental (or intentional) activation of tftp services.
Fix: F-19470r376989_fix

The "tftp-server" package can be removed with the following command:

# yum erase tftp-server

b
The cron service must be running.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000224
Vuln IDs
V-217993
Rule IDs
SV-217993r603264_rule
Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.
Fix: F-19472r376995_fix

The "crond" service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The "crond" service can be enabled with the following commands:

# chkconfig crond on
# service crond start

c
The SSH daemon must be configured to use only the SSHv2 protocol.
RMF Control
IA-2
Severity
High
CCI
CCI-001941
Version
RHEL-06-000227
Vuln IDs
V-217994
Rule IDs
SV-217994r603264_rule
SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used.
Fix: F-19473r376998_fix

Only SSH protocol version 2 connections should be permitted. The default setting in "/etc/ssh/sshd_config" is correct, and can be verified by ensuring that the following line appears:

Protocol 2

a
The SSH daemon must set a timeout interval on idle sessions.
RMF Control
SC-10
Severity
Low
CCI
CCI-001133
Version
RHEL-06-000230
Vuln IDs
V-217996
Rule IDs
SV-217996r603819_rule
Causing idle users to be automatically logged out guards against a compromise on one system leading trivially to compromises on another.
Fix: F-19475r603818_fix

SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out. To set an idle timeout interval, edit the following line in "/etc/ssh/sshd_config" as follows:

ClientAliveInterval [interval]

The timeout [interval] is given in seconds. To have a timeout of ten minutes, set [interval] to 600. If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.

a
The SSH daemon must set a timeout count on idle sessions.
RMF Control
MA-4
Severity
Low
CCI
CCI-000879
Version
RHEL-06-000231
Vuln IDs
V-217997
Rule IDs
SV-217997r603264_rule
This ensures a user login will be terminated as soon as the "ClientAliveCountMax" is reached.
Fix: F-19476r377007_fix

To ensure the SSH idle timeout occurs precisely when the "ClientAliveCountMax" is set, edit "/etc/ssh/sshd_config" as follows:

ClientAliveCountMax 0

b
The SSH daemon must ignore .rhosts files.
RMF Control
IA-2
Severity
Medium
CCI
CCI-000766
Version
RHEL-06-000234
Vuln IDs
V-217998
Rule IDs
SV-217998r603264_rule
SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.
Fix: F-19477r377010_fix

SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via ".rhosts" files. To ensure this behavior is disabled, add or correct the following line in "/etc/ssh/sshd_config":

IgnoreRhosts yes

b
The SSH daemon must not allow host-based authentication.
RMF Control
IA-2
Severity
Medium
CCI
CCI-000766
Version
RHEL-06-000236
Vuln IDs
V-217999
Rule IDs
SV-217999r603264_rule
SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.
Fix: F-19478r377013_fix

SSH's cryptographic host-based authentication is more secure than ".rhosts" authentication, since hosts are cryptographically authenticated. However, it is not recommended that hosts unilaterally trust one another, even within an organization. To disable host-based authentication, add or correct the following line in "/etc/ssh/sshd_config":

HostbasedAuthentication no

b
The system must not permit root logins using remote access programs such as ssh.
RMF Control
IA-2
Severity
Medium
CCI
CCI-000770
Version
RHEL-06-000237
Vuln IDs
V-218000
Rule IDs
SV-218000r603264_rule
Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on root's password.
Fix: F-19479r377016_fix

The root user should never be allowed to log in to a system directly over a network. To disable root login via SSH, add or correct the following line in "/etc/ssh/sshd_config":

PermitRootLogin no

c
The SSH daemon must not allow authentication using an empty password.
RMF Control
IA-2
Severity
High
CCI
CCI-000766
Version
RHEL-06-000239
Vuln IDs
V-218001
Rule IDs
SV-218001r603264_rule
Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.
Fix: F-19480r377019_fix

To explicitly disallow remote login from accounts with empty passwords, add or correct the following line in "/etc/ssh/sshd_config":

PermitEmptyPasswords no

Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.

b
The SSH daemon must be configured with the Department of Defense (DoD) login banner.
RMF Control
AC-8
Severity
Medium
CCI
CCI-000048
Version
RHEL-06-000240
Vuln IDs
V-218002
Rule IDs
SV-218002r603264_rule
The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.
Fix: F-19481r377022_fix

To enable the warning banner and ensure it is consistent across the system, add or correct the following line in "/etc/ssh/sshd_config":

Banner /etc/issue

Another section contains information on how to create an appropriate system-wide warning banner.

a
The SSH daemon must not permit user environment settings.
RMF Control
AC-4
Severity
Low
CCI
CCI-001414
Version
RHEL-06-000241
Vuln IDs
V-218003
Rule IDs
SV-218003r603264_rule
SSH environment options potentially allow users to bypass access restriction in some configurations.
Fix: F-19482r377025_fix

To ensure users are not able to present environment options to the SSH daemon, add or correct the following line in "/etc/ssh/sshd_config":

PermitUserEnvironment no
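
The five sshd_config directives required by the SSH rules above (HostbasedAuthentication, PermitRootLogin, PermitEmptyPasswords, Banner and PermitUserEnvironment) are easy to mis-audit with a plain grep: sshd uses the first occurrence of a directive and ignores later duplicates, keywords are case-insensitive, and lines inside a "Match" block do not apply globally. The shell script below is an added example, not part of the STIG or of OpenSSH; the function names sshd_effective_value and check_sshd_stig and the sample configuration are ours. It reports the value sshd would actually use for each directive and counts the rules that would be findings.

```shell
#!/bin/sh
# Hypothetical audit helper for the sshd_config rules above (an added example,
# not part of the STIG or of OpenSSH). The function and sample names are ours.

# Print the value sshd would use for KEY in FILE. sshd honours the FIRST
# occurrence of a directive, keywords are case-insensitive, comments and blank
# lines are ignored, and anything after the first "Match" block applies only to
# matched sessions, so the scan stops there. (The "Key=value" spelling sshd
# also accepts is not handled here.)
sshd_effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Compare the five directives the rules above require against the values the
# Fix texts give. A directive that is absent counts as a finding, because the
# rules ask for the line to be present explicitly rather than relying on the
# compiled-in default. Prints one line per finding; the return value is the
# number of findings (0 = compliant).
check_sshd_stig() {
    file=$1; findings=0
    for pair in HostbasedAuthentication:no PermitRootLogin:no \
                PermitEmptyPasswords:no Banner:/etc/issue PermitUserEnvironment:no
    do
        key=${pair%%:*}; want=${pair#*:}
        have=$(sshd_effective_value "$file" "$key")
        # yes/no values are case-insensitive in sshd; a path (Banner) is not
        case $want in yes|no) have=$(printf '%s' "$have" | tr 'A-Z' 'a-z') ;; esac
        if [ "$have" != "$want" ]; then
            printf '%s: expected "%s", found "%s"\n' "$key" "$want" "${have:-<missing>}"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Demonstration on a constructed sshd_config (not a real host's file).
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample: root login still allowed, two directives missing
Protocol 2
PermitRootLogin yes
permitemptypasswords NO
Banner /etc/issue
Match User backup
    PermitRootLogin no
EOF
check_sshd_stig "$demo" && echo "sshd_config: compliant" || echo "sshd_config: findings above"
rm -f "$demo"
```

Run it as "check_sshd_stig /etc/ssh/sshd_config" on a real host; the "PermitRootLogin no" inside the Match block in the sample is deliberately ignored, because it would only apply to the matched user, which is exactly the kind of line a naive grep would accept.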

a
The avahi service must be disabled.
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
RHEL-06-000246
Vuln IDs
V-218006
Rule IDs
SV-218006r603264_rule
Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted.
Fix: F-19485r377034_fix

The "avahi-daemon" service can be disabled with the following commands:

# chkconfig avahi-daemon off
# service avahi-daemon stop

b
The system clock must be synchronized continuously, or at least daily.
RMF Control
AU-8
Severity
Medium
CCI
CCI-001891
Version
RHEL-06-000247
Vuln IDs
V-218007
Rule IDs
SV-218007r603264_rule
Enabling the "ntpd" service ensures that the "ntpd" service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches.
Fix: F-19486r377037_fix

The "ntpd" service can be enabled with the following commands:

# chkconfig ntpd on
# service ntpd start

b
The system clock must be synchronized to an authoritative DoD time source.
RMF Control
AU-8
Severity
Medium
CCI
CCI-001891
Version
RHEL-06-000248
Vuln IDs
V-218008
Rule IDs
SV-218008r603264_rule
Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events. Using a trusted NTP server provided by your organization is recommended.
Fix: F-19487r377040_fix

To specify a remote NTP server for time synchronization, edit the file "/etc/ntp.conf". Add or correct the following line, substituting the IP or hostname of a remote NTP server for [ntpserver]:

server [ntpserver]

This instructs the NTP software to contact that remote server to obtain time data.

b
Mail relaying must be restricted.
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
RHEL-06-000249
Vuln IDs
V-218009
Rule IDs
SV-218009r603264_rule
This ensures "postfix" accepts mail messages (such as cron job reports) from the local system only, and not from the network, which protects it from network attack.
Fix: F-19488r377043_fix

Edit the file "/etc/postfix/main.cf" to ensure that only the following "inet_interfaces" line appears:

inet_interfaces = localhost

a
The openldap-servers package must not be installed unless required.
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
RHEL-06-000256
Vuln IDs
V-218010
Rule IDs
SV-218010r603264_rule
Unnecessary packages should not be installed to decrease the attack surface of the system.
Fix: F-19489r377046_fix

The "openldap-servers" package should be removed if not in use:

# yum erase openldap-servers

The openldap-servers RPM is not installed by default on RHEL6 machines. It is needed only by the OpenLDAP server, not by the clients which use LDAP for authentication. If the system is not intended for use as an LDAP server, it should be removed.

b
The graphical desktop environment must set the idle timeout to no more than 15 minutes.
RMF Control
AC-11
Severity
Medium
CCI
CCI-000057
Version
RHEL-06-000257
Vuln IDs
V-218011
Rule IDs
SV-218011r603264_rule
Setting the idle delay controls when the screensaver will start, and can be combined with screen locking to prevent access from passersby.
Fix: F-19490r377049_fix

Run the following command to set the idle time-out value for inactivity in the GNOME desktop to 15 minutes:

# gconftool-2 \
--direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type int \
--set /apps/gnome-screensaver/idle_delay 15

b
The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user reauthentication to unlock the environment.
RMF Control
AC-11
Severity
Medium
CCI
CCI-000057
Version
RHEL-06-000258
Vuln IDs
V-218012
Rule IDs
SV-218012r603264_rule
Enabling idle activation of the screen saver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require that the login session not have administrator rights and that the display station be located in a controlled-access area.
Fix: F-19491r377052_fix

Run the following command to activate the screensaver in the GNOME desktop after a period of inactivity:

# gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type bool \
--set /apps/gnome-screensaver/idle_activation_enabled true

b
The graphical desktop environment must have automatic lock enabled.
RMF Control
AC-11
Severity
Medium
CCI
CCI-000057
Version
RHEL-06-000259
Vuln IDs
V-218013
Rule IDs
SV-218013r603264_rule
Enabling the activation of the screen lock after an idle period ensures password entry will be required in order to access the system, preventing access by passersby.
Fix: F-19492r377055_fix

Run the following command to activate locking of the screensaver in the GNOME desktop when it is activated:

# gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type bool \
--set /apps/gnome-screensaver/lock_enabled true

a
The system must display a publicly-viewable pattern during a graphical desktop environment session lock.
RMF Control
AC-11
Severity
Low
CCI
CCI-000060
Version
RHEL-06-000260
Vuln IDs
V-218014
Rule IDs
SV-218014r603264_rule
Setting the screensaver mode to blank-only conceals the contents of the display from passersby.
Fix: F-19493r377058_fix

Run the following command to set the screensaver mode in the GNOME desktop to a blank screen:

# gconftool-2 \
--direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type string \
--set /apps/gnome-screensaver/mode blank-only

a
The Automatic Bug Reporting Tool (abrtd) service must not be running.
RMF Control
CM-7
Severity
Low
CCI
CCI-000382
Version
RHEL-06-000261
Vuln IDs
V-218015
Rule IDs
SV-218015r603264_rule
Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the local machine, as well as sensitive information from within a process's address space or registers.
Fix: F-19494r377061_fix

The Automatic Bug Reporting Tool ("abrtd") daemon collects and reports crash data when an application crash is detected. Using a variety of plugins, abrtd can email crash reports to system administrators, log crash reports to files, or forward crash reports to a centralized issue tracking system such as RHTSupport. The "abrtd" service can be disabled with the following commands:

# chkconfig abrtd off
# service abrtd stop

a
The atd service must be disabled.
RMF Control
CM-7
Severity
Low
CCI
CCI-000382
Version
RHEL-06-000262
Vuln IDs
V-218016
Rule IDs
SV-218016r603264_rule
The "atd" service could be used by an unsophisticated insider to carry out activities outside of a normal login session, which could complicate accountability. Furthermore, the need to schedule tasks with "at" or "batch" is not common.
Fix: F-19495r377064_fix

The "at" and "batch" commands can be used to schedule tasks that are meant to be executed only once. This allows delayed execution in a manner similar to cron, except that it is not recurring. The daemon "atd" keeps track of tasks scheduled via "at" and "batch", and executes them at the specified time. The "atd" service can be disabled with the following commands:

# chkconfig atd off
# service atd stop

a
The ntpdate service must not be running.
RMF Control
CM-7
Severity
Low
CCI
CCI-000382
Version
RHEL-06-000265
Vuln IDs
V-218017
Rule IDs
SV-218017r603264_rule
The "ntpdate" service may only be suitable for systems which are rebooted frequently enough that clock drift does not cause problems between reboots. In any event, the functionality of the ntpdate service is now available in the ntpd program, and the ntpdate service should be considered deprecated.
Fix: F-19496r377067_fix

The ntpdate service sets the local hardware clock by polling NTP servers when the system boots. It synchronizes to the NTP servers listed in "/etc/ntp/step-tickers" or "/etc/ntp.conf" and then sets the local hardware clock to the newly synchronized system time. The "ntpdate" service can be disabled with the following commands:

# chkconfig ntpdate off
# service ntpdate stop

a
The oddjobd service must not be running.
RMF Control
CM-7
Severity
Low
CCI
CCI-000382
Version
RHEL-06-000266
Vuln IDs
V-218018
Rule IDs
SV-218018r603264_rule
The "oddjobd" service may provide necessary functionality in some environments but it can be disabled if it is not needed. Execution of tasks by privileged programs, on behalf of unprivileged ones, has traditionally been a source of privilege escalation security issues.
Fix: F-19497r377070_fix

The "oddjobd" service exists to provide an interface and access control mechanism through which specified privileged tasks can run tasks for unprivileged client applications. Communication with "oddjobd" is through the system message bus. The "oddjobd" service can be disabled with the following commands:

# chkconfig oddjobd off
# service oddjobd stop

a
The qpidd service must not be running.
RMF Control
CM-7
Severity
Low
CCI
CCI-000382
Version
RHEL-06-000267
Vuln IDs
V-218019
Rule IDs
SV-218019r603264_rule
The qpidd service is automatically installed when the "base" package selection is selected during installation. The qpidd service listens for network connections, which increases the attack surface of the system. If the system is not intended to receive AMQP traffic, then the "qpidd" service is not needed and should be disabled or removed.
Fix: F-19498r377073_fix

The "qpidd" service provides high speed, secure, guaranteed delivery services. It is an implementation of the Advanced Message Queuing Protocol. By default the qpidd service will bind to port 5672 and listen for connection attempts. The "qpidd" service can be disabled with the following commands:

# chkconfig qpidd off
# service qpidd stop

a
The rdisc service must not be running.
RMF Control
CM-7
Severity
Low
CCI
CCI-000382
Version
RHEL-06-000268
Vuln IDs
V-218020
Rule IDs
SV-218020r603264_rule
General-purpose systems typically have their network and routing information configured statically by a system administrator. Workstations or some special-purpose systems often use DHCP (instead of IRDP) to retrieve dynamic network configuration information.
Fix: F-19499r377076_fix

The "rdisc" service implements the client side of the ICMP Internet Router Discovery Protocol (IRDP), which allows discovery of routers on the local subnet. If a router is discovered then the local routing table is updated with a corresponding default route. By default this daemon is disabled. The "rdisc" service can be disabled with the following commands:

# chkconfig rdisc off
# service rdisc stop

a
The system must use SMB client signing for connecting to samba servers using smbclient.
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000272
Vuln IDs
V-218024
Rule IDs
SV-218024r603264_rule
Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.
Fix: F-19503r377088_fix

To require samba clients running "smbclient" to use packet signing, add the following to the "[global]" section of the Samba configuration file in "/etc/samba/smb.conf":

client signing = mandatory

Requiring samba clients such as "smbclient" to use packet signing ensures they can only communicate with servers that support packet signing.

b
The system must prohibit the reuse of passwords within five iterations.
RMF Control
IA-5
Severity
Medium
CCI
CCI-000200
Version
RHEL-06-000274
Vuln IDs
V-218026
Rule IDs
SV-218026r603264_rule
Preventing reuse of previous passwords helps ensure that a compromised password is not reused by a user.
Fix: F-19505r462404_fix

Do not allow users to reuse recent passwords. This can be accomplished by using the "remember" option for the "pam_pwhistory" PAM module. In the files "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth", append "remember=5" to the lines that refer to the "pam_pwhistory.so" module, as shown:

password required pam_pwhistory.so [existing_options] remember=5

or

password requisite pam_pwhistory.so [existing_options] remember=5

The DoD requirement is five passwords.

c
The x86 Ctrl-Alt-Delete key sequence must be disabled.
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
RHEL-06-000286
Vuln IDs
V-218036
Rule IDs
SV-218036r603264_rule
A locally logged-in user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, the risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.
Fix: F-19515r377124_fix

By default, the system includes the following line in "/etc/init/control-alt-delete.conf" to reboot the system when the Ctrl-Alt-Delete key sequence is pressed:

exec /sbin/shutdown -r now "Ctrl-Alt-Delete pressed"

To configure the system to log a message instead of rebooting, add the following line to "/etc/init/control-alt-delete.override":

exec /usr/bin/logger -p authpriv.notice "Ctrl-Alt-Delete pressed"

a
The postfix service must be enabled for mail delivery.
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000287
Vuln IDs
V-218037
Rule IDs
SV-218037r603264_rule
Local mail delivery is essential to some system maintenance and notification tasks.
Fix: F-19516r377127_fix

The Postfix mail transfer agent is used for local mail delivery within the system. The default configuration only listens for connections to the default SMTP port (port 25) on the loopback interface (127.0.0.1). It is recommended to leave this service enabled for local mail delivery. The "postfix" service can be enabled with the following commands:

# chkconfig postfix on
# service postfix start

b
The sendmail package must be removed.
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
RHEL-06-000288
Vuln IDs
V-218038
Rule IDs
SV-218038r603264_rule
The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead.
Fix: F-19517r377130_fix

Sendmail is not the default mail transfer agent and is not installed by default. The "sendmail" package can be removed with the following command:

# yum erase sendmail

a
The netconsole service must be disabled unless required.
RMF Control
CM-7
Severity
Low
CCI
CCI-000382
Version
RHEL-06-000289
Vuln IDs
V-218039
Rule IDs
SV-218039r603264_rule
The "netconsole" service is not necessary unless there is a need to debug kernel panics, which is not common.
Fix: F-19518r377133_fix

The "netconsole" service is responsible for loading the netconsole kernel module, which logs kernel printk messages over UDP to a syslog server. This allows debugging of problems where disk logging fails and serial consoles are impractical. The "netconsole" service can be disabled with the following commands:

# chkconfig netconsole off
# service netconsole stop

b
X Windows must not be enabled unless required.
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
RHEL-06-000290
Vuln IDs
V-218040
Rule IDs
SV-218040r603264_rule
Unnecessary services should be disabled to decrease the attack surface of the system.
Fix: F-19519r377136_fix

Setting the system's runlevel to 3 will prevent automatic startup of the X server. To do so, ensure the following line in "/etc/inittab" features a "3" as shown:

id:3:initdefault:

a
The xorg-x11-server-common (X Windows) package must not be installed, unless required.
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
RHEL-06-000291
Vuln IDs
V-218041
Rule IDs
SV-218041r603264_rule
Unnecessary packages should not be installed to decrease the attack surface of the system.
Fix: F-19520r377139_fix

Removing all packages which constitute the X Window System ensures users or malicious software cannot start X. To do so, run the following command:

# yum groupremove "X Window System"

b
The DHCP client must be disabled if not needed.
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
RHEL-06-000292
Vuln IDs
V-218042
Rule IDs
SV-218042r603264_rule
DHCP relies on trusting the local network. If the local network is not trusted, then it should not be used. However, the automatic configuration provided by DHCP is commonly used and the alternative, manual configuration, presents an unacceptable burden in many circumstances.
Fix: F-19521r462410_fix

For each interface [IFACE] on the system (e.g. eth0), edit "/etc/sysconfig/network-scripts/ifcfg-[IFACE]" and make the following changes. Correct the BOOTPROTO line to read:

BOOTPROTO=none

Add or correct the following lines, substituting the appropriate values based on your site's addressing scheme:

NETMASK=[local LAN netmask]
IPADDR=[assigned IP address]
GATEWAY=[local LAN default gateway]

a
The system must require passwords to contain no more than three consecutive repeating characters.
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000299
Vuln IDs
V-218047
Rule IDs
SV-218047r603264_rule
Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.
Fix: F-19526r377157_fix

The pam_cracklib module's "maxrepeat" parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords which contain more than that number of consecutive identical characters. Edit "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth", adding "maxrepeat=3" after pam_cracklib.so to prevent a run of (3 + 1) or more identical characters:

password required pam_cracklib.so maxrepeat=3

a
Process core dumps must be disabled unless needed.
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000308
Vuln IDs
V-218054
Rule IDs
SV-218054r603264_rule
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
Fix: F-19533r377178_fix

To disable core dumps for all users, add the following line to "/etc/security/limits.conf":

* hard core 0

c
The NFS server must not have the insecure file locking option enabled.
RMF Control
IA-2
Severity
High
CCI
CCI-000764
Version
RHEL-06-000309
Vuln IDs
V-218055
Rule IDs
SV-218055r603264_rule
Allowing insecure file locking could allow for sensitive data to be viewed or edited by an unauthorized user.
Fix: F-19534r377181_fix

By default the NFS server requires secure file-lock requests, which require credentials from the client in order to lock a file. Most NFS clients send credentials with file lock requests; however, a few clients do not send credentials when requesting a file lock, which leaves them able to lock only world-readable files. To get around this, the "insecure_locks" option can be used so these clients can access the desired export. This poses a security risk by potentially allowing the client access to data for which it does not have authorization. Remove any instances of the "insecure_locks" option from the file "/etc/exports".

b
The audit system must identify staff members to receive notifications of audit log storage volume capacity issues.
RMF Control
AU-5
Severity
Medium
CCI
CCI-000139
Version
RHEL-06-000313
Vuln IDs
V-218057
Rule IDs
SV-218057r603264_rule
Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.
Fix: F-19536r377187_fix

The "auditd" service can be configured to send email to a designated account in certain situations. Add or correct the following line in "/etc/audit/auditd.conf" to ensure that administrators are notified via email for those situations:

action_mail_acct = root

a
The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.
RMF Control
AC-10
Severity
Low
CCI
CCI-000054
Version
RHEL-06-000319
Vuln IDs
V-218059
Rule IDs
SV-218059r603264_rule
Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions.
Fix: F-19538r377193_fix

Limiting the number of allowed users and sessions per user can limit risks related to denial of service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. To set the number of concurrent sessions per user, add the following line in "/etc/security/limits.conf":

* hard maxlogins 10

A documented site-defined number may be substituted for 10 in the above.

a
The system must provide VPN connectivity for communications over untrusted networks.
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000321
Vuln IDs
V-218061
Rule IDs
SV-218061r603264_rule
Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network.
Fix: F-19540r462413_fix

The "libreswan" package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. The "libreswan" package can be installed with the following command:

# yum install libreswan

b
A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
RMF Control
AC-8
Severity
Medium
CCI
CCI-000050
Version
RHEL-06-000324
Vuln IDs
V-218062
Rule IDs
SV-218062r603264_rule
An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.
Fix: F-19541r377202_fix

To enable displaying a login warning banner in the GNOME Display Manager's login screen, run the following command:

# gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type bool \
--set /apps/gdm/simple-greeter/banner_message_enable true

To display a banner, this setting must be enabled and then banner text must also be set.

b
The Bluetooth service must be disabled.
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
RHEL-06-000331
Vuln IDs
V-218064
Rule IDs
SV-218064r603264_rule
Disabling the "bluetooth" service prevents the system from attempting connections to Bluetooth devices, which entails some security risk. Nevertheless, variation in this risk decision may be expected due to the utility of Bluetooth connectivity and its limited range.
Fix: F-19543r377208_fix

The "bluetooth" service can be disabled with the following commands:

# chkconfig bluetooth off
# service bluetooth stop

a
Accounts must be locked upon 35 days of inactivity.
RMF Control
AC-2
Severity
Low
CCI
CCI-000017
Version
RHEL-06-000334
Vuln IDs
V-218065
Rule IDs
SV-218065r603264_rule
Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.
Fix: F-19544r377211_fix

To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following line in "/etc/default/useradd", substituting "[NUM_DAYS]" appropriately:

INACTIVE=[NUM_DAYS]

A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the "useradd" man page for more information.

Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.

a
The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization defined time period of inactivity.
RMF Control
IA-4
Severity
Low
CCI
CCI-000795
Version
RHEL-06-000335
Vuln IDs
V-218066
Rule IDs
SV-218066r603264_rule
Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.
Fix: F-19545r377214_fix

To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following line in "/etc/default/useradd", substituting "[NUM_DAYS]" appropriately:

INACTIVE=[NUM_DAYS]

A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the "useradd" man page for more information.

Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.

c
The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system.
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
RHEL-06-000338
Vuln IDs
V-218069
Rule IDs
SV-218069r603264_rule
Using the "-s" option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally specified directory reduces the risk of sharing files which should remain private.
Fix: F-19548r377223_fix

If running the "tftp" service is necessary, it should be configured to change its root directory at startup. To do so, ensure "/etc/xinetd.d/tftp" includes "-s" as a command line argument, as shown in the following example (which is also the default):

server_args = -s /var/lib/tftpboot

a
The system default umask for the bash shell must be 077.
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000342
Vuln IDs
V-218073
Rule IDs
SV-218073r603264_rule
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.
Fix: F-19552r377235_fix

To ensure the default umask for users of the Bash shell is set properly, add or correct the "umask" setting in "/etc/bashrc" to read as follows:

umask 077

a
The system default umask for the csh shell must be 077.
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000343
Vuln IDs
V-218074
Rule IDs
SV-218074r603264_rule
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.
Fix: F-19553r377238_fix

To ensure the default umask for users of the C shell is set properly, add or correct the "umask" setting in "/etc/csh.cshrc" to read as follows:

umask 077

a
The system default umask in /etc/profile must be 077.
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000344
Vuln IDs
V-218075
Rule IDs
SV-218075r603264_rule
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.
Fix: F-19554r377241_fix

To ensure the default umask controlled by "/etc/profile" is set properly, add or correct the "umask" setting in "/etc/profile" to read as follows:

umask 077

a
The system default umask in /etc/login.defs must be 077.
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000345
Vuln IDs
V-218076
Rule IDs
SV-218076r603264_rule
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.
Fix: F-19555r377244_fix

To ensure the default umask controlled by "/etc/login.defs" is set properly, add or correct the "umask" setting in "/etc/login.defs" to read as follows:

UMASK 077

a
The system default umask for daemons must be 027 or 022.
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000346
Vuln IDs
V-218077
Rule IDs
SV-218077r603264_rule
The umask influences the permissions assigned to files created by a process at run time. An unnecessarily permissive umask could result in files being created with insecure permissions.
Fix: F-19556r377247_fix

The file "/etc/init.d/functions" includes initialization parameters for most or all daemons started at boot time. The default umask of 022 prevents creation of group- or world-writable files. To set the default umask for daemons, edit the following line, inserting 022 or 027 for [UMASK] appropriately:

umask [UMASK]

Setting the umask to too restrictive a setting can cause serious errors at runtime. Many daemons on the system already individually restrict themselves to a umask of 077 in their own init scripts.

b
The system must require administrator action to unlock an account locked by excessive failed login attempts.
RMF Control
AC-7
Severity
Medium
CCI
CCI-000047
Version
RHEL-06-000356
Vuln IDs
V-218081
Rule IDs
SV-218081r603264_rule
Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations.
Fix: F-36301r602613_fix

To configure the system to lock out accounts after a number of incorrect logon attempts and require an administrator to unlock the account using "pam_faillock.so", modify the content of both "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" as follows.

Add the following line immediately before the "pam_unix.so" statement in the "AUTH" section:

auth required pam_faillock.so preauth silent deny=3 unlock_time=900 fail_interval=900

Add the following line immediately after the "pam_unix.so" statement in the "AUTH" section:

auth [default=die] pam_faillock.so authfail deny=3 unlock_time=900 fail_interval=900

Add the following line immediately before the "pam_unix.so" statement in the "ACCOUNT" section:

account required pam_faillock.so

Note that any updates made to "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" may be overwritten by the "authconfig" program. The "authconfig" program should not be used.

b
The system must disable accounts after excessive login failures within a 15-minute interval.
RMF Control
AC-7
Severity
Medium
CCI
CCI-002238
Version
RHEL-06-000357
Vuln IDs
V-218082
Rule IDs
SV-218082r603264_rule
Locking out user accounts after a number of incorrect attempts within a specific period of time prevents direct password guessing attacks.
Fix: F-36299r602607_fix

Utilizing "pam_faillock.so", the "fail_interval" directive configures the system to lock out accounts after a number of incorrect logon attempts within the configured interval. Modify the content of both "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" as follows:

Add the following line immediately before the "pam_unix.so" statement in the "AUTH" section:

auth required pam_faillock.so preauth silent deny=3 unlock_time=900 fail_interval=900

Add the following line immediately after the "pam_unix.so" statement in the "AUTH" section:

auth [default=die] pam_faillock.so authfail deny=3 unlock_time=900 fail_interval=900

Add the following line immediately before the "pam_unix.so" statement in the "ACCOUNT" section:

account required pam_faillock.so

Note that any updates made to "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" may be overwritten by the "authconfig" program. The "authconfig" program should not be used.
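The following POSIX shell check is an added example, not part of the STIG or of DISA's own tooling, covering the fixes for RHEL-06-000356 and RHEL-06-000357 above: it verifies that a system-auth or password-auth style file carries the three pam_faillock.so lines in the required positions relative to pam_unix.so, with deny=3 unlock_time=900 fail_interval=900 on both auth lines. The two sample stacks are constructed and stand in for the real files under /etc/pam.d.

```shell
# Added check, not part of the STIG: confirm a PAM stack file carries the
# three pam_faillock.so lines in the positions the fix requires, with
# deny=3 unlock_time=900 fail_interval=900 on both auth lines. Returns 1
# and prints each shortfall when it does not.
check_faillock() {
    f="$1"; rc=0
    # Line numbers of the relevant statements in the "auth" stack ...
    pre=$(awk '$1=="auth" && /pam_faillock.so/ && /preauth/ {print NR; exit}' "$f")
    fail=$(awk '$1=="auth" && /pam_faillock.so/ && /authfail/ {print NR; exit}' "$f")
    unix_auth=$(awk '$1=="auth" && /pam_unix.so/ {print NR; exit}' "$f")
    # ... and in the "account" stack.
    acct=$(awk '$1=="account" && /pam_faillock.so/ {print NR; exit}' "$f")
    unix_acct=$(awk '$1=="account" && /pam_unix.so/ {print NR; exit}' "$f")

    [ -n "$pre" ] && [ -n "$unix_auth" ] && [ "$pre" -lt "$unix_auth" ] \
        || { echo "$f: preauth line missing or not before pam_unix.so (auth)"; rc=1; }
    [ -n "$fail" ] && [ -n "$unix_auth" ] && [ "$fail" -gt "$unix_auth" ] \
        || { echo "$f: authfail line missing or not after pam_unix.so (auth)"; rc=1; }
    [ -n "$acct" ] && [ -n "$unix_acct" ] && [ "$acct" -lt "$unix_acct" ] \
        || { echo "$f: account line missing or not before pam_unix.so (account)"; rc=1; }
    # Each option must appear on both auth faillock lines (preauth and authfail).
    for opt in deny=3 unlock_time=900 fail_interval=900; do
        n=$(awk -v o="$opt" '$1=="auth" && /pam_faillock.so/ {for(i=1;i<=NF;i++) if($i==o) c++} END{print c+0}' "$f")
        [ "$n" -eq 2 ] || { echo "$f: $opt not on both auth pam_faillock.so lines"; rc=1; }
    done
    return $rc
}

# Constructed sample stacks for a stand-alone run (not real system files).
GOOD=$(mktemp); BAD=$(mktemp)
cat >"$GOOD" <<'EOF'
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=3 unlock_time=900 fail_interval=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=900 fail_interval=900
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
EOF
cat >"$BAD" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail deny=5 unlock_time=900 fail_interval=900
account     required      pam_unix.so
EOF
check_faillock "$GOOD" && echo "$GOOD: compliant"
check_faillock "$BAD" || echo "$BAD: NOT compliant"
rm -f "$GOOD" "$BAD"
```

Run it against both /etc/pam.d/system-auth and /etc/pam.d/password-auth, since the fix requires the lines in each file.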

b
The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000372
Vuln IDs
V-218083
Rule IDs
SV-218083r603264_rule
Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.
Fix: F-19562r377265_fix

To configure the system to notify users of last logon/access using "pam_lastlog", add the following line immediately after "session required pam_limits.so":

session required pam_lastlog.so showfailed

b
Audit log files must have mode 0640 or less permissive.
RMF Control
AU-9
Severity
Medium
CCI
CCI-000163
Version
RHEL-06-000383
Vuln IDs
V-218084
Rule IDs
SV-218084r603264_rule
If users can write to audit logs, audit trails can be modified or destroyed.
Fix: F-19563r377268_fix

Change the mode of the audit log files with the following command:

# chmod 0640 [audit_file]

b
Audit log files must be owned by root.
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
RHEL-06-000384
Vuln IDs
V-218085
Rule IDs
SV-218085r603264_rule
If non-privileged users can write to audit logs, audit trails can be modified or destroyed.
Fix: F-19564r377271_fix

Change the owner of the audit log files with the following command:

# chown root [audit_file]
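The following shell check is an added example, not part of the STIG, for the two audit-log rules above (RHEL-06-000383 and RHEL-06-000384). It treats "0640 or less permissive" as a bitmask test rather than a string comparison, so 0600 passes while 0644, 0660 or 0740 fail, and it reports files not owned by the expected user. It assumes a stat that accepts -c (GNU coreutils, as on RHEL); the sample directory is constructed in place of /var/log/audit.

```shell
# Added check, not part of the STIG: list audit log files whose mode is more
# permissive than 0640 or whose owner is not the expected user. "0640 or less
# permissive" means no permission bit outside 0640, so 0600 passes while
# 0644, 0660 and 0740 fail. Assumes GNU/busybox stat (-c), as on RHEL.
mode_within() {   # mode_within FILE MAX -> 0 if FILE's bits are a subset of MAX (octal)
    actual=$(printf '%d' "0$(stat -c '%a' "$1")")   # "640" -> 0640 -> 416
    max=$(printf '%d' "0$2")
    [ $(( actual & ~max )) -eq 0 ]
}
audit_log_check() {   # audit_log_check DIR OWNER -> prints findings, returns 1 if any
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        mode_within "$f" 640 \
            || { echo "MODE  $(stat -c '%a' "$f") $f"; rc=1; }
        [ "$(stat -c '%U' "$f")" = "$2" ] \
            || { echo "OWNER $(stat -c '%U' "$f") $f"; rc=1; }
    done
    return $rc
}
# Constructed sample directory (not /var/log/audit) for a stand-alone run.
D=$(mktemp -d)
for m in 600 640 644 660; do touch "$D/audit.log.$m"; chmod "$m" "$D/audit.log.$m"; done
audit_log_check "$D" root || echo "findings listed above; fix with chmod 0640 / chown root"
rm -rf "$D"
```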

b
The operating system must enforce requirements for the connection of mobile devices to operating systems.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000503
Vuln IDs
V-218087
Rule IDs
SV-218087r603264_rule
USB storage devices such as thumb drives can be used to introduce unauthorized software and other vulnerabilities. Support for these devices should be disabled and the devices themselves should be tightly controlled.
Fix: F-19566r462419_fix

To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the "usb-storage" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d":

install usb-storage /bin/true

This will prevent the "modprobe" program from loading the "usb-storage" module, but will not prevent an administrator (or another program) from using the "insmod" program to load the module manually.

a
Auditing must be enabled at boot by setting a kernel parameter.
RMF Control
AU-12
Severity
Low
CCI
CCI-000169
Version
RHEL-06-000525
Vuln IDs
V-218103
Rule IDs
SV-218103r603264_rule
Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although "auditd" takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.
Fix: F-19582r462422_fix

To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument "audit=1" to the kernel line in "/boot/grub/grub.conf" or "/boot/efi/EFI/redhat/grub.conf", in the manner below:

kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1

UEFI systems may prepend "/boot" to the "/vmlinuz-version" argument.

a
Automated file system mounting tools must not be enabled unless needed.
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000526
Vuln IDs
V-218104
Rule IDs
SV-218104r603264_rule
All filesystems that are required for the successful operation of the system should be explicitly listed in "/etc/fstab" by an administrator. New filesystems should not be arbitrarily introduced via the automounter. The "autofs" daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as "/misc/cd". However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it is almost always possible to configure filesystem mounts statically by editing "/etc/fstab" rather than relying on the automounter.
Fix: F-19583r377328_fix

If the "autofs" service is not needed to dynamically mount NFS filesystems or removable media, disable the service for all runlevels:

# chkconfig --level 0123456 autofs off

Stop the service if it is already running:

# service autofs stop

a
The Red Hat Enterprise Linux operating system must mount /dev/shm with the nodev option.
RMF Control
CM-7
Severity
Low
CCI
CCI-001764
Version
RHEL-06-000530
Vuln IDs
V-218108
Rule IDs
SV-218108r603264_rule
The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
Fix: F-19587r377340_fix

Configure the "/etc/fstab" to use the "nodev" option for all lines containing "/dev/shm".

a
The Red Hat Enterprise Linux operating system must mount /dev/shm with the nosuid option.
RMF Control
CM-7
Severity
Low
CCI
CCI-001764
Version
RHEL-06-000531
Vuln IDs
V-218109
Rule IDs
SV-218109r603264_rule
The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setgid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
Fix: F-19588r377343_fix

Configure the "/etc/fstab" to use the "nosuid" option for all lines containing "/dev/shm".

a
The Red Hat Enterprise Linux operating system must mount /dev/shm with the noexec option.
RMF Control
CM-7
Severity
Low
CCI
CCI-001764
Version
RHEL-06-000532
Vuln IDs
V-218110
Rule IDs
SV-218110r603264_rule
The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
Fix: F-19589r377346_fix

Configure the "/etc/fstab" to use the "noexec" option for all lines containing "/dev/shm".
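The following shell check is an added example, not part of the STIG, for the three /dev/shm rules above (RHEL-06-000530 through RHEL-06-000532): it parses an fstab file field by field and reports any /dev/shm entry missing nodev, nosuid or noexec, as well as the absence of any /dev/shm entry. The sample fstab is constructed and stands in for the real /etc/fstab.

```shell
# Added check, not part of the STIG: parse an fstab and confirm that every
# /dev/shm entry carries nodev, nosuid and noexec. Returns 0 when it does.
shm_opts_ok() {   # shm_opts_ok FSTAB_FILE
    rc=0; found=0
    # fstab fields: device mountpoint fstype options dump pass; skip comments
    while read -r dev mnt fstype opts dump pass; do
        case "$dev" in ''|\#*) continue ;; esac
        [ "$mnt" = "/dev/shm" ] || continue
        found=1
        # Options are comma-separated; wrap in commas so "nodev" is matched whole.
        for want in nodev nosuid noexec; do
            case ",$opts," in
                *",$want,"*) ;;
                *) echo "/dev/shm entry ($fstype) lacks $want: $opts"; rc=1 ;;
            esac
        done
    done < "$1"
    [ "$found" -eq 1 ] || { echo "no /dev/shm entry in $1"; rc=1; }
    return $rc
}
# Constructed sample fstab (not the real /etc/fstab) for a stand-alone run.
F=$(mktemp)
cat >"$F" <<'EOF'
# sample fstab
/dev/mapper/VolGroup-lv_root /         ext4    defaults        1 1
tmpfs                        /dev/shm  tmpfs   defaults        0 0
EOF
shm_opts_ok "$F" || echo "remediate: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0"
rm -f "$F"
```

After editing /etc/fstab, the new options take effect on the next mount; a remount of /dev/shm applies them without a reboot.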