
Red Hat Enterprise Linux 6 Security Technical Implementation Guide

V1R21 · Published 26 Oct 2018 · 177 rules

The Red Hat Enterprise Linux 6 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.
Automated file system mounting tools must not be enabled unless needed.
RMF Control: CM-6 · Severity: L · CCI: CCI-000366 · Version: RHEL-06-000526 · Vuln IDs: V-38437 · Rule IDs: SV-50237r1_rule
All filesystems that are required for the successful operation of the system should be explicitly listed in "/etc/fstab" by an administrator. New filesystems should not be arbitrarily introduced via the automounter. The "autofs" daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as "/misc/cd". However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it is almost always possible to configure filesystem mounts statically by editing "/etc/fstab" rather than relying on the automounter.
Fix: F-43381r1_fix

If the "autofs" service is not needed to dynamically mount NFS filesystems or removable media, disable the service for all runlevels:

# chkconfig --level 0123456 autofs off

Stop the service if it is already running:

# service autofs stop

Auditing must be enabled at boot by setting a kernel parameter.
RMF Control: AU-12 · Severity: L · CCI: CCI-000169 · Version: RHEL-06-000525 · Vuln IDs: V-38438 · Rule IDs: SV-50238r4_rule
Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although "auditd" takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.
Fix: F-43382r4_fix

To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument "audit=1" to the kernel line in "/boot/grub/grub.conf" or "/boot/efi/EFI/redhat/grub.conf", in the manner below:

kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1

UEFI systems may prepend "/boot" to the "/vmlinuz-version" argument.

The /etc/gshadow file must be owned by root.
RMF Control: CM-6 · Severity: M · CCI: CCI-000366 · Version: RHEL-06-000036 · Vuln IDs: V-38443 · Rule IDs: SV-50243r1_rule
The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.
Fix: F-43388r1_fix

To properly set the owner of "/etc/gshadow", run the command: # chown root /etc/gshadow

The /etc/gshadow file must be group-owned by root.
RMF Control: CM-6 · Severity: M · CCI: CCI-000366 · Version: RHEL-06-000037 · Vuln IDs: V-38448 · Rule IDs: SV-50248r1_rule
The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.
Fix: F-43393r1_fix

To properly set the group owner of "/etc/gshadow", run the command: # chgrp root /etc/gshadow

The /etc/gshadow file must have mode 0000.
RMF Control: CM-6 · Severity: M · CCI: CCI-000366 · Version: RHEL-06-000038 · Vuln IDs: V-38449 · Rule IDs: SV-50249r1_rule
The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.
Fix: F-43394r1_fix

To properly set the permissions of "/etc/gshadow", run the command: # chmod 0000 /etc/gshadow

The /etc/passwd file must be owned by root.
RMF Control: CM-6 · Severity: M · CCI: CCI-000366 · Version: RHEL-06-000039 · Vuln IDs: V-38450 · Rule IDs: SV-50250r1_rule
The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security.
Fix: F-43395r1_fix

To properly set the owner of "/etc/passwd", run the command: # chown root /etc/passwd

The /etc/passwd file must be group-owned by root.
RMF Control: CM-6 · Severity: M · CCI: CCI-000366 · Version: RHEL-06-000040 · Vuln IDs: V-38451 · Rule IDs: SV-50251r1_rule
The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security.
Fix: F-43396r1_fix

To properly set the group owner of "/etc/passwd", run the command: # chgrp root /etc/passwd

The system must use a separate file system for /tmp.
RMF Control: CM-6 · Severity: L · CCI: CCI-000366 · Version: RHEL-06-000001 · Vuln IDs: V-38455 · Rule IDs: SV-50255r1_rule
The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.
Fix: F-43387r1_fix

The "/tmp" directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.

The system must use a separate file system for /var.
RMF Control: CM-6 · Severity: L · CCI: CCI-000366 · Version: RHEL-06-000002 · Vuln IDs: V-38456 · Rule IDs: SV-50256r1_rule
Ensuring that "/var" is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the "/var" directory to contain world-writable directories, installed by other software packages.
Fix: F-43401r2_fix

The "/var" directory is used by daemons and other system services to store frequently-changing data. Ensure that "/var" has its own partition or logical volume at installation time, or migrate it using LVM.

The /etc/passwd file must have mode 0644 or less permissive.
RMF Control: CM-6 · Severity: M · CCI: CCI-000366 · Version: RHEL-06-000041 · Vuln IDs: V-38457 · Rule IDs: SV-50257r1_rule
If the "/etc/passwd" file is writable by a group-owner or the world, the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.
Fix: F-43397r1_fix

To properly set the permissions of "/etc/passwd", run the command: # chmod 0644 /etc/passwd

The /etc/group file must be owned by root.
RMF Control: CM-6 · Severity: M · CCI: CCI-000366 · Version: RHEL-06-000042 · Vuln IDs: V-38458 · Rule IDs: SV-50258r1_rule
The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
Fix: F-43403r1_fix

To properly set the owner of "/etc/group", run the command: # chown root /etc/group

The /etc/group file must be group-owned by root.
RMF Control: CM-6 · Severity: M · CCI: CCI-000366 · Version: RHEL-06-000043 · Vuln IDs: V-38459 · Rule IDs: SV-50259r1_rule
The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
Fix: F-43404r1_fix

To properly set the group owner of "/etc/group", run the command: # chgrp root /etc/group

The /etc/group file must have mode 0644 or less permissive.
RMF Control: CM-6 · Severity: M · CCI: CCI-000366 · Version: RHEL-06-000044 · Vuln IDs: V-38461 · Rule IDs: SV-50261r1_rule
The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
Fix: F-43406r1_fix

To properly set the permissions of "/etc/group", run the command: # chmod 644 /etc/group

The system must use a separate file system for /var/log.
RMF Control: CM-6 · Severity: L · CCI: CCI-000366 · Version: RHEL-06-000003 · Vuln IDs: V-38463 · Rule IDs: SV-50263r1_rule
Placing "/var/log" in its own partition enables better separation between log files and other files in "/var/".
Fix: F-43408r1_fix

System logs are stored in the "/var/log" directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM.

The system must use a separate file system for the system audit data path.
RMF Control: AU-4 · Severity: L · CCI: CCI-000137 · Version: RHEL-06-000004 · Vuln IDs: V-38467 · Rule IDs: SV-50267r1_rule
Placing "/var/log/audit" in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.
Fix: F-43412r1_fix

Audit logs are stored in the "/var/log/audit" directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.

All system command files must have mode 755 or less permissive.
RMF Control: CM-5 · Severity: M · CCI: CCI-001499 · Version: RHEL-06-000047 · Vuln IDs: V-38469 · Rule IDs: SV-50269r3_rule
System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.
Fix: F-43414r1_fix

System executables are stored in the following directories by default:

/bin
/usr/bin
/usr/local/bin
/sbin
/usr/sbin
/usr/local/sbin

If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command:

# chmod go-w [FILE]

The audit system must alert designated staff members when the audit storage volume approaches capacity.
RMF Control: AU-4 · Severity: M · CCI: CCI-000138 · Version: RHEL-06-000005 · Vuln IDs: V-38470 · Rule IDs: SV-50270r2_rule
Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.
Fix: F-43415r2_fix

The "auditd" service can be configured to take an action when disk space starts to run low. Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [ACTION] appropriately:

space_left_action = [ACTION]

Possible values for [ACTION] are described in the "auditd.conf" man page. These include:

"ignore"
"syslog"
"email"
"exec"
"suspend"
"single"
"halt"

Set this to "email" (instead of the default, which is "suspend") as it is more likely to get prompt attention. The "syslog" option is acceptable, provided the local log management infrastructure notifies an appropriate administrator in a timely manner. RHEL-06-000521 ensures that the email generated through the operation "space_left_action" will be sent to an administrator.

All system command files must be owned by root.
RMF Control: CM-5 · Severity: M · CCI: CCI-001499 · Version: RHEL-06-000048 · Vuln IDs: V-38472 · Rule IDs: SV-50272r1_rule
System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that execution of these programs cannot be co-opted.
Fix: F-43417r1_fix

System executables are stored in the following directories by default:

/bin
/usr/bin
/usr/local/bin
/sbin
/usr/sbin
/usr/local/sbin

If any file [FILE] in these directories is found to be owned by a user other than root, correct its ownership with the following command:

# chown root [FILE]

The system must use a separate file system for user home directories.
RMF Control: CM-6 · Severity: L · CCI: CCI-000366 · Version: RHEL-06-000007 · Vuln IDs: V-38473 · Rule IDs: SV-50273r1_rule
Ensuring that "/home" is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.
Fix: F-43418r1_fix

If user home directories will be stored locally, create a separate partition for "/home" at installation time (or migrate it later using LVM). If "/home" will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.

The system must require passwords to contain a minimum of 15 characters.
RMF Control: IA-5 · Severity: M · CCI: CCI-000205 · Version: RHEL-06-000050 · Vuln IDs: V-38475 · Rule IDs: SV-50275r3_rule
Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result. While it does not negate the password length requirement, it is preferable to migrate from a password-based authentication scheme to a stronger one based on PKI (public key infrastructure).
Fix: F-43419r3_fix

To specify password length requirements for new accounts, edit the file "/etc/login.defs" and add or correct the following line:

PASS_MIN_LEN 15

The DoD requirement is "15". If a program consults "/etc/login.defs" and also another PAM module (such as "pam_cracklib") during a password change operation, then the most restrictive must be satisfied.

Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
RMF Control: CM-5 · Severity: H · CCI: CCI-000352 · Version: RHEL-06-000008 · Vuln IDs: V-38476 · Rule IDs: SV-50276r3_rule
The Red Hat GPG keys are necessary to cryptographically verify packages are from Red Hat.
Fix: F-43421r3_fix

To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG keys must be installed properly. To install the Red Hat GPG keys, run:

# rhn_register

If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG keys from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in "/media/cdrom", use the following command as the root user to import them into the keyring:

# rpm --import /media/cdrom/RPM-GPG-KEY

Users must not be able to change passwords more than once every 24 hours.
RMF Control: IA-5 · Severity: M · CCI: CCI-000198 · Version: RHEL-06-000051 · Vuln IDs: V-38477 · Rule IDs: SV-50277r1_rule
Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.
Fix: F-43422r1_fix

To specify password minimum age for new accounts, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately:

PASS_MIN_DAYS [DAYS]

A value of 1 day is considered sufficient for many environments. The DoD requirement is 1.

User passwords must be changed at least every 60 days.
RMF Control: IA-5 · Severity: M · CCI: CCI-000199 · Version: RHEL-06-000053 · Vuln IDs: V-38479 · Rule IDs: SV-50279r1_rule
Setting the password maximum age ensures users are required to periodically change their passwords. This could possibly decrease the utility of a stolen password. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.
Fix: F-43424r1_fix

To specify password maximum age for new accounts, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately:

PASS_MAX_DAYS [DAYS]

The DoD requirement is 60.

Users must be warned 7 days in advance of password expiration.
RMF Control: CM-6 · Severity: L · CCI: CCI-000366 · Version: RHEL-06-000054 · Vuln IDs: V-38480 · Rule IDs: SV-50280r1_rule
Setting the password warning age enables users to make the change at a practical time.
Fix: F-43425r1_fix

To specify how many days prior to password expiration that a warning will be issued to users, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately:

PASS_WARN_AGE [DAYS]

The DoD requirement is 7.
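The four "/etc/login.defs" directives from the password rules above (PASS_MIN_LEN, PASS_MIN_DAYS, PASS_MAX_DAYS, PASS_WARN_AGE) can be checked together. The script below is an added example written for this page, not part of the STIG or its SCAP content; it assumes the shadow-utils "KEY value" file syntax with "#" comments, and that a later line for the same key overrides an earlier one, which is how login.defs is read.

```shell
#!/bin/sh
# Added example, not part of the STIG: check the password length and aging
# values in a login.defs-format file against the DoD values quoted above
# (PASS_MIN_LEN 15, PASS_MIN_DAYS 1, PASS_MAX_DAYS 60, PASS_WARN_AGE 7).
# Assumption: shadow-utils "KEY value" syntax, '#' comments, last line wins.

# login_defs_value FILE KEY: print the effective value of KEY, or nothing
# when it is not set (commented-out lines do not count).
login_defs_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                 # skip comments
        $1 == key  { val = $2; found = 1 }  # later lines override earlier ones
        END        { if (found) print val }
    ' "$1"
}

# check_login_defs FILE: report each directive that is missing, non-numeric
# or weaker than the STIG value. Returns 0 when all four comply, 1 otherwise.
check_login_defs() {
    f=$1 rc=0
    # "KEY OP LIMIT": ge = value must be >= LIMIT, le = value must be <= LIMIT
    for spec in "PASS_MIN_LEN ge 15" "PASS_MIN_DAYS ge 1" \
                "PASS_MAX_DAYS le 60" "PASS_WARN_AGE ge 7"; do
        set -- $spec
        key=$1 op=$2 limit=$3
        val=$(login_defs_value "$f" "$key")
        case $val in
            ''|*[!0-9]*)
                echo "MISSING $key (DoD requirement: $key $limit)"; rc=1; continue ;;
        esac
        if [ "$op" = ge ] && [ "$val" -lt "$limit" ]; then
            echo "WEAK    $key $val (must be at least $limit)"; rc=1
        elif [ "$op" = le ] && [ "$val" -gt "$limit" ]; then
            echo "WEAK    $key $val (must be at most $limit)"; rc=1
        fi
    done
    return $rc
}

# Check the live file only when invoked as: sh this_script.sh audit
if [ "${1:-}" = "audit" ]; then
    check_login_defs /etc/login.defs && echo "login.defs complies"
fi
```

A missing PASS_MAX_DAYS is reported as a finding because shadow-utils then falls back to 99999, which is far weaker than the 60-day requirement; an absent or commented-out PASS_MIN_LEN likewise counts as missing rather than as compliant.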

The system must require passwords to contain at least one numeric character.
RMF Control: IA-5 · Severity: L · CCI: CCI-000194 · Version: RHEL-06-000056 · Vuln IDs: V-38482 · Rule IDs: SV-50282r2_rule
Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.
Fix: F-43427r2_fix

The pam_cracklib module's "dcredit" parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional length credit for each digit. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "dcredit=-1" after pam_cracklib.so to require use of a digit in passwords.

The system package management tool must cryptographically verify the authenticity of system software packages during installation.
RMF Control: SA-7 · Severity: M · CCI: CCI-000663 · Version: RHEL-06-000013 · Vuln IDs: V-38483 · Rule IDs: SV-50283r1_rule
Ensuring the validity of packages' cryptographic signatures prior to installation ensures the provenance of the software and protects against malicious tampering.
Fix: F-43429r1_fix

The "gpgcheck" option should be used to ensure checking of an RPM package's signature always occurs prior to its installation. To configure yum to check package signatures before installing them, ensure the following line appears in "/etc/yum.conf" in the "[main]" section: gpgcheck=1

The system package management tool must cryptographically verify the authenticity of all software packages during installation.
RMF Control: SA-7 · Severity: L · CCI: CCI-000663 · Version: RHEL-06-000015 · Vuln IDs: V-38487 · Rule IDs: SV-50288r1_rule
Ensuring all packages' cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering.
Fix: F-43433r1_fix

To ensure signature checking is not disabled for any repos, remove any lines from files in "/etc/yum.repos.d" of the form: gpgcheck=0

A file integrity tool must be installed.
RMF Control: RA-5 · Severity: M · CCI: CCI-001069 · Version: RHEL-06-000016 · Vuln IDs: V-38489 · Rule IDs: SV-50290r1_rule
The AIDE package must be installed if it is to be available for integrity checking.
Fix: F-43436r1_fix

Install the AIDE package with the command: # yum install aide

The operating system must enforce requirements for the connection of mobile devices to operating systems.
RMF Control: AC-19 · Severity: M · CCI: CCI-000086 · Version: RHEL-06-000503 · Vuln IDs: V-38490 · Rule IDs: SV-50291r6_rule
USB storage devices such as thumb drives can be used to introduce unauthorized software and other vulnerabilities. Support for these devices should be disabled and the devices themselves should be tightly controlled.
Fix: F-43437r3_fix

To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the "usb-storage" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d":

install usb-storage /bin/true

This will prevent the "modprobe" program from loading the "usb-storage" module, but will not prevent an administrator (or another program) from using the "insmod" program to load the module manually.

There must be no .rhosts or hosts.equiv files on the system.
RMF Control: AC-17 · Severity: H · CCI: CCI-001436 · Version: RHEL-06-000019 · Vuln IDs: V-38491 · Rule IDs: SV-50292r1_rule
Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system.
Fix: F-43438r1_fix

The files "/etc/hosts.equiv" and "~/.rhosts" (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To remove these files, run the following commands to delete them from any location:

# rm /etc/hosts.equiv
$ rm ~/.rhosts

The system must prevent the root account from logging in from virtual consoles.
RMF Control: IA-2 · Severity: M · CCI: CCI-000770 · Version: RHEL-06-000027 · Vuln IDs: V-38492 · Rule IDs: SV-50293r1_rule
Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account.
Fix: F-43439r2_fix

To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in "/etc/securetty":

vc/1
vc/2
vc/3
vc/4

Note: Virtual console entries are not limited to those listed above. Any lines starting with "vc/" followed by numerals should be removed.

The system must prevent the root account from logging in from serial consoles.
RMF Control: IA-2 · Severity: L · CCI: CCI-000770 · Version: RHEL-06-000028 · Vuln IDs: V-38494 · Rule IDs: SV-50295r1_rule
Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account.
Fix: F-43441r1_fix

To restrict root logins on serial ports, ensure lines of this form do not appear in "/etc/securetty":

ttyS0
ttyS1

Note: Serial port entries are not limited to those listed above. Any lines starting with "ttyS" followed by numerals should be removed.

Audit log files must be owned by root.
RMF Control: AU-9 · Severity: M · CCI: CCI-000162 · Version: RHEL-06-000384 · Vuln IDs: V-38495 · Rule IDs: SV-50296r1_rule
If non-privileged users can write to audit logs, audit trails can be modified or destroyed.
Fix: F-43443r1_fix

Change the owner of the audit log files with the following command: # chown root [audit_file]

The system must not have accounts configured with blank or null passwords.
RMF Control: CM-6 · Severity: H · CCI: CCI-000366 · Version: RHEL-06-000030 · Vuln IDs: V-38497 · Rule IDs: SV-50298r3_rule
If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
Fix: F-43444r5_fix

If an account is configured for password authentication but does not have an assigned password, it may be possible to log onto the account without authentication. Remove any instances of the "nullok" option in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" to prevent logons with empty passwords.

Audit log files must have mode 0640 or less permissive.
RMF Control: AU-9 · Severity: M · CCI: CCI-000163 · Version: RHEL-06-000383 · Vuln IDs: V-38498 · Rule IDs: SV-50299r1_rule
If users can write to audit logs, audit trails can be modified or destroyed.
Fix: F-43445r1_fix

Change the mode of the audit log files with the following command: # chmod 0640 [audit_file]

The /etc/passwd file must not contain password hashes.
RMF Control: CM-6 · Severity: M · CCI: CCI-000366 · Version: RHEL-06-000031 · Vuln IDs: V-38499 · Rule IDs: SV-50300r1_rule
The hashes for all user account passwords should be stored in the file "/etc/shadow" and never in "/etc/passwd", which is readable by all users.
Fix: F-43446r1_fix

If any password hashes are stored in "/etc/passwd" (in the second field, instead of an "x"), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely.

The root account must be the only account having a UID of 0.
RMF Control: CM-6 · Severity: M · CCI: CCI-000366 · Version: RHEL-06-000032 · Vuln IDs: V-38500 · Rule IDs: SV-50301r2_rule
An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.
Fix: F-43447r1_fix

If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.
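Both of the preceding rules, no password hashes in "/etc/passwd" and no UID-0 account other than root, are conditions on the same seven-field file, so one scan covers them. The script below is an added example written for this page, not part of the STIG or its SCAP content; it assumes the standard colon-separated /etc/passwd layout and reports a finding for every account whose second field is not "x" (an empty field, which allows a login with no password, is reported the same way) and for every UID-0 account not named root.

```shell
#!/bin/sh
# Added example, not part of the STIG: scan a passwd-format file for the two
# conditions above. Assumption: standard seven-field colon-separated layout.

# passwd_findings FILE: print one line per finding,
#   "PWFIELD user"  second field is not "x" (a hash, or nothing, is stored in
#                   the world-readable file instead of in /etc/shadow)
#   "UID0 user"     an account other than root has UID 0
# Prints nothing and returns 0 when the file is clean, returns 1 otherwise.
passwd_findings() {
    awk -F: '
        NF < 7 || /^[ \t]*$/ { next }             # skip blank or malformed lines
        $2 != "x"               { print "PWFIELD " $1; bad = 1 }
        $3 == 0 && $1 != "root" { print "UID0 " $1;    bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Check the live file only when invoked as: sh this_script.sh audit
if [ "${1:-}" = "audit" ]; then
    passwd_findings /etc/passwd && echo "/etc/passwd is clean"
fi
```

The UID comparison is numeric, so a field written as "0000" is still caught, matching how the C library parses the file; a numeric UID check, rather than a string match against "0", is the detail that makes this scan reliable.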

The system must disable accounts after excessive login failures within a 15-minute interval.
RMF Control: AC-7 · Severity: M · CCI: CCI-001452 · Version: RHEL-06-000357 · Vuln IDs: V-38501 · Rule IDs: SV-50302r4_rule
Locking out user accounts after a number of incorrect attempts within a specific period of time prevents direct password guessing attacks.
Fix: F-43448r6_fix

Utilizing "pam_faillock.so", the "fail_interval" directive configures the system to lock out accounts after a number of incorrect logon attempts. Modify the content of both "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" as follows:

Add the following line immediately before the "pam_unix.so" statement in the "AUTH" section:

auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900

Add the following line immediately after the "pam_unix.so" statement in the "AUTH" section:

auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900

Add the following line immediately before the "pam_unix.so" statement in the "ACCOUNT" section:

account required pam_faillock.so

Note that any updates made to "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" may be overwritten by the "authconfig" program. The "authconfig" program should not be used.

The /etc/shadow file must be owned by root.
RMF Control: CM-6 · Severity: M · CCI: CCI-000366 · Version: RHEL-06-000033 · Vuln IDs: V-38502 · Rule IDs: SV-50303r1_rule
The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.
Fix: F-43449r1_fix

To properly set the owner of "/etc/shadow", run the command: # chown root /etc/shadow

The /etc/shadow file must be group-owned by root.
RMF Control: CM-6 · Severity: M · CCI: CCI-000366 · Version: RHEL-06-000034 · Vuln IDs: V-38503 · Rule IDs: SV-50304r1_rule
The "/etc/shadow" file stores password hashes. Protection of this file is critical for system security.
Fix: F-43450r1_fix

To properly set the group owner of "/etc/shadow", run the command: # chgrp root /etc/shadow

The /etc/shadow file must have mode 0000.
RMF Control: CM-6 · Severity: M · CCI: CCI-000366 · Version: RHEL-06-000035 · Vuln IDs: V-38504 · Rule IDs: SV-50305r1_rule
The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.
Fix: F-43451r1_fix

To properly set the permissions of "/etc/shadow", run the command: # chmod 0000 /etc/shadow
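The ownership and mode rules for "/etc/passwd", "/etc/group", "/etc/shadow" and "/etc/gshadow" above, together with the system command file rules (RHEL-06-000047, group- or world-writable binaries, and RHEL-06-000048, binaries not owned by root), all reduce to the same check: compare a file's owner, group and mode with an expected value, where "0644 or less permissive" means no permission bit set outside the allowed mask. The script below is an added example written for this page, not part of the STIG or its SCAP content; it assumes GNU coreutils stat and GNU find as shipped with RHEL 6, and the audit of the live system runs only when the script is invoked with the argument "audit".

```shell
#!/bin/sh
# Added example, not part of the STIG: audit the account database files and
# the system binary directories against the values in the rules above.
# Assumes GNU coreutils stat and GNU find (as on RHEL 6).

# check_file_perms FILE OWNER GROUP MAXMODE
# Prints one finding per deviation and returns 0 when FILE is owned by
# OWNER:GROUP with a mode no more permissive than MAXMODE, 1 otherwise.
check_file_perms() {
    file=$1 want_owner=$2 want_group=$3 max_mode=$4 status=0
    [ -e "$file" ] || { echo "MISSING $file"; return 1; }
    owner=$(stat -c '%U' "$file")
    group=$(stat -c '%G' "$file")
    mode=$(stat -c '%a' "$file")            # e.g. "644" (no leading zero)
    if [ "$owner" != "$want_owner" ]; then
        echo "OWNER   $file is owned by $owner, expected $want_owner (fix: chown $want_owner $file)"
        status=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "GROUP   $file is group-owned by $group, expected $want_group (fix: chgrp $want_group $file)"
        status=1
    fi
    # "MAXMODE or less permissive": no bit may be set that MAXMODE lacks.
    # The leading 0 makes the shell parse both values as octal.
    if [ $(( 0$mode & ~0$max_mode )) -ne 0 ]; then
        echo "MODE    $file has mode 0$mode, expected $max_mode or less permissive (fix: chmod $max_mode $file)"
        status=1
    fi
    return $status
}

# audit_account_files: the four account databases with their STIG values.
audit_account_files() {
    rc=0
    check_file_perms /etc/passwd  root root 0644 || rc=1
    check_file_perms /etc/group   root root 0644 || rc=1
    check_file_perms /etc/shadow  root root 0000 || rc=1
    check_file_perms /etc/gshadow root root 0000 || rc=1
    return $rc
}

# list_loose_binaries DIR...: print regular files under the given directories
# that are group- or world-writable (-perm /022) or not owned by root, i.e.
# the files the "chmod go-w [FILE]" and "chown root [FILE]" fixes apply to.
list_loose_binaries() {
    find "$@" -type f \( -perm /022 -o ! -user root \) 2>/dev/null
}

# Run the live audit only when invoked as: sh this_script.sh audit
if [ "${1:-}" = "audit" ]; then
    audit_account_files && echo "account files comply"
    list_loose_binaries /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin
fi
```

Because the mode test is bitwise, a file at 0600 passes a 0644 requirement and a file at 0664 fails it, which is what "or less permissive" means; a plain string comparison against "644" would get both cases wrong.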

IP forwarding for IPv4 must not be enabled, unless the system is a router.
RMF Control: CM-6 · Severity: M · CCI: CCI-000366 · Version: RHEL-06-000082 · Vuln IDs: V-38511 · Rule IDs: SV-50312r2_rule
IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.
Fix: F-43458r2_fix

To set the runtime status of the "net.ipv4.ip_forward" kernel parameter, run the following command:

# sysctl -w net.ipv4.ip_forward=0

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

net.ipv4.ip_forward = 0

The operating system must prevent public IPv4 access into an organization's internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.
RMF Control: SC-7 · Severity: M · CCI: CCI-001100 · Version: RHEL-06-000117 · Vuln IDs: V-38512 · Rule IDs: SV-50313r2_rule
The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP.
Fix: F-43459r2_fix

The "iptables" service can be enabled with the following commands:

# chkconfig iptables on
# service iptables start

The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.
RMF Control: CM-7 · Severity: M · CCI: CCI-000382 · Version: RHEL-06-000124 · Vuln IDs: V-38514 · Rule IDs: SV-50315r5_rule
Disabling DCCP protects the system against exploitation of any flaws in its implementation.
Fix: F-43461r3_fix

The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the "dccp" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install dccp /bin/true

The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
RMF Control: CM-7 · Severity: M · CCI: CCI-000382 · Version: RHEL-06-000125 · Vuln IDs: V-38515 · Rule IDs: SV-50316r5_rule
Disabling SCTP protects the system against exploitation of any flaws in its implementation.
Fix: F-43462r3_fix

The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the "sctp" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install sctp /bin/true

The Reliable Datagram Sockets (RDS) protocol must be disabled unless required.
RMF Control: CM-7 · Severity: L · CCI: CCI-000382 · Version: RHEL-06-000126 · Vuln IDs: V-38516 · Rule IDs: SV-50317r3_rule
Disabling RDS protects the system against exploitation of any flaws in its implementation.
Fix: F-43463r4_fix

The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-bandwidth, low-latency communications between nodes in a cluster. To configure the system to prevent the "rds" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install rds /bin/true

The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required.
RMF Control: CM-7 · Severity: M · CCI: CCI-000382 · Version: RHEL-06-000127 · Vuln IDs: V-38517 · Rule IDs: SV-50318r5_rule
Disabling TIPC protects the system against exploitation of any flaws in its implementation.
Fix: F-43464r3_fix

The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the "tipc" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install tipc /bin/true
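The usb-storage rule (RHEL-06-000503) and the four protocol rules above (dccp, sctp, rds, tipc) all rely on the same mechanism, an "install MODULE /bin/true" line in a file under "/etc/modprobe.d", so one check serves all five. The script below is an added example written for this page, not part of the STIG or its SCAP content; it assumes the configuration files are "*.conf" under the directory given, and that, as modprobe does, "-" and "_" in a module name are interchangeable. Note that, as the usb-storage fix text says, this configuration only stops modprobe from loading the module; it does not report whether the module is already loaded.

```shell
#!/bin/sh
# Added example, not part of the STIG: verify that each listed kernel module is
# disabled through an "install MODULE /bin/true" line in some *.conf file under
# a modprobe.d directory, the mechanism the fixes above describe.

# module_disabled DIR MODULE: returns 0 when an uncommented line of the form
# "install MODULE /bin/true" exists in DIR/*.conf, nonzero otherwise.
module_disabled() {
    dir=$1 mod=$2
    [ -d "$dir" ] || return 1
    # modprobe treats '-' and '_' in module names as equivalent, so match both
    pat=$(printf '%s' "$mod" | sed 's/[-_]/[-_]/g')
    grep -Eqs "^[[:space:]]*install[[:space:]]+${pat}[[:space:]]+/bin/true[[:space:]]*$" \
        "$dir"/*.conf
}

# check_disabled_modules DIR MODULE...: print the state of every module and
# the line to add for each one still loadable; returns 0 when all are
# disabled, 1 otherwise.
check_disabled_modules() {
    dir=$1; shift
    rc=0
    for m in "$@"; do
        if module_disabled "$dir" "$m"; then
            echo "disabled  $m"
        else
            echo "LOADABLE  $m  (add to a file in $dir: install $m /bin/true)"
            rc=1
        fi
    done
    return $rc
}

# Check the live system only when invoked as: sh this_script.sh audit
if [ "${1:-}" = "audit" ]; then
    check_disabled_modules /etc/modprobe.d usb-storage dccp sctp rds tipc
fi
```

The pattern anchors on "/bin/true" at the end of the line, so an "install" line that runs some other command (a legitimate wrapper, or a line someone altered) is not mistaken for a disablement; a commented-out line such as "#install rds /bin/true" is likewise not accepted.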

All rsyslog-generated log files must be owned by root.
RMF Control: SI-11 · Severity: M · CCI: CCI-001314 · Version: RHEL-06-000133 · Vuln IDs: V-38518 · Rule IDs: SV-50319r2_rule
The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.
Fix: F-43465r1_fix

The owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's owner:

$ ls -l [LOGFILE]

If the owner is not "root", run the following command to correct this:

# chown root [LOGFILE]
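The manual procedure above, reading the second part of each rule line and checking each file's owner, can be scripted. The script below is an added example written for this page, not part of the STIG or its SCAP content; it assumes the classic "selector action" rsyslog syntax, in which a leading "-" on a file action means "do not sync" and is not part of the path, and uses GNU stat as on RHEL 6.

```shell
#!/bin/sh
# Added example, not part of the STIG: extract the log files named as actions
# in an rsyslog.conf-format file and report any that is not owned by root.
# Assumptions: classic "selector action" lines; a leading "-" on the action
# means no sync and is stripped; "$" directive lines carry no file; GNU stat.

# rsyslog_log_files CONF: print each distinct file path used as an action.
rsyslog_log_files() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # comments and blank lines
        /^[ \t]*\$/ { next }                 # $ModLoad, $IncludeConfig, ...
        NF >= 2 {
            target = $2
            sub(/^-/, "", target)            # "-/var/log/maillog" -> "/var/log/maillog"
            # only absolute paths are files; "*", "@host" and ":omusrmsg:" are not
            if (target ~ /^\// && !(target in seen)) { seen[target] = 1; print target }
        }
    ' "$1"
}

# check_rsyslog_owners CONF [EXPECTED_OWNER]: for every log file that exists on
# disk, print "OWNER path user" when it is not owned by EXPECTED_OWNER (default
# root). Returns 0 when every existing log file complies, 1 otherwise.
check_rsyslog_owners() {
    conf=$1 want=${2:-root} rc=0
    for f in $(rsyslog_log_files "$conf"); do
        [ -e "$f" ] || continue              # rsyslog has not created it yet
        owner=$(stat -c '%U' "$f")
        if [ "$owner" != "$want" ]; then
            echo "OWNER $f $owner  (fix: chown $want $f)"
            rc=1
        fi
    done
    return $rc
}

# Check the live configuration only when invoked as: sh this_script.sh audit
if [ "${1:-}" = "audit" ]; then
    check_rsyslog_owners /etc/rsyslog.conf && echo "rsyslog log files comply"
fi
```

Files the configuration names but that do not yet exist are skipped rather than reported, since there is nothing to chown; the same path named by two selector lines is checked once.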

The audit system must be configured to audit all attempts to alter system time through settimeofday.
RMF Control: AU-12 · Severity: L · CCI: CCI-000169 · Version: RHEL-06-000167 · Vuln IDs: V-38522 · Rule IDs: SV-50323r3_rule
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
Fix: F-43470r2_fix

On a 32-bit system, add the following to "/etc/audit/audit.rules":

# audit_time_rules
-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules

On a 64-bit system, add the following to "/etc/audit/audit.rules":

# audit_time_rules
-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules

The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined syscalls:

-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules

b
The system must not accept IPv4 source-routed packets on any interface.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000083
Vuln IDs
V-38523
Rule IDs
SV-50324r2_rule
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
Fix: F-43471r1_fix

To set the runtime status of the "net.ipv4.conf.all.accept_source_route" kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.all.accept_source_route=0

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

net.ipv4.conf.all.accept_source_route = 0

b
The system must not accept ICMPv4 redirect packets on any interface.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000084
Vuln IDs
V-38524
Rule IDs
SV-50325r2_rule
Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required.
Fix: F-43472r1_fix

To set the runtime status of the "net.ipv4.conf.all.accept_redirects" kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.all.accept_redirects=0

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

net.ipv4.conf.all.accept_redirects = 0

a
The audit system must be configured to audit all attempts to alter system time through stime.
RMF Control
AU-12
Severity
L
CCI
CCI-000169
Version
RHEL-06-000169
Vuln IDs
V-38525
Rule IDs
SV-50326r4_rule
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
Fix: F-43473r4_fix

On a 32-bit system, add the following to "/etc/audit/audit.rules":

# audit_time_rules
-a always,exit -F arch=b32 -S stime -k audit_time_rules

On a 64-bit system, the "-S stime" is not necessary, because the 64-bit ABI has no stime system call; the libc stime() function there uses settimeofday or clock_settime, which the other time rules cover. The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined syscalls:

-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules

b
The system must not accept ICMPv4 secure redirect packets on any interface.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000086
Vuln IDs
V-38526
Rule IDs
SV-50327r2_rule
Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.
Fix: F-43474r1_fix

To set the runtime status of the "net.ipv4.conf.all.secure_redirects" kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.all.secure_redirects=0

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

net.ipv4.conf.all.secure_redirects = 0

a
The audit system must be configured to audit all attempts to alter system time through clock_settime.
RMF Control
AU-12
Severity
L
CCI
CCI-000169
Version
RHEL-06-000171
Vuln IDs
V-38527
Rule IDs
SV-50328r3_rule
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
Fix: F-43475r2_fix

On a 32-bit system, add the following to "/etc/audit/audit.rules":

# audit_time_rules
-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules

On a 64-bit system, add the following to "/etc/audit/audit.rules":

# audit_time_rules
-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules

The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined syscalls:

-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules

a
The system must log Martian packets.
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000088
Vuln IDs
V-38528
Rule IDs
SV-50329r2_rule
The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.
Fix: F-43476r1_fix

To set the runtime status of the "net.ipv4.conf.all.log_martians" kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.all.log_martians=1

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

net.ipv4.conf.all.log_martians = 1

b
The system must not accept IPv4 source-routed packets by default.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000089
Vuln IDs
V-38529
Rule IDs
SV-50330r2_rule
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
Fix: F-43478r1_fix

To set the runtime status of the "net.ipv4.conf.default.accept_source_route" kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.default.accept_source_route=0

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

net.ipv4.conf.default.accept_source_route = 0

a
The audit system must be configured to audit all attempts to alter system time through /etc/localtime.
RMF Control
AU-12
Severity
L
CCI
CCI-000169
Version
RHEL-06-000173
Vuln IDs
V-38530
Rule IDs
SV-50331r2_rule
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
Fix: F-43477r1_fix

Add the following to "/etc/audit/audit.rules":

-w /etc/localtime -p wa -k audit_time_rules

The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.
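The four time-related rules above (settimeofday, stime, clock_settime and the /etc/localtime watch) are usually managed as one block under the audit_time_rules key. The script below is an added example, not STIG or DISA text: it emits that block for the running architecture using the combined form the STIG permits (adjtimex is included as in the STIG's own combined example), and checks an audit.rules file for any system call or watch that is missing. The mapping of "uname -m" output to audit arch flags, the function names and the sample rules file used in testing are this example's assumptions; the check reads the file on disk, while "auditctl -l" shows what the kernel actually has loaded.

```shell
#!/bin/sh
# Added example, not part of the STIG: emit the consolidated audit_time_rules
# block for the settimeofday, stime, clock_settime and /etc/localtime rules
# (adjtimex included as in the STIG's combined example) and check a rules
# file for gaps. The machine type defaults to "uname -m"; the mapping of
# machine types to audit arch flags is this example's assumption.

# System calls that set the clock. stime exists only in the 32-bit ABI.
TIME_SYSCALLS_B32="adjtimex settimeofday stime clock_settime"
TIME_SYSCALLS_B64="adjtimex settimeofday clock_settime"

time_syscalls_for() {
    case "$1" in
        b32) echo "$TIME_SYSCALLS_B32" ;;
        b64) echo "$TIME_SYSCALLS_B64" ;;
    esac
}

# Audit arch flags needed for a machine type. A 64-bit kernel also runs
# 32-bit binaries, whose calls are matched only by arch=b32 rules, so both
# flags are emitted there.
audit_archs_for() {
    case "$1" in
        *64*|s390x) echo "b32 b64" ;;
        *)          echo "b32" ;;
    esac
}

# Print the rules block: one combined -a line per arch (several -S per rule
# is allowed, as the STIG notes) plus the watch on /etc/localtime.
audit_time_rules() {
    machine="${1:-$(uname -m)}"
    echo "# audit_time_rules"
    for a in $(audit_archs_for "$machine"); do
        line="-a always,exit -F arch=$a"
        for s in $(time_syscalls_for "$a"); do line="$line -S $s"; done
        printf '%s\n' "$line -k audit_time_rules"
    done
    printf '%s\n' "-w /etc/localtime -p wa -k audit_time_rules"
}

# Print "<arch> <syscall>" for each time syscall with no always,exit rule
# for that arch in the rules file, and "watch /etc/localtime" if the watch
# is missing. No output means the file is complete.
missing_time_rules() {
    rules="$1"; machine="${2:-$(uname -m)}"
    for a in $(audit_archs_for "$machine"); do
        for s in $(time_syscalls_for "$a"); do
            grep -E -q -- "^-a (always,exit|exit,always) .*-F arch=$a .*-S $s( |\$)" "$rules" \
                || echo "$a $s"
        done
    done
    grep -E -q -- '^-w /etc/localtime .*-p wa' "$rules" || echo "watch /etc/localtime"
}

# Usage (assumed paths): audit_time_rules >> /etc/audit/audit.rules, then
# "service auditd restart"; missing_time_rules /etc/audit/audit.rules.
```

After loading the rules, "ausearch -k audit_time_rules -i" lists every clock change with the login UID responsible, which is the reporting benefit the -k key is there for.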

a
The operating system must automatically audit account creation.
RMF Control
AC-2
Severity
L
CCI
CCI-000018
Version
RHEL-06-000174
Vuln IDs
V-38531
Rule IDs
SV-50332r2_rule
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
Fix: F-43480r1_fix

Add the following to "/etc/audit/audit.rules", in order to capture events that modify accounts:

# audit_account_changes
-w /etc/group -p wa -k audit_account_changes
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/shadow -p wa -k audit_account_changes
-w /etc/security/opasswd -p wa -k audit_account_changes

b
The system must not accept ICMPv4 secure redirect packets by default.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000090
Vuln IDs
V-38532
Rule IDs
SV-50333r2_rule
Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.
Fix: F-43479r1_fix

To set the runtime status of the "net.ipv4.conf.default.secure_redirects" kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.default.secure_redirects=0

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

net.ipv4.conf.default.secure_redirects = 0

a
The system must ignore ICMPv4 redirect messages by default.
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000091
Vuln IDs
V-38533
Rule IDs
SV-50334r3_rule
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
Fix: F-43481r1_fix

To set the runtime status of the "net.ipv4.conf.default.accept_redirects" kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.default.accept_redirects=0

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

net.ipv4.conf.default.accept_redirects = 0

a
The operating system must automatically audit account modification.
RMF Control
AC-2
Severity
L
CCI
CCI-001403
Version
RHEL-06-000175
Vuln IDs
V-38534
Rule IDs
SV-50335r2_rule
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
Fix: F-43482r1_fix

Add the following to "/etc/audit/audit.rules", in order to capture events that modify accounts:

# audit_account_changes
-w /etc/group -p wa -k audit_account_changes
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/shadow -p wa -k audit_account_changes
-w /etc/security/opasswd -p wa -k audit_account_changes

a
The system must not respond to ICMPv4 sent to a broadcast address.
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000092
Vuln IDs
V-38535
Rule IDs
SV-50336r2_rule
Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.
Fix: F-43483r1_fix

To set the runtime status of the "net.ipv4.icmp_echo_ignore_broadcasts" kernel parameter, run the following command:

# sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

net.ipv4.icmp_echo_ignore_broadcasts = 1

a
The operating system must automatically audit account disabling actions.
RMF Control
AC-2
Severity
L
CCI
CCI-001404
Version
RHEL-06-000176
Vuln IDs
V-38536
Rule IDs
SV-50337r2_rule
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
Fix: F-43484r1_fix

Add the following to "/etc/audit/audit.rules", in order to capture events that modify accounts:

# audit_account_changes
-w /etc/group -p wa -k audit_account_changes
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/shadow -p wa -k audit_account_changes
-w /etc/security/opasswd -p wa -k audit_account_changes

a
The system must ignore ICMPv4 bogus error responses.
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000093
Vuln IDs
V-38537
Rule IDs
SV-50338r2_rule
Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.
Fix: F-43485r1_fix

To set the runtime status of the "net.ipv4.icmp_ignore_bogus_error_responses" kernel parameter, run the following command:

# sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

net.ipv4.icmp_ignore_bogus_error_responses = 1

a
The operating system must automatically audit account termination.
RMF Control
AC-2
Severity
L
CCI
CCI-001405
Version
RHEL-06-000177
Vuln IDs
V-38538
Rule IDs
SV-50339r2_rule
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
Fix: F-43486r1_fix

Add the following to "/etc/audit/audit.rules", in order to capture events that modify accounts:

# audit_account_changes
-w /etc/group -p wa -k audit_account_changes
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/shadow -p wa -k audit_account_changes
-w /etc/security/opasswd -p wa -k audit_account_changes

b
The system must be configured to use TCP syncookies when experiencing a TCP SYN flood.
RMF Control
SC-5
Severity
M
CCI
CCI-001095
Version
RHEL-06-000095
Vuln IDs
V-38539
Rule IDs
SV-50340r2_rule
A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.
Fix: F-43487r1_fix

To set the runtime status of the "net.ipv4.tcp_syncookies" kernel parameter, run the following command:

# sysctl -w net.ipv4.tcp_syncookies=1

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

net.ipv4.tcp_syncookies = 1

a
The audit system must be configured to audit modifications to the systems Mandatory Access Control (MAC) configuration (SELinux).
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000183
Vuln IDs
V-38541
Rule IDs
SV-50342r2_rule
The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.
Fix: F-43489r1_fix

Add the following to "/etc/audit/audit.rules":

-w /etc/selinux/ -p wa -k MAC-policy

b
The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000096
Vuln IDs
V-38542
Rule IDs
SV-50343r2_rule
Reverse path filtering drops packets whose source address could not have been reached through the interface on which they arrived, a common sign of a spoofed source address. The value 1 is strict mode, which also drops legitimate traffic on systems with asymmetric routing; it should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.
Fix: F-43490r1_fix

To set the runtime status of the "net.ipv4.conf.all.rp_filter" kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.all.rp_filter=1

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

net.ipv4.conf.all.rp_filter = 1

a
The audit system must be configured to audit all discretionary access control permission modifications using chmod.
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
RHEL-06-000184
Vuln IDs
V-38543
Rule IDs
SV-50344r3_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Fix: F-43491r2_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod -F auid=0 -k perm_mod

b
The system must use a reverse-path filter for IPv4 network traffic when possible by default.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000097
Vuln IDs
V-38544
Rule IDs
SV-50345r2_rule
Reverse path filtering drops packets whose source address could not have been reached through the interface on which they arrived, a common sign of a spoofed source address. The value 1 is strict mode, which also drops legitimate traffic on systems with asymmetric routing; it should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.
Fix: F-43492r1_fix

To set the runtime status of the "net.ipv4.conf.default.rp_filter" kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.default.rp_filter=1

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

net.ipv4.conf.default.rp_filter = 1

a
The audit system must be configured to audit all discretionary access control permission modifications using chown.
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
RHEL-06-000185
Vuln IDs
V-38545
Rule IDs
SV-50346r3_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Fix: F-43493r2_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using fchmod.
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
RHEL-06-000186
Vuln IDs
V-38547
Rule IDs
SV-50348r3_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Fix: F-43495r2_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_mod

b
The system must ignore ICMPv6 redirects by default.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000099
Vuln IDs
V-38548
Rule IDs
SV-50349r3_rule
An illicit ICMP redirect message could result in a man-in-the-middle attack.
Fix: F-43496r1_fix

To set the runtime status of the "net.ipv6.conf.default.accept_redirects" kernel parameter, run the following command:

# sysctl -w net.ipv6.conf.default.accept_redirects=0

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

net.ipv6.conf.default.accept_redirects = 0
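The thirteen sysctl rules in this section (V-38523 through V-38548) share one fix pattern: set the value now with sysctl -w and persist it in /etc/sysctl.conf. The script below is an added example, not STIG or DISA text: it gathers the required key=value pairs into one list, checks a sysctl.conf-style file against them with the same semantics sysctl -p uses (last assignment wins, whitespace around "=" ignored, "#" and ";" comments stripped), and applies the lot. Function names and the sample file used in testing are this example's own; the "all" and "default" variants are both listed because "all" governs interfaces that exist now and "default" the ones created later, so each rule needs both.

```shell
#!/bin/sh
# Added example, not part of the STIG: the network sysctl settings required
# by the rules above, a check of a sysctl.conf-style file against them, and
# the commands that apply them. The file path is a parameter so the check
# can run against a copy; on a live host also compare "sysctl -n <key>".

# key=value pairs from the STIG rules (all = interfaces that exist now,
# default = interfaces created later; both are needed).
REQUIRED_SYSCTLS="
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv6.conf.default.accept_redirects=0
"

# Value of a key in a sysctl.conf-style file, empty if absent. The last
# assignment wins (as with "sysctl -p"), "=" may have spaces around it,
# and "#" or ";" starts a comment.
sysctl_file_value() {
    sed -e 's/[#;].*//' "$2" \
      | awk -F= -v k="$1" '
          { gsub(/[ \t]/, "", $1)
            if ($1 == k) { v = $2; gsub(/[ \t]/, "", v); found = 1 } }
          END { if (found) print v }'
}

# Print "<key> <expected> <actual>" for each required setting that is
# missing ("-") or wrong in the file. No output means the file is compliant.
check_sysctl_file() {
    file="$1"
    for kv in $REQUIRED_SYSCTLS; do
        key="${kv%%=*}"; want="${kv#*=}"
        have=$(sysctl_file_value "$key" "$file")
        [ "$have" = "$want" ] || echo "$key $want ${have:--}"
    done
}

# Set every required value now and persist it in the file (run as root).
# Existing assignments are rewritten in place, others appended.
apply_sysctls() {
    file="${1:-/etc/sysctl.conf}"
    for kv in $REQUIRED_SYSCTLS; do
        key="${kv%%=*}"; want="${kv#*=}"
        sysctl -w "$key=$want"
        if [ -n "$(sysctl_file_value "$key" "$file")" ]; then
            sed -i "s|^[[:space:]]*$key[[:space:]]*=.*|$key = $want|" "$file"
        else
            echo "$key = $want" >> "$file"
        fi
    done
}

# Usage (assumed paths): check_sysctl_file /etc/sysctl.conf; apply_sysctls
```

Two caveats a reviewer will raise: net.ipv4.conf.all.* values are combined with the per-interface values by the kernel, so "sysctl -n net.ipv4.conf.eth0.accept_redirects" can still differ from the "all" setting you wrote, and rp_filter=1 is strict mode, which drops legitimate traffic on multihomed hosts with asymmetric routing.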

a
The audit system must be configured to audit all discretionary access control permission modifications using fchmodat.
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
RHEL-06-000187
Vuln IDs
V-38550
Rule IDs
SV-50351r3_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Fix: F-43498r2_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using fchown.
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
RHEL-06-000188
Vuln IDs
V-38552
Rule IDs
SV-50353r3_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Fix: F-43500r2_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using fchownat.
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
RHEL-06-000189
Vuln IDs
V-38554
Rule IDs
SV-50355r3_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Fix: F-43502r2_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_mod

b
The system must employ a local IPv4 firewall.
RMF Control
SC-7
Severity
M
CCI
CCI-001118
Version
RHEL-06-000113
Vuln IDs
V-38555
Rule IDs
SV-50356r2_rule
The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP.
Fix: F-43503r2_fix

The "iptables" service can be enabled with the following commands:

# chkconfig iptables on
# service iptables start

a
The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr.
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
RHEL-06-000190
Vuln IDs
V-38556
Rule IDs
SV-50357r3_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Fix: F-43504r2_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr.
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
RHEL-06-000191
Vuln IDs
V-38557
Rule IDs
SV-50358r3_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Fix: F-43505r2_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using lchown.
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
RHEL-06-000192
Vuln IDs
V-38558
Rule IDs
SV-50359r3_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Fix: F-43506r2_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr.
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
RHEL-06-000193
Vuln IDs
V-38559
Rule IDs
SV-50360r3_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Fix: F-43507r2_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr.
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
RHEL-06-000194
Vuln IDs
V-38561
Rule IDs
SV-50362r3_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Fix: F-43509r2_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using removexattr.
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
RHEL-06-000195
Vuln IDs
V-38563
Rule IDs
SV-50364r3_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Fix: F-43511r2_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using setxattr.
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
RHEL-06-000196
Vuln IDs
V-38565
Rule IDs
SV-50366r3_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Fix: F-43513r2_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod

a
The audit system must be configured to audit successful file system mounts.
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
RHEL-06-000199
Vuln IDs
V-38568
Rule IDs
SV-50369r3_rule
The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.
Fix: F-43516r2_fix

At a minimum, the audit system should collect media exportation events for all users and root. Add the following to "/etc/audit/audit.rules", setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export
-a always,exit -F arch=ARCH -S mount -F auid=0 -k export
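The thirteen perm_mod rules (V-38543 through V-38565) and the mount rule above are written out one system call at a time, fifty-two lines on a 64-bit host. The script below is an added example, not STIG or DISA text: it generates the same coverage in the combined form auditd accepts (several -S per rule, which the STIG's time-rule example already uses), and then shows what the rules buy you by summarising raw audit.log records under key="perm_mod" by login UID and command. The mapping of "uname -m" to arch flags, the function names and the sample audit log lines used in testing are this example's own. The two auid filters are the security-relevant part: "auid>=500 -F auid!=4294967295" selects interactive users (RHEL 6 allocates ordinary UIDs from 500, and 4294967295 is an unset login UID, i.e. daemons and boot-time processes), while "auid=0" selects root logins separately.

```shell
#!/bin/sh
# Added example, not part of the STIG: generate the perm_mod rules for all
# thirteen DAC-modifying system calls listed above, plus the mount rules,
# and summarise the resulting audit records by login UID. The arch mapping
# and the sample log lines used in testing are this example's own.

PERM_MOD_SYSCALLS="chmod fchmod fchmodat chown fchown fchownat lchown setxattr lsetxattr fsetxattr removexattr lremovexattr fremovexattr"

# Audit arch flags for a machine type ("uname -m"). A 64-bit kernel still
# runs 32-bit binaries, whose calls only arch=b32 rules match.
perm_archs_for() {
    case "$1" in
        *64*|s390x) echo "b32 b64" ;;
        *)          echo "b32" ;;
    esac
}

# Two perm_mod rules and two export (mount) rules per arch: one for
# interactive users (auid>=500 and not the unset value 4294967295), one
# for root logins (auid=0).
perm_mod_rules() {
    machine="${1:-$(uname -m)}"
    sys=""
    for s in $PERM_MOD_SYSCALLS; do sys="$sys -S $s"; done
    for a in $(perm_archs_for "$machine"); do
        printf '%s\n' "-a always,exit -F arch=$a$sys -F auid>=500 -F auid!=4294967295 -k perm_mod"
        printf '%s\n' "-a always,exit -F arch=$a$sys -F auid=0 -k perm_mod"
        printf '%s\n' "-a always,exit -F arch=$a -S mount -F auid>=500 -F auid!=4294967295 -k export"
        printf '%s\n' "-a always,exit -F arch=$a -S mount -F auid=0 -k export"
    done
}

# Count SYSCALL records carrying key="perm_mod" in raw audit log files
# (/var/log/audit/audit.log format), printing "<auid> <comm> <count>".
# auid is the login UID, which survives su and sudo, so it names the person
# responsible rather than the effective user at the time of the call.
perm_mod_summary() {
    awk '
        /^type=SYSCALL / && /key="perm_mod"/ {
            auid = ""; comm = ""
            for (i = 1; i <= NF; i++) {
                if (index($i, "auid=") == 1) auid = substr($i, 6)
                if (index($i, "comm=") == 1) comm = substr($i, 6)
            }
            gsub(/"/, "", comm)
            n[auid " " comm]++
        }
        END { for (k in n) print k, n[k] }
    ' "$@" | sort
}

# Usage (assumed paths): perm_mod_rules >> /etc/audit/audit.rules, then
# "service auditd restart"; later perm_mod_summary /var/log/audit/audit.log
# (or "ausearch -k perm_mod -i" for the interpreted view).
```

The combined form still satisfies a per-syscall check such as "auditctl -l | grep chmod", because every system call name appears on the loaded rule; what it changes is only the number of rules the kernel evaluates on each exit.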

a
The system must require passwords to contain at least one uppercase alphabetic character.
RMF Control
IA-5
Severity
L
CCI
CCI-000192
Version
RHEL-06-000057
Vuln IDs
V-38569
Rule IDs
SV-50370r2_rule
Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space.
Fix: F-43517r2_fix

The pam_cracklib module's "ucredit=" parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain at least that many uppercase characters. When set to a positive number, pam_cracklib instead grants +1 length credit for each uppercase character, up to that number, so a positive value does not require any uppercase characters at all. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "ucredit=-1" after pam_cracklib.so to require use of an uppercase character in passwords.

a
The system must require passwords to contain at least one special character.
RMF Control
IA-5
Severity
L
CCI
CCI-001619
Version
RHEL-06-000058
Vuln IDs
V-38570
Rule IDs
SV-50371r2_rule
Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.
Fix: F-43518r2_fix

The pam_cracklib module's "ocredit=" parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain at least that many special characters. When set to a positive number, pam_cracklib instead grants +1 length credit for each special character, up to that number, so a positive value does not require any special characters at all. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "ocredit=-1" after pam_cracklib.so to require use of a special character in passwords.

a
The system must require passwords to contain at least one lower-case alphabetic character.
RMF Control
IA-5
Severity
L
CCI
CCI-000193
Version
RHEL-06-000059
Vuln IDs
V-38571
Rule IDs
SV-50372r3_rule
Requiring a minimum number of lower-case characters makes password guessing attacks more difficult by ensuring a larger search space.
Fix: F-43519r3_fix

The pam_cracklib module's "lcredit=" parameter controls requirements for usage of lower-case letters in a password. When set to a negative number, any password will be required to contain that many lower-case characters. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "lcredit=-1" after pam_cracklib.so to require use of a lower-case character in passwords.

a
The system must require at least eight characters be changed between the old and new passwords during a password change.
RMF Control
IA-5
Severity
L
CCI
CCI-000195
Version
RHEL-06-000060
Vuln IDs
V-38572
Rule IDs
SV-50373r3_rule
Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however.
Fix: F-43520r4_fix

The pam_cracklib module's "difok" parameter controls requirements for usage of different characters during a password change. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "difok=[NUM]" after pam_cracklib.so to require differing characters when changing passwords, substituting [NUM] appropriately. The DoD requirement is 8.

b
The system must disable accounts after three consecutive unsuccessful logon attempts.
RMF Control
AC-7
Severity
M
CCI
CCI-000044
Version
RHEL-06-000061
Vuln IDs
V-38573
Rule IDs
SV-50374r4_rule
Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks.
Fix: F-43521r8_fix

To configure the system to lock out accounts after a number of incorrect logon attempts using "pam_faillock.so", modify the content of both "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" as follows:

Add the following line immediately before the "pam_unix.so" statement in the "AUTH" section:

auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900

Add the following line immediately after the "pam_unix.so" statement in the "AUTH" section:

auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900

Add the following line immediately before the "pam_unix.so" statement in the "ACCOUNT" section:

account required pam_faillock.so

Note that any updates made to "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" may be overwritten by the "authconfig" program. The "authconfig" program should not be used.

b
The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth).
RMF Control
IA-7
Severity
M
CCI
CCI-000803
Version
RHEL-06-000062
Vuln IDs
V-38574
Rule IDs
SV-50375r4_rule
Using a stronger hashing algorithm makes password cracking attacks more difficult.
Fix: F-43522r4_fix

In "/etc/pam.d/system-auth", "/etc/pam.d/system-auth-ac", "/etc/pam.d/password-auth", and "/etc/pam.d/password-auth-ac", among potentially other files, the "password" section of the files controls which PAM modules execute during a password change. Set the "pam_unix.so" module in the "password" section to include the argument "sha512", as shown below:

password sufficient pam_unix.so sha512 [other arguments...]

This will help ensure that when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default. Note: Any updates made to "/etc/pam.d/system-auth" will be overwritten by the "authconfig" program. The "authconfig" program should not be used.
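
The shell script below is an added example, not text or code from the STIG. It parses a PAM stack file in the "type control module arguments" layout described above and checks the pam_cracklib credit parameters (ucredit, ocredit and lcredit negative, difok at least 8), the two pam_faillock "auth" lines and the "account" line (the same lines RHEL-06-000356 requires), and the "sha512" argument on pam_unix.so. The two sample stacks it writes are constructed for illustration. It does not verify the position of the faillock lines relative to pam_unix.so; that ordering still has to be inspected by eye.

```shell
#!/bin/sh
# Added example (not from the STIG): audit a PAM stack file such as
# /etc/pam.d/system-auth for the pam_cracklib, pam_faillock and pam_unix
# settings required above. Assumes the RHEL 6 "type control module args" layout.

# Print the arguments of every active (uncommented) line of the given type that
# loads the given module, one line each, padded with a space on both ends so a
# token can be matched as " token " without false prefix matches.
pam_lines() {  # $1=file $2=type (auth|account|password) $3=module, e.g. pam_unix.so
    awk -v type="$2" -v mod="$3" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == type {
            for (i = 2; i <= NF; i++) if ($i == mod) {
                out = ""
                for (j = i + 1; j <= NF; j++) out = out " " $j
                print out " "
                break
            }
        }' "$1"
}

# Does any matching line carry the exact argument token (e.g. "sha512")?
pam_has_arg() {  # $1=file $2=type $3=module $4=token
    pam_lines "$1" "$2" "$3" | grep -qF -- " $4 "
}

# Value of a key=VALUE argument on the first matching line, or empty if absent.
pam_num() {  # $1=file $2=type $3=module $4=key
    pam_lines "$1" "$2" "$3" | tr ' ' '\n' | sed -n "s/^$4=//p" | head -n 1
}

# ucredit/ocredit/lcredit must be negative (a minimum count, not a length credit);
# difok must be at least the DoD value of 8.
pam_cracklib_ok() {  # $1=file
    for key in ucredit ocredit lcredit; do
        v=$(pam_num "$1" password pam_cracklib.so "$key")
        [ -n "$v" ] && [ "$v" -le -1 ] || return 1
    done
    v=$(pam_num "$1" password pam_cracklib.so difok)
    [ -n "$v" ] && [ "$v" -ge 8 ]
}

# Both auth lines (preauth and authfail) need the required deny/unlock/interval
# values, and the account stack must reference pam_faillock.so as well.
faillock_line_ok() {  # $1=file $2=preauth|authfail
    line=$(pam_lines "$1" auth pam_faillock.so | grep -F -- " $2 " | head -n 1)
    [ -n "$line" ] || return 1
    for opt in deny=3 unlock_time=604800 fail_interval=900; do
        case "$line" in *" $opt "*) ;; *) return 1 ;; esac
    done
}
pam_faillock_ok() {  # $1=file
    faillock_line_ok "$1" preauth && faillock_line_ok "$1" authfail &&
        [ -n "$(pam_lines "$1" account pam_faillock.so)" ]
}

pam_unix_sha512_ok() { pam_has_arg "$1" password pam_unix.so sha512; }

pam_file_compliant() {  # $1=file; succeeds only when all three checks pass
    pam_cracklib_ok "$1" && pam_faillock_ok "$1" && pam_unix_sha512_ok "$1"
}

# Constructed sample stacks (not copied from any system) to exercise the checks.
write_pam_sample() {  # $1=compliant|weak ; prints the path of a temp file
    f=$(mktemp) || exit 1
    if [ "$1" = compliant ]; then
        cat > "$f" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
password    requisite     pam_cracklib.so try_first_pass retry=3 ucredit=-1 ocredit=-1 lcredit=-1 dcredit=-1 difok=8 minlen=14
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
EOF
    else
        cat > "$f" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
# ucredit=1 only grants a length credit; it does not require an uppercase letter
password    requisite     pam_cracklib.so try_first_pass retry=3 ucredit=1 ocredit=-1 lcredit=-1 difok=4
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
EOF
    fi
    printf '%s\n' "$f"
}

for kind in compliant weak; do
    f=$(write_pam_sample "$kind")
    if pam_file_compliant "$f"; then echo "$kind: PASS"; else echo "$kind: FAIL"; fi
    rm -f "$f"
done
```

Point pam_file_compliant at "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" in turn. Because the script parses fields rather than searching for one fixed string, a line that carries the options in a different order, or "ucredit=-2", still passes, while the length-credit form "ucredit=1" is rejected, which a plain grep for "ucredit" would miss.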

a
The audit system must be configured to audit user deletions of files and programs.
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
RHEL-06-000200
Vuln IDs
V-38575
Rule IDs
SV-50376r4_rule
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.
Fix: F-43523r4_fix

At a minimum, the audit system should collect file deletion events for all users and root. Add the following (or equivalent) to "/etc/audit/audit.rules", setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete

b
The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs).
RMF Control
IA-7
Severity
M
CCI
CCI-000803
Version
RHEL-06-000063
Vuln IDs
V-38576
Rule IDs
SV-50377r1_rule
Using a stronger hashing algorithm makes password cracking attacks more difficult.
Fix: F-43524r1_fix

In "/etc/login.defs", add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm:

ENCRYPT_METHOD SHA512

b
The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf).
RMF Control
IA-7
Severity
M
CCI
CCI-000803
Version
RHEL-06-000064
Vuln IDs
V-38577
Rule IDs
SV-50378r1_rule
Using a stronger hashing algorithm makes password cracking attacks more difficult.
Fix: F-43525r1_fix

In "/etc/libuser.conf", add or correct the following line in its "[defaults]" section to ensure the system will use the SHA-512 algorithm for password hashing:

crypt_style = sha512

a
The audit system must be configured to audit changes to the /etc/sudoers file.
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
RHEL-06-000201
Vuln IDs
V-38578
Rule IDs
SV-50379r2_rule
The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as for accountability purposes.
Fix: F-43526r1_fix

At a minimum, the audit system should collect administrator actions for all users and root. Add the following to "/etc/audit/audit.rules":

-w /etc/sudoers -p wa -k actions

b
The system boot loader configuration file(s) must be owned by root.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000065
Vuln IDs
V-38579
Rule IDs
SV-50380r2_rule
Only root should be able to modify important boot parameters.
Fix: F-43527r2_fix

The file "/boot/grub/grub.conf" should be owned by the "root" user to prevent destruction or modification of the file. To properly set the owner of "/boot/grub/grub.conf", run the command:

# chown root /boot/grub/grub.conf

b
The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
RHEL-06-000202
Vuln IDs
V-38580
Rule IDs
SV-50381r2_rule
The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.
Fix: F-43528r2_fix

Add the following to "/etc/audit/audit.rules" in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:

-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=[ARCH] -S init_module -S delete_module -k modules
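
The script below is an added example, not part of the STIG. It checks an audit.rules file for the three requirements above: the file-deletion syscall rules for ordinary users and for root, the "/etc/sudoers" watch, and the kernel-module watches and syscall rule. Tokens are matched as whole space-delimited fields, so "-S unlink" does not satisfy a rule that only lists "-S unlinkat"; the sample rules file is constructed here. Rules written with comma-separated syscall lists ("-S rmdir,unlink") are not normalized and would have to be expanded before this check recognizes them.

```shell
#!/bin/sh
# Added example (not from the STIG): verify that an audit.rules file carries the
# deletion, sudoers and kernel-module rules required above.

# Succeed if some active rule line contains every given token as a whole,
# space-delimited field. Runs of blanks are squeezed first so spacing in the
# file does not matter; comment and empty lines are skipped.
rule_has() {  # $1=file, then one or more tokens such as "-S unlink" or "-k delete"
    file=$1; shift
    while IFS= read -r raw || [ -n "$raw" ]; do
        line=$(printf '%s' "$raw" |
            sed 's/^[[:blank:]]*//; s/[[:blank:]]*$//; s/[[:blank:]]\{1,\}/ /g')
        case "$line" in '#'*|'') continue ;; esac
        line=" $line "
        ok=1
        for tok in "$@"; do
            case "$line" in *" $tok "*) ;; *) ok=0; break ;; esac
        done
        [ "$ok" -eq 1 ] && return 0
    done < "$file"
    return 1
}

# All three requirements for one architecture (b32 or b64). A 64-bit system
# that also runs 32-bit binaries needs the syscall rules for both.
audit_rules_ok() {  # $1=file $2=arch
    f=$1; arch=$2
    for sc in rmdir unlink unlinkat rename renameat; do
        # deletions by ordinary users (auid>=500, excluding the unset auid) ...
        rule_has "$f" "-a always,exit" "-F arch=$arch" "-S $sc" \
            "-F auid>=500" "-F auid!=4294967295" "-k delete" || return 1
        # ... and by root
        rule_has "$f" "-a always,exit" "-F arch=$arch" "-S $sc" \
            "-F auid=0" "-k delete" || return 1
    done
    rule_has "$f" "-w /etc/sudoers" "-p wa" "-k actions" || return 1
    for bin in /sbin/insmod /sbin/rmmod /sbin/modprobe; do
        rule_has "$f" "-w $bin" "-p x" "-k modules" || return 1
    done
    rule_has "$f" "-a always,exit" "-F arch=$arch" "-S init_module" \
        "-S delete_module" "-k modules"
}

# Constructed sample rules file (not copied from a live system).
write_audit_sample() {  # $1=complete|partial ; prints the path of a temp file
    f=$(mktemp) || exit 1
    cat > "$f" <<'EOF'
# constructed sample audit.rules
-D
-b 320
-w /etc/sudoers -p wa -k actions
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
EOF
    if [ "$1" = complete ]; then
        cat >> "$f" <<'EOF'
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
EOF
    fi
    printf '%s\n' "$f"
}

for kind in complete partial; do
    f=$(write_audit_sample "$kind")
    if audit_rules_ok "$f" b64; then echo "$kind (b64): PASS"; else echo "$kind (b64): FAIL"; fi
    rm -f "$f"
done
```

On a real host, run audit_rules_ok against "/etc/audit/audit.rules" with b64 and, if 32-bit programs are in use, again with b32; the partial sample fails because the modprobe watch and the init_module rule are missing, and the complete sample still fails for b32 because it carries only arch=b64 rules.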

b
The system boot loader configuration file(s) must be group-owned by root.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000066
Vuln IDs
V-38581
Rule IDs
SV-50382r2_rule
The "root" group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.
Fix: F-43529r2_fix

The file "/boot/grub/grub.conf" should be group-owned by the "root" group to prevent destruction or modification of the file. To properly set the group owner of "/boot/grub/grub.conf", run the command:

# chgrp root /boot/grub/grub.conf

b
The xinetd service must be disabled if no network services utilizing it are enabled.
RMF Control
CM-7
Severity
M
CCI
CCI-000382
Version
RHEL-06-000203
Vuln IDs
V-38582
Rule IDs
SV-50383r2_rule
The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself.
Fix: F-43530r2_fix

The "xinetd" service can be disabled with the following commands:

# chkconfig xinetd off
# service xinetd stop

b
The system boot loader configuration file(s) must have mode 0600 or less permissive.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000067
Vuln IDs
V-38583
Rule IDs
SV-50384r4_rule
Proper permissions ensure that only the root user can modify important boot parameters.
Fix: F-43531r3_fix

File permissions for "/boot/grub/grub.conf" and "/boot/efi/EFI/redhat/grub.conf" should be set to 600, which is the default. To properly set the permissions of "/boot/grub/grub.conf", run the command:

$ chmod 600 /boot/grub/grub.conf

To properly set the permissions of "/boot/efi/EFI/redhat/grub.conf", run the command:

$ chmod 600 /boot/efi/EFI/redhat/grub.conf

Boot partitions based on VFAT, NTFS, or other non-standard configurations may require alternative measures.

a
The xinetd service must be uninstalled if no network services utilizing it are enabled.
RMF Control
CM-7
Severity
L
CCI
CCI-000382
Version
RHEL-06-000204
Vuln IDs
V-38584
Rule IDs
SV-50385r1_rule
Removing the "xinetd" package decreases the risk of the xinetd service's accidental (or intentional) activation.
Fix: F-43532r1_fix

The "xinetd" package can be uninstalled with the following command:

# yum erase xinetd

b
The system boot loader must require authentication.
RMF Control
AC-3
Severity
M
CCI
CCI-000213
Version
RHEL-06-000068
Vuln IDs
V-38585
Rule IDs
SV-50386r4_rule
Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.
Fix: F-43533r3_fix

The grub boot loader should have password protection enabled to protect boot-time settings. To do so, select a password and then generate a hash from it by running the following command:

# grub-crypt --sha-512

Enter the password when prompted. Then insert the following line into "/boot/grub/grub.conf" or "/boot/efi/EFI/redhat/grub.conf" immediately after the header comments, using the output from "grub-crypt" as the value of [password-hash]:

password --encrypted [password-hash]

b
The system must require authentication upon booting into single-user and maintenance modes.
RMF Control
AC-3
Severity
M
CCI
CCI-000213
Version
RHEL-06-000069
Vuln IDs
V-38586
Rule IDs
SV-50387r1_rule
This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.
Fix: F-43534r1_fix

Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected. To require entry of the root password even if the system is started in single-user mode, add or correct the following line in the file "/etc/sysconfig/init":

SINGLE=/sbin/sulogin

c
The telnet-server package must not be installed.
RMF Control
CM-7
Severity
H
CCI
CCI-000381
Version
RHEL-06-000206
Vuln IDs
V-38587
Rule IDs
SV-50388r1_rule
Removing the "telnet-server" package decreases the risk of the unencrypted telnet service's accidental (or intentional) activation. Mitigation: If the telnet-server package is configured to only allow encrypted sessions, such as with Kerberos or the use of encrypted network tunnels, the risk of exposing sensitive information is mitigated.
Fix: F-43535r1_fix

The "telnet-server" package can be uninstalled with the following command:

# yum erase telnet-server

b
The system must not permit interactive boot.
RMF Control
AC-3
Severity
M
CCI
CCI-000213
Version
RHEL-06-000070
Vuln IDs
V-38588
Rule IDs
SV-50389r1_rule
Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security.
Fix: F-43536r1_fix

To disable the ability for users to perform interactive startups, edit the file "/etc/sysconfig/init". Add or correct the line:

PROMPT=no

The "PROMPT" option allows the console user to perform an interactive system startup, in which it is possible to select the set of services which are started on boot.
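
The following script is an added example, not part of the STIG, covering the boot-time rules above: the owner, group and mode of "grub.conf", the GRUB "password --encrypted" line, "SINGLE=/sbin/sulogin" and "PROMPT=no" in "/etc/sysconfig/init". The mode test accepts 0600 or anything less permissive rather than only the literal 600, the password test accepts only a SHA-512 ("$6$") crypt string of the kind grub-crypt --sha-512 produces, and the init-file reader takes the last assignment of a key, as the init scripts would when they source the file. The sample files are constructed; the hash in the grub sample is a placeholder, not a real hash. It relies on GNU stat as shipped on RHEL.

```shell
#!/bin/sh
# Added example (not from the STIG): checks for the boot-loader and
# /etc/sysconfig/init requirements: grub.conf owner, group and mode, a GRUB
# password hash, sulogin for single-user mode, and PROMPT=no. Uses GNU stat.

# A mode string (as printed by "stat -c %a") is 0600 or less permissive when it
# sets no bit outside owner read/write: mask 07177 covers setuid/setgid/sticky,
# owner execute, and every group and other bit.
mode_ok() {  # $1=octal mode string such as 600, 400 or 644
    case "$1" in ''|*[!0-7]*) return 1 ;; esac
    [ $(( 0$1 & 07177 )) -eq 0 ]
}

file_owner_ok() {  # $1=path; owned by uid 0 and gid 0
    [ "$(stat -c %u "$1")" -eq 0 ] && [ "$(stat -c %g "$1")" -eq 0 ]
}
file_mode_ok() { mode_ok "$(stat -c %a "$1")"; }  # $1=path

# grub-crypt --sha-512 emits a $6$ crypt string; only an "--encrypted" line with
# such a hash counts, not a plaintext "password" entry.
grub_password_ok() {  # $1=grub.conf path
    grep -Eq '^[[:space:]]*password[[:space:]]+--encrypted[[:space:]]+\$6\$' "$1"
}

# Value of KEY in a KEY=VALUE file like /etc/sysconfig/init; the last assignment
# wins, as it does when the init scripts source the file.
init_value() {  # $1=file $2=key
    sed -n "s/^[[:blank:]]*$2=//p" "$1" | tail -n 1 | tr -d '"'
}
sysconfig_init_ok() {  # $1=/etc/sysconfig/init path
    [ "$(init_value "$1" SINGLE)" = /sbin/sulogin ] && [ "$(init_value "$1" PROMPT)" = no ]
}

boot_config_ok() {  # $1=grub.conf $2=/etc/sysconfig/init
    file_owner_ok "$1" && file_mode_ok "$1" && grub_password_ok "$1" && sysconfig_init_ok "$2"
}

# Constructed samples (not real system files) for exercising the checks.
write_grub_sample() {  # $1=protected|open ; prints a temp file path
    f=$(mktemp) || exit 1
    printf '# grub.conf constructed sample\ndefault=0\ntimeout=5\n' > "$f"
    if [ "$1" = protected ]; then
        # placeholder, not a real grub-crypt hash
        printf 'password --encrypted $6$PLACEHOLDERSALT$PLACEHOLDERHASH\n' >> "$f"
    fi
    printf '%s\n' "$f"
}
write_init_sample() {  # $1=hardened|default ; prints a temp file path
    f=$(mktemp) || exit 1
    printf '# /etc/sysconfig/init constructed sample\nBOOTUP=color\n' > "$f"
    if [ "$1" = hardened ]; then
        printf 'PROMPT=no\nSINGLE=/sbin/sulogin\n' >> "$f"
    else
        printf 'PROMPT=yes\nSINGLE=/sbin/sushell\n' >> "$f"
    fi
    printf '%s\n' "$f"
}

g=$(write_grub_sample protected); i=$(write_init_sample hardened)
chmod 600 "$g"
# the owner check only passes for a root-owned file, so report each part on its own
for check in "file_owner_ok $g" "file_mode_ok $g" "grub_password_ok $g" "sysconfig_init_ok $i"; do
    if $check; then echo "PASS: $check"; else echo "FAIL: $check"; fi
done
rm -f "$g" "$i"
```

On a real host call boot_config_ok with "/boot/grub/grub.conf" (or the EFI path) and "/etc/sysconfig/init"; run as root so that stat can be trusted on files under /boot.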

c
The telnet daemon must not be running.
RMF Control
MA-4
Severity
H
CCI
CCI-000888
Version
RHEL-06-000211
Vuln IDs
V-38589
Rule IDs
SV-50390r2_rule
The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks. Mitigation: If an enabled telnet daemon is configured to only allow encrypted sessions, such as with Kerberos or the use of encrypted network tunnels, the risk of exposing sensitive information is mitigated.
Fix: F-43537r1_fix

The "telnet" service can be disabled with the following command:

# chkconfig telnet off

a
The system must allow locking of the console screen in text mode.
RMF Control
AC-11
Severity
L
CCI
CCI-000058
Version
RHEL-06-000071
Vuln IDs
V-38590
Rule IDs
SV-50391r1_rule
Installing "screen" ensures a console locking capability is available for users who may need to suspend console logins.
Fix: F-43538r1_fix

To enable console screen locking when in text mode, install the "screen" package:

# yum install screen

Instruct users to begin new terminal sessions with the following command:

$ screen

The console can now be locked with the following key combination:

ctrl+a x

c
The rsh-server package must not be installed.
RMF Control
CM-7
Severity
H
CCI
CCI-000381
Version
RHEL-06-000213
Vuln IDs
V-38591
Rule IDs
SV-50392r1_rule
The "rsh-server" package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation.
Fix: F-43539r1_fix

The "rsh-server" package can be uninstalled with the following command:

# yum erase rsh-server

b
The system must require administrator action to unlock an account locked by excessive failed login attempts.
RMF Control
AC-7
Severity
M
CCI
CCI-000047
Version
RHEL-06-000356
Vuln IDs
V-38592
Rule IDs
SV-50393r4_rule
Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations.
Fix: F-43541r6_fix

To configure the system to lock out accounts after a number of incorrect logon attempts and require an administrator to unlock the account using "pam_faillock.so", modify the content of both "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" as follows:

Add the following line immediately before the "pam_unix.so" statement in the "AUTH" section:

auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900

Add the following line immediately after the "pam_unix.so" statement in the "AUTH" section:

auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900

Add the following line immediately before the "pam_unix.so" statement in the "ACCOUNT" section:

account required pam_faillock.so

Note that any updates made to "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" may be overwritten by the "authconfig" program. The "authconfig" program should not be used.

c
The rshd service must not be running.
RMF Control
AC-17
Severity
H
CCI
CCI-000068
Version
RHEL-06-000214
Vuln IDs
V-38594
Rule IDs
SV-50395r2_rule
The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
Fix: F-43542r3_fix

The "rsh" service, which is available with the "rsh-server" package and runs as a service through xinetd, should be disabled. The "rsh" service can be disabled with the following command:

# chkconfig rsh off

c
The rexecd service must not be running.
RMF Control
AC-17
Severity
H
CCI
CCI-000068
Version
RHEL-06-000216
Vuln IDs
V-38598
Rule IDs
SV-50399r2_rule
The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
Fix: F-43546r3_fix

The "rexec" service, which is available with the "rsh-server" package and runs as a service through xinetd, should be disabled. The "rexec" service can be disabled with the following command:

# chkconfig rexec off

b
The system must not send ICMPv4 redirects by default.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000080
Vuln IDs
V-38600
Rule IDs
SV-50401r2_rule
Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers.
Fix: F-43547r1_fix

To set the runtime status of the "net.ipv4.conf.default.send_redirects" kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.default.send_redirects=0

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

net.ipv4.conf.default.send_redirects = 0

b
The system must not send ICMPv4 redirects from any interface.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000081
Vuln IDs
V-38601
Rule IDs
SV-50402r2_rule
Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers.
Fix: F-43548r1_fix

To set the runtime status of the "net.ipv4.conf.all.send_redirects" kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.all.send_redirects=0

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

net.ipv4.conf.all.send_redirects = 0

c
The rlogind service must not be running.
RMF Control
AC-17
Severity
H
CCI
CCI-001436
Version
RHEL-06-000218
Vuln IDs
V-38602
Rule IDs
SV-50403r2_rule
The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
Fix: F-43549r3_fix

The "rlogin" service, which is available with the "rsh-server" package and runs as a service through xinetd, should be disabled. The "rlogin" service can be disabled with the following command:

# chkconfig rlogin off

b
The ypserv package must not be installed.
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
RHEL-06-000220
Vuln IDs
V-38603
Rule IDs
SV-50404r1_rule
Removing the "ypserv" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.
Fix: F-43551r1_fix

The "ypserv" package can be uninstalled with the following command:

# yum erase ypserv

b
The ypbind service must not be running.
RMF Control
CM-7
Severity
M
CCI
CCI-000382
Version
RHEL-06-000221
Vuln IDs
V-38604
Rule IDs
SV-50405r2_rule
Disabling the "ypbind" service ensures the system is not acting as a client in a NIS or NIS+ domain.
Fix: F-43552r2_fix

The "ypbind" service, which allows the system to act as a client in a NIS or NIS+ domain, should be disabled. The "ypbind" service can be disabled with the following commands:

# chkconfig ypbind off
# service ypbind stop

b
The cron service must be running.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000224
Vuln IDs
V-38605
Rule IDs
SV-50406r2_rule
Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.
Fix: F-43553r2_fix

The "crond" service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The "crond" service can be enabled with the following commands:

# chkconfig crond on
# service crond start

b
The tftp-server package must not be installed unless required.
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
RHEL-06-000222
Vuln IDs
V-38606
Rule IDs
SV-50407r2_rule
Removing the "tftp-server" package decreases the risk of the accidental (or intentional) activation of tftp services.
Fix: F-43554r1_fix

The "tftp-server" package can be removed with the following command:

# yum erase tftp-server

c
The SSH daemon must be configured to use only the SSHv2 protocol.
RMF Control
IA-2
Severity
H
CCI
CCI-000774
Version
RHEL-06-000227
Vuln IDs
V-38607
Rule IDs
SV-50408r1_rule
SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used.
Fix: F-43555r1_fix

Only SSH protocol version 2 connections should be permitted. The default setting in "/etc/ssh/sshd_config" is correct, and can be verified by ensuring that the following line appears:

Protocol 2

a
The SSH daemon must set a timeout interval on idle sessions.
RMF Control
SC-10
Severity
L
CCI
CCI-001133
Version
RHEL-06-000230
Vuln IDs
V-38608
Rule IDs
SV-50409r1_rule
Causing idle users to be automatically logged out guards against a compromise on one system leading trivially to compromises on another.
Fix: F-43556r1_fix

SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out. To set an idle timeout interval, edit the following line in "/etc/ssh/sshd_config" as follows:

ClientAliveInterval [interval]

The timeout [interval] is given in seconds. To have a timeout of 15 minutes, set [interval] to 900. If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.

a
The SSH daemon must set a timeout count on idle sessions.
RMF Control
MA-4
Severity
L
CCI
CCI-000879
Version
RHEL-06-000231
Vuln IDs
V-38610
Rule IDs
SV-50411r1_rule
This ensures a user login will be terminated as soon as the "ClientAliveCountMax" is reached.
Fix: F-43558r1_fix

To ensure the SSH idle timeout occurs precisely when the "ClientAliveCountMax" is set, edit "/etc/ssh/sshd_config" as follows:

ClientAliveCountMax 0

b
The SSH daemon must ignore .rhosts files.
RMF Control
IA-2
Severity
M
CCI
CCI-000766
Version
RHEL-06-000234
Vuln IDs
V-38611
Rule IDs
SV-50412r1_rule
SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.
Fix: F-43559r1_fix

SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via ".rhosts" files. To ensure this behavior is disabled, add or correct the following line in "/etc/ssh/sshd_config":

IgnoreRhosts yes

b
The SSH daemon must not allow host-based authentication.
RMF Control
IA-2
Severity
M
CCI
CCI-000766
Version
RHEL-06-000236
Vuln IDs
V-38612
Rule IDs
SV-50413r1_rule
SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.
Fix: F-43560r1_fix

SSH's cryptographic host-based authentication is more secure than ".rhosts" authentication, since hosts are cryptographically authenticated. However, it is not recommended that hosts unilaterally trust one another, even within an organization. To disable host-based authentication, add or correct the following line in "/etc/ssh/sshd_config":

HostbasedAuthentication no

b
The system must not permit root logins using remote access programs such as ssh.
RMF Control
IA-2
Severity
M
CCI
CCI-000770
Version
RHEL-06-000237
Vuln IDs
V-38613
Rule IDs
SV-50414r1_rule
Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on root's password.
Fix: F-43561r1_fix

The root user should never be allowed to log in to a system directly over a network. To disable root login via SSH, add or correct the following line in "/etc/ssh/sshd_config":

PermitRootLogin no

c
The SSH daemon must not allow authentication using an empty password.
RMF Control
IA-2
Severity
H
CCI
CCI-000766
Version
RHEL-06-000239
Vuln IDs
V-38614
Rule IDs
SV-50415r1_rule
Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.
Fix: F-43562r1_fix

To explicitly disallow remote login from accounts with empty passwords, add or correct the following line in "/etc/ssh/sshd_config":

PermitEmptyPasswords no

Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.

b
The SSH daemon must be configured with the Department of Defense (DoD) login banner.
RMF Control
AC-8
Severity
M
CCI
CCI-000048
Version
RHEL-06-000240
Vuln IDs
V-38615
Rule IDs
SV-50416r1_rule
The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.
Fix: F-43563r1_fix

To enable the warning banner and ensure it is consistent across the system, add or correct the following line in "/etc/ssh/sshd_config":

Banner /etc/issue

Another section contains information on how to create an appropriate system-wide warning banner.

a
The SSH daemon must not permit user environment settings.
RMF Control
AC-4
Severity
L
CCI
CCI-001414
Version
RHEL-06-000241
Vuln IDs
V-38616
Rule IDs
SV-50417r1_rule
SSH environment options potentially allow users to bypass access restriction in some configurations.
Fix: F-43565r1_fix

To ensure users are not able to present environment options to the SSH daemon, add or correct the following line in "/etc/ssh/sshd_config":

PermitUserEnvironment no
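
The script below is an added example, not part of the STIG. It reads an sshd_config file and checks every directive the SSH rules above call for: Protocol 2, ClientAliveInterval between 1 and 900, ClientAliveCountMax 0, IgnoreRhosts yes, HostbasedAuthentication no, PermitRootLogin no, PermitEmptyPasswords no, Banner /etc/issue and PermitUserEnvironment no. It resolves a keyword the way sshd does: keywords are case-insensitive, the first active occurrence wins, and anything after a "Match" line is conditional and is not read. Because the STIG text says to add or correct each line, every directive is required to be present explicitly rather than relying on a compile-time default. The two configuration samples are constructed; the weak one shows a hardened "PermitRootLogin no" appended after an earlier "PermitRootLogin yes", which sshd ignores.

```shell
#!/bin/sh
# Added example (not from the STIG): check sshd_config for the directives the
# SSH rules above require, resolving keywords as sshd does (case-insensitive,
# first active occurrence wins, nothing after a Match block is considered).

# Print the effective value of a keyword, or nothing if it is never set.
sshd_value() {  # $1=file $2=keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Require the keyword to be set, and to equal the expectation (case-insensitively).
sshd_expect() {  # $1=file $2=keyword $3=expected value
    v=$(sshd_value "$1" "$2" | tr 'A-Z' 'a-z')
    [ -n "$v" ] && [ "$v" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]
}

# ClientAliveInterval must be an unsigned integer from 1 to 900 seconds
# (0 disables the timeout; more than 900 exceeds the 15-minute limit).
client_alive_interval_ok() {  # $1=file
    v=$(sshd_value "$1" ClientAliveInterval)
    case "$v" in ''|*[!0-9]*) return 1 ;; esac
    [ "$v" -ge 1 ] && [ "$v" -le 900 ]
}

sshd_config_ok() {  # $1=file ; succeeds only when every directive above is satisfied
    f=$1
    sshd_expect "$f" Protocol 2 &&
    client_alive_interval_ok "$f" &&
    sshd_expect "$f" ClientAliveCountMax 0 &&
    sshd_expect "$f" IgnoreRhosts yes &&
    sshd_expect "$f" HostbasedAuthentication no &&
    sshd_expect "$f" PermitRootLogin no &&
    sshd_expect "$f" PermitEmptyPasswords no &&
    sshd_expect "$f" Banner /etc/issue &&
    sshd_expect "$f" PermitUserEnvironment no
}

# Constructed samples (not a real host's configuration) to exercise the checks.
write_sshd_sample() {  # $1=hardened|weak ; prints the path of a temp file
    f=$(mktemp) || exit 1
    if [ "$1" = hardened ]; then
        cat > "$f" <<'EOF'
# constructed sshd_config sample
Protocol 2
ClientAliveInterval 900
ClientAliveCountMax 0
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
PermitUserEnvironment no
Banner /etc/issue
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
    else
        cat > "$f" <<'EOF'
# constructed sample: the hardened lines were appended at the end, but the
# earlier PermitRootLogin yes wins because sshd keeps the first occurrence,
# and the 30-minute ClientAliveInterval exceeds the limit
Protocol 2
PermitRootLogin yes
ClientAliveInterval 1800
ClientAliveCountMax 0
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
PermitUserEnvironment no
Banner /etc/issue
PermitRootLogin no
EOF
    fi
    printf '%s\n' "$f"
}

for kind in hardened weak; do
    f=$(write_sshd_sample "$kind")
    if sshd_config_ok "$f"; then echo "$kind: PASS"; else echo "$kind: FAIL"; fi
    rm -f "$f"
done
```

Run sshd_config_ok against "/etc/ssh/sshd_config" after editing; "sshd -T" on a live host reports the same effective values and is the authoritative cross-check for directives this script does not cover.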

a
The avahi service must be disabled.
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000246
Vuln IDs
V-38618
Rule IDs
SV-50419r2_rule
Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted.
Fix: F-43567r2_fix

The "avahi-daemon" service can be disabled with the following commands:

# chkconfig avahi-daemon off
# service avahi-daemon stop

b
The system clock must be synchronized continuously, or at least daily.
RMF Control
AU-8
Severity
M
CCI
CCI-000160
Version
RHEL-06-000247
Vuln IDs
V-38620
Rule IDs
SV-50421r1_rule
Enabling the "ntpd" service ensures that the "ntpd" service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches.
Fix: F-43568r1_fix

The "ntpd" service can be enabled with the following commands:

# chkconfig ntpd on
# service ntpd start

b
The system clock must be synchronized to an authoritative DoD time source.
RMF Control
AU-8
Severity
M
CCI
CCI-000160
Version
RHEL-06-000248
Vuln IDs
V-38621
Rule IDs
SV-50422r1_rule
Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events. Using a trusted NTP server provided by your organization is recommended.
Fix: F-43570r1_fix

To specify a remote NTP server for time synchronization, edit the file "/etc/ntp.conf". Add or correct the following line, substituting the IP or hostname of a remote NTP server for [ntpserver]:

server [ntpserver]

This instructs the NTP software to contact that remote server to obtain time data.

b
Mail relaying must be restricted.
RMF Control
CM-7
Severity
M
CCI
CCI-000382
Version
RHEL-06-000249
Vuln IDs
V-38622
Rule IDs
SV-50423r2_rule
This ensures "postfix" accepts mail messages (such as cron job reports) from the local system only, and not from the network, which protects it from network attack.
Fix: F-43572r1_fix

Edit the file "/etc/postfix/main.cf" to ensure that only the following "inet_interfaces" line appears:

inet_interfaces = localhost

a
The openldap-servers package must not be installed unless required.
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000256
Vuln IDs
V-38627
Rule IDs
SV-50428r2_rule
Unnecessary packages should not be installed to decrease the attack surface of the system.
Fix: F-43577r2_fix

The "openldap-servers" package should be removed if not in use.

# yum erase openldap-servers

The openldap-servers RPM is not installed by default on RHEL6 machines. It is needed only by the OpenLDAP server, not by the clients which use LDAP for authentication. If the system is not intended for use as an LDAP Server it should be removed.

b
The graphical desktop environment must set the idle timeout to no more than 15 minutes.
RMF Control
AC-11
Severity
M
CCI
CCI-000057
Version
RHEL-06-000257
Vuln IDs
V-38629
Rule IDs
SV-50430r3_rule
Setting the idle delay controls when the screensaver will start, and can be combined with screen locking to prevent access from passersby.
Fix: F-43578r1_fix

Run the following command to set the idle time-out value for inactivity in the GNOME desktop to 15 minutes:

# gconftool-2 \
--direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type int \
--set /apps/gnome-screensaver/idle_delay 15

b
The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user reauthentication to unlock the environment.
RMF Control
AC-11
Severity
M
CCI
CCI-000057
Version
RHEL-06-000258
Vuln IDs
V-38630
Rule IDs
SV-50431r3_rule
Enabling idle activation of the screen saver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require that the login session does not have administrator rights and that the display station is located in a controlled-access area.
Fix: F-43579r1_fix

Run the following command to activate the screensaver in the GNOME desktop after a period of inactivity:

# gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type bool \
--set /apps/gnome-screensaver/idle_activation_enabled true

b
The system must set a maximum audit log file size.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000160
Vuln IDs
V-38633
Rule IDs
SV-50434r1_rule
The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.
Fix: F-43582r1_fix

Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting the correct value for [STOREMB]:

max_log_file = [STOREMB]

Set the value to "6" (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data.

b
The system must retain enough rotated audit logs to cover the required log retention period.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000159
Vuln IDs
V-38636
Rule IDs
SV-50437r1_rule
The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.
Fix: F-43585r1_fix

Determine how many log files "auditd" should retain when it rotates logs. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting [NUMLOGS] with the correct value:

num_logs = [NUMLOGS]

Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation.

b
The graphical desktop environment must have automatic lock enabled.
RMF Control
AC-11
Severity
M
CCI
CCI-000057
Version
RHEL-06-000259
Vuln IDs
V-38638
Rule IDs
SV-50439r3_rule
Enabling the activation of the screen lock after an idle period ensures password entry will be required in order to access the system, preventing access by passersby.
Fix: F-43587r1_fix

Run the following command to activate locking of the screensaver in the GNOME desktop when it is activated:

# gconftool-2 --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type bool \
  --set /apps/gnome-screensaver/lock_enabled true

a
The system must display a publicly-viewable pattern during a graphical desktop environment session lock.
RMF Control
AC-11
Severity
L
CCI
CCI-000060
Version
RHEL-06-000260
Vuln IDs
V-38639
Rule IDs
SV-50440r3_rule
Setting the screensaver mode to blank-only conceals the contents of the display from passersby.
Fix: F-43588r2_fix

Run the following command to set the screensaver mode in the GNOME desktop to a blank screen:

# gconftool-2 --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type string \
  --set /apps/gnome-screensaver/mode blank-only

a
The Automatic Bug Reporting Tool (abrtd) service must not be running.
RMF Control
CM-7
Severity
L
CCI
CCI-000382
Version
RHEL-06-000261
Vuln IDs
V-38640
Rule IDs
SV-50441r2_rule
Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the local machine, as well as sensitive information from within a process's address space or registers.
Fix: F-43589r2_fix

The Automatic Bug Reporting Tool ("abrtd") daemon collects and reports crash data when an application crash is detected. Using a variety of plugins, abrtd can email crash reports to system administrators, log crash reports to files, or forward crash reports to a centralized issue tracking system such as RHTSupport. The "abrtd" service can be disabled with the following commands:

# chkconfig abrtd off
# service abrtd stop

a
The atd service must be disabled.
RMF Control
CM-7
Severity
L
CCI
CCI-000382
Version
RHEL-06-000262
Vuln IDs
V-38641
Rule IDs
SV-50442r3_rule
The "atd" service could be used by an unsophisticated insider to carry out activities outside of a normal login session, which could complicate accountability. Furthermore, the need to schedule tasks with "at" or "batch" is not common.
Fix: F-43590r2_fix

The "at" and "batch" commands can be used to schedule tasks that are meant to be executed only once. This allows delayed execution in a manner similar to cron, except that it is not recurring. The daemon "atd" keeps track of tasks scheduled via "at" and "batch", and executes them at the specified time. The "atd" service can be disabled with the following commands:

# chkconfig atd off
# service atd stop

a
The system default umask for daemons must be 027 or 022.
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000346
Vuln IDs
V-38642
Rule IDs
SV-50443r1_rule
The umask influences the permissions assigned to files created by a process at run time. An unnecessarily permissive umask could result in files being created with insecure permissions.
Fix: F-43592r1_fix

The file "/etc/init.d/functions" includes initialization parameters for most or all daemons started at boot time. The default umask of 022 prevents creation of group- or world-writable files. To set the default umask for daemons, edit the following line, inserting 022 or 027 for [UMASK] appropriately:

umask [UMASK]

Setting too restrictive a umask here can cause serious errors at runtime. Many daemons on the system already individually restrict themselves to a umask of 077 in their own init scripts.

a
The ntpdate service must not be running.
RMF Control
CM-7
Severity
L
CCI
CCI-000382
Version
RHEL-06-000265
Vuln IDs
V-38644
Rule IDs
SV-50445r2_rule
The "ntpdate" service may only be suitable for systems which are rebooted frequently enough that clock drift does not cause problems between reboots. In any event, the functionality of the ntpdate service is now available in the ntpd program, and the ntpdate service should be considered deprecated.
Fix: F-43593r2_fix

The ntpdate service sets the local hardware clock by polling NTP servers when the system boots. It synchronizes to the NTP servers listed in "/etc/ntp/step-tickers" or "/etc/ntp.conf" and then sets the local hardware clock to the newly synchronized system time. The "ntpdate" service can be disabled with the following commands:

# chkconfig ntpdate off
# service ntpdate stop

a
The system default umask in /etc/login.defs must be 077.
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000345
Vuln IDs
V-38645
Rule IDs
SV-50446r1_rule
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.
Fix: F-43594r1_fix

To ensure the default umask controlled by "/etc/login.defs" is set properly, add or correct the "UMASK" setting in "/etc/login.defs" to read as follows:

UMASK 077

a
The oddjobd service must not be running.
RMF Control
CM-7
Severity
L
CCI
CCI-000382
Version
RHEL-06-000266
Vuln IDs
V-38646
Rule IDs
SV-50447r2_rule
The "oddjobd" service may provide necessary functionality in some environments but it can be disabled if it is not needed. Execution of tasks by privileged programs, on behalf of unprivileged ones, has traditionally been a source of privilege escalation security issues.
Fix: F-43595r2_fix

The "oddjobd" service exists to provide an interface and access control mechanism through which specified privileged tasks can run tasks for unprivileged client applications. Communication with "oddjobd" is through the system message bus. The "oddjobd" service can be disabled with the following commands:

# chkconfig oddjobd off
# service oddjobd stop

a
The system default umask in /etc/profile must be 077.
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000344
Vuln IDs
V-38647
Rule IDs
SV-50448r1_rule
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.
Fix: F-43596r1_fix

To ensure the default umask controlled by "/etc/profile" is set properly, add or correct the "umask" setting in "/etc/profile" to read as follows:

umask 077

a
The qpidd service must not be running.
RMF Control
CM-7
Severity
L
CCI
CCI-000382
Version
RHEL-06-000267
Vuln IDs
V-38648
Rule IDs
SV-50449r2_rule
The qpidd service is automatically installed when the "base" package selection is selected during installation. The qpidd service listens for network connections which increases the attack surface of the system. If the system is not intended to receive AMQP traffic then the "qpidd" service is not needed and should be disabled or removed.
Fix: F-43597r2_fix

The "qpidd" service provides high speed, secure, guaranteed delivery services. It is an implementation of the Advanced Message Queuing Protocol. By default the qpidd service will bind to port 5672 and listen for connection attempts. The "qpidd" service can be disabled with the following commands:

# chkconfig qpidd off
# service qpidd stop

a
The system default umask for the csh shell must be 077.
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000343
Vuln IDs
V-38649
Rule IDs
SV-50450r1_rule
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.
Fix: F-43598r1_fix

To ensure the default umask for users of the C shell is set properly, add or correct the "umask" setting in "/etc/csh.cshrc" to read as follows:

umask 077

a
The rdisc service must not be running.
RMF Control
CM-7
Severity
L
CCI
CCI-000382
Version
RHEL-06-000268
Vuln IDs
V-38650
Rule IDs
SV-50451r2_rule
General-purpose systems typically have their network and routing information configured statically by a system administrator. Workstations or some special-purpose systems often use DHCP (instead of IRDP) to retrieve dynamic network configuration information.
Fix: F-43599r2_fix

The "rdisc" service implements the client side of the ICMP Internet Router Discovery Protocol (IRDP), which allows discovery of routers on the local subnet. If a router is discovered then the local routing table is updated with a corresponding default route. By default this daemon is disabled. The "rdisc" service can be disabled with the following commands:

# chkconfig rdisc off
# service rdisc stop

a
The system default umask for the bash shell must be 077.
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000342
Vuln IDs
V-38651
Rule IDs
SV-50452r1_rule
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.
Fix: F-43600r1_fix

To ensure the default umask for users of the Bash shell is set properly, add or correct the "umask" setting in "/etc/bashrc" to read as follows:

umask 077
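A check for the five umask rules above (RHEL-06-000342 through RHEL-06-000346), added here as an example; it is not part of the STIG or its SCAP content. It lists every active umask line in a file the way the checks do, flags any value outside the allowed set rather than only the last one (a stock /etc/bashrc sets 002 and 022 on different branches), and shows the file and directory modes each umask actually produces (0666 and 0777 masked by the umask). The three input files are constructed stand-ins; the real paths appear only as labels.

```shell
#!/bin/sh
# Added example: verify the umask settings the RHEL 6 STIG umask rules
# require, and show what each umask means for newly created files.
# Inputs are constructed below so the script runs offline; on a live
# system pass the real /etc/bashrc, /etc/profile, /etc/csh.cshrc,
# /etc/login.defs and /etc/init.d/functions instead.

# umask_values FILE KEYWORD
# Print every active (uncommented) "KEYWORD NNN" setting in FILE, one per
# line, normalised to three octal digits so "0077" and "077" compare equal.
# KEYWORD is "umask" for shell startup files and "UMASK" for login.defs.
umask_values() {
    awk -v kw="$2" '
        $1 == kw && $2 ~ /^[0-7]+$/ {
            v = $2; sub(/^0+/, "", v); printf "%03d\n", v
        }' "$1"
}

# check_umask FILE KEYWORD ALLOWED...
# Succeed only if FILE sets KEYWORD at least once and every setting is one
# of ALLOWED. All settings are examined, not just the last one, because the
# STIG treats any umask line outside the allowed set as a finding.
check_umask() {
    cu_file=$1; cu_kw=$2; shift 2
    cu_found=0
    for cu_v in $(umask_values "$cu_file" "$cu_kw"); do
        cu_found=1
        cu_ok=0
        for cu_a in "$@"; do
            [ "$cu_v" = "$cu_a" ] && cu_ok=1
        done
        [ "$cu_ok" -eq 1 ] || return 1
    done
    [ "$cu_found" -eq 1 ]
}

# modes_for_umask UMASK
# Print the mode a process with UMASK gives a new file (0666 & ~umask)
# and a new directory (0777 & ~umask).
modes_for_umask() {
    printf 'file=%04o dir=%04o\n' $(( 0666 & ~0$1 )) $(( 0777 & ~0$1 ))
}

# report LABEL FILE KEYWORD ALLOWED...  -> one pass/FINDING line per file
report() {
    r_label=$1; shift
    if check_umask "$@"; then r_status=pass; else r_status=FINDING; fi
    printf '%-22s %-8s umask lines: %s\n' "$r_label" "$r_status" \
        "$(umask_values "$1" "$2" | tr '\n' ' ')"
}

# ---- constructed inputs (stand-ins for the real files) ----
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stock RHEL 6 style /etc/bashrc: 002 for ordinary users, 022 otherwise.
# Neither is 077, so this is a finding for RHEL-06-000342.
cat > "$WORK/bashrc" <<'EOF'
# /etc/bashrc (constructed)
if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
   umask 002
else
   umask 022
fi
EOF

# /etc/login.defs after the RHEL-06-000345 fix; the commented old value is ignored.
cat > "$WORK/login.defs" <<'EOF'
# UMASK 022
UMASK 077
EOF

# /etc/init.d/functions with the daemon umask RHEL-06-000346 accepts.
cat > "$WORK/functions" <<'EOF'
# Make sure umask is sane
umask 022
EOF

report /etc/bashrc           "$WORK/bashrc"     umask 077
report /etc/login.defs       "$WORK/login.defs" UMASK 077
report /etc/init.d/functions "$WORK/functions"  umask 022 027
for u in 022 027 077; do
    printf 'umask %s -> %s\n' "$u" "$(modes_for_umask "$u")"
done
```

The mode table is the reason 077 is required for interactive shells but only 022 or 027 for daemons: 077 yields 0600 files and 0700 directories, which is what a user's own files should get, while a daemon forced to 077 would create files its own group or clients can no longer read.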

a
The system must use SMB client signing for connecting to samba servers using smbclient.
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000272
Vuln IDs
V-38656
Rule IDs
SV-50457r1_rule
Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.
Fix: F-43606r1_fix

To require samba clients running "smbclient" to use packet signing, add the following to the "[global]" section of the Samba configuration file "/etc/samba/smb.conf":

client signing = mandatory

Requiring samba clients such as "smbclient" to use packet signing ensures they can only communicate with servers that support packet signing.

b
The system must prohibit the reuse of passwords within five iterations.
RMF Control
IA-5
Severity
M
CCI
CCI-000200
Version
RHEL-06-000274
Vuln IDs
V-38658
Rule IDs
SV-50459r6_rule
Preventing reuse of previous passwords helps ensure that a compromised password is not reused by a user.
Fix: F-43608r6_fix

Do not allow users to reuse recent passwords. This can be accomplished by using the "remember" option for the "pam_pwhistory" PAM module. In the files "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth", append "remember=5" to the lines that refer to the "pam_pwhistory.so" module, as shown:

password required pam_pwhistory.so [existing_options] remember=5

or

password requisite pam_pwhistory.so [existing_options] remember=5

The DoD requirement is five passwords.

c
The x86 Ctrl-Alt-Delete key sequence must be disabled.
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
RHEL-06-000286
Vuln IDs
V-38668
Rule IDs
SV-50469r4_rule
A locally logged-in user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.
Fix: F-43617r3_fix

By default, the system includes the following line in "/etc/init/control-alt-delete.conf" to reboot the system when the Ctrl-Alt-Delete key sequence is pressed:

exec /sbin/shutdown -r now "Ctrl-Alt-Delete pressed"

To configure the system to log a message instead of rebooting, add the following line to "/etc/init/control-alt-delete.override" (creating the file if it does not exist):

exec /usr/bin/logger -p authpriv.notice "Ctrl-Alt-Delete pressed"

a
The postfix service must be enabled for mail delivery.
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000287
Vuln IDs
V-38669
Rule IDs
SV-50470r1_rule
Local mail delivery is essential to some system maintenance and notification tasks.
Fix: F-43618r1_fix

The Postfix mail transfer agent is used for local mail delivery within the system. The default configuration only listens for connections to the default SMTP port (port 25) on the loopback interface (127.0.0.1). It is recommended to leave this service enabled for local mail delivery. The "postfix" service can be enabled with the following commands:

# chkconfig postfix on
# service postfix start

b
The sendmail package must be removed.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000288
Vuln IDs
V-38671
Rule IDs
SV-50472r1_rule
The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead.
Fix: F-43620r1_fix

Sendmail is not the default mail transfer agent and is not installed by default. The "sendmail" package can be removed with the following command:

# yum erase sendmail

a
The netconsole service must be disabled unless required.
RMF Control
CM-7
Severity
L
CCI
CCI-000382
Version
RHEL-06-000289
Vuln IDs
V-38672
Rule IDs
SV-50473r2_rule
The "netconsole" service is not necessary unless there is a need to debug kernel panics, which is not common.
Fix: F-43622r2_fix

The "netconsole" service is responsible for loading the netconsole kernel module, which logs kernel printk messages over UDP to a syslog server. This allows debugging of problems where disk logging fails and serial consoles are impractical. The "netconsole" service can be disabled with the following commands:

# chkconfig netconsole off
# service netconsole stop

b
X Windows must not be enabled unless required.
RMF Control
AC-17
Severity
M
CCI
CCI-001436
Version
RHEL-06-000290
Vuln IDs
V-38674
Rule IDs
SV-50475r1_rule
Unnecessary services should be disabled to decrease the attack surface of the system.
Fix: F-43623r1_fix

Setting the system's runlevel to 3 will prevent automatic startup of the X server. To do so, ensure the following line in "/etc/inittab" features a "3" as shown:

id:3:initdefault:

a
Process core dumps must be disabled unless needed.
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000308
Vuln IDs
V-38675
Rule IDs
SV-50476r2_rule
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
Fix: F-43624r1_fix

To disable core dumps for all users, add the following line to "/etc/security/limits.conf":

* hard core 0

a
The xorg-x11-server-common (X Windows) package must not be installed, unless required.
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000291
Vuln IDs
V-38676
Rule IDs
SV-50477r2_rule
Unnecessary packages should not be installed to decrease the attack surface of the system.
Fix: F-43625r1_fix

Removing all packages which constitute the X Window System ensures users or malicious software cannot start X. To do so, run the following command:

# yum groupremove "X Window System"

c
The NFS server must not have the insecure file locking option enabled.
RMF Control
IA-2
Severity
H
CCI
CCI-000764
Version
RHEL-06-000309
Vuln IDs
V-38677
Rule IDs
SV-50478r1_rule
Allowing insecure file locking could allow for sensitive data to be viewed or edited by an unauthorized user.
Fix: F-43626r1_fix

By default the NFS server requires secure file-lock requests, which require credentials from the client in order to lock a file. Most NFS clients send credentials with file lock requests; however, a few clients do not send credentials when requesting a file lock, which leaves such a client able to lock only world-readable files. To get around this, the "insecure_locks" option can be used so these clients can access the desired export. This poses a security risk by potentially allowing the client access to data for which it does not have authorization. Remove any instances of the "insecure_locks" option from the file "/etc/exports".

b
The DHCP client must be disabled if not needed.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000292
Vuln IDs
V-38679
Rule IDs
SV-50480r3_rule
DHCP relies on trusting the local network. If the local network is not trusted, then it should not be used. However, the automatic configuration provided by DHCP is commonly used and the alternative, manual configuration, presents an unacceptable burden in many circumstances.
Fix: F-43628r2_fix

For each interface [IFACE] on the system (e.g. eth0), edit "/etc/sysconfig/network-scripts/ifcfg-[IFACE]" and make the following changes. Correct the BOOTPROTO line to read:

BOOTPROTO=none

Add or correct the following lines, substituting the appropriate values based on your site's addressing scheme:

NETMASK=[local LAN netmask]
IPADDR=[assigned IP address]
GATEWAY=[local LAN default gateway]

b
The audit system must identify staff members to receive notifications of audit log storage volume capacity issues.
RMF Control
AU-5
Severity
M
CCI
CCI-000139
Version
RHEL-06-000313
Vuln IDs
V-38680
Rule IDs
SV-50481r1_rule
Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.
Fix: F-43629r1_fix

The "auditd" service can be configured to send email to a designated account in certain situations. Add or correct the following line in "/etc/audit/auditd.conf" to ensure that administrators are notified via email for those situations:

action_mail_acct = root

a
The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.
RMF Control
AC-10
Severity
L
CCI
CCI-000054
Version
RHEL-06-000319
Vuln IDs
V-38684
Rule IDs
SV-50485r2_rule
Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions.
Fix: F-43633r1_fix

Limiting the number of allowed users and sessions per user can limit risks related to denial of service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. To set the number of concurrent sessions per user add the following line in "/etc/security/limits.conf":

* hard maxlogins 10

A documented site-defined number may be substituted for 10 in the above.

a
The system must provide VPN connectivity for communications over untrusted networks.
RMF Control
SC-9
Severity
L
CCI
CCI-001130
Version
RHEL-06-000321
Vuln IDs
V-38687
Rule IDs
SV-50488r3_rule
Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network.
Fix: F-43636r2_fix

The "libreswan" package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. The "libreswan" package can be installed with the following command:

# yum install libreswan

b
A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
RMF Control
AC-8
Severity
M
CCI
CCI-000050
Version
RHEL-06-000324
Vuln IDs
V-38688
Rule IDs
SV-50489r3_rule
An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.
Fix: F-43637r2_fix

To enable displaying a login warning banner in the GNOME Display Manager's login screen, run the following command:

# gconftool-2 --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type bool \
  --set /apps/gdm/simple-greeter/banner_message_enable true

To display a banner, this setting must be enabled and then banner text must also be set.

b
The Bluetooth service must be disabled.
RMF Control
AC-19
Severity
M
CCI
CCI-000085
Version
RHEL-06-000331
Vuln IDs
V-38691
Rule IDs
SV-50492r2_rule
Disabling the "bluetooth" service prevents the system from attempting connections to Bluetooth devices, which entails some security risk. Nevertheless, variation in this risk decision may be expected due to the utility of Bluetooth connectivity and its limited range.
Fix: F-43640r1_fix

The "bluetooth" service can be disabled with the following commands:

# chkconfig bluetooth off
# service bluetooth stop

a
Accounts must be locked upon 35 days of inactivity.
RMF Control
AC-2
Severity
L
CCI
CCI-000017
Version
RHEL-06-000334
Vuln IDs
V-38692
Rule IDs
SV-50493r1_rule
Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.
Fix: F-43641r2_fix

To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following line in "/etc/default/useradd", substituting "[NUM_DAYS]" appropriately:

INACTIVE=[NUM_DAYS]

A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the "useradd" man page for more information. This default applies only to accounts created after the change; the inactivity period of an existing account is set with "chage --inactive [NUM_DAYS] [USER]". Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.

a
The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization defined time period of inactivity.
RMF Control
IA-4
Severity
L
CCI
CCI-000795
Version
RHEL-06-000335
Vuln IDs
V-38694
Rule IDs
SV-50495r1_rule
Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.
Fix: F-43643r2_fix

To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following line in "/etc/default/useradd", substituting "[NUM_DAYS]" appropriately:

INACTIVE=[NUM_DAYS]

A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the "useradd" man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.

c
The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system.
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
RHEL-06-000338
Vuln IDs
V-38701
Rule IDs
SV-50502r1_rule
Using the "-s" option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally specified directory reduces the risk of sharing files which should remain private.
Fix: F-43650r1_fix

If running the "tftp" service is necessary, it should be configured to change its root directory at startup. To do so, ensure "/etc/xinetd.d/tftp" includes "-s" as a command line argument, as shown in the following example (which is also the default):

server_args = -s /var/lib/tftpboot

b
The system must use a Linux Security Module at boot time.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000017
Vuln IDs
V-51337
Rule IDs
SV-65547r2_rule
Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation.
Fix: F-56147r2_fix

SELinux can be disabled at boot time by an argument in "/boot/grub/grub.conf". Remove any instances of "selinux=0" from the kernel arguments in that file to prevent SELinux from being disabled at boot.

b
The system must use a Linux Security Module configured to enforce limits on system services.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000020
Vuln IDs
V-51363
Rule IDs
SV-65573r1_rule
Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.
Fix: F-56165r1_fix

The SELinux state should be set to "enforcing" at system boot time. In the file "/etc/selinux/config", add or correct the following line to configure the system to boot into enforcing mode:

SELINUX=enforcing

a
The system must use a Linux Security Module configured to limit the privileges of system services.
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000023
Vuln IDs
V-51369
Rule IDs
SV-65579r1_rule
Setting the SELinux policy to "targeted" or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services.
Fix: F-56171r1_fix

The SELinux "targeted" policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in "/etc/selinux/config":

SELINUXTYPE=targeted

Other policies, such as "mls", provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.

b
The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000372
Vuln IDs
V-51875
Rule IDs
SV-66089r1_rule
Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.
Fix: F-56701r1_fix

To configure the system to notify users of last logon/access using "pam_lastlog", add the following line in "/etc/pam.d/system-auth" immediately after "session required pam_limits.so":

session required pam_lastlog.so showfailed

b
The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000163
Vuln IDs
V-54381
Rule IDs
SV-68627r3_rule
Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur.
Fix: F-59235r2_fix

The "auditd" service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting [ACTION] appropriately:

admin_space_left_action = [ACTION]

Set this value to "single" to cause the system to switch to single-user mode for corrective action. Acceptable values also include "suspend" and "halt". For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for [ACTION] are described in the "auditd.conf" man page.
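An added example covering the four "/etc/audit/auditd.conf" rules on this page (RHEL-06-000160 max_log_file, RHEL-06-000159 num_logs, RHEL-06-000313 action_mail_acct and RHEL-06-000163 admin_space_left_action). It is not part of the STIG or its SCAP content. It reads the "key = value" file the way auditd does, reports each setting that fails the quoted rules, and multiplies max_log_file by num_logs, since that product, not max_log_file alone, is the audit storage available before the oldest rotated log is overwritten. The two configuration files are constructed: one weak, one with the fixes applied.

```shell
#!/bin/sh
# Added example: read the auditd.conf settings behind RHEL-06-000160,
# RHEL-06-000159, RHEL-06-000313 and RHEL-06-000163 and work out what they
# add up to. The two config files below are constructed so this runs
# offline; on a live system pass /etc/audit/auditd.conf.

# auditd_get CONF KEY
# Print the value of KEY from a "key = value" auditd.conf; comments are
# skipped and the last active line wins. Prints nothing if KEY is absent.
auditd_get() {
    awk -F= -v key="$2" '
        $0 !~ /^[ \t]*#/ {
            k = $1; gsub(/[ \t]/, "", k)
            if (k == key) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); val = v }
        }
        END { if (val != "") print val }' "$1"
}

# audit_retention_mb CONF
# Total audit storage in MB the rotation settings can hold: max_log_file
# (MB per file) times num_logs (files kept). With max_log_file_action =
# rotate the oldest file is overwritten once this much has been written,
# so the required retention period has to fit inside this figure.
audit_retention_mb() {
    ar_m=$(auditd_get "$1" max_log_file)
    ar_n=$(auditd_get "$1" num_logs)
    echo $(( ${ar_m:-0} * ${ar_n:-0} ))
}

# audit_findings CONF
# One line per setting that fails the rules quoted above; no output when
# the file is compliant. Action keywords are lower-cased first because the
# stock file spells them in upper case (e.g. SUSPEND) and auditd accepts
# either spelling.
audit_findings() {
    af_m=$(auditd_get "$1" max_log_file)
    af_n=$(auditd_get "$1" num_logs)
    af_mail=$(auditd_get "$1" action_mail_acct)
    af_adm=$(auditd_get "$1" admin_space_left_action | tr 'A-Z' 'a-z')
    [ "${af_m:-0}" -ge 6 ] || echo "RHEL-06-000160 max_log_file=${af_m:-unset} (need 6 or more)"
    if [ "${af_n:-0}" -lt 2 ]; then
        echo "RHEL-06-000159 num_logs=${af_n:-unset} (values below 2 give no rotation)"
    elif [ "$af_n" -lt 5 ]; then
        echo "RHEL-06-000159 num_logs=$af_n (below the 5 set for general-purpose systems)"
    fi
    [ -n "$af_mail" ] || echo "RHEL-06-000313 action_mail_acct unset (set it to root)"
    case "$af_adm" in
        single|suspend|halt) ;;
        *) echo "RHEL-06-000163 admin_space_left_action=${af_adm:-unset} (need single, suspend or halt)" ;;
    esac
}

# ---- constructed inputs ----
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A lax configuration: small files, no rotation, nobody mailed, and the
# admin low-space action set to ignore.
cat > "$WORK/auditd.lax" <<'EOF'
# constructed /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
max_log_file = 5
max_log_file_action = ROTATE
num_logs = 1
space_left_action = SYSLOG
admin_space_left_action = ignore
EOF

# The same file after applying the four fixes.
cat > "$WORK/auditd.fixed" <<'EOF'
log_file = /var/log/audit/audit.log
max_log_file = 6
max_log_file_action = ROTATE
num_logs = 5
action_mail_acct = root
space_left_action = SYSLOG
admin_space_left_action = single
EOF

for f in lax fixed; do
    echo "== $f: retention $(audit_retention_mb "$WORK/auditd.$f") MB"
    audit_findings "$WORK/auditd.$f"
done
```

With the fixes applied the example reports 30 MB of retained audit data (6 MB times 5 files); whether that covers the site's retention period is the question the two rotation rules leave to the administrator, and this figure is what to compare against the observed daily audit volume.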

a
The audit system must be configured to audit all attempts to alter system time through adjtimex.
RMF Control
AU-12
Severity
L
CCI
CCI-000169
Version
RHEL-06-000166
Vuln IDs
V-81441
Rule IDs
SV-96155r1_rule
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
Fix: F-88259r1_fix

On a 32-bit system, add the following to "/etc/audit/audit.rules":

# audit_time_rules
-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules

On a 64-bit system, add the following to "/etc/audit/audit.rules":

# audit_time_rules
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules

A rule with "-F arch=b64" matches only 64-bit callers; a 32-bit program running on a 64-bit kernel enters through the compat syscall table and is matched only by a "-F arch=b32" rule, so a 64-bit system that runs 32-bit programs needs both sets of rules.
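An added example, not part of the STIG or its SCAP content, that parses an audit.rules file and reports which of the time-setting syscalls named in the fix have a rule for each syscall ABI. It exists to make the architecture point checkable: a 64-bit kernel also executes 32-bit programs, and only a b32 rule catches their calls. The rules file is constructed and holds just the 64-bit line from the fix text.

```shell
#!/bin/sh
# Added example: check which time-setting syscalls an audit.rules file
# covers for each syscall ABI. "-F arch=b64" rules match 64-bit callers
# only; a 32-bit binary on a 64-bit kernel is matched only by a b32 rule.
# The rules file is constructed so this runs offline; on a live system
# pass /etc/audit/audit.rules (or the output of "auditctl -l").

# rule_syscalls RULES ARCH
# Print the syscall names from every active "-a always,exit" (or
# "-a exit,always") rule carrying "-F arch=ARCH", one per line. Handles
# both the "-S a -S b" and the "-S a,b" spellings auditctl accepts.
rule_syscalls() {
    awk -v arch="arch=$2" '
        /^[ \t]*-a[ \t]+(always,exit|exit,always)/ {
            has = 0
            for (i = 1; i < NF; i++)
                if ($i == "-F" && $(i + 1) == arch) has = 1
            if (!has) next
            for (i = 1; i < NF; i++)
                if ($i == "-S") {
                    n = split($(i + 1), s, ",")
                    for (j = 1; j <= n; j++) print s[j]
                }
        }' "$1"
}

# uncovered_time_syscalls RULES ARCH
# The time-setting syscalls from the fix text that have no rule for ARCH,
# space separated; empty when all three are covered.
uncovered_time_syscalls() {
    ut_have=" $(rule_syscalls "$1" "$2" | tr '\n' ' ')"
    ut_out=""
    for ut_s in adjtimex settimeofday clock_settime; do
        case "$ut_have" in
            *" $ut_s "*) ;;
            *) ut_out="$ut_out $ut_s" ;;
        esac
    done
    echo "${ut_out# }"
}

# ---- constructed input: only the 64-bit line from the fix text ----
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/audit.rules" <<'EOF'
# This file contains the auditctl rules that are loaded
-D
-b 320
# audit_time_rules
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules
EOF

for arch in b64 b32; do
    missing=$(uncovered_time_syscalls "$WORK/audit.rules" "$arch")
    if [ -n "$missing" ]; then
        echo "$arch: no rule for $missing"
    else
        echo "$arch: all time syscalls covered"
    fi
done
```

On the constructed file the b64 check passes and the b32 check lists all three syscalls, which is the gap a 32-bit ntpdate or date binary would fall through on a 64-bit host until a matching "-F arch=b32" rule is added.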

a
The Red Hat Enterprise Linux operating system must mount /dev/shm with the nodev option.
RMF Control
CM-7
Severity
L
CCI
CCI-001764
Version
RHEL-06-000530
Vuln IDs
V-81445
Rule IDs
SV-96159r1_rule
The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
Fix: F-88263r1_fix

Configure the "/etc/fstab" to use the "nodev" option for all lines containing "/dev/shm".

a
The Red Hat Enterprise Linux operating system must mount /dev/shm with the nosuid option.
RMF Control
CM-7
Severity
L
CCI
CCI-001764
Version
RHEL-06-000531
Vuln IDs
V-81447
Rule IDs
SV-96161r1_rule
The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setgid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
Fix: F-88265r1_fix

Configure the "/etc/fstab" to use the "nosuid" option for all lines containing "/dev/shm".

a
The Red Hat Enterprise Linux operating system must mount /dev/shm with the noexec option.
RMF Control
CM-7
Severity
L
CCI
CCI-001764
Version
RHEL-06-000532
Vuln IDs
V-81449
Rule IDs
SV-96163r1_rule
The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
Fix: F-88267r1_fix

Configure the "/etc/fstab" to use the "noexec" option for all lines containing "/dev/shm".
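An added example, not part of the STIG or its SCAP content, for the three /dev/shm mount-option rules (RHEL-06-000530, RHEL-06-000531 and RHEL-06-000532). It parses an fstab-format table, reports which of nodev, nosuid and noexec the /dev/shm entry lacks, and prints the corrected entry the fixes call for. Because /etc/fstab and /proc/mounts share the field layout (device, mount point, type, options), the same functions check what is configured and what is currently mounted. Both tables below are constructed.

```shell
#!/bin/sh
# Added example: check an fstab-format table for the /dev/shm options
# the RHEL 6 STIG requires and produce the corrected entry. Both tables
# are constructed so this runs offline; on a live system pass /etc/fstab
# (what will be mounted at boot) and /proc/mounts (what is mounted now).

# mount_opts TABLE MOUNTPOINT
# Print the option field of the active entry for MOUNTPOINT; nothing if absent.
mount_opts() {
    awk -v mp="$2" '$0 !~ /^[ \t]*#/ && $2 == mp { o = $4 } END { print o }' "$1"
}

# missing_opts TABLE MOUNTPOINT OPT...
# Print the required OPTs the entry lacks, space separated (all of them
# when there is no entry at all); empty when the entry is compliant.
missing_opts() {
    mo_tbl=$1; mo_mp=$2; shift 2
    mo_have=",$(mount_opts "$mo_tbl" "$mo_mp"),"
    mo_out=""
    for mo_o in "$@"; do
        case "$mo_have" in
            *",$mo_o,"*) ;;
            *) mo_out="$mo_out $mo_o" ;;
        esac
    done
    echo "${mo_out# }"
}

# fixed_entry TABLE MOUNTPOINT OPT...
# Print the entry with the missing options appended to its option field,
# i.e. the line the fix text asks for in /etc/fstab. Only the matching
# entry is printed, with fields separated by single spaces.
fixed_entry() {
    fe_tbl=$1; fe_mp=$2; shift 2
    fe_add=$(missing_opts "$fe_tbl" "$fe_mp" "$@" | tr ' ' ',')
    awk -v mp="$fe_mp" -v add="$fe_add" '
        $0 !~ /^[ \t]*#/ && $2 == mp {
            if (add != "") $4 = $4 "," add
            print
        }' "$fe_tbl"
}

# ---- constructed inputs ----
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# /etc/fstab with the stock /dev/shm line (no hardening options).
cat > "$WORK/fstab" <<'EOF'
# /etc/fstab (constructed)
UUID=constructed-root   /         ext4    defaults        1 1
tmpfs                   /dev/shm  tmpfs   defaults        0 0
devpts                  /dev/pts  devpts  gid=5,mode=620  0 0
EOF

# /proc/mounts excerpt: remounted by hand with two of the three options.
cat > "$WORK/mounts" <<'EOF'
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
EOF

REQ="nodev nosuid noexec"
echo "fstab missing:  $(missing_opts "$WORK/fstab"  /dev/shm $REQ)"
echo "mounts missing: $(missing_opts "$WORK/mounts" /dev/shm $REQ)"
echo "fixed entry:    $(fixed_entry  "$WORK/fstab"  /dev/shm $REQ)"
fixed_entry "$WORK/fstab" /dev/shm $REQ > "$WORK/fstab.fixed"
```

After editing the real /etc/fstab, "mount -o remount /dev/shm" re-reads that entry and applies the new options without a reboot; running the check against both /etc/fstab and /proc/mounts afterwards confirms the configured and the live state agree.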