Red Hat Enterprise Linux 6 Security Technical Implementation Guide
Open a previous version of this SCAP benchmark.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- RHEL-06-000526
- Vuln IDs
- V-38437
- Rule IDs
- SV-50237r1_rule
Fix: F-43381r1_fix
If the "autofs" service is not needed to dynamically mount NFS filesystems or removable media, disable the service for all runlevels: # chkconfig --level 0123456 autofs off Stop the service if it is already running: # service autofs stop
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000169
- Version
- RHEL-06-000525
- Vuln IDs
- V-38438
- Rule IDs
- SV-50238r4_rule
Fix: F-43382r4_fix
To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument "audit=1" to the kernel line in "/boot/grub/grub.conf" or “/boot/efi/EFI/redhat/grub.conf”, in the manner below: kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1 UEFI systems may prepend "/boot" to the "/vmlinuz-version" argument.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000036
- Vuln IDs
- V-38443
- Rule IDs
- SV-50243r1_rule
Fix: F-43388r1_fix
To properly set the owner of "/etc/gshadow", run the command: # chown root /etc/gshadow
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000037
- Vuln IDs
- V-38448
- Rule IDs
- SV-50248r1_rule
Fix: F-43393r1_fix
To properly set the group owner of "/etc/gshadow", run the command: # chgrp root /etc/gshadow
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000038
- Vuln IDs
- V-38449
- Rule IDs
- SV-50249r1_rule
Fix: F-43394r1_fix
To properly set the permissions of "/etc/gshadow", run the command: # chmod 0000 /etc/gshadow
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000039
- Vuln IDs
- V-38450
- Rule IDs
- SV-50250r1_rule
Fix: F-43395r1_fix
To properly set the owner of "/etc/passwd", run the command: # chown root /etc/passwd
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000040
- Vuln IDs
- V-38451
- Rule IDs
- SV-50251r1_rule
Fix: F-43396r1_fix
To properly set the group owner of "/etc/passwd", run the command: # chgrp root /etc/passwd
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- RHEL-06-000001
- Vuln IDs
- V-38455
- Rule IDs
- SV-50255r1_rule
Fix: F-43387r1_fix
The "/tmp" directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- RHEL-06-000002
- Vuln IDs
- V-38456
- Rule IDs
- SV-50256r1_rule
Fix: F-43401r2_fix
The "/var" directory is used by daemons and other system services to store frequently-changing data. Ensure that "/var" has its own partition or logical volume at installation time, or migrate it using LVM.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000041
- Vuln IDs
- V-38457
- Rule IDs
- SV-50257r1_rule
Fix: F-43397r1_fix
To properly set the permissions of "/etc/passwd", run the command: # chmod 0644 /etc/passwd
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000042
- Vuln IDs
- V-38458
- Rule IDs
- SV-50258r1_rule
Fix: F-43403r1_fix
To properly set the owner of "/etc/group", run the command: # chown root /etc/group
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000043
- Vuln IDs
- V-38459
- Rule IDs
- SV-50259r1_rule
Fix: F-43404r1_fix
To properly set the group owner of "/etc/group", run the command: # chgrp root /etc/group
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000044
- Vuln IDs
- V-38461
- Rule IDs
- SV-50261r1_rule
Fix: F-43406r1_fix
To properly set the permissions of "/etc/group", run the command: # chmod 644 /etc/group
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- RHEL-06-000003
- Vuln IDs
- V-38463
- Rule IDs
- SV-50263r1_rule
Fix: F-43408r1_fix
System logs are stored in the "/var/log" directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM.
- RMF Control
- AU-4
- Severity
- L
- CCI
- CCI-000137
- Version
- RHEL-06-000004
- Vuln IDs
- V-38467
- Rule IDs
- SV-50267r1_rule
Fix: F-43412r1_fix
Audit logs are stored in the "/var/log/audit" directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- RHEL-06-000047
- Vuln IDs
- V-38469
- Rule IDs
- SV-50269r3_rule
Fix: F-43414r1_fix
System executables are stored in the following directories by default: /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command: # chmod go-w [FILE]
- RMF Control
- AU-4
- Severity
- M
- CCI
- CCI-000138
- Version
- RHEL-06-000005
- Vuln IDs
- V-38470
- Rule IDs
- SV-50270r2_rule
Fix: F-43415r2_fix
The "auditd" service can be configured to take an action when disk space starts to run low. Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [ACTION] appropriately: space_left_action = [ACTION] Possible values for [ACTION] are described in the "auditd.conf" man page. These include: "ignore" "syslog" "email" "exec" "suspend" "single" "halt" Set this to "email" (instead of the default, which is "suspend") as it is more likely to get prompt attention. The "syslog" option is acceptable, provided the local log management infrastructure notifies an appropriate administrator in a timely manner. RHEL-06-000521 ensures that the email generated through the operation "space_left_action" will be sent to an administrator.
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- RHEL-06-000048
- Vuln IDs
- V-38472
- Rule IDs
- SV-50272r1_rule
Fix: F-43417r1_fix
System executables are stored in the following directories by default: /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin If any file [FILE] in these directories is found to be owned by a user other than root, correct its ownership with the following command: # chown root [FILE]
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- RHEL-06-000007
- Vuln IDs
- V-38473
- Rule IDs
- SV-50273r1_rule
Fix: F-43418r1_fix
If user home directories will be stored locally, create a separate partition for "/home" at installation time (or migrate it later using LVM). If "/home" will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000205
- Version
- RHEL-06-000050
- Vuln IDs
- V-38475
- Rule IDs
- SV-50275r3_rule
Fix: F-43419r3_fix
To specify password length requirements for new accounts, edit the file "/etc/login.defs" and add or correct the following lines: PASS_MIN_LEN 15 The DoD requirement is "15". If a program consults "/etc/login.defs" and also another PAM module (such as "pam_cracklib") during a password change operation, then the most restrictive must be satisfied.
- RMF Control
- CM-5
- Severity
- H
- CCI
- CCI-000352
- Version
- RHEL-06-000008
- Vuln IDs
- V-38476
- Rule IDs
- SV-50276r3_rule
Fix: F-43421r3_fix
To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG keys must be installed properly. To install the Red Hat GPG keys, run: # rhn_register If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG keys from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in "/media/cdrom", use the following command as the root user to import them into the keyring: # rpm --import /media/cdrom/RPM-GPG-KEY
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000198
- Version
- RHEL-06-000051
- Vuln IDs
- V-38477
- Rule IDs
- SV-50277r1_rule
Fix: F-43422r1_fix
To specify password minimum age for new accounts, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately: PASS_MIN_DAYS [DAYS] A value of 1 day is considered sufficient for many environments. The DoD requirement is 1.
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000199
- Version
- RHEL-06-000053
- Vuln IDs
- V-38479
- Rule IDs
- SV-50279r1_rule
Fix: F-43424r1_fix
To specify password maximum age for new accounts, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately: PASS_MAX_DAYS [DAYS] The DoD requirement is 60.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- RHEL-06-000054
- Vuln IDs
- V-38480
- Rule IDs
- SV-50280r1_rule
Fix: F-43425r1_fix
To specify how many days prior to password expiration that a warning will be issued to users, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately: PASS_WARN_AGE [DAYS] The DoD requirement is 7.
- RMF Control
- IA-5
- Severity
- L
- CCI
- CCI-000194
- Version
- RHEL-06-000056
- Vuln IDs
- V-38482
- Rule IDs
- SV-50282r2_rule
Fix: F-43427r2_fix
The pam_cracklib module's "dcredit" parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional length credit for each digit. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "dcredit=-1" after pam_cracklib.so to require use of a digit in passwords.
- RMF Control
- SA-7
- Severity
- M
- CCI
- CCI-000663
- Version
- RHEL-06-000013
- Vuln IDs
- V-38483
- Rule IDs
- SV-50283r1_rule
Fix: F-43429r1_fix
The "gpgcheck" option should be used to ensure checking of an RPM package's signature always occurs prior to its installation. To configure yum to check package signatures before installing them, ensure the following line appears in "/etc/yum.conf" in the "[main]" section: gpgcheck=1
- RMF Control
- SA-7
- Severity
- L
- CCI
- CCI-000663
- Version
- RHEL-06-000015
- Vuln IDs
- V-38487
- Rule IDs
- SV-50288r1_rule
Fix: F-43433r1_fix
To ensure signature checking is not disabled for any repos, remove any lines from files in "/etc/yum.repos.d" of the form: gpgcheck=0
- RMF Control
- RA-5
- Severity
- M
- CCI
- CCI-001069
- Version
- RHEL-06-000016
- Vuln IDs
- V-38489
- Rule IDs
- SV-50290r1_rule
Fix: F-43436r1_fix
Install the AIDE package with the command: # yum install aide
- RMF Control
- AC-19
- Severity
- M
- CCI
- CCI-000086
- Version
- RHEL-06-000503
- Vuln IDs
- V-38490
- Rule IDs
- SV-50291r6_rule
Fix: F-43437r3_fix
To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the "usb-storage" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install usb-storage /bin/true This will prevent the "modprobe" program from loading the "usb-storage" module, but will not prevent an administrator (or another program) from using the "insmod" program to load the module manually.
- RMF Control
- AC-17
- Severity
- H
- CCI
- CCI-001436
- Version
- RHEL-06-000019
- Vuln IDs
- V-38491
- Rule IDs
- SV-50292r1_rule
Fix: F-43438r1_fix
The files "/etc/hosts.equiv" and "~/.rhosts" (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To remove these files, run the following command to delete them from any location. # rm /etc/hosts.equiv $ rm ~/.rhosts
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000770
- Version
- RHEL-06-000027
- Vuln IDs
- V-38492
- Rule IDs
- SV-50293r1_rule
Fix: F-43439r2_fix
To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in "/etc/securetty": vc/1 vc/2 vc/3 vc/4 Note: Virtual console entries are not limited to those listed above. Any lines starting with "vc/" followed by numerals should be removed.
- RMF Control
- IA-2
- Severity
- L
- CCI
- CCI-000770
- Version
- RHEL-06-000028
- Vuln IDs
- V-38494
- Rule IDs
- SV-50295r1_rule
Fix: F-43441r1_fix
To restrict root logins on serial ports, ensure lines of this form do not appear in "/etc/securetty": ttyS0 ttyS1 Note: Serial port entries are not limited to those listed above. Any lines starting with "ttyS" followed by numerals should be removed
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-000162
- Version
- RHEL-06-000384
- Vuln IDs
- V-38495
- Rule IDs
- SV-50296r1_rule
Fix: F-43443r1_fix
Change the owner of the audit log files with the following command: # chown root [audit_file]
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- RHEL-06-000030
- Vuln IDs
- V-38497
- Rule IDs
- SV-50298r3_rule
Fix: F-43444r5_fix
If an account is configured for password authentication but does not have an assigned password, it may be possible to log onto the account without authentication. Remove any instances of the "nullok" option in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" to prevent logons with empty passwords.
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-000163
- Version
- RHEL-06-000383
- Vuln IDs
- V-38498
- Rule IDs
- SV-50299r1_rule
Fix: F-43445r1_fix
Change the mode of the audit log files with the following command: # chmod 0640 [audit_file]
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000031
- Vuln IDs
- V-38499
- Rule IDs
- SV-50300r1_rule
Fix: F-43446r1_fix
If any password hashes are stored in "/etc/passwd" (in the second field, instead of an "x"), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000032
- Vuln IDs
- V-38500
- Rule IDs
- SV-50301r2_rule
Fix: F-43447r1_fix
If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.
- RMF Control
- AC-7
- Severity
- M
- CCI
- CCI-001452
- Version
- RHEL-06-000357
- Vuln IDs
- V-38501
- Rule IDs
- SV-50302r4_rule
Fix: F-43448r6_fix
Utilizing "pam_faillock.so", the "fail_interval" directive configures the system to lock out accounts after a number of incorrect logon attempts. Modify the content of both "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" as follows: Add the following line immediately before the "pam_unix.so" statement in the "AUTH" section: auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900 Add the following line immediately after the "pam_unix.so" statement in the "AUTH" section: auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900 Add the following line immediately before the "pam_unix.so" statement in the "ACCOUNT" section: account required pam_faillock.so Note that any updates made to "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" may be overwritten by the "authconfig" program. The "authconfig" program should not be used.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000033
- Vuln IDs
- V-38502
- Rule IDs
- SV-50303r1_rule
Fix: F-43449r1_fix
To properly set the owner of "/etc/shadow", run the command: # chown root /etc/shadow
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000034
- Vuln IDs
- V-38503
- Rule IDs
- SV-50304r1_rule
Fix: F-43450r1_fix
To properly set the group owner of "/etc/shadow", run the command: # chgrp root /etc/shadow
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000035
- Vuln IDs
- V-38504
- Rule IDs
- SV-50305r1_rule
Fix: F-43451r1_fix
To properly set the permissions of "/etc/shadow", run the command: # chmod 0000 /etc/shadow
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000082
- Vuln IDs
- V-38511
- Rule IDs
- SV-50312r3_rule
Fix: F-43458r3_fix
To set the runtime status of the "net.ipv4.ip_forward" kernel parameter, run the following command: # sysctl -w net.ipv4.ip_forward=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.ip_forward = 0 Issue the following command to make the changes take effect: # sysctl --system
- RMF Control
- SC-7
- Severity
- M
- CCI
- CCI-001100
- Version
- RHEL-06-000117
- Vuln IDs
- V-38512
- Rule IDs
- SV-50313r2_rule
Fix: F-43459r2_fix
The "iptables" service can be enabled with the following commands: # chkconfig iptables on # service iptables start
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000382
- Version
- RHEL-06-000124
- Vuln IDs
- V-38514
- Rule IDs
- SV-50315r5_rule
Fix: F-43461r3_fix
The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the "dccp" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install dccp /bin/true
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000382
- Version
- RHEL-06-000125
- Vuln IDs
- V-38515
- Rule IDs
- SV-50316r5_rule
Fix: F-43462r3_fix
The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the "sctp" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install sctp /bin/true
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-000382
- Version
- RHEL-06-000126
- Vuln IDs
- V-38516
- Rule IDs
- SV-50317r3_rule
Fix: F-43463r4_fix
The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-bandwidth, low-latency communications between nodes in a cluster. To configure the system to prevent the "rds" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install rds /bin/true
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000382
- Version
- RHEL-06-000127
- Vuln IDs
- V-38517
- Rule IDs
- SV-50318r5_rule
Fix: F-43464r3_fix
The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the "tipc" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install tipc /bin/true
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- RHEL-06-000133
- Vuln IDs
- V-38518
- Rule IDs
- SV-50319r2_rule
Fix: F-43465r1_fix
The owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's owner: $ ls -l [LOGFILE] If the owner is not "root", run the following command to correct this: # chown root [LOGFILE]
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000169
- Version
- RHEL-06-000167
- Vuln IDs
- V-38522
- Rule IDs
- SV-50323r4_rule
Fix: F-43470r3_fix
Add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b32 -S settimeofday -k audit_time_rules If the system is 64-bit, then also add the following: # audit_time_rules -a always,exit -F arch=b64 -S settimeofday -k audit_time_rules
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000083
- Vuln IDs
- V-38523
- Rule IDs
- SV-50324r3_rule
Fix: F-43471r2_fix
To set the runtime status of the "net.ipv4.conf.all.accept_source_route" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.accept_source_route=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.all.accept_source_route = 0 Issue the following command to make the changes take effect: # sysctl --system
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000084
- Vuln IDs
- V-38524
- Rule IDs
- SV-50325r3_rule
Fix: F-43472r2_fix
To set the runtime status of the "net.ipv4.conf.all.accept_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.accept_redirects=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.all.accept_redirects = 0 Issue the following command to make the changes take effect: # sysctl --system
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000169
- Version
- RHEL-06-000169
- Vuln IDs
- V-38525
- Rule IDs
- SV-50326r5_rule
Fix: F-43473r5_fix
Add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b32 -S stime -k audit_time_rules
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000086
- Vuln IDs
- V-38526
- Rule IDs
- SV-50327r3_rule
Fix: F-43474r2_fix
To set the runtime status of the "net.ipv4.conf.all.secure_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.secure_redirects=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.all.secure_redirects = 0 Issue the following command to make the changes take effect: # sysctl --system
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000169
- Version
- RHEL-06-000171
- Vuln IDs
- V-38527
- Rule IDs
- SV-50328r4_rule
Fix: F-43475r3_fix
Add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b32 -S clock_settime -k audit_time_rules If the system is 64-bit, then also add the following: # audit_time_rules -a always,exit -F arch=b64 -S clock_settime -k audit_time_rules
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- RHEL-06-000088
- Vuln IDs
- V-38528
- Rule IDs
- SV-50329r3_rule
Fix: F-43476r2_fix
To set the runtime status of the "net.ipv4.conf.all.log_martians" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.log_martians=1 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.all.log_martians = 1 Issue the following command to make the changes take effect: # sysctl --system
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000089
- Vuln IDs
- V-38529
- Rule IDs
- SV-50330r3_rule
Fix: F-43478r2_fix
To set the runtime status of the "net.ipv4.conf.default.accept_source_route" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.accept_source_route=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.default.accept_source_route = 0 Issue the following command to make the changes take effect: # sysctl --system
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000169
- Version
- RHEL-06-000173
- Vuln IDs
- V-38530
- Rule IDs
- SV-50331r2_rule
Fix: F-43477r1_fix
Add the following to "/etc/audit/audit.rules": -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.
- RMF Control
- AC-2
- Severity
- L
- CCI
- CCI-000018
- Version
- RHEL-06-000174
- Vuln IDs
- V-38531
- Rule IDs
- SV-50332r2_rule
Fix: F-43480r1_fix
Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes: # audit_account_changes -w /etc/group -p wa -k audit_account_changes -w /etc/passwd -p wa -k audit_account_changes -w /etc/gshadow -p wa -k audit_account_changes -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000090
- Vuln IDs
- V-38532
- Rule IDs
- SV-50333r3_rule
Fix: F-43479r2_fix
To set the runtime status of the "net.ipv4.conf.default.secure_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.secure_redirects=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.default.secure_redirects = 0 Issue the following command to make the changes take effect: # sysctl --system
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- RHEL-06-000091
- Vuln IDs
- V-38533
- Rule IDs
- SV-50334r4_rule
Fix: F-43481r2_fix
To set the runtime status of the "net.ipv4.conf.default.accept_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.accept_redirects=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.default.accept_redirects = 0 Issue the following command to make the changes take effect: # sysctl --system
- RMF Control
- AC-2
- Severity
- L
- CCI
- CCI-001403
- Version
- RHEL-06-000175
- Vuln IDs
- V-38534
- Rule IDs
- SV-50335r2_rule
Fix: F-43482r1_fix
Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes: # audit_account_changes -w /etc/group -p wa -k audit_account_changes -w /etc/passwd -p wa -k audit_account_changes -w /etc/gshadow -p wa -k audit_account_changes -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- RHEL-06-000092
- Vuln IDs
- V-38535
- Rule IDs
- SV-50336r3_rule
Fix: F-43483r2_fix
To set the runtime status of the "net.ipv4.icmp_echo_ignore_broadcasts" kernel parameter, run the following command: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.icmp_echo_ignore_broadcasts = 1 Issue the following command to make the changes take effect: # sysctl --system
- RMF Control
- AC-2
- Severity
- L
- CCI
- CCI-001404
- Version
- RHEL-06-000176
- Vuln IDs
- V-38536
- Rule IDs
- SV-50337r2_rule
Fix: F-43484r1_fix
Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes: # audit_account_changes -w /etc/group -p wa -k audit_account_changes -w /etc/passwd -p wa -k audit_account_changes -w /etc/gshadow -p wa -k audit_account_changes -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- RHEL-06-000093
- Vuln IDs
- V-38537
- Rule IDs
- SV-50338r3_rule
Fix: F-43485r2_fix
To set the runtime status of the "net.ipv4.icmp_ignore_bogus_error_responses" kernel parameter, run the following command: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.icmp_ignore_bogus_error_responses = 1 Issue the following command to make the changes take effect: # sysctl --system
- RMF Control
- AC-2
- Severity
- L
- CCI
- CCI-001405
- Version
- RHEL-06-000177
- Vuln IDs
- V-38538
- Rule IDs
- SV-50339r2_rule
Fix: F-43486r1_fix
Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes: # audit_account_changes -w /etc/group -p wa -k audit_account_changes -w /etc/passwd -p wa -k audit_account_changes -w /etc/gshadow -p wa -k audit_account_changes -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes
- RMF Control
- SC-5
- Severity
- M
- CCI
- CCI-001095
- Version
- RHEL-06-000095
- Vuln IDs
- V-38539
- Rule IDs
- SV-50340r3_rule
Fix: F-43487r2_fix
To set the runtime status of the "net.ipv4.tcp_syncookies" kernel parameter, run the following command: # sysctl -w net.ipv4.tcp_syncookies=1 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.tcp_syncookies = 1 Issue the following command to make the changes take effect: # sysctl --system
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- RHEL-06-000182
- Vuln IDs
- V-38540
- Rule IDs
- SV-50341r5_rule
Fix: F-43488r4_fix
Add the following to "/etc/audit/audit.rules": # audit_network_modifications -a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications -w /etc/issue -p wa -k audit_network_modifications -w /etc/issue.net -p wa -k audit_network_modifications -w /etc/hosts -p wa -k audit_network_modifications -w /etc/sysconfig/network -p wa -k audit_network_modifications If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_network_modifications
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- RHEL-06-000183
- Vuln IDs
- V-38541
- Rule IDs
- SV-50342r2_rule
Fix: F-43489r1_fix
Add the following to "/etc/audit/audit.rules": -w /etc/selinux/ -p wa -k MAC-policy
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000096
- Vuln IDs
- V-38542
- Rule IDs
- SV-50343r3_rule
Fix: F-43490r3_fix
To set the runtime status of the "net.ipv4.conf.all.rp_filter" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.rp_filter=1 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.all.rp_filter = 1 Issue the following command to make the changes take effect: # sysctl --system
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000172
- Version
- RHEL-06-000184
- Vuln IDs
- V-38543
- Rule IDs
- SV-50344r4_rule
Fix: F-43491r2_fix
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S chmod -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S chmod -F auid=0 -k perm_mod
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000097
- Vuln IDs
- V-38544
- Rule IDs
- SV-50345r3_rule
Fix: F-43492r2_fix
To set the runtime status of the "net.ipv4.conf.default.rp_filter" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.rp_filter=1 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.default.rp_filter = 1 Issue the following command to make the changes take effect: # sysctl --system
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000172
- Version
- RHEL-06-000185
- Vuln IDs
- V-38545
- Rule IDs
- SV-50346r4_rule
Fix: F-43493r2_fix
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S chown -F auid=0 -k perm_mod
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000172
- Version
- RHEL-06-000186
- Vuln IDs
- V-38547
- Rule IDs
- SV-50348r4_rule
Fix: F-43495r2_fix
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_mod
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000099
- Vuln IDs
- V-38548
- Rule IDs
- SV-50349r4_rule
Fix: F-43496r2_fix
To set the runtime status of the "net.ipv6.conf.default.accept_redirects" kernel parameter, run the following command: # sysctl -w net.ipv6.conf.default.accept_redirects=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv6.conf.default.accept_redirects = 0 Issue the following command to make the changes take effect: # sysctl --system
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000172
- Version
- RHEL-06-000187
- Vuln IDs
- V-38550
- Rule IDs
- SV-50351r4_rule
Fix: F-43498r2_fix
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_mod
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000172
- Version
- RHEL-06-000188
- Vuln IDs
- V-38552
- Rule IDs
- SV-50353r4_rule
Fix: F-43500r2_fix
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_mod
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000172
- Version
- RHEL-06-000189
- Vuln IDs
- V-38554
- Rule IDs
- SV-50355r4_rule
Fix: F-43502r2_fix
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_mod
- RMF Control
- SC-7
- Severity
- M
- CCI
- CCI-001118
- Version
- RHEL-06-000113
- Vuln IDs
- V-38555
- Rule IDs
- SV-50356r2_rule
Fix: F-43503r2_fix
The "iptables" service can be enabled with the following commands: # chkconfig iptables on # service iptables start
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000172
- Version
- RHEL-06-000190
- Vuln IDs
- V-38556
- Rule IDs
- SV-50357r4_rule
Fix: F-43504r2_fix
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000172
- Version
- RHEL-06-000191
- Vuln IDs
- V-38557
- Rule IDs
- SV-50358r4_rule
Fix: F-43505r2_fix
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000172
- Version
- RHEL-06-000192
- Vuln IDs
- V-38558
- Rule IDs
- SV-50359r4_rule
Fix: F-43506r2_fix
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000172
- Version
- RHEL-06-000193
- Vuln IDs
- V-38559
- Rule IDs
- SV-50360r4_rule
Fix: F-43507r2_fix
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000172
- Version
- RHEL-06-000194
- Vuln IDs
- V-38561
- Rule IDs
- SV-50362r4_rule
Fix: F-43509r2_fix
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000172
- Version
- RHEL-06-000195
- Vuln IDs
- V-38563
- Rule IDs
- SV-50364r4_rule
Fix: F-43511r2_fix
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000172
- Version
- RHEL-06-000196
- Vuln IDs
- V-38565
- Rule IDs
- SV-50366r4_rule
Fix: F-43513r2_fix
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000172
- Version
- RHEL-06-000197
- Vuln IDs
- V-38566
- Rule IDs
- SV-50367r3_rule
Fix: F-43514r3_fix
At a minimum, the audit system should collect unauthorized file accesses for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid=0 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid=0 -k access If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid=0 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid=0 -k access
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000172
- Version
- RHEL-06-000199
- Vuln IDs
- V-38568
- Rule IDs
- SV-50369r4_rule
Fix: F-43516r3_fix
At a minimum, the audit system should collect media exportation events for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export -a always,exit -F arch=b32 -S mount -F auid=0 -k export If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export -a always,exit -F arch=b64 -S mount -F auid=0 -k export
- RMF Control
- IA-5
- Severity
- L
- CCI
- CCI-000192
- Version
- RHEL-06-000057
- Vuln IDs
- V-38569
- Rule IDs
- SV-50370r2_rule
Fix: F-43517r2_fix
The pam_cracklib module's "ucredit=" parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each uppercase character. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "ucredit=-1" after pam_cracklib.so to require use of an uppercase character in passwords.
- RMF Control
- IA-5
- Severity
- L
- CCI
- CCI-001619
- Version
- RHEL-06-000058
- Vuln IDs
- V-38570
- Rule IDs
- SV-50371r2_rule
Fix: F-43518r2_fix
The pam_cracklib module's "ocredit=" parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each special character. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "ocredit=-1" after pam_cracklib.so to require use of a special character in passwords.
- RMF Control
- IA-5
- Severity
- L
- CCI
- CCI-000193
- Version
- RHEL-06-000059
- Vuln IDs
- V-38571
- Rule IDs
- SV-50372r3_rule
Fix: F-43519r3_fix
The pam_cracklib module's "lcredit=" parameter controls requirements for usage of lower-case letters in a password. When set to a negative number, any password will be required to contain that many lower-case characters. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "lcredit=-1" after pam_cracklib.so to require use of a lower-case character in passwords.
- RMF Control
- IA-5
- Severity
- L
- CCI
- CCI-000195
- Version
- RHEL-06-000060
- Vuln IDs
- V-38572
- Rule IDs
- SV-50373r3_rule
Fix: F-43520r4_fix
The pam_cracklib module's "difok" parameter controls requirements for usage of different characters during a password change. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "difok=[NUM]" after pam_cracklib.so to require differing characters when changing passwords, substituting [NUM] appropriately. The DoD requirement is 8.
- RMF Control
- AC-7
- Severity
- M
- CCI
- CCI-000044
- Version
- RHEL-06-000061
- Vuln IDs
- V-38573
- Rule IDs
- SV-50374r4_rule
Fix: F-43521r8_fix
To configure the system to lock out accounts after a number of incorrect logon attempts using "pam_faillock.so", modify the content of both "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" as follows: Add the following line immediately before the "pam_unix.so" statement in the "AUTH" section: auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900 Add the following line immediately after the "pam_unix.so" statement in the "AUTH" section: auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900 Add the following line immediately before the "pam_unix.so" statement in the "ACCOUNT" section: account required pam_faillock.so Note that any updates made to "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" may be overwritten by the "authconfig" program. The "authconfig" program should not be used.
- RMF Control
- IA-7
- Severity
- M
- CCI
- CCI-000803
- Version
- RHEL-06-000062
- Vuln IDs
- V-38574
- Rule IDs
- SV-50375r4_rule
Fix: F-43522r4_fix
In "/etc/pam.d/system-auth”, "/etc/pam.d/system-auth-ac", “/etc/pam.d/password-auth”, and “/etc/pam.d/password-auth-ac”, among potentially other files, the "password" section of the files controls which PAM modules execute during a password change. Set the "pam_unix.so" module in the "password" section to include the argument "sha512", as shown below: password sufficient pam_unix.so sha512 [other arguments...] This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default. Note: Any updates made to "/etc/pam.d/system-auth" will be overwritten by the "authconfig" program. The "authconfig" program should not be used.
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000172
- Version
- RHEL-06-000200
- Vuln IDs
- V-38575
- Rule IDs
- SV-50376r5_rule
Fix: F-43523r5_fix
At a minimum, the audit system should collect file deletion events for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete
- RMF Control
- IA-7
- Severity
- M
- CCI
- CCI-000803
- Version
- RHEL-06-000063
- Vuln IDs
- V-38576
- Rule IDs
- SV-50377r1_rule
Fix: F-43524r1_fix
In "/etc/login.defs", add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm: ENCRYPT_METHOD SHA512
- RMF Control
- IA-7
- Severity
- M
- CCI
- CCI-000803
- Version
- RHEL-06-000064
- Vuln IDs
- V-38577
- Rule IDs
- SV-50378r1_rule
Fix: F-43525r1_fix
In "/etc/libuser.conf", add or correct the following line in its "[defaults]" section to ensure the system will use the SHA-512 algorithm for password hashing: crypt_style = sha512
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000172
- Version
- RHEL-06-000201
- Vuln IDs
- V-38578
- Rule IDs
- SV-50379r2_rule
Fix: F-43526r1_fix
At a minimum, the audit system should collect administrator actions for all users and root. Add the following to "/etc/audit/audit.rules": -w /etc/sudoers -p wa -k actions
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000065
- Vuln IDs
- V-38579
- Rule IDs
- SV-50380r2_rule
Fix: F-43527r2_fix
The file "/boot/grub/grub.conf" should be owned by the "root" user to prevent destruction or modification of the file. To properly set the owner of "/boot/grub/grub.conf", run the command: # chown root /boot/grub/grub.conf
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RHEL-06-000202
- Vuln IDs
- V-38580
- Rule IDs
- SV-50381r3_rule
Fix: F-43528r3_fix
Add the following to "/etc/audit/audit.rules" in order to capture kernel module loading and unloading events: -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules -a always,exit -F arch=b32 -S init_module -S delete_module -k modules If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S init_module -S delete_module -k modules
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000066
- Vuln IDs
- V-38581
- Rule IDs
- SV-50382r2_rule
Fix: F-43529r2_fix
The file "/boot/grub/grub.conf" should be group-owned by the "root" group to prevent destruction or modification of the file. To properly set the group owner of "/boot/grub/grub.conf", run the command: # chgrp root /boot/grub/grub.conf
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000382
- Version
- RHEL-06-000203
- Vuln IDs
- V-38582
- Rule IDs
- SV-50383r2_rule
Fix: F-43530r2_fix
The "xinetd" service can be disabled with the following commands: # chkconfig xinetd off # service xinetd stop
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000067
- Vuln IDs
- V-38583
- Rule IDs
- SV-50384r5_rule
Fix: F-43531r4_fix
Set file permissions for "/boot/grub/grub.conf" to 600, which is the default. To properly set the permissions of "/boot/grub/grub.conf", run the command: $ chmod 600 /boot/grub/grub.conf
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-000382
- Version
- RHEL-06-000204
- Vuln IDs
- V-38584
- Rule IDs
- SV-50385r1_rule
Fix: F-43532r1_fix
The "xinetd" package can be uninstalled with the following command: # yum erase xinetd
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RHEL-06-000068
- Vuln IDs
- V-38585
- Rule IDs
- SV-50386r4_rule
Fix: F-43533r3_fix
The grub boot loader should have password protection enabled to protect boot-time settings. To do so, select a password and then generate a hash from it by running the following command: # grub-crypt --sha-512 When prompted to enter a password, insert the following line into "/boot/grub/grub.conf" or “/boot/efi/EFI/redhat/grub.conf” immediately after the header comments. (Use the output from "grub-crypt" as the value of [password-hash]): password --encrypted [password-hash]
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RHEL-06-000069
- Vuln IDs
- V-38586
- Rule IDs
- SV-50387r1_rule
Fix: F-43534r1_fix
Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected. To require entry of the root password even if the system is started in single-user mode, add or correct the following line in the file "/etc/sysconfig/init": SINGLE=/sbin/sulogin
- RMF Control
- CM-7
- Severity
- H
- CCI
- CCI-000381
- Version
- RHEL-06-000206
- Vuln IDs
- V-38587
- Rule IDs
- SV-50388r1_rule
Fix: F-43535r1_fix
The "telnet-server" package can be uninstalled with the following command: # yum erase telnet-server
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RHEL-06-000070
- Vuln IDs
- V-38588
- Rule IDs
- SV-50389r1_rule
Fix: F-43536r1_fix
To disable the ability for users to perform interactive startups, edit the file "/etc/sysconfig/init". Add or correct the line: PROMPT=no The "PROMPT" option allows the console user to perform an interactive system startup, in which it is possible to select the set of services which are started on boot.
- RMF Control
- MA-4
- Severity
- H
- CCI
- CCI-000888
- Version
- RHEL-06-000211
- Vuln IDs
- V-38589
- Rule IDs
- SV-50390r2_rule
Fix: F-43537r1_fix
The "telnet" service can be disabled with the following command: # chkconfig telnet off
- RMF Control
- AC-11
- Severity
- L
- CCI
- CCI-000058
- Version
- RHEL-06-000071
- Vuln IDs
- V-38590
- Rule IDs
- SV-50391r1_rule
Fix: F-43538r1_fix
To enable console screen locking when in text mode, install the "screen" package: # yum install screen Instruct users to begin new terminal sessions with the following command: $ screen The console can now be locked with the following key combination: ctrl+a x
- RMF Control
- CM-7
- Severity
- H
- CCI
- CCI-000381
- Version
- RHEL-06-000213
- Vuln IDs
- V-38591
- Rule IDs
- SV-50392r1_rule
Fix: F-43539r1_fix
The "rsh-server" package can be uninstalled with the following command: # yum erase rsh-server
- RMF Control
- AC-7
- Severity
- M
- CCI
- CCI-000047
- Version
- RHEL-06-000356
- Vuln IDs
- V-38592
- Rule IDs
- SV-50393r4_rule
Fix: F-43541r6_fix
To configure the system to lock out accounts after a number of incorrect logon attempts and require an administrator to unlock the account using "pam_faillock.so", modify the content of both "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" as follows: Add the following line immediately before the "pam_unix.so" statement in the "AUTH" section: auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900 Add the following line immediately after the "pam_unix.so" statement in the "AUTH" section: auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900 Add the following line immediately before the "pam_unix.so" statement in the "ACCOUNT" section: account required pam_faillock.so Note that any updates made to "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" may be overwritten by the "authconfig" program. The "authconfig" program should not be used.
- RMF Control
- AC-17
- Severity
- H
- CCI
- CCI-000068
- Version
- RHEL-06-000214
- Vuln IDs
- V-38594
- Rule IDs
- SV-50395r2_rule
Fix: F-43542r3_fix
The "rsh" service, which is available with the "rsh-server" package and runs as a service through xinetd, should be disabled. The "rsh" service can be disabled with the following command: # chkconfig rsh off
- RMF Control
- AC-17
- Severity
- H
- CCI
- CCI-000068
- Version
- RHEL-06-000216
- Vuln IDs
- V-38598
- Rule IDs
- SV-50399r2_rule
Fix: F-43546r3_fix
The "rexec" service, which is available with the "rsh-server" package and runs as a service through xinetd, should be disabled. The "rexec" service can be disabled with the following command: # chkconfig rexec off
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000080
- Vuln IDs
- V-38600
- Rule IDs
- SV-50401r3_rule
Fix: F-43547r2_fix
To set the runtime status of the "net.ipv4.conf.default.send_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.send_redirects=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.default.send_redirects = 0 Issue the following command to make the changes take effect: # sysctl --system
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000081
- Vuln IDs
- V-38601
- Rule IDs
- SV-50402r3_rule
Fix: F-43548r2_fix
To set the runtime status of the "net.ipv4.conf.all.send_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.send_redirects=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.all.send_redirects = 0 Issue the following command to make the changes take effect: # sysctl --system
- RMF Control
- AC-17
- Severity
- H
- CCI
- CCI-001436
- Version
- RHEL-06-000218
- Vuln IDs
- V-38602
- Rule IDs
- SV-50403r2_rule
Fix: F-43549r3_fix
The "rlogin" service, which is available with the "rsh-server" package and runs as a service through xinetd, should be disabled. The "rlogin" service can be disabled with the following command: # chkconfig rlogin off
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- RHEL-06-000220
- Vuln IDs
- V-38603
- Rule IDs
- SV-50404r1_rule
Fix: F-43551r1_fix
The "ypserv" package can be uninstalled with the following command: # yum erase ypserv
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000382
- Version
- RHEL-06-000221
- Vuln IDs
- V-38604
- Rule IDs
- SV-50405r2_rule
Fix: F-43552r2_fix
The "ypbind" service, which allows the system to act as a client in a NIS or NIS+ domain, should be disabled. The "ypbind" service can be disabled with the following commands: # chkconfig ypbind off # service ypbind stop
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000224
- Vuln IDs
- V-38605
- Rule IDs
- SV-50406r2_rule
Fix: F-43553r2_fix
The "crond" service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The "crond" service can be enabled with the following commands: # chkconfig crond on # service crond start
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- RHEL-06-000222
- Vuln IDs
- V-38606
- Rule IDs
- SV-50407r3_rule
Fix: F-43554r1_fix
The "tftp-server" package can be removed with the following command: # yum erase tftp-server
- RMF Control
- IA-2
- Severity
- H
- CCI
- CCI-000774
- Version
- RHEL-06-000227
- Vuln IDs
- V-38607
- Rule IDs
- SV-50408r1_rule
Fix: F-43555r1_fix
Only SSH protocol version 2 connections should be permitted. The default setting in "/etc/ssh/sshd_config" is correct, and can be verified by ensuring that the following line appears: Protocol 2
- RMF Control
- SC-10
- Severity
- L
- CCI
- CCI-001133
- Version
- RHEL-06-000230
- Vuln IDs
- V-38608
- Rule IDs
- SV-50409r1_rule
Fix: F-43556r1_fix
SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out. To set an idle timeout interval, edit the following line in "/etc/ssh/sshd_config" as follows: ClientAliveInterval [interval] The timeout [interval] is given in seconds. To have a timeout of 15 minutes, set [interval] to 900. If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.
- RMF Control
- MA-4
- Severity
- L
- CCI
- CCI-000879
- Version
- RHEL-06-000231
- Vuln IDs
- V-38610
- Rule IDs
- SV-50411r1_rule
Fix: F-43558r1_fix
To ensure the SSH idle timeout occurs precisely when the "ClientAliveCountMax" is set, edit "/etc/ssh/sshd_config" as follows: ClientAliveCountMax 0
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000766
- Version
- RHEL-06-000234
- Vuln IDs
- V-38611
- Rule IDs
- SV-50412r1_rule
Fix: F-43559r1_fix
SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via ".rhosts" files. To ensure this behavior is disabled, add or correct the following line in "/etc/ssh/sshd_config": IgnoreRhosts yes
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000766
- Version
- RHEL-06-000236
- Vuln IDs
- V-38612
- Rule IDs
- SV-50413r1_rule
Fix: F-43560r1_fix
SSH's cryptographic host-based authentication is more secure than ".rhosts" authentication, since hosts are cryptographically authenticated. However, it is not recommended that hosts unilaterally trust one another, even within an organization. To disable host-based authentication, add or correct the following line in "/etc/ssh/sshd_config": HostbasedAuthentication no
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000770
- Version
- RHEL-06-000237
- Vuln IDs
- V-38613
- Rule IDs
- SV-50414r1_rule
Fix: F-43561r1_fix
The root user should never be allowed to log in to a system directly over a network. To disable root login via SSH, add or correct the following line in "/etc/ssh/sshd_config": PermitRootLogin no
- RMF Control
- IA-2
- Severity
- H
- CCI
- CCI-000766
- Version
- RHEL-06-000239
- Vuln IDs
- V-38614
- Rule IDs
- SV-50415r1_rule
Fix: F-43562r1_fix
To explicitly disallow remote login from accounts with empty passwords, add or correct the following line in "/etc/ssh/sshd_config": PermitEmptyPasswords no Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.
- RMF Control
- AC-8
- Severity
- M
- CCI
- CCI-000048
- Version
- RHEL-06-000240
- Vuln IDs
- V-38615
- Rule IDs
- SV-50416r1_rule
Fix: F-43563r1_fix
To enable the warning banner and ensure it is consistent across the system, add or correct the following line in "/etc/ssh/sshd_config": Banner /etc/issue Another section contains information on how to create an appropriate system-wide warning banner.
- RMF Control
- AC-4
- Severity
- L
- CCI
- CCI-001414
- Version
- RHEL-06-000241
- Vuln IDs
- V-38616
- Rule IDs
- SV-50417r1_rule
Fix: F-43565r1_fix
To ensure users are not able to present environment options to the SSH daemon, add or correct the following line in "/etc/ssh/sshd_config": PermitUserEnvironment no
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- RHEL-06-000246
- Vuln IDs
- V-38618
- Rule IDs
- SV-50419r2_rule
Fix: F-43567r2_fix
The "avahi-daemon" service can be disabled with the following commands: # chkconfig avahi-daemon off # service avahi-daemon stop
- RMF Control
- AU-8
- Severity
- M
- CCI
- CCI-000160
- Version
- RHEL-06-000247
- Vuln IDs
- V-38620
- Rule IDs
- SV-50421r1_rule
Fix: F-43568r1_fix
The "ntpd" service can be enabled with the following command: # chkconfig ntpd on # service ntpd start
- RMF Control
- AU-8
- Severity
- M
- CCI
- CCI-000160
- Version
- RHEL-06-000248
- Vuln IDs
- V-38621
- Rule IDs
- SV-50422r1_rule
Fix: F-43570r1_fix
To specify a remote NTP server for time synchronization, edit the file "/etc/ntp.conf". Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver. server [ntpserver] This instructs the NTP software to contact that remote server to obtain time data.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000382
- Version
- RHEL-06-000249
- Vuln IDs
- V-38622
- Rule IDs
- SV-50423r2_rule
Fix: F-43572r1_fix
Edit the file "/etc/postfix/main.cf" to ensure that only the following "inet_interfaces" line appears: inet_interfaces = localhost
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- RHEL-06-000256
- Vuln IDs
- V-38627
- Rule IDs
- SV-50428r2_rule
Fix: F-43577r2_fix
The "openldap-servers" package should be removed if not in use. # yum erase openldap-servers The openldap-servers RPM is not installed by default on RHEL6 machines. It is needed only by the OpenLDAP server, not by the clients which use LDAP for authentication. If the system is not intended for use as an LDAP Server it should be removed.
- RMF Control
- AC-11
- Severity
- M
- CCI
- CCI-000057
- Version
- RHEL-06-000257
- Vuln IDs
- V-38629
- Rule IDs
- SV-50430r3_rule
Fix: F-43578r1_fix
Run the following command to set the idle time-out value for inactivity in the GNOME desktop to 15 minutes: # gconftool-2 \ --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type int \ --set /apps/gnome-screensaver/idle_delay 15
- RMF Control
- AC-11
- Severity
- M
- CCI
- CCI-000057
- Version
- RHEL-06-000258
- Vuln IDs
- V-38630
- Rule IDs
- SV-50431r3_rule
Fix: F-43579r1_fix
Run the following command to activate the screensaver in the GNOME desktop after a period of inactivity: # gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/gnome-screensaver/idle_activation_enabled true
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000160
- Vuln IDs
- V-38633
- Rule IDs
- SV-50434r1_rule
Fix: F-43582r1_fix
Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting the correct value for [STOREMB]: max_log_file = [STOREMB] Set the value to "6" (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000159
- Vuln IDs
- V-38636
- Rule IDs
- SV-50437r1_rule
Fix: F-43585r1_fix
Determine how many log files "auditd" should retain when it rotates logs. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting [NUMLOGS] with the correct value: num_logs = [NUMLOGS] Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation.
- RMF Control
- AC-11
- Severity
- M
- CCI
- CCI-000057
- Version
- RHEL-06-000259
- Vuln IDs
- V-38638
- Rule IDs
- SV-50439r3_rule
Fix: F-43587r1_fix
Run the following command to activate locking of the screensaver in the GNOME desktop when it is activated: # gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/gnome-screensaver/lock_enabled true
- RMF Control
- AC-11
- Severity
- L
- CCI
- CCI-000060
- Version
- RHEL-06-000260
- Vuln IDs
- V-38639
- Rule IDs
- SV-50440r3_rule
Fix: F-43588r2_fix
Run the following command to set the screensaver mode in the GNOME desktop to a blank screen: # gconftool-2 \ --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type string \ --set /apps/gnome-screensaver/mode blank-only
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-000382
- Version
- RHEL-06-000261
- Vuln IDs
- V-38640
- Rule IDs
- SV-50441r2_rule
Fix: F-43589r2_fix
The Automatic Bug Reporting Tool ("abrtd") daemon collects and reports crash data when an application crash is detected. Using a variety of plugins, abrtd can email crash reports to system administrators, log crash reports to files, or forward crash reports to a centralized issue tracking system such as RHTSupport. The "abrtd" service can be disabled with the following commands: # chkconfig abrtd off # service abrtd stop
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-000382
- Version
- RHEL-06-000262
- Vuln IDs
- V-38641
- Rule IDs
- SV-50442r3_rule
Fix: F-43590r2_fix
The "at" and "batch" commands can be used to schedule tasks that are meant to be executed only once. This allows delayed execution in a manner similar to cron, except that it is not recurring. The daemon "atd" keeps track of tasks scheduled via "at" and "batch", and executes them at the specified time. The "atd" service can be disabled with the following commands: # chkconfig atd off # service atd stop
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- RHEL-06-000346
- Vuln IDs
- V-38642
- Rule IDs
- SV-50443r1_rule
Fix: F-43592r1_fix
The file "/etc/init.d/functions" includes initialization parameters for most or all daemons started at boot time. The default umask of 022 prevents creation of group- or world-writable files. To set the default umask for daemons, edit the following line, inserting 022 or 027 for [UMASK] appropriately: umask [UMASK] Setting the umask to too restrictive a setting can cause serious errors at runtime. Many daemons on the system already individually restrict themselves to a umask of 077 in their own init scripts.
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-000382
- Version
- RHEL-06-000265
- Vuln IDs
- V-38644
- Rule IDs
- SV-50445r2_rule
Fix: F-43593r2_fix
The ntpdate service sets the local hardware clock by polling NTP servers when the system boots. It synchronizes to the NTP servers listed in "/etc/ntp/step-tickers" or "/etc/ntp.conf" and then sets the local hardware clock to the newly synchronized system time. The "ntpdate" service can be disabled with the following commands: # chkconfig ntpdate off # service ntpdate stop
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- RHEL-06-000345
- Vuln IDs
- V-38645
- Rule IDs
- SV-50446r1_rule
Fix: F-43594r1_fix
To ensure the default umask controlled by "/etc/login.defs" is set properly, add or correct the "umask" setting in "/etc/login.defs" to read as follows: UMASK 077
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-000382
- Version
- RHEL-06-000266
- Vuln IDs
- V-38646
- Rule IDs
- SV-50447r2_rule
Fix: F-43595r2_fix
The "oddjobd" service exists to provide an interface and access control mechanism through which specified privileged tasks can run tasks for unprivileged client applications. Communication with "oddjobd" is through the system message bus. The "oddjobd" service can be disabled with the following commands: # chkconfig oddjobd off # service oddjobd stop
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- RHEL-06-000344
- Vuln IDs
- V-38647
- Rule IDs
- SV-50448r1_rule
Fix: F-43596r1_fix
To ensure the default umask controlled by "/etc/profile" is set properly, add or correct the "umask" setting in "/etc/profile" to read as follows: umask 077
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-000382
- Version
- RHEL-06-000267
- Vuln IDs
- V-38648
- Rule IDs
- SV-50449r2_rule
Fix: F-43597r2_fix
The "qpidd" service provides high speed, secure, guaranteed delivery services. It is an implementation of the Advanced Message Queuing Protocol. By default the qpidd service will bind to port 5672 and listen for connection attempts. The "qpidd" service can be disabled with the following commands: # chkconfig qpidd off # service qpidd stop
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- RHEL-06-000343
- Vuln IDs
- V-38649
- Rule IDs
- SV-50450r1_rule
Fix: F-43598r1_fix
To ensure the default umask for users of the C shell is set properly, add or correct the "umask" setting in "/etc/csh.cshrc" to read as follows: umask 077
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-000382
- Version
- RHEL-06-000268
- Vuln IDs
- V-38650
- Rule IDs
- SV-50451r2_rule
Fix: F-43599r2_fix
The "rdisc" service implements the client side of the ICMP Internet Router Discovery Protocol (IRDP), which allows discovery of routers on the local subnet. If a router is discovered then the local routing table is updated with a corresponding default route. By default this daemon is disabled. The "rdisc" service can be disabled with the following commands: # chkconfig rdisc off # service rdisc stop
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- RHEL-06-000342
- Vuln IDs
- V-38651
- Rule IDs
- SV-50452r1_rule
Fix: F-43600r1_fix
To ensure the default umask for users of the Bash shell is set properly, add or correct the "umask" setting in "/etc/bashrc" to read as follows: umask 077
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- RHEL-06-000272
- Vuln IDs
- V-38656
- Rule IDs
- SV-50457r1_rule
Fix: F-43606r1_fix
To require samba clients running "smbclient" to use packet signing, add the following to the "[global]" section of the Samba configuration file in "/etc/samba/smb.conf": client signing = mandatory Requiring samba clients such as "smbclient" to use packet signing ensures they can only communicate with servers that support packet signing.
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000200
- Version
- RHEL-06-000274
- Vuln IDs
- V-38658
- Rule IDs
- SV-50459r6_rule
Fix: F-43608r6_fix
Do not allow users to reuse recent passwords. This can be accomplished by using the "remember" option for the "pam_pwhistory" PAM module. In the file "/etc/pam.d/system-auth" and /etc/pam.d/password-auth, append "remember=5" to the lines that refer to the "pam_pwhistory.so" module, as shown: password required pam_pwhistory.so [existing_options] remember=5 or password requisite pam_pwhistory.so [existing_options] remember=5 The DoD requirement is five passwords.
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- RHEL-06-000286
- Vuln IDs
- V-38668
- Rule IDs
- SV-50469r4_rule
Fix: F-43617r3_fix
By default, the system includes the following line in "/etc/init/control-alt-delete.conf" to reboot the system when the Ctrl-Alt-Delete key sequence is pressed: exec /sbin/shutdown -r now "Ctrl-Alt-Delete pressed" To configure the system to log a message instead of rebooting the system, add the following line to "/etc/init/control-alt-delete.override" to read as follows: exec /usr/bin/logger -p authpriv.notice "Ctrl-Alt-Delete pressed"
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- RHEL-06-000287
- Vuln IDs
- V-38669
- Rule IDs
- SV-50470r1_rule
Fix: F-43618r1_fix
The Postfix mail transfer agent is used for local mail delivery within the system. The default configuration only listens for connections to the default SMTP port (port 25) on the loopback interface (127.0.0.1). It is recommended to leave this service enabled for local mail delivery. The "postfix" service can be enabled with the following command: # chkconfig postfix on # service postfix start
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000288
- Vuln IDs
- V-38671
- Rule IDs
- SV-50472r1_rule
Fix: F-43620r1_fix
Sendmail is not the default mail transfer agent and is not installed by default. The "sendmail" package can be removed with the following command: # yum erase sendmail
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-000382
- Version
- RHEL-06-000289
- Vuln IDs
- V-38672
- Rule IDs
- SV-50473r2_rule
Fix: F-43622r2_fix
The "netconsole" service is responsible for loading the netconsole kernel module, which logs kernel printk messages over UDP to a syslog server. This allows debugging of problems where disk logging fails and serial consoles are impractical. The "netconsole" service can be disabled with the following commands: # chkconfig netconsole off # service netconsole stop
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-001436
- Version
- RHEL-06-000290
- Vuln IDs
- V-38674
- Rule IDs
- SV-50475r1_rule
Fix: F-43623r1_fix
Setting the system's runlevel to 3 will prevent automatic startup of the X server. To do so, ensure the following line in "/etc/inittab" features a "3" as shown: id:3:initdefault:
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- RHEL-06-000308
- Vuln IDs
- V-38675
- Rule IDs
- SV-50476r2_rule
Fix: F-43624r1_fix
To disable core dumps for all users, add the following line to "/etc/security/limits.conf": * hard core 0
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- RHEL-06-000291
- Vuln IDs
- V-38676
- Rule IDs
- SV-50477r2_rule
Fix: F-43625r1_fix
Removing all packages which constitute the X Window System ensures users or malicious software cannot start X. To do so, run the following command: # yum groupremove "X Window System"
- RMF Control
- IA-2
- Severity
- H
- CCI
- CCI-000764
- Version
- RHEL-06-000309
- Vuln IDs
- V-38677
- Rule IDs
- SV-50478r1_rule
Fix: F-43626r1_fix
By default the NFS server requires secure file-lock requests, which require credentials from the client in order to lock a file. Most NFS clients send credentials with file lock requests, however, there are a few clients that do not send credentials when requesting a file-lock, allowing the client to only be able to lock world-readable files. To get around this, the "insecure_locks" option can be used so these clients can access the desired export. This poses a security risk by potentially allowing the client access to data for which it does not have authorization. Remove any instances of the "insecure_locks" option from the file "/etc/exports".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000292
- Vuln IDs
- V-38679
- Rule IDs
- SV-50480r4_rule
Fix: F-43628r2_fix
For each interface [IFACE] on the system (e.g. eth0), edit "/etc/sysconfig/network-scripts/ifcfg-[IFACE]" and make the following changes. Correct the BOOTPROTO line to read: BOOTPROTO=none Add or correct the following lines, substituting the appropriate values based on your site's addressing scheme: NETMASK=[local LAN netmask] IPADDR=[assigned IP address] GATEWAY=[local LAN default gateway]
- RMF Control
- AU-5
- Severity
- M
- CCI
- CCI-000139
- Version
- RHEL-06-000313
- Vuln IDs
- V-38680
- Rule IDs
- SV-50481r1_rule
Fix: F-43629r1_fix
The "auditd" service can be configured to send email to a designated account in certain situations. Add or correct the following line in "/etc/audit/auditd.conf" to ensure that administrators are notified via email for those situations: action_mail_acct = root
- RMF Control
- AC-10
- Severity
- L
- CCI
- CCI-000054
- Version
- RHEL-06-000319
- Vuln IDs
- V-38684
- Rule IDs
- SV-50485r2_rule
Fix: F-43633r1_fix
Limiting the number of allowed users and sessions per user can limit risks related to denial of service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. To set the number of concurrent sessions per user add the following line in "/etc/security/limits.conf": * hard maxlogins 10 A documented site-defined number may be substituted for 10 in the above.
- RMF Control
- SC-9
- Severity
- L
- CCI
- CCI-001130
- Version
- RHEL-06-000321
- Vuln IDs
- V-38687
- Rule IDs
- SV-50488r3_rule
Fix: F-43636r2_fix
The “libreswan” package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. The "libreswan" package can be installed with the following command: # yum install libreswan
- RMF Control
- AC-8
- Severity
- M
- CCI
- CCI-000050
- Version
- RHEL-06-000324
- Vuln IDs
- V-38688
- Rule IDs
- SV-50489r3_rule
Fix: F-43637r2_fix
To enable displaying a login warning banner in the GNOME Display Manager's login screen, run the following command: # gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/gdm/simple-greeter/banner_message_enable true To display a banner, this setting must be enabled and then banner text must also be set.
- RMF Control
- AC-19
- Severity
- M
- CCI
- CCI-000085
- Version
- RHEL-06-000331
- Vuln IDs
- V-38691
- Rule IDs
- SV-50492r2_rule
Fix: F-43640r1_fix
The "bluetooth" service can be disabled with the following command: # chkconfig bluetooth off # service bluetooth stop
- RMF Control
- AC-2
- Severity
- L
- CCI
- CCI-000017
- Version
- RHEL-06-000334
- Vuln IDs
- V-38692
- Rule IDs
- SV-50493r1_rule
Fix: F-43641r2_fix
To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in "/etc/default/useradd", substituting "[NUM_DAYS]" appropriately: INACTIVE=[NUM_DAYS] A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the "useradd" man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- RHEL-06-000299
- Vuln IDs
- V-38693
- Rule IDs
- SV-50494r4_rule
Fix: F-43642r3_fix
The pam_cracklib module's "maxrepeat" parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "maxrepeat=3" after pam_cracklib.so to prevent a run of (3 + 1) or more identical characters. password required pam_cracklib.so maxrepeat=3
- RMF Control
- IA-4
- Severity
- L
- CCI
- CCI-000795
- Version
- RHEL-06-000335
- Vuln IDs
- V-38694
- Rule IDs
- SV-50495r1_rule
Fix: F-43643r2_fix
To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in "/etc/default/useradd", substituting "[NUM_DAYS]" appropriately: INACTIVE=[NUM_DAYS] A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the "useradd" man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- RHEL-06-000338
- Vuln IDs
- V-38701
- Rule IDs
- SV-50502r2_rule
Fix: F-43650r1_fix
If running the "tftp" service is necessary, it should be configured to change its root directory at startup. To do so, ensure "/etc/xinetd.d/tftp" includes "-s" as a command line argument, as shown in the following example (which is also the default): server_args = -s /var/lib/tftpboot
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000017
- Vuln IDs
- V-51337
- Rule IDs
- SV-65547r2_rule
Fix: F-56147r2_fix
SELinux can be disabled at boot time by an argument in "/boot/grub/grub.conf". Remove any instances of "selinux=0" from the kernel arguments in that file to prevent SELinux from being disabled at boot.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000020
- Vuln IDs
- V-51363
- Rule IDs
- SV-65573r1_rule
Fix: F-56165r1_fix
The SELinux state should be set to "enforcing" at system boot time. In the file "/etc/selinux/config", add or correct the following line to configure the system to boot into enforcing mode: SELINUX=enforcing
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- RHEL-06-000023
- Vuln IDs
- V-51369
- Rule IDs
- SV-65579r1_rule
Fix: F-56171r1_fix
The SELinux "targeted" policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in "/etc/selinux/config": SELINUXTYPE=targeted Other policies, such as "mls", provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000372
- Vuln IDs
- V-51875
- Rule IDs
- SV-66089r2_rule
Fix: F-56701r1_fix
To configure the system to notify users of last logon/access using "pam_lastlog", add the following line immediately after "session required pam_limits.so": session required pam_lastlog.so showfailed
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RHEL-06-000163
- Vuln IDs
- V-54381
- Rule IDs
- SV-68627r3_rule
Fix: F-59235r2_fix
The "auditd" service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting [ACTION] appropriately: admin_space_left_action = [ACTION] Set this value to "single" to cause the system to switch to single-user mode for corrective action. Acceptable values also include "suspend" and "halt". For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for [ACTION] are described in the "auditd.conf" man page.
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000169
- Version
- RHEL-06-000166
- Vuln IDs
- V-81441
- Rule IDs
- SV-96155r2_rule
Fix: F-88259r2_fix
Add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b32 -S adjtimex -k audit_time_rules If the system is 64-bit, then also add the following: # audit_time_rules -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-001764
- Version
- RHEL-06-000530
- Vuln IDs
- V-81445
- Rule IDs
- SV-96159r1_rule
Fix: F-88263r1_fix
Configure the "/etc/fstab" to use the "nodev" option for all lines containing "/dev/shm".
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-001764
- Version
- RHEL-06-000531
- Vuln IDs
- V-81447
- Rule IDs
- SV-96161r1_rule
Fix: F-88265r1_fix
Configure the "/etc/fstab" to use the "nosuid" option for all lines containing "/dev/shm".
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-001764
- Version
- RHEL-06-000532
- Vuln IDs
- V-81449
- Rule IDs
- SV-96163r1_rule
Fix: F-88267r1_fix
Configure the "/etc/fstab" to use the "noexec" option for all lines containing "/dev/shm".