Red Hat Enterprise Linux 6 V2R1 (SCAP)

a

The system must use a separate file system for /tmp.

RMF Control: CM-6
Severity: L
CCI: CCI-000366
Version: RHEL-06-000001
Vuln IDs: V-217846
Rule IDs: SV-217846r505923_rule

The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.

Fix: F-19325r376554_fix

The "/tmp" directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.

a

The system must use a separate file system for /var.

RMF Control: CM-6
Severity: L
CCI: CCI-000366
Version: RHEL-06-000002
Vuln IDs: V-217847
Rule IDs: SV-217847r505923_rule

Ensuring that "/var" is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the "/var" directory to contain world-writable directories, installed by other software packages.

Fix: F-19326r376557_fix

The "/var" directory is used by daemons and other system services to store frequently-changing data. Ensure that "/var" has its own partition or logical volume at installation time, or migrate it using LVM.

a

The system must use a separate file system for /var/log.

RMF Control: CM-6
Severity: L
CCI: CCI-000366
Version: RHEL-06-000003
Vuln IDs: V-217848
Rule IDs: SV-217848r505923_rule

Placing "/var/log" in its own partition enables better separation between log files and other files in "/var/".

Fix: F-19327r376560_fix

System logs are stored in the "/var/log" directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM.

a

The system must use a separate file system for the system audit data path.

RMF Control: CM-6
Severity: L
CCI: CCI-000366
Version: RHEL-06-000004
Vuln IDs: V-217849
Rule IDs: SV-217849r505923_rule

Placing "/var/log/audit" in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.

Fix: F-19328r376563_fix

Audit logs are stored in the "/var/log/audit" directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.

b

The audit system must alert designated staff members when the audit storage volume approaches capacity.

RMF Control: AU-5
Severity: M
CCI: CCI-001855
Version: RHEL-06-000005
Vuln IDs: V-217850
Rule IDs: SV-217850r505923_rule

Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.

Fix: F-19329r376566_fix

The "auditd" service can be configured to take an action when disk space starts to run low. Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [ACTION] appropriately: space_left_action = [ACTION] Possible values for [ACTION] are described in the "auditd.conf" man page. These include: "ignore" "syslog" "email" "exec" "suspend" "single" "halt" Set this to "email" (instead of the default, which is "suspend") as it is more likely to get prompt attention. The "syslog" option is acceptable, provided the local log management infrastructure notifies an appropriate administrator in a timely manner. RHEL-06-000521 ensures that the email generated through the operation "space_left_action" will be sent to an administrator.

a

The system must use a separate file system for user home directories.

RMF Control: CM-6
Severity: L
CCI: CCI-000366
Version: RHEL-06-000007
Vuln IDs: V-217851
Rule IDs: SV-217851r505923_rule

Ensuring that "/home" is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.

Fix: F-19330r376569_fix

If user home directories will be stored locally, create a separate partition for "/home" at installation time (or migrate it later using LVM). If "/home" will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.

c

Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.

RMF Control: CM-5
Severity: H
CCI: CCI-001749
Version: RHEL-06-000008
Vuln IDs: V-217852
Rule IDs: SV-217852r505923_rule

The Red Hat GPG keys are necessary to cryptographically verify packages are from Red Hat.

Fix: F-19331r376572_fix

To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG keys must be installed properly. To install the Red Hat GPG keys, run: # rhn_register If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG keys from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in "/media/cdrom", use the following command as the root user to import them into the keyring: # rpm --import /media/cdrom/RPM-GPG-KEY

b

The system package management tool must cryptographically verify the authenticity of system software packages during installation.

RMF Control: CM-5
Severity: M
CCI: CCI-001749
Version: RHEL-06-000013
Vuln IDs: V-217855
Rule IDs: SV-217855r505923_rule

Ensuring the validity of packages' cryptographic signatures prior to installation ensures the provenance of the software and protects against malicious tampering.

Fix: F-19334r376581_fix

The "gpgcheck" option should be used to ensure checking of an RPM package's signature always occurs prior to its installation. To configure yum to check package signatures before installing them, ensure the following line appears in "/etc/yum.conf" in the "[main]" section: gpgcheck=1

a

The system package management tool must cryptographically verify the authenticity of all software packages during installation.

RMF Control: CM-5
Severity: L
CCI: CCI-001749
Version: RHEL-06-000015
Vuln IDs: V-217856
Rule IDs: SV-217856r505923_rule

Ensuring all packages' cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering.

Fix: F-19335r376584_fix

To ensure signature checking is not disabled for any repos, remove any lines from files in "/etc/yum.repos.d" of the form: gpgcheck=0

b

A file integrity tool must be installed.

RMF Control: CM-7
Severity: M
CCI: CCI-001774
Version: RHEL-06-000016
Vuln IDs: V-217857
Rule IDs: SV-217857r505923_rule

The AIDE package must be installed if it is to be available for integrity checking.

Fix: F-19336r376587_fix

Install the AIDE package with the command: # yum install aide

b

The system must use a Linux Security Module at boot time.

RMF Control: AC-3
Severity: M
CCI: CCI-002163
Version: RHEL-06-000017
Vuln IDs: V-217858
Rule IDs: SV-217858r505923_rule

Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation.

Fix: F-19337r376590_fix

SELinux can be disabled at boot time by an argument in "/boot/grub/grub.conf". Remove any instances of "selinux=0" from the kernel arguments in that file to prevent SELinux from being disabled at boot.

c

There must be no .rhosts or hosts.equiv files on the system.

RMF Control: CM-6
Severity: H
CCI: CCI-000366
Version: RHEL-06-000019
Vuln IDs: V-217860
Rule IDs: SV-217860r505923_rule

Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system.

Fix: F-19339r376596_fix

The files "/etc/hosts.equiv" and "~/.rhosts" (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To remove these files, run the following command to delete them from any location. # rm /etc/hosts.equiv $ rm ~/.rhosts

b

The system must use a Linux Security Module configured to enforce limits on system services.

RMF Control: AC-3
Severity: M
CCI: CCI-002165
Version: RHEL-06-000020
Vuln IDs: V-217861
Rule IDs: SV-217861r505923_rule

Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges. Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux. However, McAfee Endpoint Security for Linux (ENSL) is an approved alternative to both McAfee Virus Scan Enterprise (VSE) and HIPS. In either scenario, SELinux is interoperable with the McAfee products and SELinux is still required.

Fix: F-19340r462505_fix

The SELinux state should be set to "enforcing" at system boot time. In the file "/etc/selinux/config", add or correct the following line to configure the system to boot into enforcing mode: SELINUX=enforcing

a

The system must use a Linux Security Module configured to limit the privileges of system services.

RMF Control: AC-3
Severity: L
CCI: CCI-002165
Version: RHEL-06-000023
Vuln IDs: V-217863
Rule IDs: SV-217863r505923_rule

Setting the SELinux policy to "targeted" or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services.

Fix: F-19342r376605_fix

The SELinux "targeted" policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in "/etc/selinux/config": SELINUXTYPE=targeted Other policies, such as "mls", provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.

b

The system must prevent the root account from logging in from virtual consoles.

RMF Control: IA-2
Severity: M
CCI: CCI-000770
Version: RHEL-06-000027
Vuln IDs: V-217865
Rule IDs: SV-217865r505923_rule

Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account.

Fix: F-19344r376611_fix

To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in "/etc/securetty": vc/1 vc/2 vc/3 vc/4 Note: Virtual console entries are not limited to those listed above. Any lines starting with "vc/" followed by numerals should be removed.

a

The system must prevent the root account from logging in from serial consoles.

RMF Control: IA-2
Severity: L
CCI: CCI-000770
Version: RHEL-06-000028
Vuln IDs: V-217866
Rule IDs: SV-217866r505923_rule

Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account.

Fix: F-19345r376614_fix

To restrict root logins on serial ports, ensure lines of this form do not appear in "/etc/securetty": ttyS0 ttyS1 Note: Serial port entries are not limited to those listed above. Any lines starting with "ttyS" followed by numerals should be removed

c

The system must not have accounts configured with blank or null passwords.

RMF Control: CM-6
Severity: H
CCI: CCI-000366
Version: RHEL-06-000030
Vuln IDs: V-217868
Rule IDs: SV-217868r505923_rule

If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.

Fix: F-19347r376620_fix

If an account is configured for password authentication but does not have an assigned password, it may be possible to log onto the account without authentication. Remove any instances of the "nullok" option in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" to prevent logons with empty passwords.

b

The /etc/passwd file must not contain password hashes.

RMF Control: IA-5
Severity: M
CCI: CCI-000196
Version: RHEL-06-000031
Vuln IDs: V-217869
Rule IDs: SV-217869r505923_rule

The hashes for all user account passwords should be stored in the file "/etc/shadow" and never in "/etc/passwd", which is readable by all users.

Fix: F-19348r376623_fix

If any password hashes are stored in "/etc/passwd" (in the second field, instead of an "x"), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely.

b

The root account must be the only account having a UID of 0.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: RHEL-06-000032
Vuln IDs: V-217870
Rule IDs: SV-217870r505923_rule

An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.

Fix: F-19349r376626_fix

If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.

b

The /etc/shadow file must be owned by root.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: RHEL-06-000033
Vuln IDs: V-217871
Rule IDs: SV-217871r505923_rule

The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.

Fix: F-19350r376629_fix

To properly set the owner of "/etc/shadow", run the command: # chown root /etc/shadow

b

The /etc/shadow file must be group-owned by root.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: RHEL-06-000034
Vuln IDs: V-217872
Rule IDs: SV-217872r505923_rule

The "/etc/shadow" file stores password hashes. Protection of this file is critical for system security.

Fix: F-19351r376632_fix

To properly set the group owner of "/etc/shadow", run the command: # chgrp root /etc/shadow

b

The /etc/shadow file must have mode 0000.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: RHEL-06-000035
Vuln IDs: V-217873
Rule IDs: SV-217873r505923_rule

The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.

Fix: F-19352r376635_fix

To properly set the permissions of "/etc/shadow", run the command: # chmod 0000 /etc/shadow

b

The /etc/gshadow file must be owned by root.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: RHEL-06-000036
Vuln IDs: V-217874
Rule IDs: SV-217874r505923_rule

The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.

Fix: F-19353r376638_fix

To properly set the owner of "/etc/gshadow", run the command: # chown root /etc/gshadow

b

The /etc/gshadow file must be group-owned by root.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: RHEL-06-000037
Vuln IDs: V-217875
Rule IDs: SV-217875r505923_rule

The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.

Fix: F-19354r376641_fix

To properly set the group owner of "/etc/gshadow", run the command: # chgrp root /etc/gshadow

b

The /etc/gshadow file must have mode 0000.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: RHEL-06-000038
Vuln IDs: V-217876
Rule IDs: SV-217876r505923_rule

The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.

Fix: F-19355r376644_fix

To properly set the permissions of "/etc/gshadow", run the command: # chmod 0000 /etc/gshadow

b

The /etc/passwd file must be owned by root.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: RHEL-06-000039
Vuln IDs: V-217877
Rule IDs: SV-217877r505923_rule

The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security.

Fix: F-19356r376647_fix

To properly set the owner of "/etc/passwd", run the command: # chown root /etc/passwd

b

The /etc/passwd file must be group-owned by root.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: RHEL-06-000040
Vuln IDs: V-217878
Rule IDs: SV-217878r505923_rule

The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security.

Fix: F-19357r376650_fix

To properly set the group owner of "/etc/passwd", run the command: # chgrp root /etc/passwd

b

The /etc/passwd file must have mode 0644 or less permissive.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: RHEL-06-000041
Vuln IDs: V-217879
Rule IDs: SV-217879r505923_rule

If the "/etc/passwd" file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.

Fix: F-19358r376653_fix

To properly set the permissions of "/etc/passwd", run the command: # chmod 0644 /etc/passwd

b

The /etc/group file must be owned by root.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: RHEL-06-000042
Vuln IDs: V-217880
Rule IDs: SV-217880r505923_rule

The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

Fix: F-19359r376656_fix

To properly set the owner of "/etc/group", run the command: # chown root /etc/group

b

The /etc/group file must be group-owned by root.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: RHEL-06-000043
Vuln IDs: V-217881
Rule IDs: SV-217881r505923_rule

The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

Fix: F-19360r376659_fix

To properly set the group owner of "/etc/group", run the command: # chgrp root /etc/group

b

The /etc/group file must have mode 0644 or less permissive.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: RHEL-06-000044
Vuln IDs: V-217882
Rule IDs: SV-217882r505923_rule

The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

Fix: F-19361r376662_fix

To properly set the permissions of "/etc/group", run the command: # chmod 644 /etc/group

b

All system command files must have mode 755 or less permissive.

RMF Control: CM-5
Severity: M
CCI: CCI-001499
Version: RHEL-06-000047
Vuln IDs: V-217885
Rule IDs: SV-217885r505923_rule

System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.

Fix: F-19364r376671_fix

System executables are stored in the following directories by default: /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command: # chmod go-w [FILE]

b

All system command files must be owned by root.

RMF Control: CM-5
Severity: M
CCI: CCI-001499
Version: RHEL-06-000048
Vuln IDs: V-217886
Rule IDs: SV-217886r505923_rule

System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted.

Fix: F-19365r376674_fix

System executables are stored in the following directories by default: /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin If any file [FILE] in these directories is found to be owned by a user other than root, correct its ownership with the following command: # chown root [FILE]

b

The system must require passwords to contain a minimum of 15 characters.

RMF Control: IA-5
Severity: M
CCI: CCI-000205
Version: RHEL-06-000050
Vuln IDs: V-217887
Rule IDs: SV-217887r505923_rule

Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result. While it does not negate the password length requirement, it is preferable to migrate from a password-based authentication scheme to a stronger one based on PKI (public key infrastructure).

Fix: F-19366r462371_fix

To specify password length requirements for new accounts, edit the file "/etc/login.defs" and add or correct the following lines: PASS_MIN_LEN 15 The DoD requirement is "15". If a program consults "/etc/login.defs" and also another PAM module (such as "pam_cracklib") during a password change operation, then the most restrictive must be satisfied.

b

Users must not be able to change passwords more than once every 24 hours.

RMF Control: IA-5
Severity: M
CCI: CCI-000198
Version: RHEL-06-000051
Vuln IDs: V-217888
Rule IDs: SV-217888r505923_rule

Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.

Fix: F-19367r376680_fix

To specify password minimum age for new accounts, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately: PASS_MIN_DAYS [DAYS] A value of 1 day is considered sufficient for many environments. The DoD requirement is 1.

b

User passwords must be changed at least every 60 days.

RMF Control: IA-5
Severity: M
CCI: CCI-000199
Version: RHEL-06-000053
Vuln IDs: V-217889
Rule IDs: SV-217889r505923_rule

Setting the password maximum age ensures users are required to periodically change their passwords. This could possibly decrease the utility of a stolen password. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.

Fix: F-19368r376683_fix

To specify password maximum age for new accounts, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately: PASS_MAX_DAYS [DAYS] The DoD requirement is 60.

a

Users must be warned 7 days in advance of password expiration.

RMF Control: CM-6
Severity: L
CCI: CCI-000366
Version: RHEL-06-000054
Vuln IDs: V-217890
Rule IDs: SV-217890r505923_rule

Setting the password warning age enables users to make the change at a practical time.

Fix: F-19369r376686_fix

To specify how many days prior to password expiration that a warning will be issued to users, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately: PASS_WARN_AGE [DAYS] The DoD requirement is 7.

a

The system must require passwords to contain at least one numeric character.

RMF Control: IA-5
Severity: L
CCI: CCI-000194
Version: RHEL-06-000056
Vuln IDs: V-217892
Rule IDs: SV-217892r505923_rule

Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.

Fix: F-19371r462374_fix

The pam_cracklib module's "dcredit" parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional length credit for each digit. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "dcredit=-1" after pam_cracklib.so to require use of a digit in passwords.

a

The system must require passwords to contain at least one uppercase alphabetic character.

RMF Control: IA-5
Severity: L
CCI: CCI-000192
Version: RHEL-06-000057
Vuln IDs: V-217893
Rule IDs: SV-217893r505923_rule

Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space.

Fix: F-19372r462377_fix

The pam_cracklib module's "ucredit=" parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each uppercase character. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "ucredit=-1" after pam_cracklib.so to require use of an uppercase character in passwords.

a

The system must require passwords to contain at least one special character.

RMF Control: IA-5
Severity: L
CCI: CCI-001619
Version: RHEL-06-000058
Vuln IDs: V-217894
Rule IDs: SV-217894r505923_rule

Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.

Fix: F-19373r462380_fix

The pam_cracklib module's "ocredit=" parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each special character. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "ocredit=-1" after pam_cracklib.so to require use of a special character in passwords.

a

The system must require passwords to contain at least one lower-case alphabetic character.

RMF Control: IA-5
Severity: L
CCI: CCI-000193
Version: RHEL-06-000059
Vuln IDs: V-217895
Rule IDs: SV-217895r505923_rule

Requiring a minimum number of lower-case characters makes password guessing attacks more difficult by ensuring a larger search space.

Fix: F-19374r462383_fix

The pam_cracklib module's "lcredit=" parameter controls requirements for usage of lower-case letters in a password. When set to a negative number, any password will be required to contain that many lower-case characters. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "lcredit=-1" after pam_cracklib.so to require use of a lower-case character in passwords.

a

The system must require at least eight characters be changed between the old and new passwords during a password change.

RMF Control: IA-5
Severity: L
CCI: CCI-000195
Version: RHEL-06-000060
Vuln IDs: V-217896
Rule IDs: SV-217896r505923_rule

Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however.

Fix: F-19375r462386_fix

The pam_cracklib module's "difok" parameter controls requirements for usage of different characters during a password change. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "difok=[NUM]" after pam_cracklib.so to require differing characters when changing passwords, substituting [NUM] appropriately. The DoD requirement is 8.

b

The system must disable accounts after three consecutive unsuccessful logon attempts.

RMF Control: AC-7
Severity: M
CCI: CCI-000044
Version: RHEL-06-000061
Vuln IDs: V-217897
Rule IDs: SV-217897r505923_rule

Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks.

Fix: F-19376r499424_fix

To configure the system to lock out accounts after a number of incorrect logon attempts using "pam_faillock.so", modify the content of both "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" as follows: Add the following line immediately before the "pam_unix.so" statement in the "AUTH" section: auth required pam_faillock.so preauth silent deny=3 unlock_time=900 fail_interval=900 Add the following line immediately after the "pam_unix.so" statement in the "AUTH" section: auth [default=die] pam_faillock.so authfail deny=3 unlock_time=900 fail_interval=900 Add the following line immediately before the "pam_unix.so" statement in the "ACCOUNT" section: account required pam_faillock.so Note that any updates made to "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" may be overwritten by the "authconfig" program. The "authconfig" program should not be used.

b

The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth).

RMF Control: IA-7
Severity: M
CCI: CCI-000803
Version: RHEL-06-000062
Vuln IDs: V-217898
Rule IDs: SV-217898r505923_rule

Using a stronger hashing algorithm makes password cracking attacks more difficult.

Fix: F-19377r462389_fix

In "/etc/pam.d/system-auth”, "/etc/pam.d/system-auth-ac", “/etc/pam.d/password-auth”, and “/etc/pam.d/password-auth-ac”, among potentially other files, the "password" section of the files controls which PAM modules execute during a password change. Set the "pam_unix.so" module in the "password" section to include the argument "sha512", as shown below: password sufficient pam_unix.so sha512 [other arguments...] This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default. Note: Any updates made to "/etc/pam.d/system-auth" will be overwritten by the "authconfig" program. The "authconfig" program should not be used.

b

The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs).

RMF Control: IA-7
Severity: M
CCI: CCI-000803
Version: RHEL-06-000063
Vuln IDs: V-217899
Rule IDs: SV-217899r505923_rule

Using a stronger hashing algorithm makes password cracking attacks more difficult.

Fix: F-19378r376713_fix

In "/etc/login.defs", add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm: ENCRYPT_METHOD SHA512

b

The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf).

RMF Control: IA-7
Severity: M
CCI: CCI-000803
Version: RHEL-06-000064
Vuln IDs: V-217900
Rule IDs: SV-217900r505923_rule

Using a stronger hashing algorithm makes password cracking attacks more difficult.

Fix: F-19379r376716_fix

In "/etc/libuser.conf", add or correct the following line in its "[defaults]" section to ensure the system will use the SHA-512 algorithm for password hashing: crypt_style = sha512

b

The system boot loader configuration file(s) must be owned by root.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: RHEL-06-000065
Vuln IDs: V-217901
Rule IDs: SV-217901r505923_rule

Only root should be able to modify important boot parameters.

Fix: F-19380r376719_fix

The file "/boot/grub/grub.conf" should be owned by the "root" user to prevent destruction or modification of the file. To properly set the owner of "/boot/grub/grub.conf", run the command: # chown root /boot/grub/grub.conf

b

The system boot loader configuration file(s) must be group-owned by root.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: RHEL-06-000066
Vuln IDs: V-217902
Rule IDs: SV-217902r505923_rule

The "root" group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.

Fix: F-19381r376722_fix

The file "/boot/grub/grub.conf" should be group-owned by the "root" group to prevent destruction or modification of the file. To properly set the group owner of "/boot/grub/grub.conf", run the command: # chgrp root /boot/grub/grub.conf

b

The system boot loader configuration file(s) must have mode 0600 or less permissive.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: RHEL-06-000067
Vuln IDs: V-217903
Rule IDs: SV-217903r505923_rule

Proper permissions ensure that only the root user can modify important boot parameters.

Fix: F-19382r376725_fix

Set file permissions for "/boot/grub/grub.conf" to 600, which is the default. To properly set the permissions of "/boot/grub/grub.conf", run the command: $ chmod 600 /boot/grub/grub.conf

b

The system boot loader must require authentication.

RMF Control: AC-3
Severity: M
CCI: CCI-000213
Version: RHEL-06-000068
Vuln IDs: V-217904
Rule IDs: SV-217904r505923_rule

Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.

Fix: F-19383r462392_fix

The grub boot loader should have password protection enabled to protect boot-time settings. To do so, select a password and then generate a hash from it by running the following command: # grub-crypt --sha-512 When prompted to enter a password, insert the following line into "/boot/grub/grub.conf" or “/boot/efi/EFI/redhat/grub.conf” immediately after the header comments. (Use the output from "grub-crypt" as the value of [password-hash]): password --encrypted [password-hash]

b

The system must require authentication upon booting into single-user and maintenance modes.

RMF Control: AC-3
Severity: M
CCI: CCI-000213
Version: RHEL-06-000069
Vuln IDs: V-217905
Rule IDs: SV-217905r505923_rule

This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.

Fix: F-19384r376731_fix

Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected. To require entry of the root password even if the system is started in single-user mode, add or correct the following line in the file "/etc/sysconfig/init": SINGLE=/sbin/sulogin

b

The system must not permit interactive boot.

RMF Control: AC-3
Severity: M
CCI: CCI-000213
Version: RHEL-06-000070
Vuln IDs: V-217906
Rule IDs: SV-217906r505923_rule

Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security.

Fix: F-19385r376734_fix

To disable the ability for users to perform interactive startups, edit the file "/etc/sysconfig/init". Add or correct the line: PROMPT=no The "PROMPT" option allows the console user to perform an interactive system startup, in which it is possible to select the set of services which are started on boot.

a

The system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.

RMF Control: AC-11
Severity: L
CCI: CCI-000057
Version: RHEL-06-000071
Vuln IDs: V-217907
Rule IDs: SV-217907r505923_rule

Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000163-GPOS-00072

Fix: F-19386r462508_fix

Configure the operating system to terminate all network connections associated with a communications session at the end of the session or after a period of inactivity. Create a script to enforce the inactivity timeout (for example /etc/profile.d/tmout.sh) such as: #!/bin/bash TMOUT=900 readonly TMOUT export TMOUT

b

The system must not send ICMPv4 redirects by default.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: RHEL-06-000080
Vuln IDs: V-217911
Rule IDs: SV-217911r505923_rule

Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers.

Fix: F-19390r376749_fix

To set the runtime status of the "net.ipv4.conf.default.send_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.send_redirects=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.default.send_redirects = 0 Issue the following command to make the changes take effect: # sysctl --system

b

The system must not send ICMPv4 redirects from any interface.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: RHEL-06-000081
Vuln IDs: V-217912
Rule IDs: SV-217912r505923_rule

Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers.

Fix: F-19391r376752_fix

To set the runtime status of the "net.ipv4.conf.all.send_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.send_redirects=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.all.send_redirects = 0 Issue the following command to make the changes take effect: # sysctl --system

b

IP forwarding for IPv4 must not be enabled, unless the system is a router.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: RHEL-06-000082
Vuln IDs: V-217913
Rule IDs: SV-217913r505923_rule

IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.

Fix: F-19392r376755_fix

To set the runtime status of the "net.ipv4.ip_forward" kernel parameter, run the following command: # sysctl -w net.ipv4.ip_forward=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.ip_forward = 0 Issue the following command to make the changes take effect: # sysctl --system

b

The system must not accept IPv4 source-routed packets on any interface.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: RHEL-06-000083
Vuln IDs: V-217914
Rule IDs: SV-217914r505923_rule

Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Fix: F-19393r376758_fix

To set the runtime status of the "net.ipv4.conf.all.accept_source_route" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.accept_source_route=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.all.accept_source_route = 0 Issue the following command to make the changes take effect: # sysctl --system

b

The system must not accept ICMPv4 redirect packets on any interface.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: RHEL-06-000084
Vuln IDs: V-217915
Rule IDs: SV-217915r505923_rule

Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required.

Fix: F-19394r376761_fix

To set the runtime status of the "net.ipv4.conf.all.accept_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.accept_redirects=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.all.accept_redirects = 0 Issue the following command to make the changes take effect: # sysctl --system

b

The system must not accept ICMPv4 secure redirect packets on any interface.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: RHEL-06-000086
Vuln IDs: V-217916
Rule IDs: SV-217916r505923_rule

Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

Fix: F-19395r376764_fix

To set the runtime status of the "net.ipv4.conf.all.secure_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.secure_redirects=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.all.secure_redirects = 0 Issue the following command to make the changes take effect: # sysctl --system

a

The system must log Martian packets.

RMF Control: CM-6
Severity: L
CCI: CCI-000366
Version: RHEL-06-000088
Vuln IDs: V-217917
Rule IDs: SV-217917r505923_rule

The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.

Fix: F-19396r376767_fix

To set the runtime status of the "net.ipv4.conf.all.log_martians" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.log_martians=1 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.all.log_martians = 1 Issue the following command to make the changes take effect: # sysctl --system

b

The system must not accept IPv4 source-routed packets by default.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: RHEL-06-000089
Vuln IDs: V-217918
Rule IDs: SV-217918r505923_rule

Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Fix: F-19397r376770_fix

To set the runtime status of the "net.ipv4.conf.default.accept_source_route" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.accept_source_route=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.default.accept_source_route = 0 Issue the following command to make the changes take effect: # sysctl --system

b

The system must not accept ICMPv4 secure redirect packets by default.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: RHEL-06-000090
Vuln IDs: V-217919
Rule IDs: SV-217919r505923_rule

Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

Fix: F-19398r376773_fix

To set the runtime status of the "net.ipv4.conf.default.secure_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.secure_redirects=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.default.secure_redirects = 0 Issue the following command to make the changes take effect: # sysctl --system

a

The system must ignore ICMPv4 redirect messages by default.

RMF Control: CM-6
Severity: L
CCI: CCI-000366
Version: RHEL-06-000091
Vuln IDs: V-217920
Rule IDs: SV-217920r505923_rule

This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Fix: F-19399r376776_fix

To set the runtime status of the "net.ipv4.conf.default.accept_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.accept_redirects=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.default.accept_redirects = 0 Issue the following command to make the changes take effect: # sysctl --system

a

The system must not respond to ICMPv4 sent to a broadcast address.

RMF Control: CM-6
Severity: L
CCI: CCI-000366
Version: RHEL-06-000092
Vuln IDs: V-217921
Rule IDs: SV-217921r505923_rule

Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.

Fix: F-19400r376779_fix

To set the runtime status of the "net.ipv4.icmp_echo_ignore_broadcasts" kernel parameter, run the following command: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.icmp_echo_ignore_broadcasts = 1 Issue the following command to make the changes take effect: # sysctl --system

a

The system must ignore ICMPv4 bogus error responses.

RMF Control: CM-6
Severity: L
CCI: CCI-000366
Version: RHEL-06-000093
Vuln IDs: V-217922
Rule IDs: SV-217922r505923_rule

Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.

Fix: F-19401r376782_fix

To set the runtime status of the "net.ipv4.icmp_ignore_bogus_error_responses" kernel parameter, run the following command: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.icmp_ignore_bogus_error_responses = 1 Issue the following command to make the changes take effect: # sysctl --system

b

The system must be configured to use TCP syncookies when experiencing a TCP SYN flood.

RMF Control: SC-5
Severity: M
CCI: CCI-001095
Version: RHEL-06-000095
Vuln IDs: V-217923
Rule IDs: SV-217923r505923_rule

A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.

Fix: F-19402r376785_fix

To set the runtime status of the "net.ipv4.tcp_syncookies" kernel parameter, run the following command: # sysctl -w net.ipv4.tcp_syncookies=1 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.tcp_syncookies = 1 Issue the following command to make the changes take effect: # sysctl --system

b

The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: RHEL-06-000096
Vuln IDs: V-217924
Rule IDs: SV-217924r505923_rule

Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.

Fix: F-19403r376788_fix

To set the runtime status of the "net.ipv4.conf.all.rp_filter" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.rp_filter=1 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.all.rp_filter = 1 Issue the following command to make the changes take effect: # sysctl --system

b

The system must use a reverse-path filter for IPv4 network traffic when possible by default.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: RHEL-06-000097
Vuln IDs: V-217925
Rule IDs: SV-217925r505923_rule

Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.

Fix: F-19404r376791_fix

To set the runtime status of the "net.ipv4.conf.default.rp_filter" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.rp_filter=1 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.default.rp_filter = 1 Issue the following command to make the changes take effect: # sysctl --system

b

The system must ignore ICMPv6 redirects by default.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: RHEL-06-000099
Vuln IDs: V-217926
Rule IDs: SV-217926r505923_rule

An illicit ICMP redirect message could result in a man-in-the-middle attack.

Fix: F-19405r376794_fix

To set the runtime status of the "net.ipv6.conf.default.accept_redirects" kernel parameter, run the following command: # sysctl -w net.ipv6.conf.default.accept_redirects=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv6.conf.default.accept_redirects = 0 Issue the following command to make the changes take effect: # sysctl --system

b

The system must employ a local IPv4 firewall.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: RHEL-06-000113
Vuln IDs: V-217930
Rule IDs: SV-217930r505923_rule

The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP.

Fix: F-19409r376806_fix

The "iptables" service can be enabled with the following commands: # chkconfig iptables on # service iptables start

b

The operating system must prevent public IPv4 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: RHEL-06-000117
Vuln IDs: V-217932
Rule IDs: SV-217932r505923_rule

The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP.

Fix: F-19411r376812_fix

The "iptables" service can be enabled with the following commands: # chkconfig iptables on # service iptables start

b

The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.

RMF Control: CM-7
Severity: M
CCI: CCI-000382
Version: RHEL-06-000124
Vuln IDs: V-217934
Rule IDs: SV-217934r505923_rule

Disabling DCCP protects the system against exploitation of any flaws in its implementation.

Fix: F-19413r462395_fix

The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the "dccp" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install dccp /bin/true

b

The Stream Control Transmission Protocol (SCTP) must be disabled unless required.

RMF Control: CM-7
Severity: M
CCI: CCI-000382
Version: RHEL-06-000125
Vuln IDs: V-217935
Rule IDs: SV-217935r505923_rule

Disabling SCTP protects the system against exploitation of any flaws in its implementation.

Fix: F-19414r462398_fix

The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the "sctp" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install sctp /bin/true

a

The Reliable Datagram Sockets (RDS) protocol must be disabled unless required.

RMF Control: CM-7
Severity: L
CCI: CCI-000382
Version: RHEL-06-000126
Vuln IDs: V-217936
Rule IDs: SV-217936r505923_rule

Disabling RDS protects the system against exploitation of any flaws in its implementation.

Fix: F-19415r376824_fix

The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-bandwidth, low-latency communications between nodes in a cluster. To configure the system to prevent the "rds" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install rds /bin/true

b

The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required.

RMF Control: CM-7
Severity: M
CCI: CCI-000382
Version: RHEL-06-000127
Vuln IDs: V-217937
Rule IDs: SV-217937r505923_rule

Disabling TIPC protects the system against exploitation of any flaws in its implementation.

Fix: F-19416r462401_fix

The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the "tipc" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install tipc /bin/true

b

All rsyslog-generated log files must be owned by root.

RMF Control: SI-11
Severity: M
CCI: CCI-001314
Version: RHEL-06-000133
Vuln IDs: V-217938
Rule IDs: SV-217938r505923_rule

The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.

Fix: F-19417r376830_fix

The owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's owner: $ ls -l [LOGFILE] If the owner is not "root", run the following command to correct this: # chown root [LOGFILE]

b

The system must retain enough rotated audit logs to cover the required log retention period.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: RHEL-06-000159
Vuln IDs: V-217947
Rule IDs: SV-217947r505923_rule

The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.

Fix: F-19426r376857_fix

Determine how many log files "auditd" should retain when it rotates logs. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting [NUMLOGS] with the correct value: num_logs = [NUMLOGS] Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation.

b

The system must set a maximum audit log file size.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: RHEL-06-000160
Vuln IDs: V-217948
Rule IDs: SV-217948r505923_rule

The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.

Fix: F-19427r376860_fix

Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting the correct value for [STOREMB]: max_log_file = [STOREMB] Set the value to "6" (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data.

b

The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low.

RMF Control: AU-5
Severity: M
CCI: CCI-001855
Version: RHEL-06-000163
Vuln IDs: V-217950
Rule IDs: SV-217950r505923_rule

Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur.

Fix: F-19429r376866_fix

The "auditd" service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting [ACTION] appropriately: admin_space_left_action = [ACTION] Set this value to "single" to cause the system to switch to single-user mode for corrective action. Acceptable values also include "suspend" and "halt". For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for [ACTION] are described in the "auditd.conf" man page.

a

The audit system must be configured to audit all attempts to alter system time through adjtimex.

RMF Control: AU-12
Severity: L
CCI: CCI-000169
Version: RHEL-06-000166
Vuln IDs: V-217951
Rule IDs: SV-217951r505923_rule

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Fix: F-19430r376869_fix

Add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b32 -S adjtimex -k audit_time_rules If the system is 64-bit, then also add the following: # audit_time_rules -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules

a

The audit system must be configured to audit all attempts to alter system time through settimeofday.

RMF Control: AU-12
Severity: L
CCI: CCI-000169
Version: RHEL-06-000167
Vuln IDs: V-217952
Rule IDs: SV-217952r505923_rule

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Fix: F-19431r376872_fix

Add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b32 -S settimeofday -k audit_time_rules If the system is 64-bit, then also add the following: # audit_time_rules -a always,exit -F arch=b64 -S settimeofday -k audit_time_rules

a

The audit system must be configured to audit all attempts to alter system time through stime.

RMF Control: AU-12
Severity: L
CCI: CCI-000169
Version: RHEL-06-000169
Vuln IDs: V-217953
Rule IDs: SV-217953r505923_rule

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Fix: F-19432r376875_fix

Add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b32 -S stime -k audit_time_rules

a

The audit system must be configured to audit all attempts to alter system time through clock_settime.

RMF Control: AU-12
Severity: L
CCI: CCI-000169
Version: RHEL-06-000171
Vuln IDs: V-217954
Rule IDs: SV-217954r505923_rule

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Fix: F-19433r376878_fix

Add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b32 -S clock_settime -k audit_time_rules If the system is 64-bit, then also add the following: # audit_time_rules -a always,exit -F arch=b64 -S clock_settime -k audit_time_rules

a

The audit system must be configured to audit all attempts to alter system time through /etc/localtime.

RMF Control: AU-12
Severity: L
CCI: CCI-000169
Version: RHEL-06-000173
Vuln IDs: V-217955
Rule IDs: SV-217955r505923_rule

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Fix: F-19434r376881_fix

Add the following to "/etc/audit/audit.rules": -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.

a

The operating system must automatically audit account creation.

RMF Control: AC-2
Severity: L
CCI: CCI-000018
Version: RHEL-06-000174
Vuln IDs: V-217956
Rule IDs: SV-217956r505923_rule

In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

Fix: F-19435r376884_fix

Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes: # audit_account_changes -w /etc/group -p wa -k audit_account_changes -w /etc/passwd -p wa -k audit_account_changes -w /etc/gshadow -p wa -k audit_account_changes -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes

a

The operating system must automatically audit account modification.

RMF Control: AC-2
Severity: L
CCI: CCI-001403
Version: RHEL-06-000175
Vuln IDs: V-217957
Rule IDs: SV-217957r505923_rule

In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

Fix: F-19436r376887_fix

Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes: # audit_account_changes -w /etc/group -p wa -k audit_account_changes -w /etc/passwd -p wa -k audit_account_changes -w /etc/gshadow -p wa -k audit_account_changes -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes

a

The operating system must automatically audit account disabling actions.

RMF Control: AC-2
Severity: L
CCI: CCI-001404
Version: RHEL-06-000176
Vuln IDs: V-217958
Rule IDs: SV-217958r505923_rule

In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

Fix: F-19437r376890_fix

Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes: # audit_account_changes -w /etc/group -p wa -k audit_account_changes -w /etc/passwd -p wa -k audit_account_changes -w /etc/gshadow -p wa -k audit_account_changes -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes

a

The operating system must automatically audit account termination.

RMF Control: AC-2
Severity: L
CCI: CCI-001405
Version: RHEL-06-000177
Vuln IDs: V-217959
Rule IDs: SV-217959r505923_rule

In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

Fix: F-19438r376893_fix

Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes: # audit_account_changes -w /etc/group -p wa -k audit_account_changes -w /etc/passwd -p wa -k audit_account_changes -w /etc/gshadow -p wa -k audit_account_changes -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes

a

The audit system must be configured to audit modifications to the systems network configuration.

RMF Control: CM-6
Severity: L
CCI: CCI-000366
Version: RHEL-06-000182
Vuln IDs: V-217960
Rule IDs: SV-217960r505923_rule

The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.

Fix: F-19439r376896_fix

Add the following to "/etc/audit/audit.rules": # audit_network_modifications -a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications -w /etc/issue -p wa -k audit_network_modifications -w /etc/issue.net -p wa -k audit_network_modifications -w /etc/hosts -p wa -k audit_network_modifications -w /etc/sysconfig/network -p wa -k audit_network_modifications If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_network_modifications

a

The audit system must be configured to audit modifications to the systems Mandatory Access Control (MAC) configuration (SELinux).

RMF Control: CM-6
Severity: L
CCI: CCI-000366
Version: RHEL-06-000183
Vuln IDs: V-217961
Rule IDs: SV-217961r505923_rule

The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.

Fix: F-19440r376899_fix

Add the following to "/etc/audit/audit.rules": -w /etc/selinux/ -p wa -k MAC-policy

a

The audit system must be configured to audit all discretionary access control permission modifications using chmod.

RMF Control: AU-12
Severity: L
CCI: CCI-000172
Version: RHEL-06-000184
Vuln IDs: V-217962
Rule IDs: SV-217962r505923_rule