This web site uses advanced JavaScript for several data processing functions. Internet Explorer has severe deficiencies in it's JavaScript engine. Please use a modern day browser, such as Chrome or Edge, in order to take full advantage of this web site.
Red Hat Enterprise Linux 6 Security Technical Implementation Guide
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]
Vuln
Rule
Version
CCI
Severity
Title
Description
SV-217846r505923_rule
RHEL-06-000001
CCI-000366
LOW
The system must use a separate file system for /tmp.
The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.
SV-217847r505923_rule
RHEL-06-000002
CCI-000366
LOW
The system must use a separate file system for /var.
Ensuring that "/var" is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the "/var" directory to contain world-writable directories, installed by other software packages.
SV-217848r505923_rule
RHEL-06-000003
CCI-000366
LOW
The system must use a separate file system for /var/log.
Placing "/var/log" in its own partition enables better separation between log files and other files in "/var/".
SV-217849r505923_rule
RHEL-06-000004
CCI-000366
LOW
The system must use a separate file system for the system audit data path.
Placing "/var/log/audit" in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.
SV-217850r505923_rule
RHEL-06-000005
CCI-001855
MEDIUM
The audit system must alert designated staff members when the audit storage volume approaches capacity.
Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.
SV-217851r505923_rule
RHEL-06-000007
CCI-000366
LOW
The system must use a separate file system for user home directories.
Ensuring that "/home" is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.
SV-217852r505923_rule
RHEL-06-000008
CCI-001749
HIGH
Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
The Red Hat GPG keys are necessary to cryptographically verify packages are from Red Hat.
SV-217855r505923_rule
RHEL-06-000013
CCI-001749
MEDIUM
The system package management tool must cryptographically verify the authenticity of system software packages during installation.
Ensuring the validity of packages' cryptographic signatures prior to installation ensures the provenance of the software and protects against malicious tampering.
SV-217856r505923_rule
RHEL-06-000015
CCI-001749
LOW
The system package management tool must cryptographically verify the authenticity of all software packages during installation.
Ensuring all packages' cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering.
SV-217857r505923_rule
RHEL-06-000016
CCI-001774
MEDIUM
A file integrity tool must be installed.
The AIDE package must be installed if it is to be available for integrity checking.
SV-217858r505923_rule
RHEL-06-000017
CCI-002163
MEDIUM
The system must use a Linux Security Module at boot time.
Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation.
SV-217860r505923_rule
RHEL-06-000019
CCI-000366
HIGH
There must be no .rhosts or hosts.equiv files on the system.
Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system.
SV-217861r505923_rule
RHEL-06-000020
CCI-002165
MEDIUM
The system must use a Linux Security Module configured to enforce limits on system services.
Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.
Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux. However, McAfee Endpoint Security for Linux (ENSL) is an approved alternative to both McAfee Virus Scan Enterprise (VSE) and HIPS. In either scenario, SELinux is interoperable with the McAfee products and SELinux is still required.
SV-217863r505923_rule
RHEL-06-000023
CCI-002165
LOW
The system must use a Linux Security Module configured to limit the privileges of system services.
Setting the SELinux policy to "targeted" or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services.
SV-217865r505923_rule
RHEL-06-000027
CCI-000770
MEDIUM
The system must prevent the root account from logging in from virtual consoles.
Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account.
SV-217866r505923_rule
RHEL-06-000028
CCI-000770
LOW
The system must prevent the root account from logging in from serial consoles.
Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account.
SV-217868r505923_rule
RHEL-06-000030
CCI-000366
HIGH
The system must not have accounts configured with blank or null passwords.
If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
SV-217869r505923_rule
RHEL-06-000031
CCI-000196
MEDIUM
The /etc/passwd file must not contain password hashes.
The hashes for all user account passwords should be stored in the file "/etc/shadow" and never in "/etc/passwd", which is readable by all users.
SV-217870r505923_rule
RHEL-06-000032
CCI-000366
MEDIUM
The root account must be the only account having a UID of 0.
An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.
SV-217871r505923_rule
RHEL-06-000033
CCI-000366
MEDIUM
The /etc/shadow file must be owned by root.
The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.
SV-217872r505923_rule
RHEL-06-000034
CCI-000366
MEDIUM
The /etc/shadow file must be group-owned by root.
The "/etc/shadow" file stores password hashes. Protection of this file is critical for system security.
SV-217873r505923_rule
RHEL-06-000035
CCI-000366
MEDIUM
The /etc/shadow file must have mode 0000.
The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.
SV-217874r505923_rule
RHEL-06-000036
CCI-000366
MEDIUM
The /etc/gshadow file must be owned by root.
The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.
SV-217875r505923_rule
RHEL-06-000037
CCI-000366
MEDIUM
The /etc/gshadow file must be group-owned by root.
The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.
SV-217876r505923_rule
RHEL-06-000038
CCI-000366
MEDIUM
The /etc/gshadow file must have mode 0000.
The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.
SV-217877r505923_rule
RHEL-06-000039
CCI-000366
MEDIUM
The /etc/passwd file must be owned by root.
The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security.
SV-217878r505923_rule
RHEL-06-000040
CCI-000366
MEDIUM
The /etc/passwd file must be group-owned by root.
The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security.
SV-217879r505923_rule
RHEL-06-000041
CCI-000366
MEDIUM
The /etc/passwd file must have mode 0644 or less permissive.
If the "/etc/passwd" file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.
SV-217880r505923_rule
RHEL-06-000042
CCI-000366
MEDIUM
The /etc/group file must be owned by root.
The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
SV-217881r505923_rule
RHEL-06-000043
CCI-000366
MEDIUM
The /etc/group file must be group-owned by root.
The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
SV-217882r505923_rule
RHEL-06-000044
CCI-000366
MEDIUM
The /etc/group file must have mode 0644 or less permissive.
The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
SV-217885r505923_rule
RHEL-06-000047
CCI-001499
MEDIUM
All system command files must have mode 755 or less permissive.
System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.
SV-217886r505923_rule
RHEL-06-000048
CCI-001499
MEDIUM
All system command files must be owned by root.
System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted.
SV-217887r505923_rule
RHEL-06-000050
CCI-000205
MEDIUM
The system must require passwords to contain a minimum of 15 characters.
Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result.
While it does not negate the password length requirement, it is preferable to migrate from a password-based authentication scheme to a stronger one based on PKI (public key infrastructure).
SV-217888r505923_rule
RHEL-06-000051
CCI-000198
MEDIUM
Users must not be able to change passwords more than once every 24 hours.
Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.
SV-217889r505923_rule
RHEL-06-000053
CCI-000199
MEDIUM
User passwords must be changed at least every 60 days.
Setting the password maximum age ensures users are required to periodically change their passwords. This could possibly decrease the utility of a stolen password. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.
SV-217890r505923_rule
RHEL-06-000054
CCI-000366
LOW
Users must be warned 7 days in advance of password expiration.
Setting the password warning age enables users to make the change at a practical time.
SV-217892r505923_rule
RHEL-06-000056
CCI-000194
LOW
The system must require passwords to contain at least one numeric character.
Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.
SV-217893r505923_rule
RHEL-06-000057
CCI-000192
LOW
The system must require passwords to contain at least one uppercase alphabetic character.
Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space.
SV-217894r505923_rule
RHEL-06-000058
CCI-001619
LOW
The system must require passwords to contain at least one special character.
Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.
SV-217895r505923_rule
RHEL-06-000059
CCI-000193
LOW
The system must require passwords to contain at least one lower-case alphabetic character.
Requiring a minimum number of lower-case characters makes password guessing attacks more difficult by ensuring a larger search space.
SV-217896r505923_rule
RHEL-06-000060
CCI-000195
LOW
The system must require at least eight characters be changed between the old and new passwords during a password change.
Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however.
SV-217897r505923_rule
RHEL-06-000061
CCI-000044
MEDIUM
The system must disable accounts after three consecutive unsuccessful logon attempts.
Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks.
SV-217898r505923_rule
RHEL-06-000062
CCI-000803
MEDIUM
The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth).
Using a stronger hashing algorithm makes password cracking attacks more difficult.
SV-217899r505923_rule
RHEL-06-000063
CCI-000803
MEDIUM
The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs).
Using a stronger hashing algorithm makes password cracking attacks more difficult.
SV-217900r505923_rule
RHEL-06-000064
CCI-000803
MEDIUM
The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf).
Using a stronger hashing algorithm makes password cracking attacks more difficult.
SV-217901r505923_rule
RHEL-06-000065
CCI-000366
MEDIUM
The system boot loader configuration file(s) must be owned by root.
Only root should be able to modify important boot parameters.
SV-217902r505923_rule
RHEL-06-000066
CCI-000366
MEDIUM
The system boot loader configuration file(s) must be group-owned by root.
The "root" group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.
SV-217903r505923_rule
RHEL-06-000067
CCI-000366
MEDIUM
The system boot loader configuration file(s) must have mode 0600 or less permissive.
Proper permissions ensure that only the root user can modify important boot parameters.
SV-217904r505923_rule
RHEL-06-000068
CCI-000213
MEDIUM
The system boot loader must require authentication.
Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.
SV-217905r505923_rule
RHEL-06-000069
CCI-000213
MEDIUM
The system must require authentication upon booting into single-user and maintenance modes.
This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.
SV-217906r505923_rule
RHEL-06-000070
CCI-000213
MEDIUM
The system must not permit interactive boot.
Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security.
SV-217907r505923_rule
RHEL-06-000071
CCI-000057
LOW
The system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.
Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000163-GPOS-00072
SV-217911r505923_rule
RHEL-06-000080
CCI-000366
MEDIUM
The system must not send ICMPv4 redirects by default.
Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers.
SV-217912r505923_rule
RHEL-06-000081
CCI-000366
MEDIUM
The system must not send ICMPv4 redirects from any interface.
Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers.
SV-217913r505923_rule
RHEL-06-000082
CCI-000366
MEDIUM
IP forwarding for IPv4 must not be enabled, unless the system is a router.
IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.
SV-217914r505923_rule
RHEL-06-000083
CCI-000366
MEDIUM
The system must not accept IPv4 source-routed packets on any interface.
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
SV-217915r505923_rule
RHEL-06-000084
CCI-000366
MEDIUM
The system must not accept ICMPv4 redirect packets on any interface.
Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required.
SV-217916r505923_rule
RHEL-06-000086
CCI-000366
MEDIUM
The system must not accept ICMPv4 secure redirect packets on any interface.
Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.
SV-217917r505923_rule
RHEL-06-000088
CCI-000366
LOW
The system must log Martian packets.
The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.
SV-217918r505923_rule
RHEL-06-000089
CCI-000366
MEDIUM
The system must not accept IPv4 source-routed packets by default.
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
SV-217919r505923_rule
RHEL-06-000090
CCI-000366
MEDIUM
The system must not accept ICMPv4 secure redirect packets by default.
Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.
SV-217920r505923_rule
RHEL-06-000091
CCI-000366
LOW
The system must ignore ICMPv4 redirect messages by default.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
SV-217921r505923_rule
RHEL-06-000092
CCI-000366
LOW
The system must not respond to ICMPv4 sent to a broadcast address.
Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.
SV-217922r505923_rule
RHEL-06-000093
CCI-000366
LOW
The system must ignore ICMPv4 bogus error responses.
Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.
SV-217923r505923_rule
RHEL-06-000095
CCI-001095
MEDIUM
The system must be configured to use TCP syncookies when experiencing a TCP SYN flood.
A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.
SV-217924r505923_rule
RHEL-06-000096
CCI-000366
MEDIUM
The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.
Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.
SV-217925r505923_rule
RHEL-06-000097
CCI-000366
MEDIUM
The system must use a reverse-path filter for IPv4 network traffic when possible by default.
Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.
SV-217926r505923_rule
RHEL-06-000099
CCI-000366
MEDIUM
The system must ignore ICMPv6 redirects by default.
An illicit ICMP redirect message could result in a man-in-the-middle attack.
SV-217930r505923_rule
RHEL-06-000113
CCI-000366
MEDIUM
The system must employ a local IPv4 firewall.
The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP.
SV-217932r505923_rule
RHEL-06-000117
CCI-000366
MEDIUM
The operating system must prevent public IPv4 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.
The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP.
SV-217934r505923_rule
RHEL-06-000124
CCI-000382
MEDIUM
The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.
Disabling DCCP protects the system against exploitation of any flaws in its implementation.
SV-217935r505923_rule
RHEL-06-000125
CCI-000382
MEDIUM
The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
Disabling SCTP protects the system against exploitation of any flaws in its implementation.
SV-217936r505923_rule
RHEL-06-000126
CCI-000382
LOW
The Reliable Datagram Sockets (RDS) protocol must be disabled unless required.
Disabling RDS protects the system against exploitation of any flaws in its implementation.
SV-217937r505923_rule
RHEL-06-000127
CCI-000382
MEDIUM
The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required.
Disabling TIPC protects the system against exploitation of any flaws in its implementation.
SV-217938r505923_rule
RHEL-06-000133
CCI-001314
MEDIUM
All rsyslog-generated log files must be owned by root.
The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.
SV-217947r505923_rule
RHEL-06-000159
CCI-000366
MEDIUM
The system must retain enough rotated audit logs to cover the required log retention period.
The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.
SV-217948r505923_rule
RHEL-06-000160
CCI-000366
MEDIUM
The system must set a maximum audit log file size.
The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.
SV-217950r505923_rule
RHEL-06-000163
CCI-001855
MEDIUM
The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low.
Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur.
SV-217951r505923_rule
RHEL-06-000166
CCI-000169
LOW
The audit system must be configured to audit all attempts to alter system time through adjtimex.
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
SV-217952r505923_rule
RHEL-06-000167
CCI-000169
LOW
The audit system must be configured to audit all attempts to alter system time through settimeofday.
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
SV-217953r505923_rule
RHEL-06-000169
CCI-000169
LOW
The audit system must be configured to audit all attempts to alter system time through stime.
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
SV-217954r505923_rule
RHEL-06-000171
CCI-000169
LOW
The audit system must be configured to audit all attempts to alter system time through clock_settime.
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
SV-217955r505923_rule
RHEL-06-000173
CCI-000169
LOW
The audit system must be configured to audit all attempts to alter system time through /etc/localtime.
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
SV-217956r505923_rule
RHEL-06-000174
CCI-000018
LOW
The operating system must automatically audit account creation.
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
SV-217957r505923_rule
RHEL-06-000175
CCI-001403
LOW
The operating system must automatically audit account modification.
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
SV-217958r505923_rule
RHEL-06-000176
CCI-001404
LOW
The operating system must automatically audit account disabling actions.
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
SV-217959r505923_rule
RHEL-06-000177
CCI-001405
LOW
The operating system must automatically audit account termination.
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
SV-217960r505923_rule
RHEL-06-000182
CCI-000366
LOW
The audit system must be configured to audit modifications to the systems network configuration.
The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.
SV-217961r505923_rule
RHEL-06-000183
CCI-000366
LOW
The audit system must be configured to audit modifications to the systems Mandatory Access Control (MAC) configuration (SELinux).
The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.
SV-217962r505923_rule
RHEL-06-000184
CCI-000172
LOW
The audit system must be configured to audit all discretionary access control permission modifications using chmod.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
SV-217963r505923_rule
RHEL-06-000185
CCI-000172
LOW
The audit system must be configured to audit all discretionary access control permission modifications using chown.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
SV-217964r505923_rule
RHEL-06-000186
CCI-000172
LOW
The audit system must be configured to audit all discretionary access control permission modifications using fchmod.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
SV-217965r505923_rule
RHEL-06-000187
CCI-000172
LOW
The audit system must be configured to audit all discretionary access control permission modifications using fchmodat.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
SV-217966r505923_rule
RHEL-06-000188
CCI-000172
LOW
The audit system must be configured to audit all discretionary access control permission modifications using fchown.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
SV-217967r505923_rule
RHEL-06-000189
CCI-000172
LOW
The audit system must be configured to audit all discretionary access control permission modifications using fchownat.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
SV-217968r505923_rule
RHEL-06-000190
CCI-000172
LOW
The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
SV-217969r505923_rule
RHEL-06-000191
CCI-000172
LOW
The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
SV-217970r505923_rule
RHEL-06-000192
CCI-000172
LOW
The audit system must be configured to audit all discretionary access control permission modifications using lchown.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
SV-217971r505923_rule
RHEL-06-000193
CCI-000172
LOW
The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
SV-217972r505923_rule
RHEL-06-000194
CCI-000172
LOW
The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
SV-217973r505923_rule
RHEL-06-000195
CCI-000172
LOW
The audit system must be configured to audit all discretionary access control permission modifications using removexattr.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
SV-217974r505923_rule
RHEL-06-000196
CCI-000172
LOW
The audit system must be configured to audit all discretionary access control permission modifications using setxattr.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
SV-217975r505923_rule
RHEL-06-000197
CCI-000172
LOW
The audit system must be configured to audit failed attempts to access files and programs.
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
SV-217977r505923_rule
RHEL-06-000199
CCI-000172
LOW
The audit system must be configured to audit successful file system mounts.
The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.
SV-217978r505923_rule
RHEL-06-000200
CCI-000172
LOW
The audit system must be configured to audit user deletions of files and programs.
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.
SV-217979r505923_rule
RHEL-06-000201
CCI-000172
LOW
The audit system must be configured to audit changes to the /etc/sudoers file.
The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes.
SV-217980r505923_rule
RHEL-06-000202
CCI-000172
MEDIUM
The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.
SV-217981r505923_rule
RHEL-06-000203
CCI-000382
MEDIUM
The xinetd service must be disabled if no network services utilizing it are enabled.
The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself.
SV-217982r505923_rule
RHEL-06-000204
CCI-000382
LOW
The xinetd service must be uninstalled if no network services utilizing it are enabled.
Removing the "xinetd" package decreases the risk of the xinetd service's accidental (or intentional) activation.
SV-217983r505923_rule
RHEL-06-000206
CCI-000381
HIGH
The telnet-server package must not be installed.
Removing the "telnet-server" package decreases the risk of the unencrypted telnet service's accidental (or intentional) activation.
Mitigation: If the telnet-server package is configured to only allow encrypted sessions, such as with Kerberos or the use of encrypted network tunnels, the risk of exposing sensitive information is mitigated.
SV-217984r505923_rule
RHEL-06-000211
CCI-000381
HIGH
The telnet daemon must not be running.
The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks.
Mitigation: If an enabled telnet daemon is configured to only allow encrypted sessions, such as with Kerberos or the use of encrypted network tunnels, the risk of exposing sensitive information is mitigated.
SV-217985r505923_rule
RHEL-06-000213
CCI-000381
HIGH
The rsh-server package must not be installed.
The "rsh-server" package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation.
SV-217986r505923_rule
RHEL-06-000214
CCI-000068
HIGH
The rshd service must not be running.
The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
SV-217987r505923_rule
RHEL-06-000216
CCI-000068
HIGH
The rexecd service must not be running.
The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
SV-217988r505923_rule
RHEL-06-000218
CCI-000381
HIGH
The rlogind service must not be running.
The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
SV-217989r505923_rule
RHEL-06-000220
CCI-000381
MEDIUM
The ypserv package must not be installed.
Removing the "ypserv" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.
SV-217990r505923_rule
RHEL-06-000221
CCI-000382
MEDIUM
The ypbind service must not be running.
Disabling the "ypbind" service ensures the system is not acting as a client in a NIS or NIS+ domain.
SV-217991r505923_rule
RHEL-06-000222
CCI-000381
MEDIUM
The tftp-server package must not be installed unless required.
Removing the "tftp-server" package decreases the risk of the accidental (or intentional) activation of tftp services.
SV-217993r505923_rule
RHEL-06-000224
CCI-000366
MEDIUM
The cron service must be running.
Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.
SV-217994r505923_rule
RHEL-06-000227
CCI-001941
HIGH
The SSH daemon must be configured to use only the SSHv2 protocol.
SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used.
SV-217996r505923_rule
RHEL-06-000230
CCI-001133
LOW
The SSH daemon must set a timeout interval on idle sessions.
Causing idle users to be automatically logged out guards against compromises one system leading trivially to compromises on another.
SV-217997r505923_rule
RHEL-06-000231
CCI-000879
LOW
The SSH daemon must set a timeout count on idle sessions.
This ensures a user login will be terminated as soon as the "ClientAliveCountMax" is reached.
SV-217998r505923_rule
RHEL-06-000234
CCI-000766
MEDIUM
The SSH daemon must ignore .rhosts files.
SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.
SV-217999r505923_rule
RHEL-06-000236
CCI-000766
MEDIUM
The SSH daemon must not allow host-based authentication.
SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.
SV-218000r505923_rule
RHEL-06-000237
CCI-000770
MEDIUM
The system must not permit root logins using remote access programs such as ssh.
Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on root's password.
SV-218001r505923_rule
RHEL-06-000239
CCI-000766
HIGH
The SSH daemon must not allow authentication using an empty password.
Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.
SV-218002r505923_rule
RHEL-06-000240
CCI-000048
MEDIUM
The SSH daemon must be configured with the Department of Defense (DoD) login banner.
The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.
SV-218003r505923_rule
RHEL-06-000241
CCI-001414
LOW
The SSH daemon must not permit user environment settings.
SSH environment options potentially allow users to bypass access restriction in some configurations.
SV-218006r505923_rule
RHEL-06-000246
CCI-000381
LOW
The avahi service must be disabled.
Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted.
SV-218007r505923_rule
RHEL-06-000247
CCI-001891
MEDIUM
The system clock must be synchronized continuously, or at least daily.
Enabling the "ntpd" service ensures that the "ntpd" service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches.
SV-218008r505923_rule
RHEL-06-000248
CCI-001891
MEDIUM
The system clock must be synchronized to an authoritative DoD time source.
Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events. Using a trusted NTP server provided by your organization is recommended.
SV-218009r505923_rule
RHEL-06-000249
CCI-000382
MEDIUM
Mail relaying must be restricted.
This ensures "postfix" accepts mail messages (such as cron job reports) from the local system only, and not from the network, which protects it from network attack.
SV-218010r505923_rule
RHEL-06-000256
CCI-000381
LOW
The openldap-servers package must not be installed unless required.
Unnecessary packages should not be installed to decrease the attack surface of the system.
SV-218011r505923_rule
RHEL-06-000257
CCI-000057
MEDIUM
The graphical desktop environment must set the idle timeout to no more than 15 minutes.
Setting the idle delay controls when the screensaver will start, and can be combined with screen locking to prevent access from passersby.
SV-218012r505923_rule
RHEL-06-000258
CCI-000057
MEDIUM
The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user reauthentication to unlock the environment.
Enabling idle activation of the screen saver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require the login session does not have administrator rights and the display station is located in a controlled-access area.
SV-218013r505923_rule
RHEL-06-000259
CCI-000057
MEDIUM
The graphical desktop environment must have automatic lock enabled.
Enabling the activation of the screen lock after an idle period ensures password entry will be required in order to access the system, preventing access by passersby.
SV-218014r505923_rule
RHEL-06-000260
CCI-000060
LOW
The system must display a publicly-viewable pattern during a graphical desktop environment session lock.
Setting the screensaver mode to blank-only conceals the contents of the display from passersby.
SV-218015r505923_rule
RHEL-06-000261
CCI-000382
LOW
The Automatic Bug Reporting Tool (abrtd) service must not be running.
Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the local machine, as well as sensitive information from within a process's address space or registers.
SV-218016r505923_rule
RHEL-06-000262
CCI-000382
LOW
The atd service must be disabled.
The "atd" service could be used by an unsophisticated insider to carry out activities outside of a normal login session, which could complicate accountability. Furthermore, the need to schedule tasks with "at" or "batch" is not common.
SV-218017r505923_rule
RHEL-06-000265
CCI-000382
LOW
The ntpdate service must not be running.
The "ntpdate" service may only be suitable for systems which are rebooted frequently enough that clock drift does not cause problems between reboots. In any event, the functionality of the ntpdate service is now available in the ntpd program and should be considered deprecated.
SV-218018r505923_rule
RHEL-06-000266
CCI-000382
LOW
The oddjobd service must not be running.
The "oddjobd" service may provide necessary functionality in some environments but it can be disabled if it is not needed. Execution of tasks by privileged programs, on behalf of unprivileged ones, has traditionally been a source of privilege escalation security issues.
SV-218019r505923_rule
RHEL-06-000267
CCI-000382
LOW
The qpidd service must not be running.
The qpidd service is automatically installed when the "base" package selection is selected during installation. The qpidd service listens for network connections which increases the attack surface of the system. If the system is not intended to receive AMQP traffic then the "qpidd" service is not needed and should be disabled or removed.
SV-218020r505923_rule
RHEL-06-000268
CCI-000382
LOW
The rdisc service must not be running.
General-purpose systems typically have their network and routing information configured statically by a system administrator. Workstations or some special-purpose systems often use DHCP (instead of IRDP) to retrieve dynamic network configuration information.
SV-218024r505923_rule
RHEL-06-000272
CCI-000366
LOW
The system must use SMB client signing for connecting to samba servers using smbclient.
Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.
SV-218026r505923_rule
RHEL-06-000274
CCI-000200
MEDIUM
The system must prohibit the reuse of passwords within five iterations.
Preventing reuse of previous passwords helps ensure that a compromised password is not reused by a user.
SV-218036r505923_rule
RHEL-06-000286
CCI-000366
HIGH
The x86 Ctrl-Alt-Delete key sequence must be disabled.
A locally logged-in user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.
SV-218037r505923_rule
RHEL-06-000287
CCI-000366
LOW
The postfix service must be enabled for mail delivery.
Local mail delivery is essential to some system maintenance and notification tasks.
SV-218038r505923_rule
RHEL-06-000288
CCI-000381
MEDIUM
The sendmail package must be removed.
The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead.
SV-218039r505923_rule
RHEL-06-000289
CCI-000382
LOW
The netconsole service must be disabled unless required.
The "netconsole" service is not necessary unless there is a need to debug kernel panics, which is not common.
SV-218040r505923_rule
RHEL-06-000290
CCI-000381
MEDIUM
X Windows must not be enabled unless required.
Unnecessary services should be disabled to decrease the attack surface of the system.
SV-218041r505923_rule
RHEL-06-000291
CCI-000381
LOW
The xorg-x11-server-common (X Windows) package must not be installed, unless required.
Unnecessary packages should not be installed to decrease the attack surface of the system.
SV-218042r505923_rule
RHEL-06-000292
CCI-000381
MEDIUM
The DHCP client must be disabled if not needed.
DHCP relies on trusting the local network. If the local network is not trusted, then it should not be used. However, the automatic configuration provided by DHCP is commonly used and the alternative, manual configuration, presents an unacceptable burden in many circumstances.
SV-218047r505923_rule
RHEL-06-000299
CCI-000366
LOW
The system must require passwords to contain no more than three consecutive repeating characters.
Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.
SV-218054r505923_rule
RHEL-06-000308
CCI-000366
LOW
Process core dumps must be disabled unless needed.
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
SV-218055r505923_rule
RHEL-06-000309
CCI-000764
HIGH
The NFS server must not have the insecure file locking option enabled.
Allowing insecure file locking could allow for sensitive data to be viewed or edited by an unauthorized user.
SV-218057r505923_rule
RHEL-06-000313
CCI-000139
MEDIUM
The audit system must identify staff members to receive notifications of audit log storage volume capacity issues.
Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.
SV-218059r505923_rule
RHEL-06-000319
CCI-000054
LOW
The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.
Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions.
SV-218061r505923_rule
RHEL-06-000321
CCI-000366
LOW
The system must provide VPN connectivity for communications over untrusted networks.
Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network.
SV-218062r505923_rule
RHEL-06-000324
CCI-000050
MEDIUM
A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.
SV-218064r505923_rule
RHEL-06-000331
CCI-000381
MEDIUM
The Bluetooth service must be disabled.
Disabling the "bluetooth" service prevents the system from attempting connections to Bluetooth devices, which entails some security risk. Nevertheless, variation in this risk decision may be expected due to the utility of Bluetooth connectivity and its limited range.
SV-218065r505923_rule
RHEL-06-000334
CCI-000017
LOW
Accounts must be locked upon 35 days of inactivity.
Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.
SV-218066r505923_rule
RHEL-06-000335
CCI-000795
LOW
The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization defined time period of inactivity.
Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.
SV-218069r505923_rule
RHEL-06-000338
CCI-000366
HIGH
The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system.
Using the "-s" option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally specified directory reduces the risk of sharing files which should remain private.
SV-218073r505923_rule
RHEL-06-000342
CCI-000366
LOW
The system default umask for the bash shell must be 077.
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.
SV-218074r505923_rule
RHEL-06-000343
CCI-000366
LOW
The system default umask for the csh shell must be 077.
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.
SV-218075r505923_rule
RHEL-06-000344
CCI-000366
LOW
The system default umask in /etc/profile must be 077.
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.
SV-218076r505923_rule
RHEL-06-000345
CCI-000366
LOW
The system default umask in /etc/login.defs must be 077.
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.
SV-218077r505923_rule
RHEL-06-000346
CCI-000366
LOW
The system default umask for daemons must be 027 or 022.
The umask influences the permissions assigned to files created by a process at run time. An unnecessarily permissive umask could result in files being created with insecure permissions.
SV-218081r505923_rule
RHEL-06-000356
CCI-000047
MEDIUM
The system must require administrator action to unlock an account locked by excessive failed login attempts.
Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations.
SV-218082r505923_rule
RHEL-06-000357
CCI-002238
MEDIUM
The system must disable accounts after excessive login failures within a 15-minute interval.
Locking out user accounts after a number of incorrect attempts within a specific period of time prevents direct password guessing attacks.
SV-218083r505923_rule
RHEL-06-000372
CCI-000366
MEDIUM
The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access.
Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.
SV-218084r505923_rule
RHEL-06-000383
CCI-000163
MEDIUM
Audit log files must have mode 0640 or less permissive.
If users can write to audit logs, audit trails can be modified or destroyed.
SV-218085r505923_rule
RHEL-06-000384
CCI-000162
MEDIUM
Audit log files must be owned by root.
If non-privileged users can write to audit logs, audit trails can be modified or destroyed.
SV-218087r505923_rule
RHEL-06-000503
CCI-000366
MEDIUM
The operating system must enforce requirements for the connection of mobile devices to operating systems.
USB storage devices such as thumb drives can be used to introduce unauthorized software and other vulnerabilities. Support for these devices should be disabled and the devices themselves should be tightly controlled.
SV-218103r505923_rule
RHEL-06-000525
CCI-000169
LOW
Auditing must be enabled at boot by setting a kernel parameter.
Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although "auditd" takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.
SV-218104r505923_rule
RHEL-06-000526
CCI-000366
LOW
Automated file system mounting tools must not be enabled unless needed.
All filesystems that are required for the successful operation of the system should be explicitly listed in "/etc/fstab" by an administrator. New filesystems should not be arbitrarily introduced via the automounter.
The "autofs" daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as "/misc/cd". However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it is almost always possible to configure filesystem mounts statically by editing "/etc/fstab" rather than relying on the automounter.
SV-218108r505923_rule
RHEL-06-000530
CCI-001764
LOW
The Red Hat Enterprise Linux operating system must mount /dev/shm with the nodev option.
The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
SV-218109r505923_rule
RHEL-06-000531
CCI-001764
LOW
The Red Hat Enterprise Linux operating system must mount /dev/shm with the nosuid option.
The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
SV-218110r505923_rule
RHEL-06-000532
CCI-001764
LOW
The Red Hat Enterprise Linux operating system must mount /dev/shm with the noexec option.
The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
Overview
RMF Control
Vuln Id
Rule Id
Version
CCI
Severity
Description
Details
Check Text ()
Fix Text ()
Feedback
Thank you so much for spending time on this site. We are always seeking feedback for suggestions or feature requests. Please let us know if there is anything you'd like to see added to the site.