Check the /etc/gshadow file is owned by root.
# ls -l /etc/gshadow
If the file is not owned by root, this is a finding.

Change the owner of the /etc/gshadow file to root.
# chown root /etc/gshadow

Check the /etc/gshadow file is group-owned by root.
# ls -l /etc/gshadow
If the file is not group-owned by root, this is a finding.

Change the group-owner of the /etc/gshadow file to root.
# chgrp root /etc/gshadow

Check the mode of the /etc/gshadow file.
# ls -l /etc/gshadow
If the file mode is more permissive than 0400, this is a finding.

Change the mode of the /etc/gshadow file to 0400 or less permissive.
# chmod 0400 /etc/gshadow

Check /etc/gshadow has no extended ACL.
# ls -l /etc/gshadow
If the permissions include a '+', the file has an extended ACL. If the file has an extended ACL and it has not been documented with the IAO, this is a finding.

Remove the extended ACL from the file.
# setfacl --remove-all /etc/gshadow

Check the /etc/gshadow file for password hashes.
# cut -d : -f 2 /etc/gshadow | egrep -v '^(x|!!)$'
If any password hashes are returned, this is a finding.

Edit /etc/gshadow and change the password field to an exclamation point (!) to lock the group password.
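The five /etc/gshadow checks above (owner, group, mode, extended ACL, password hashes) as one scripted audit, added here as an example and not part of the STIG text. It assumes GNU coreutils (stat -c) as shipped with Oracle Linux, and it treats a single "!" (the value the fix above writes) as a locked password as well as the "x" and "!!" the STIG's grep exempts.

```shell
# mode_too_permissive MODE MAXMODE -> true when MODE sets a permission bit that MAXMODE
# does not (the STIG's "more permissive than" test). Both are octal strings as printed
# by "stat -c %a" or written in the STIG (640, 0400); the leading 0 forces octal arithmetic.
mode_too_permissive() {
    [ $(( 0$1 & ~0$2 )) -ne 0 ]
}

# audit_file FILE OWNER GROUP MAXMODE -> prints one FINDING line per violated requirement
# and returns the number of findings (0 = compliant).
audit_file() {
    f=$1; want_owner=$2; want_group=$3; max_mode=$4; findings=0
    if [ ! -e "$f" ]; then
        echo "FINDING: $f does not exist"; return 1
    fi
    owner=$(stat -c %U "$f"); group=$(stat -c %G "$f"); mode=$(stat -c %a "$f")
    [ "$owner" = "$want_owner" ] || {
        echo "FINDING: $f is owned by $owner, expected $want_owner (chown $want_owner $f)"
        findings=$((findings + 1)); }
    [ "$group" = "$want_group" ] || {
        echo "FINDING: $f is group-owned by $group, expected $want_group (chgrp $want_group $f)"
        findings=$((findings + 1)); }
    if mode_too_permissive "$mode" "$max_mode"; then
        echo "FINDING: $f has mode $mode, more permissive than $max_mode (chmod $max_mode $f)"
        findings=$((findings + 1))
    fi
    # ls -l marks an extended ACL with a '+' in column 11, right after the permission bits
    case $(ls -l "$f" | cut -c11) in
        +) echo "FINDING: $f has an extended ACL (document with the IAO or setfacl --remove-all)"
           findings=$((findings + 1)) ;;
    esac
    return $findings
}

# gshadow_hashes FILE -> prints the names of groups whose password field holds a hash,
# i.e. anything other than x, !, !! or an empty field.
gshadow_hashes() {
    awk -F: '$2 != "x" && $2 != "!" && $2 != "!!" && $2 != "" { print $1 }' "$1"
}

# --- demonstration on a constructed gshadow copy (not a real system file) ---
demo_dir=$(mktemp -d)
printf 'root:::root\nwheel:!!::alice\nstaff:$6$abc$notarealhash::bob\nlocked:!::carol\n' \
    > "$demo_dir/gshadow"
chmod 0640 "$demo_dir/gshadow"
echo "groups with a password hash: $(gshadow_hashes "$demo_dir/gshadow")"   # staff
# Owner/group are those of the current user here; on a live system pass root root 0400.
audit_file "$demo_dir/gshadow" "$(stat -c %U "$demo_dir/gshadow")" \
    "$(stat -c %G "$demo_dir/gshadow")" 0400 || echo "findings: $?"          # 1 (mode 640)
rm -rf "$demo_dir"
```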
Perform the following to check for unnecessary privileged accounts:
# grep "^shutdown" /etc/passwd
# grep "^halt" /etc/passwd
# grep "^reboot" /etc/passwd
If any unnecessary privileged accounts exist, this is a finding.

Remove any special privilege accounts, such as shutdown and halt, from the /etc/passwd and /etc/shadow files using the "userdel" or "system-config-users" commands.
Verify the options of the running Xwindows server are correct.
Procedure: Get the running X server information:
# ps -ef | grep X
If the response contains /usr/bin/Xorg:0, e.g.:
/usr/bin/Xorg:0 -br -audit 0 -auth /var/gdm/:0.Xauth -nolisten tcp vt7
this indicates Xorg was started through gdm. This is the default on this version of the operating system. Examine the Xorg line:
If the "-auth" option is missing, this is a finding.
If the "-audit" option is missing or not set to 4, this is a finding.
If the "-s" option is missing or greater than 15, this is a finding.
If the response to the grep contains X:0, e.g.:
/usr/bin/X:0
this indicates the X server was started with the xinit command with no associated .xserverrc in the home directory of the user. No options are selected by default. This is a finding.
Otherwise, if there are options on the X:0 line:
If the "-auth" option is missing, this is a finding.
If the "-audit" option is missing or not set to 4, this is a finding.
If the "-s" option is missing or greater than 15, this is a finding.

Enable the following options: -audit (at level 4), -auth and -s with 15 minutes as the timeout value.
Procedure for gdm: Edit /etc/gdm/custom.conf and add the following:
[server-Standard]
name=Standard server
command=/usr/bin/Xorg -br -audit 4 -s 15
chooser=false
handled=true
flexible=true
priority=0
Procedure for xinit: Edit or create a .xserverrc file in the user's home directory containing the startup script for xinit. This script must have an exec line with at least these options:
exec /usr/bin/X -audit 4 -s 15 -auth <Xauth file> &
The <Xauth file> is created using the "xauth" command and is customarily located in the user's home directory with the name ".Xauthority".

If the "xorg-x11-server-Xorg" package is not installed, this is not applicable.
Verify the options of the running Xwindows server are correct.
Procedure: Get the running X server information:
# ps -ef | grep X
If the response contains /usr/bin/Xorg:0, e.g.:
/usr/bin/Xorg:0 -br -audit 0 -auth /var/gdm/:0.Xauth -nolisten tcp vt7
this indicates Xorg was started through gdm. This is the default window manager on this version of the operating system.
If the "-ac" option is found, this is a finding.
If the "-core" option is found, this is a finding.
If the "-nolock" option is found, this is a finding.
If the response to the grep contains X:0, e.g.:
/usr/bin/X:0
examine the X:0 line:
If the "-ac" option is found, this is a finding.
If the "-core" option is found, this is a finding.
If the "-nolock" option is found, this is a finding.

Disable the unwanted options.
Procedure:
For gdm: Remove the -ac, -core and -nolock options by creating a "command" entry in the /etc/gdm/custom.conf file with the options removed.
For Xwindows started by xinit: Create or modify the .xserverrc script in the user's home directory to remove the -ac, -core and -nolock options from the exec /usr/bin/X command.
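The two X server checks above (required -auth, -audit 4 and -s at most 15; forbidden -ac, -core and -nolock) applied to a process command line, added here as an example and not part of the STIG text. The function names and the constructed ps output are assumptions; on a live system feed it the "ps -eo args=" line for Xorg or X.

```shell
# check_xserver_args ARG... -> prints one FINDING per violated requirement and returns
# the number of findings (0 = compliant). ARGs are the X server's options, as ps shows them.
check_xserver_args() {
    has_auth=0; audit=""; screensave=""; findings=0
    while [ $# -gt 0 ]; do
        case $1 in
            -auth)  has_auth=1;   if [ $# -gt 1 ]; then shift; fi ;;   # skip the Xauth path
            -audit) audit=$2;     if [ $# -gt 1 ]; then shift; fi ;;   # take the audit level
            -s)     screensave=$2; if [ $# -gt 1 ]; then shift; fi ;;  # take the timeout
            -ac|-core|-nolock)
                echo "FINDING: option $1 must not be used"
                findings=$((findings + 1)) ;;
        esac
        shift
    done
    [ "$has_auth" -eq 1 ] || {
        echo "FINDING: -auth option missing"; findings=$((findings + 1)); }
    [ "$audit" = 4 ] || {
        echo "FINDING: -audit missing or not 4 (found '${audit:-none}')"
        findings=$((findings + 1)); }
    case $screensave in
        ''|*[!0-9]*) echo "FINDING: -s missing or not numeric (found '${screensave:-none}')"
                     findings=$((findings + 1)) ;;
        *) [ "$screensave" -le 15 ] || {
               echo "FINDING: -s $screensave exceeds 15"; findings=$((findings + 1)); } ;;
    esac
    return $findings
}

# check_xserver_line "COMMAND LINE" -> splits a ps args line into words and checks it;
# the first word is the server binary and is ignored by the option scan.
check_xserver_line() {
    set -- $1
    shift
    check_xserver_args "$@"
}

# check_running_xserver -> checks every Xorg/X process actually running on this host
check_running_xserver() {
    total=0
    ps -eo args= | grep -E '^/usr/bin/(Xorg|X)( |$)' | while read -r line; do
        echo "== $line"
        check_xserver_line "$line" || total=$((total + $?))
    done
}

# --- demonstration on constructed ps output (not captured from a real system) ---
# The gdm default quoted in the STIG: audit level 0 and no -s -> two findings.
check_xserver_line "/usr/bin/Xorg :0 -br -audit 0 -auth /var/gdm/:0.Xauth -nolisten tcp vt7" \
    || echo "gdm default: $? finding(s)"
# The line produced by the custom.conf fix above -> compliant.
check_xserver_line "/usr/bin/Xorg :0 -br -audit 4 -s 15 -auth /var/gdm/:0.Xauth -nolisten tcp vt7" \
    && echo "fixed gdm: compliant"
# xinit with no .xserverrc: no options at all -> three findings.
check_xserver_line "/usr/bin/X :0" || echo "bare xinit: $? finding(s)"
```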
Check access configuration ownership:
# ls -lL /etc/security/access.conf
If this file exists and is not owned by root, this is a finding.

Follow the correct configuration parameters for the access configuration file. Use the chown command to configure it properly (for example: # chown root /etc/security/access.conf).

Check access configuration group ownership:
# ls -lL /etc/security/access.conf
If this file exists and has a group-owner that is not a privileged user, this is a finding.

Use the chgrp command to ensure the group owner is root, sys, or bin (for example: # chgrp root /etc/security/access.conf).

Check access configuration mode:
# ls -lL /etc/security/access.conf
If this file exists and has a mode more permissive than 0640, this is a finding.

Use the chmod command to set the permissions to 0640 (for example: # chmod 0640 /etc/security/access.conf).

Check the permissions of the file.
# ls -lL /etc/security/access.conf
If the permissions of the file or directory contain a '+', an extended ACL is present. If the file has an extended ACL and it has not been documented with the IAO, this is a finding.

Remove the extended ACL from the file.
# setfacl --remove-all /etc/security/access.conf

Check /etc/sysctl.conf ownership.
# ls -lL /etc/sysctl.conf
If /etc/sysctl.conf is not owned by root, this is a finding.

Use the chown command to change the owner of /etc/sysctl.conf to root:
# chown root /etc/sysctl.conf

Check /etc/sysctl.conf group ownership:
# ls -lL /etc/sysctl.conf
If /etc/sysctl.conf is not group-owned by root, this is a finding.

Use the chgrp command to change the group owner of /etc/sysctl.conf to root:
# chgrp root /etc/sysctl.conf

Check /etc/sysctl.conf permissions:
# ls -lL /etc/sysctl.conf
If /etc/sysctl.conf has a mode more permissive than 0600, this is a finding.

Use the chmod command to change the mode of the /etc/sysctl.conf file.
# chmod 0600 /etc/sysctl.conf

Check the permissions of the file.
# ls -lL /etc/sysctl.conf
If the permissions of the file or directory contain a '+', an extended ACL is present. If the file has an extended ACL and it has not been documented with the IAO, this is a finding.

Remove the extended ACL from the file.
# setfacl --remove-all /etc/sysctl.conf
Determine if an NFS server is running on the system by:
# ps -ef | grep nfsd
If an NFS server is running, confirm it is not configured with the insecure_locks option by:
# exportfs -v
The example below would be a finding:
/misc/export speedy.example.com(rw,insecure_locks)

Remove the "insecure_locks" option from all NFS exports on the system.
Procedure: Edit /etc/exports and remove all instances of the insecure_locks option. Re-export the file systems to make the setting take effect.
# exportfs -a

Verify that reboot using the CTRL-ALT-DELETE key sequence has been disabled by performing:
# grep ctrlaltdel /etc/inittab
If the line returned does not specify "/usr/bin/logger", or is not commented out, this is a finding.

Ensure the CTRL-ALT-DELETE key sequence has been disabled and attempts to use the sequence are logged. In the /etc/inittab file replace:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
with
ca:nil:ctrlaltdel:/usr/bin/logger -p security.info "Ctrl-Alt-Del was pressed"
Once this change has been made, execute the following command to force the "init" daemon to re-read /etc/inittab:
# telinit q

Ensure the pam_console.so module is not configured in any files in /etc/pam.d by:
# cd /etc/pam.d
# grep pam_console.so *
Or
# ls -la /etc/security/console.perms
If either the pam_console.so entry or the file /etc/security/console.perms is found, this is a finding.

Configure PAM to not grant sole access of administrative privileges to the first user logged in at the console. Identify any instances of pam_console.
# cd /etc/pam.d
# grep pam_console.so *
For any files containing an un-commented reference to pam_console.so, edit the file and remove or comment out the reference. Remove the console.perms file if it exists:
# rm /etc/security/console.perms
Check /etc/securetty group ownership:
# ls -lL /etc/securetty
If /etc/securetty is not group-owned by root, sys, or bin, this is a finding.

Change the group-owner of /etc/securetty to root, sys, or bin. Example:
# chgrp root /etc/securetty

Check /etc/securetty ownership. Procedure:
# ls -lL /etc/securetty
If /etc/securetty is not owned by root, this is a finding.

Change the owner of the /etc/securetty file to root. Procedure:
# chown root /etc/securetty

Check /etc/securetty permissions. Procedure:
# ls -lL /etc/securetty
If /etc/securetty has a mode more permissive than 0600, this is a finding.

Change the mode of the /etc/securetty file to 0600. Procedure:
# chmod 0600 /etc/securetty

Check for the audit=1 kernel parameter.
# grep 'audit=1' /proc/cmdline
If no results are returned, this is a finding.

Edit the grub bootloader file /boot/grub/grub.conf or /boot/grub/menu.lst by appending the "audit=1" parameter to the kernel boot line. Reboot the system for the change to take effect.

Check if SELinux is enabled with at least a "targeted" policy.
# grep ^SELINUX /etc/sysconfig/selinux
If the SELINUX option is not set to "enforcing", this is a finding. If the SELINUXTYPE option is not set to "targeted" or "strict", this is a finding. If the use of the system is incompatible with the confines of SELinux, this rule may be waived.

Enable one of the SELinux policies. Edit /etc/sysconfig/selinux and set the value of the SELINUX option to "enforcing" and SELINUXTYPE to "targeted" or "strict". Restart the system.

Check if the system requires a password for entering single-user mode.
# grep ':S:' /etc/inittab
If /sbin/sulogin is not listed, this is a finding.

Edit /etc/inittab and set sulogin to run in single-user mode. Example line in /etc/inittab:
~:S:wait:/sbin/sulogin
Note: The first field in the /etc/inittab line may be any sequence of 1-4 characters.
Check the version of the operating system. Example:
# cat /etc/oracle-release
Vendor End-of-Support Information: Oracle Linux 5 premier support ends in March 2017, but sustaining support continues indefinitely. For more information, see the Oracle Lifetime Support Policy for Oracle Linux at: http://www.oracle.com/us/support/library/elsp-lifetime-069338.pdf. Check with the vendor for additional information.
If the version installed is not supported, this is a finding.

Upgrade to a supported version of the operating system.

Obtain the list of available package security updates from the operating system vendor. Check that the available package security updates have been installed on the system. Use the "rpm" command to list the packages installed on the system, most recently installed first. Example:
# rpm -qa --last
If updated packages are available and applicable to the system and have not been installed, this is a finding.
For more information, see: (1) http://linux.oracle.com/errata/ and (2) http://linux.oracle.com/cve/.

Install the patches or updated packages available from the vendor.
Verify a system integrity baseline exists. The Advanced Intrusion Detection Environment (AIDE) tool is included with the operating system. Other host intrusion detection system (HIDS) software is available but must be checked manually.
Procedure:
# grep DBDIR /etc/aide.conf
If /etc/aide.conf does not exist, AIDE has not been installed. Unless another HIDS is used on the system, this is a finding.
Examine the response for "database"; this indicates the location of the system integrity baseline database used as input to a comparison.
# ls -la <DBDIR>
If no "database" file as defined in /etc/aide.conf exists, a system integrity baseline has not been created and this is a finding.
Examine /etc/aide.conf to ensure some form of cryptographic hash (i.e., md5, rmd160, sha256) is used for files. In the default /etc/aide.conf the "NORMAL" or "LSPP" rules, which are used for virtually all files, DO include some form of cryptographic hash. If the site has defined rules to replace the functionality provided by the default "NORMAL" and "LSPP" rules but these DO NOT include cryptographic hashes, this is a finding. Otherwise, if any element used to define the "NORMAL" and "LSPP" rules has been modified so that cryptographic hashes are no longer used, this is a finding. If any other modification to the default /etc/aide.conf file has been made resulting in rules which do not include cryptographic hashes on appropriate files, this is a finding.

Use AIDE to create a file integrity baseline, including cryptographic hashes, for the system. Configure the /etc/aide.conf file to ensure some form of cryptographic hash (e.g., md5, rmd160, sha256) is used for files. In the default /etc/aide.conf the "NORMAL" or "LSPP" rules, which are used for virtually all files, DO include some form of cryptographic hash.

Verify a system integrity baseline is maintained, i.e., the baseline has been updated to be consistent with the latest approved system configuration changes. The Advanced Intrusion Detection Environment (AIDE) tool is included with the operating system. Other host intrusion detection system (HIDS) software is available but must be checked manually.
Procedure:
# grep DBDIR /etc/aide.conf
If /etc/aide.conf does not exist, AIDE has not been installed. Unless another HIDS is used on the system, this is a finding.
Examine the response for "database"; this indicates the location of the system integrity baseline database used as input to a comparison.
# ls -la <DBDIR>
If no "database" file as defined in /etc/aide.conf exists, a system integrity baseline has not been created and this is a finding.
Ask the SA when the last approved system configuration changes occurred. If the modification date of the AIDE database is prior to the last approved configuration change, this is a finding.

Regularly rebuild the integrity baseline, including cryptographic hashes, for the system to be consistent with the latest approved system configuration.
Procedure: After an approved modification to the system configuration has been made, perform:
# aide -u
This will update the database.

Check for the presence of aide on the system:
# rpm -qa | grep aide
If aide is not installed, ask the SA what file integrity tool is being used to check the system.
If aide is installed, check the global crontabs for the presence of an "aide" job that runs at least weekly. Otherwise, check for the presence of a cron job that runs the alternate file integrity checking application.
# grep aide /etc/cron*/*
If a tool is being run, the configuration file for that tool needs to be checked for selection lines covering /bin, /sbin, /lib, and /usr.
Procedure: Check the root crontab (crontab -l) and the global crontabs in /etc/crontab and /etc/cron.d/* for the presence of an "aide" job that runs at least weekly, which should have asterisks (*) in columns 3, 4, and 5. Check the weekly cron directory (/etc/cron.weekly) for any script running "aide --check", "aide -C", or simply "aide". If there is none, this is a finding.
NOTE: The frequency may be increased to daily, if necessary, in accordance with the contingency plan.

Establish an automated job, scheduled to run weekly or more frequently, to run "aide --check", the file integrity tool, to check for unauthorized system libraries or binaries.
NOTE: The frequency may be increased to daily, if necessary, in accordance with the contingency plan.
Check if NTP is running:
# ps -ef | egrep "xntpd|ntpd"
Check if "ntpd -qg" is scheduled to run:
# grep "ntpd -qg" /var/spool/cron/*
# grep "ntpd -qg" /etc/cron.d/*
# grep "ntpd -qg" /etc/cron.daily/*
# grep "ntpd -qg" /etc/cron.hourly/*
# grep "ntpd -qg" /etc/cron.monthly/*
# grep "ntpd -qg" /etc/cron.weekly/*
If NTP is running or "ntpd -qg" is found:
# more /etc/ntp.conf
Confirm the timeservers and peers or multicast client (as applicable) are local or authoritative U.S. DoD sources appropriate for the level of classification at which the network operates. If a non-local/non-authoritative time server is used, this is a finding.

Use an authoritative local time server or a time server operated by the U.S. government. Ensure all systems in the facility feed from one or more local time servers which feed from the authoritative U.S. government time server.

Check to see if ntp is running in continuous mode.
# ps -ax | grep ntp
If the process is found, check the ntp.conf file for the maxpoll option setting.
# grep maxpoll /etc/ntp.conf
If the option is set to 17 or is not set, this is a finding.

Enable the NTP daemon for continuous synchronization.
# service ntpd start ; chkconfig ntpd on
Edit the "/etc/ntp.conf" file and add or update an entry to define "maxpoll" to "10".

Check the root crontab (crontab -l) and the global crontabs in /etc/crontab, /etc/cron.d/*, or scripts in the /etc/cron.daily directory for the presence of an "ntpd -qg" job. If the "ntpd -qg" command is not invoked with at least two external NTP servers listed, this is a finding.
Check the NTP daemon configuration for at least two external servers.
# grep ^server /etc/ntp.conf | egrep -v '(127.127.1.0|127.127.1.1)'
If fewer than two servers or external reference clocks (127.127.x.x other than 127.127.1.0 or 127.127.1.1) are listed, this is a finding.

If using "ntpd -qg", add additional NTP servers to the cron job running "ntpd -qg". If using the NTP daemon, add an additional "server" line to /etc/ntp.conf for each additional NTP server.

Check the root crontab (crontab -l) and the global crontabs in /etc/crontab, /etc/cron.d/*, or scripts in the /etc/cron.daily directory for the presence of an "ntpd -qg" job. If the "ntpd -qg" command is invoked with NTP servers outside of the enclave, this is a finding.
Check the NTP daemon configuration for NTP servers.
# grep ^server /etc/ntp.conf | grep -v 127.127.1.1
If an NTP server is listed outside of the enclave, this is a finding.

If using "ntpd -qg", remove NTP servers external to the enclave from the cron job running "ntpd -qg". If using the NTP daemon, remove the "server" line from /etc/ntp.conf for each NTP server external to the enclave.
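The three ntp.conf checks above (maxpoll set and not 17, at least two servers beyond the local reference clocks, no servers outside the enclave) applied to a configuration file, added here as an example and not part of the STIG text. It assumes ntpd's "server ADDRESS [options] maxpoll N" syntax, checks maxpoll per server line rather than with a single grep, and takes the enclave as a list of shell glob patterns supplied by the caller, since the STIG leaves that definition to the site.

```shell
# ntp_servers FILE -> prints the address of every "server" line, excluding the local
# reference clocks 127.127.1.0 and 127.127.1.1 that the STIG exempts.
ntp_servers() {
    awk '/^server[ \t]/ && $2 !~ /^127\.127\.1\.[01]$/ { print $2 }' "$1"
}

# ntp_servers_outside FILE PATTERN... -> prints each server that matches none of the
# enclave patterns, e.g. ntp_servers_outside /etc/ntp.conf '10.*' '*.example.mil'
ntp_servers_outside() {
    f=$1; shift
    for s in $(ntp_servers "$f"); do
        inside=0
        for p in "$@"; do
            case $s in $p) inside=1 ;; esac
        done
        [ "$inside" -eq 1 ] || echo "$s"
    done
}

# ntp_check FILE -> prints one FINDING per violated requirement and returns the count.
ntp_check() {
    f=$1; findings=0
    n=$(ntp_servers "$f" | wc -l | tr -d ' ')
    if [ "$n" -lt 2 ]; then
        echo "FINDING: only $n external NTP server(s) in $f; at least 2 are required"
        findings=$((findings + 1))
    fi
    # Every server line must carry maxpoll below the ntpd default of 17 (the fix says 10).
    bad=$(awk '/^server[ \t]/ && $2 !~ /^127\.127\.1\.[01]$/ {
                   mp = ""
                   for (i = 3; i <= NF; i++) if ($i == "maxpoll") mp = $(i + 1)
                   if (mp == "" || mp + 0 >= 17) print $2
               }' "$f")
    for s in $bad; do
        echo "FINDING: server $s has maxpoll unset or 17 (add maxpoll 10)"
        findings=$((findings + 1))
    done
    return $findings
}

# --- demonstration on a constructed ntp.conf (not a real system file) ---
demo_dir=$(mktemp -d)
printf 'driftfile /var/lib/ntp/drift\nserver 127.127.1.0\nserver 10.1.1.10 iburst maxpoll 10\nserver 10.1.1.11 iburst\nserver time.example.com iburst maxpoll 10\n' \
    > "$demo_dir/ntp.conf"
ntp_check "$demo_dir/ntp.conf" || echo "findings: $?"                 # 1 (10.1.1.11 lacks maxpoll)
echo "outside the 10.* enclave: $(ntp_servers_outside "$demo_dir/ntp.conf" '10.*')"  # time.example.com
rm -rf "$demo_dir"
```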
Check the ownership of the NTP configuration file.
# ls -l /etc/ntp.conf
If the owner is not root, this is a finding.

Change the owner of the NTP configuration file.
# chown root /etc/ntp.conf

Check the group ownership of the NTP configuration file. Procedure:
# ls -lL /etc/ntp.conf
If the group owner is not root, bin, or sys, this is a finding.

Change the group-owner of the NTP configuration file. Procedure:
# chgrp root /etc/ntp.conf

Check the mode for the NTP configuration file is not more permissive than 0640.
# ls -l /etc/ntp.conf
If the mode is more permissive than 0640, this is a finding.

Change the mode of the NTP configuration file to 0640 or more restrictive.
# chmod 0640 /etc/ntp.conf

Check the NTP configuration file has no extended ACL.
# ls -l /etc/ntp.conf
If the permissions include a '+', the file has an extended ACL. If the file has an extended ACL and it has not been documented with the IAO, this is a finding.

Remove the extended ACL from the NTP configuration file.
# setfacl --remove-all /etc/ntp.conf
Use the last command to check for multiple accesses to an account from different workstations/IP addresses.
# last -w
If users log directly on to shared accounts (such as logging directly onto oracle), rather than using the switch user (su) command from their own named account to access them, this is a finding. Verify with the SA or the ISSO that documentation requiring users/administrators to log on to their own accounts first and then switch user (su) to the account to be shared has been maintained, including requirements and procedures. If no such documentation exists, this is a finding.

Use the switch user (su) command from a named account login to access shared accounts. Document requirements and procedures for users/administrators to log into their own accounts first and then switch user (su) to the account to be shared.
Check the system for unnecessary user accounts. Procedure:
# more /etc/passwd
Obtain a list of authorized accounts from the IAO. If any unnecessary accounts are found on the system, this is a finding.

Remove all unnecessary accounts from the /etc/passwd file before connecting a system to the network. Other accounts that are associated with a service not in use should also be removed.

Check the system for the unnecessary "games" account. Procedure:
# grep ^games /etc/passwd
If this account exists, it is a finding.

Remove the "games" account from the /etc/passwd file before connecting a system to the network.

Check the system for the unnecessary "news" account. Procedure:
# rpm -q inn
If "inn" is installed, the "news" user is necessary and this is not a finding.
# grep ^news /etc/passwd
If this account exists and "inn" is not installed, this is a finding.

Remove the "news" account from the /etc/passwd file before connecting a system to the network.

Check the system for the unnecessary "gopher" account. Procedure:
# grep ^gopher /etc/passwd
If this account exists, it is a finding.

Remove the "gopher" account from the /etc/passwd file before connecting a system to the network.

Check the system for the unnecessary "ftp" account. Procedure:
# rpm -q krb5-workstation
An ftp server is part of "krb5-workstation". If it is installed, the "ftp" user is necessary and this is not a finding.
# rpm -q vsftp
If the "vsftp" ftp server is installed, the "ftp" user is necessary and this is not a finding.
# grep ^ftp /etc/passwd
If this account exists and no ftp server is installed which requires it, this is a finding.

Remove the "ftp" account from the /etc/passwd file before connecting a system to the network.

Check the system for duplicate account names. Example:
# pwck -r
If any duplicate account names are found, this is a finding.

Change user account names, or delete accounts, so each account has a unique name.
Perform the following to ensure there are no duplicate UIDs:
# cut -d: -f3 /etc/passwd | uniq -d
If any duplicate UIDs are found, this is a finding.

Edit user accounts to provide unique UIDs for each account.

Check the UID assignments for all accounts.
# cut -d: -f 1,3 /etc/passwd | egrep ":[1-4][0-9]{2}$|:[0-9]{1,2}$"
Confirm all accounts with a UID of 499 and below are used by a system account. If a UID reserved for system accounts (0 - 499) is used by a non-system account, this is a finding.

Change the UID numbers for non-system accounts with reserved UIDs (those less than or equal to 499).

Confirm all accounts with a GID of 499 and below are used by a system account. Procedure: List all the users with a GID of 0-499.
# cut -d: -f 1,4 /etc/passwd | egrep ":[1-4][0-9]{2}$|:[0-9]{1,2}$"
If a GID reserved for system accounts (0 - 499) is used by a non-system account, this is a finding.

Change the primary group GID numbers for non-system accounts with reserved primary group GIDs (those less than or equal to 499).

Perform the following to ensure there are no GIDs referenced in /etc/passwd that are not defined in /etc/group:
# pwck -r
If any GIDs referenced in /etc/passwd but not defined in /etc/group are returned, this is a finding.

Add a group to the system for each GID referenced without a corresponding group.
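The UID/GID checks above (duplicate UIDs, reserved UIDs and GIDs held by non-system accounts, primary GIDs with no group) as functions that run against passwd/group-format files, added here as an example and not part of the STIG text. Note that the STIG's "uniq -d" only reports adjacent duplicates, so the input is sorted first. The "non-system account" test (a reserved id on an account, other than root, whose login shell is interactive) is an assumption; the STIG leaves that judgement to the reviewer.

```shell
# duplicate_uids PASSWD -> prints each UID used by more than one account
duplicate_uids() {
    cut -d: -f3 "$1" | sort -n | uniq -d
}

# reserved_id_nonsystem PASSWD FIELD -> "name:id" for accounts whose UID (FIELD=3) or
# primary GID (FIELD=4) is 0-499 but whose shell suggests an interactive, non-system user.
# root is excluded by name; accounts with nologin/false/sync/shutdown/halt shells count
# as system accounts.
reserved_id_nonsystem() {
    awk -F: -v fld="$2" '
        $1 != "root" && $fld <= 499 && $7 !~ /(nologin|false|sync|shutdown|halt)$/ {
            print $1 ":" $fld
        }' "$1"
}

# dangling_gids PASSWD GROUP -> "name:gid" for accounts whose primary GID no group defines
# (the condition pwck -r reports for the GID check above).
dangling_gids() {
    awk -F: 'NR == FNR { defined[$3] = 1; next }
             !($4 in defined) { print $1 ":" $4 }' "$2" "$1"
}

# --- demonstration on constructed passwd/group copies (not real system files) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
webadmin:x:450:450:web admin:/home/webadmin:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:500:501:Bob:/home/bob:/bin/bash
carol:x:501:9999:Carol:/home/carol:/bin/bash
EOF
cat > "$demo_dir/group" <<'EOF'
root:x:0:
bin:x:1:
webadmin:x:450:
alice:x:500:
bob:x:501:
EOF
echo "duplicate UIDs:          $(duplicate_uids "$demo_dir/passwd")"                # 500
echo "reserved UID, non-system: $(reserved_id_nonsystem "$demo_dir/passwd" 3)"     # webadmin:450
echo "reserved GID, non-system: $(reserved_id_nonsystem "$demo_dir/passwd" 4)"     # webadmin:450
echo "GIDs with no group:       $(dangling_gids "$demo_dir/passwd" "$demo_dir/group")"  # carol:9999
rm -rf "$demo_dir"
```

Run the same functions against /etc/passwd and /etc/group on the target once the output on the sample is understood.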
Access the system console and make a login attempt. Check for either of the following login banners based on the character limitations imposed by the system. An exact match is required. If one of these banners is not displayed, this is a finding.
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
OR
I've read & consent to terms in IS user agreem't.

Edit /etc/issue and add one of the DoD login banners (based on the character limitations imposed by the system). DoD Login Banners:
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
OR
I've read & consent to terms in IS user agreem't.

Access the graphical desktop environment(s) provided by the system and attempt to log in. Check for either of the following login banners based on the character limitations imposed by the system. An exact match is required. If one of these banners is not displayed, this is a finding.
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
OR
I've read & consent to terms in IS user agreem't.
Configure the system to display one of the DoD login banners prior to, or as part of, the graphical desktop environment login process.
Procedure: Modify /usr/share/gdm/themes/RHEL/RHEL.xml by adding the following xml after the first two "pixmap" entries.
<item type="rect" id="custom-dod-banner">
  <pos anchor="nw" x="20%" y="10" width="80%" height="100%"/>
  <box>
    <item type="label">
      <normal font="Sans Bold 9" color="#ffffff"/>
      <text>
        Insert the "approved text" here based on the character limitations imposed by the system.
      </text>
    </item>
  </box>
</item>
Approved text: DoD Login Banners:
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
OR
I've read & consent to terms in IS user agreem't.

FTP to the system.
# ftp localhost
Check for either of the following login banners based on the character limitations imposed by the system. An exact match is required. If one of these banners is not displayed, this is a finding. If the system does not run the FTP service, this is not applicable.
DoD Login Banners:
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
OR
I've read & consent to terms in IS user agreem't.

Provide the proper text for the DoD banner to be presented by the FTP server to the user.
For vsftp: Examine the /etc/vsftp.conf file for the "banner_file" entry (i.e., banner_file = /etc/banner/vsftp).
For gssftp: Examine the /etc/xinetd.d/gssftp file for the "banner" entry (i.e., banner = /etc/banner/gssftp).
For both: Add the banner entry if one is not found. Modify or create the referenced banner file to contain one of the following DoD login banners (based on the character limitations imposed by the system).
DoD Login Banners:
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
OR
I've read & consent to terms in IS user agreem't.

Determine if all logon attempts are being logged.
Procedure: Verify successful logins are being logged:
# last -R | more
If the command does not return successful logins, this is a finding.
Verify unsuccessful logons are being logged:
# lastb -R | more
If the command does not return unsuccessful logins, this is a finding.
Make sure the collection files exist. Procedure: If there are no successful logins being returned from the "last" command, create /var/log/wtmp: # touch /var/log/wtmp If there are no unsuccessful logins being returned from the "lastb" command, create /var/log/btmp: # touch /var/log/btmp
Check for a default maxlogins line in the /etc/security/limits.conf and /etc/security/limits.d/* files. Procedure: # grep maxlogins /etc/security/limits.conf /etc/security/limits.d/* The default maxlogins should be set to a maximum of 10 or a documented site-defined number: * - maxlogins 10 If no such line exists, this is a finding.
Add a "maxlogins" line such as "* hard maxlogins 10" to /etc/security/limits.conf or a file in /etc/security/limits.d. The enforced maximum should be defined by site requirements and policy.
Check that pam_lastlog is used and not silent, or that the SSH daemon is configured to display last login information. # grep pam_lastlog /etc/pam.d/sshd If pam_lastlog is present, and does not have the "silent" option, this is not a finding. # grep -i PrintLastLog /etc/ssh/sshd_config If PrintLastLog is not present in the configuration, this is not a finding. This is the default setting. If PrintLastLog is present in the configuration and set to "yes" (case insensitive), this is not a finding. Otherwise, this is a finding.
Implement pam_lastlog, or enable PrintLastLog in the SSH daemon. To enable pam_lastlog, add a line such as "session required pam_lastlog.so" to /etc/pam.d/sshd. To enable PrintLastLog in the SSH daemon, remove any lines disabling this option from /etc/ssh/sshd_config.
Check the pam_tally configuration. # more /etc/pam.d/system-auth Confirm the following line is configured, before any "auth sufficient" lines: auth required pam_tally2.so deny=3 If no such line is found, this is a finding.
By default, the link /etc/pam.d/system-auth points to /etc/pam.d/system-auth-ac, which is the file maintained by the authconfig utility. In order to add PAM options other than those available via the utility, create /etc/pam.d/system-auth-local with the options and an include of system-auth-ac. In order to set the account lockout to three failed attempts, the content should be similar to: auth required pam_access.so auth required pam_tally2.so deny=3 auth include system-auth-ac account required pam_tally2.so account include system-auth-ac password include system-auth-ac session include system-auth-ac Once system-auth-local is written, reset the /etc/pam.d/system-auth link to point to system-auth-local. This is necessary because authconfig writes directly to system-auth-ac, so any changes made by hand will be lost if authconfig is run.
Check the value of the FAIL_DELAY variable and the ability to use it. Procedure: # grep FAIL_DELAY /etc/login.defs If the value does not exist, or is less than 4, this is a finding. Check for the use of pam_faildelay. # grep pam_faildelay /etc/pam.d/system-auth* If the pam_faildelay.so module is not present, this is a finding. If pam_faildelay is present only in /etc/pam.d/system-auth-ac, ensure that /etc/pam.d/system-auth includes /etc/pam.d/system-auth-ac. # grep system-auth-ac /etc/pam.d/system-auth This should return: auth include system-auth-ac account include system-auth-ac password include system-auth-ac session include system-auth-ac /etc/pam.d/system-auth-ac should only be included by /etc/pam.d/system-auth. All other PAM files should include /etc/pam.d/system-auth. If pam_faildelay is not defined in /etc/pam.d/system-auth, either directly or through inclusion of system-auth-ac, this is a finding.
Add the pam_faildelay module and set the FAIL_DELAY variable. Procedure: Edit /etc/login.defs and set the value of the FAIL_DELAY variable to 4 or more. The default link /etc/pam.d/system-auth points to /etc/pam.d/system-auth-ac, which is the file maintained by the authconfig utility. In order to add PAM options other than those available via the utility, create or modify /etc/pam.d/system-auth-local with the options and an include of system-auth-ac. For example: auth required pam_access.so auth optional pam_faildelay.so delay=4000000 auth include system-auth-ac account include system-auth-ac password include system-auth-ac session include system-auth-ac Once system-auth-local is written, ensure /etc/pam.d/system-auth points to system-auth-local. This is necessary because authconfig writes directly to system-auth-ac, so any manual changes will be lost if authconfig is run.
If the "xorg-x11-server-Xorg" package is not installed, this is not applicable. For the Gnome screen saver, check the idle_activation_enabled flag. Procedure: # gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/idle_activation_enabled If this does not return "true" and a documented exception has not been made by the IAO, this is a finding.
For the Gnome screen saver, set the idle_activation_enabled flag. Procedure: # gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type bool --set /apps/gnome-screensaver/idle_activation_enabled true
If the "xorg-x11-server-Xorg" package is not installed, this is not applicable. For the Gnome screen saver, check the idle_delay setting. Procedure: # gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/idle_delay If this does not return 15 or less, this is a finding.
For the Gnome screen saver, set idle_delay to 15. Procedure: # gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type int --set /apps/gnome-screensaver/idle_delay 15
If the "xorg-x11-server-Xorg" package is not installed, this is not applicable. For the Gnome screen saver, check the lock_enabled flag. Procedure: # gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/lock_enabled If this does not return "true", this is a finding.
For the Gnome screen saver, set the lock_enabled flag. Procedure: # gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type bool --set /apps/gnome-screensaver/lock_enabled true
Determine if a publicly-viewable pattern is displayed during a session lock. Some screensaver themes available but not included in the operating system distribution use a snapshot of the current screen as a graphic. This theme does not qualify as a publicly-viewable pattern. If the screen lock pattern is not publicly-viewable, this is a finding.
Configure the system to display a publicly-viewable pattern during a session lock. This is done graphically by selecting a screensaver theme using gnome-screensaver-preferences command. Any of the themes distributed with this operating system may be used including "Blank Screen".
If there is an application running on the system continuously in use (such as a network monitoring application), ask the SA what the name of the application is. Verify documentation exists for the requirement and justification of the application. If no documentation exists, this is a finding. Execute "ps -ef | more" to determine which user owns the process(es) associated with the application. If the owner is root, this is a finding.
Configure the system so the owner of a session requires a continuous screen display, such as a network management display, is not root. Ensure the display is also located in a secure, controlled access area. Document and justify this requirement and ensure the terminal and keyboard for the display (or workstation) are secure from all but authorized personnel by maintaining them in a secure area, in a locked cabinet where a swipe card, or other positive forms of identification, must be used to gain entry.
Check the minimum time period between password changes for each user account is 1 day. # cut -d ':' -f 4 /etc/shadow | grep -v '^1$' If any results are returned, this is a finding.
Change the minimum time period between password changes for each user account to 1 day. # passwd -n 1 <user name>
Verify the system will not log in accounts with blank passwords. # grep nullok /etc/pam.d/system-auth /etc/pam.d/system-auth-ac If an entry for nullok is found, this is a finding on Linux.
Edit /etc/pam.d/system-auth and remove the "nullok" setting.
Check the system password length setting. Procedure: Check the password minlen option # grep pam_cracklib.so /etc/pam.d/system-auth Confirm the minlen option is set to at least 15 as in the example below: password required pam_cracklib.so minlen=15 There may be other options on the line. If no such line is found, or the minlen is less than 15 this is a finding. # grep PASS_MIN_LEN /etc/login.defs Confirm the PASS_MIN_LEN option is set to at least 15 as in the example below: PASS_MIN_LEN 15 If this line does not exist, or is less than 15, this is a finding.
Edit "/etc/pam.d/system-auth" to include the line: password required pam_cracklib.so minlen=15 prior to the "password include system-auth-ac" line. Edit /etc/login.defs to include the line: PASS_MIN_LEN 15
Verify no valid password hash in /etc/passwd or /etc/shadow begins with a character other than an underscore (_) or dollar sign ($). # cut -d ':' -f2 /etc/passwd # cut -d ':' -f2 /etc/shadow If any valid password hash is present that does not have an initial underscore (_) or dollar sign ($) character, this is a finding. Note: Locked accounts are indicated by a leading exclamation point (!). System accounts, other than "root", may have an asterisk (*) in the password field. On systems utilizing shadow passwords, the password field in /etc/passwd will be a single "x".
Change the passwords for all accounts using non-compliant password hashes. (This requires GEN000590 is already met.)
Verify the algorithm used for password hashing is of the SHA-2 family. # egrep "password .* pam_unix.so" /etc/pam.d/system-auth-ac # egrep "ENCRYPT_METHOD" /etc/login.defs # egrep "crypt_style" /etc/libuser.conf If any output indicates the hash algorithm is not set to sha256 or sha512, this is a finding.
Change the default password algorithm. # authconfig --passalgo=sha512 --update NOTE: Executing the above command will also update the required parameters in /etc/login.defs and /etc/libuser.conf
Check all password hashes in /etc/passwd or /etc/shadow begin with '$5$' or '$6$'. Procedure: # cut -d ':' -f2 /etc/passwd # cut -d ':' -f2 /etc/shadow Any password hash present that does not begin with '$5$' or '$6$' is a finding. Entries showing only NP, LK, or x are not findings.
Change the passwords for all accounts using non-compliant password hashes. (This requires GEN000590 is already met.)
Check the ucredit setting. # grep ucredit /etc/pam.d/system-auth If ucredit is not set to -1, this is a finding.
Edit "/etc/pam.d/system-auth" to include the line: password required pam_cracklib.so ucredit=-1 prior to the "password include system-auth-ac" line.
Verify the system-auth settings are being applied. Procedure: Verify the additional pam.d requirements are in use. The file "/etc/pam.d/system-auth-ac" is auto-generated by "authconfig". Any manual changes made to it will be lost the next time "authconfig" is run. Check whether the system's default symlink "/etc/pam.d/system-auth" pointing to "/etc/pam.d/system-auth-ac" has been changed. # ls -l /etc/pam.d/system-auth If the symlink points to "/etc/pam.d/system-auth-ac", manual changes cannot be protected. This is a finding. # grep system-auth-ac /etc/pam.d/system-auth The local system-auth file pointed to by "/etc/pam.d/system-auth" must contain "/etc/pam.d/system-auth-ac" for the auth, account, password, and session lines. If it does not, the parameters maintained by "authconfig" will not be applied; this is a finding.
By default, the operating system delivers /etc/pam.d/system-auth as a symbolic link to /etc/pam.d/system-auth-ac (an automatically generated file). When a site adds password requirements, a new system-auth-local file must be created with only the additional requirements and includes for auth, account, password and session pointing to "/etc/pam.d/system-auth-ac". Then the symlink "/etc/pam.d/system-auth" is modified to point to "/etc/pam.d/system-auth-local". This way any changes made do not get lost when "/etc/pam.d/system-auth-ac" is regenerated, and each program's pam.d definition file need only have "include system-auth" for auth, account, password and session, as needed, in order to ensure the password requirements are applied to it.
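The system-auth-local layout described in this fix, together with the pam_tally2 lockout and pam_faildelay additions from the earlier fixes, can be both applied and audited from a script. The following is an added example and is not STIG or authconfig code. It takes the PAM directory as an argument so it can be exercised against a constructed copy instead of the live /etc/pam.d; it assumes the system-auth link target is a relative name, as in the procedure, and the system-auth-ac it writes for the sample is a constructed stand-in for the authconfig-generated file.

```shell
#!/bin/sh
# Added example (not STIG or authconfig code): build and audit the
# system-auth-local layout the fix describes, on a PAM directory of choice.

# make_sample_pamdir DIR: constructed stand-in for a default /etc/pam.d,
# with system-auth symlinked to the authconfig-generated system-auth-ac.
make_sample_pamdir() {
    local dir="$1"
    cat > "$dir/system-auth-ac" <<'EOF'
#%PAM-1.0
# Constructed stand-in for the authconfig-generated file (regenerated on every run).
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    required      pam_deny.so
session     required      pam_unix.so
EOF
    ln -sf system-auth-ac "$dir/system-auth"
    # Service files include system-auth, never system-auth-ac directly.
    printf 'auth include system-auth\naccount include system-auth\npassword include system-auth\nsession include system-auth\n' > "$dir/sshd"
    printf 'password include system-auth\n' > "$dir/passwd"
}

# install_system_auth_local DIR: write the site additions (lockout after three
# failures, four-second fail delay, pam_cracklib password rules) ahead of the
# system-auth-ac includes, then repoint the system-auth link at the local file.
install_system_auth_local() {
    local dir="$1"
    cat > "$dir/system-auth-local" <<'EOF'
auth        required      pam_access.so
auth        required      pam_tally2.so deny=3
auth        optional      pam_faildelay.so delay=4000000
auth        include       system-auth-ac
account     required      pam_tally2.so
account     include       system-auth-ac
password    required      pam_cracklib.so minlen=15 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 maxrepeat=3 difok=8
password    include       system-auth-ac
session     include       system-auth-ac
EOF
    ln -sf system-auth-local "$dir/system-auth"
}

# check_system_auth DIR: print one finding per line; return 1 if any.
check_system_auth() {
    local dir="$1" target local_file findings=0 mgmt f
    target=$(readlink "$dir/system-auth" || true)
    case "$target" in
        ''|*system-auth-ac)
            echo "system-auth is not a link to a local file (target: ${target:-none})"
            return 1 ;;
    esac
    local_file="$dir/$target"   # assumes a relative link target, as in the procedure
    for mgmt in auth account password session; do
        grep -Eq "^[[:space:]]*$mgmt[[:space:]]+include[[:space:]]+system-auth-ac" "$local_file" \
            || { echo "$mgmt does not include system-auth-ac"; findings=1; }
    done
    # Only the local file may include system-auth-ac; everything else includes system-auth.
    for f in "$dir"/*; do
        case "$(basename "$f")" in system-auth|"$target") continue ;; esac
        grep -Eq '^[[:space:]]*[a-z]+[[:space:]]+include[[:space:]]+system-auth-ac([[:space:]]|$)' "$f" 2>/dev/null \
            && { echo "$(basename "$f") includes system-auth-ac directly"; findings=1; }
    done
    return $findings
}
```

Run check_system_auth against /etc/pam.d on a live system to reproduce the check; run make_sample_pamdir on a temporary directory, then install_system_auth_local and check_system_auth on it, to see the default layout fail and the corrected layout pass.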
Check /etc/pam.d/system-auth for lcredit setting. Procedure: Check the password lcredit option # grep pam_cracklib.so /etc/pam.d/system-auth Confirm the lcredit option is set to -1 as in the example: password required pam_cracklib.so lcredit=-1 There may be other options on the line. If no such line is found, or the lcredit is not -1 this is a finding.
Edit "/etc/pam.d/system-auth" to include the line: password required pam_cracklib.so lcredit=-1 prior to the "password include system-auth-ac" line.
Check the dcredit setting. Procedure: Check the password dcredit option # grep pam_cracklib.so /etc/pam.d/system-auth Confirm the dcredit option is set to -1 as in the example: password required pam_cracklib.so dcredit=-1 There may be other options on the line. If no such line is found, or the dcredit option is not -1 this is a finding.
Edit "/etc/pam.d/system-auth" to include the line: password required pam_cracklib.so dcredit=-1 prior to the "password include system-auth-ac" line.
Check the ocredit setting. Procedure: Check the password ocredit option # grep pam_cracklib.so /etc/pam.d/system-auth Confirm the ocredit option is set to -1 as in the example: password required pam_cracklib.so ocredit=-1 There may be other options on the line. If no such line is found, or the ocredit is not -1 this is a finding.
Edit "/etc/pam.d/system-auth" to include the line: password required pam_cracklib.so ocredit=-1 prior to the "password include system-auth-ac" line.
Check the maxrepeat setting. Procedure: Check the password maxrepeat configuration # grep pam_cracklib.so /etc/pam.d/system-auth If the maxrepeat option is missing, this is a finding. If the maxrepeat option is set to more than 3, this is a finding.
Edit "/etc/pam.d/system-auth" to include the line: password required pam_cracklib.so maxrepeat=3 prior to the "password include system-auth-ac" line.
Check the max days field (the 5th field) of /etc/shadow. # more /etc/shadow If the max days field is equal to 0 or greater than 60 for any user, this is a finding.
Set the max days field to 60 for all user accounts. # passwd -x 60 <user>
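The hash-format checks above (leading '$5$' or '$6$', with '!', '*', 'x', 'NP' and 'LK' not counting as hashes) and the aging checks (minimum age exactly 1, maximum age between 1 and 60) all read fields of the same shadow-format line, so one audit can cover them. The following is an added example, not STIG code; it works on any file in /etc/shadow format, so it can be run on a copy, and the sample it writes uses constructed placeholder strings rather than real password hashes.

```shell
#!/bin/sh
# Added example (not STIG code): audit a shadow-format file for the hash
# algorithm and aging rules above. Works on any file in /etc/shadow format,
# so it can be run against a copy rather than the live file.

# classify_hash HASH: sha2 | locked | none | other
classify_hash() {
    case "$1" in
        '$5$'*|'$6$'*)         echo sha2 ;;    # SHA-256 / SHA-512 crypt
        '!'*)                  echo locked ;;  # leading '!' locks the account
        ''|'*'|'x'|'NP'|'LK')  echo none ;;    # no usable hash, or shadowed (x)
        *)                     echo other ;;   # DES, MD5 ($1$), blowfish ($2*$), ...
    esac
}

# hash_algorithm HASH: name the non-SHA-2 scheme for the report
hash_algorithm() {
    case "$1" in
        '$1$'*)           echo md5 ;;
        '$2a$'*|'$2y$'*)  echo blowfish ;;
        '$'*)             echo unknown-crypt-id ;;
        *)                echo des ;;
    esac
}

# audit_shadow FILE: print one finding per line, return 1 if any were found.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:flag
audit_shadow() {
    local file="$1" findings=0 name hash lastchg min max rest
    while IFS=: read -r name hash lastchg min max rest; do
        case "$name" in ''|'#'*) continue ;; esac
        if [ "$(classify_hash "$hash")" = other ]; then
            echo "$name: hash is $(hash_algorithm "$hash"), not SHA-2"; findings=1
        fi
        if [ "$min" != 1 ]; then
            echo "$name: minimum password age is '${min}', not 1"; findings=1
        fi
        if [ -z "$max" ] || [ "$max" -eq 0 ] || [ "$max" -gt 60 ]; then
            echo "$name: maximum password age is '${max}', not 1-60"; findings=1
        fi
    done < "$file"
    return $findings
}

# write_sample_shadow FILE: constructed sample; the hash fields are
# placeholders, not real password hashes.
write_sample_shadow() {
    cat > "$1" <<'EOF'
root:$6$saltsalt$constructed-sha512-placeholder:15000:1:60:7:::
alice:$5$saltsalt$constructed-sha256-placeholder:15000:1:60:7:::
bob:$1$saltsalt$constructed-md5-placeholder:15000:1:60:7:::
legacy:AbCdEfGhIjKlM:15000:0:99999:7:::
svc:!!:15000:1:60:7:::
EOF
}
```

On the sample, bob is reported for an MD5 hash and legacy for a DES hash, a minimum age of 0 and a maximum age of 99999; root, alice and the locked svc account produce no findings. A locked account whose hash behind the '!' is not SHA-2 is deliberately not reported, matching the note that locked accounts are indicated by the leading exclamation point.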
Ask the SA if there are any automated processing accounts on the system. If there are automated processing accounts on the system, ask the SA if the passwords for those automated accounts are changed at least once a year or are locked. If SA indicates passwords for automated processing accounts are not changed once per year or are not locked, this is a finding.
Implement or establish procedures to change the passwords of automated processing accounts at least once per year or lock them.
Check /etc/pam.d/system-auth for a pam_cracklib parameter difok. Procedure: # grep difok /etc/pam.d/system-auth If difok is not present, or has a value less than 8, this is a finding. Check for system-auth-ac inclusions. # grep -c system-auth-ac /etc/pam.d/* If the system-auth-ac file is included anywhere # more /etc/pam.d/system-auth-ac | grep difok If system-auth-ac is included anywhere and difok is not present, or has a value less than 8, this is a finding. Ensure the passwd command uses the system-auth settings. # grep system-auth /etc/pam.d/passwd If a line "password include system-auth" is not found then the password checks in system-auth will not be applied to new passwords.
If /etc/pam.d/system-auth references /etc/pam.d/system-auth-ac refer to the man page for system-auth-ac for a description of how to add options not configurable with authconfig. Edit /etc/pam.d/system-auth and add or edit a pam_cracklib entry with a difok parameter set equal to or greater than 8.
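The minlen, ucredit, lcredit, dcredit, ocredit, maxrepeat and difok checks above all inspect options on the same pam_cracklib line, so a single parser can evaluate them together against the thresholds the checks state. The following is an added example, not STIG code; it reads the first active "password ... pam_cracklib.so" line of whatever file it is given, and the two sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not STIG code): parse the pam_cracklib line of a system-auth
# style file and compare each option against the thresholds in the checks.

# cracklib_option LINE NAME: print the value of NAME=VALUE on LINE, if present
cracklib_option() {
    printf '%s\n' "$1" | tr ' \t' '\n\n' | sed -n "s/^$2=//p" | head -n 1
}

# check_cracklib FILE: print one finding per line; return 1 if any.
# Only the first active "password ... pam_cracklib.so" line is inspected.
check_cracklib() {
    local file="$1" line findings=0 v opt
    line=$(grep -E '^[[:space:]]*password[[:space:]].*pam_cracklib\.so' "$file" | head -n 1)
    if [ -z "$line" ]; then
        echo "pam_cracklib.so is not configured"
        return 1
    fi
    v=$(cracklib_option "$line" minlen)
    if [ -z "$v" ] || [ "$v" -lt 15 ]; then echo "minlen=${v:-unset} (need >= 15)"; findings=1; fi
    for opt in ucredit lcredit dcredit ocredit; do
        v=$(cracklib_option "$line" "$opt")
        if [ "$v" != "-1" ]; then echo "$opt=${v:-unset} (need -1)"; findings=1; fi
    done
    v=$(cracklib_option "$line" maxrepeat)
    if [ -z "$v" ] || [ "$v" -gt 3 ]; then echo "maxrepeat=${v:-unset} (need <= 3)"; findings=1; fi
    v=$(cracklib_option "$line" difok)
    if [ -z "$v" ] || [ "$v" -lt 8 ]; then echo "difok=${v:-unset} (need >= 8)"; findings=1; fi
    return $findings
}

# Constructed sample lines: a typical authconfig default and a compliant line.
SAMPLE_WEAK='password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-1'
SAMPLE_STRONG='password    required      pam_cracklib.so try_first_pass retry=3 minlen=15 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 maxrepeat=3 difok=8'

# write_pam_sample FILE LINE: wrap LINE in a minimal password section
write_pam_sample() {
    printf '#%%PAM-1.0\n%s\npassword    include       system-auth-ac\n' "$2" > "$1"
}
```

Against a file holding SAMPLE_WEAK the function reports six findings (minlen, ucredit, lcredit, ocredit, maxrepeat and difok; only dcredit passes); against SAMPLE_STRONG it reports none. On a live system, run it on /etc/pam.d/system-auth, which is where the checks expect the line to be.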
Indications of inactive accounts are those that have no entries in the "last" log. Check the date in the "last" log to verify it is within the last 35 days or the maximum number of days set by the site, if more restrictive. If an inactive account is not disabled via an entry in the password field in /etc/passwd or /etc/shadow (or equivalent), check the /etc/passwd file to see if the account has a valid shell. The passwd command can also be used to list a status for an account. For example, the following may be used to provide status information on each local account: NOTE: The following must be done in the BASH shell. # cut -d: -f1 /etc/passwd | xargs -n1 passwd -S If an inactive account is found that is not disabled, this is a finding.
All inactive accounts will have /sbin/nologin (or an equivalent) as the default shell in the /etc/passwd file and have the password disabled. Examine the user accounts using the "last" command. Note the date of last login for each account. If any (other than system and application accounts) exceed 35 days, or the maximum number of days set by the site (not to exceed 35 days), disable the accounts using the system-config-users tool. Alternately, place a shell field of /sbin/nologin, /bin/false, or /dev/null in the passwd file entry for the account.
Check /etc/pam.d/system-auth for pam_cracklib configuration. Procedure: # grep pam_cracklib /etc/pam.d/system-auth* If pam_cracklib is not present, this is a finding. If pam_cracklib is present only in /etc/pam.d/system-auth-ac, ensure that /etc/pam.d/system-auth includes /etc/pam.d/system-auth-ac. # grep system-auth-ac /etc/pam.d/system-auth This should return: auth include system-auth-ac account include system-auth-ac password include system-auth-ac session include system-auth-ac /etc/pam.d/system-auth-ac should only be included by /etc/pam.d/system-auth. All other PAM files should include /etc/pam.d/system-auth. If pam_cracklib is not defined in /etc/pam.d/system-auth, either directly or through inclusion of system-auth-ac, this is a finding. Ensure the passwd command uses the system-auth settings. # grep system-auth /etc/pam.d/passwd If a line "password include system-auth" is not found, the password checks in system-auth will not be applied to new passwords; this is a finding.
If /etc/pam.d/system-auth references /etc/pam.d/system-auth-ac refer to the man page for system-auth-ac for a description of how to add options not configurable with authconfig. Edit /etc/pam.d/system-auth and configure pam_cracklib by adding a line such as "password required pam_cracklib.so"
# ls /etc/security/opasswd If /etc/security/opasswd does not exist, this is a finding. # grep password /etc/pam.d/system-auth | egrep '(pam_pwhistory.so|pam_unix.so|pam_cracklib.so)' | grep remember If the "remember" option in /etc/pam.d/system-auth is not 5 or greater, this is a finding. Check for system-auth-ac inclusions. # grep -c system-auth-ac /etc/pam.d/* If the system-auth-ac file is included anywhere, this is a finding. # more /etc/pam.d/system-auth-ac | grep password | egrep '(pam_pwhistory.so|pam_unix.so|pam_cracklib.so)' | grep remember If /etc/pam.d/system-auth-ac is referenced by another file and the "remember" option is not set to 5 or greater, this is a finding.
Create the password history file. # touch /etc/security/opasswd # chown root:root /etc/security/opasswd # chmod 0600 /etc/security/opasswd Enable password history. If /etc/pam.d/system-auth references /etc/pam.d/system-auth-ac refer to the man page for system-auth-ac for a description of how to add options not configurable with authconfig. Edit /etc/pam.d/system-auth to include the remember option on any "password pam_unix" or "password pam_pwhistory" lines set to at least 5.
Check /etc/pam.d/su uses pam_wheel. # grep pam_wheel /etc/pam.d/su If pam_wheel is not present, or is commented out, this is a finding.
Edit /etc/pam.d/su and uncomment or add a line such as "auth required pam_wheel.so". If necessary, create a "wheel" group and add administrative users to the group.
Check the system for duplicate UID 0 assignments by listing all accounts assigned UID 0. Procedure: # awk -F: '($3 == 0) { print $1 }' /etc/passwd If any accounts other than root are assigned UID 0, this is a finding.
Remove or change the UID of accounts other than root that have UID 0.
Determine if root is assigned a home directory other than / by listing its home directory. Procedure: # awk -F: '($1 == "root") { print $6 }' /etc/passwd If the root user home directory is /, this is a finding.
The root home directory should be something other than / (such as /roothome). Procedure: # mkdir /rootdir # chown root /rootdir # chgrp root /rootdir # chmod 700 /rootdir # cp -r /.??* /rootdir/. Then, edit the passwd file and change the root home directory to /rootdir. The cp -r /.??* command copies all files and subdirectories of file names beginning with "." into the new root directory, which preserves the previous root environment. Ensure you are in the "/" directory when executing the "cp" command.
Check the mode of the root home directory. Procedure: # find ~root -type d -prune -exec ls -ld {} \; If the home directory is /, this check will be marked "Not Applicable". If the mode of the directory is not set to 0700 or less permissive, this is a finding.
The root home directory will be configured to have a permission set of 0700 or less permissive. Do not change the protections of the / directory. Use the following command to change protections for the root home directory: # chmod 0700 /rootdir
Check the root account's home directory has no extended ACL. # find ~root -type d -prune -exec ls -ld {} \; If the permissions include a '+' the directory has an extended ACL. If the file has an extended ACL and it has not been documented with the IAO, this is a finding.
Remove the extended ACL from the root account's home directory. # setfacl --remove-all <root home directory>
To view the root user's PATH, log in as the root user, and execute: # env | grep PATH This variable is formatted as a colon-separated list of directories. Relative path entries must be documented with the ISSO. An empty entry, such as a leading or trailing colon, two consecutive colons, or a single period, is a finding. If an entry begins with a character other than a slash (/), or has not been documented with the ISSO, this is a finding.
Edit the root user's local initialization files ~/.profile and ~/.bashrc (assuming the root shell is bash). Remove any relative path entries that have not been documented with the ISSO. Remove any empty path entries that are defined in these files.
Check the LD_LIBRARY_PATH environment variable is empty or not defined for the root user. # echo $LD_LIBRARY_PATH If a path list is returned, this is a finding.
Edit the root user initialization files and remove any definition of LD_LIBRARY_PATH.
Check the LD_PRELOAD environment variable is empty or not defined for the root user. # echo $LD_PRELOAD If a path list is returned, this is a finding.
Edit the root user initialization files and remove any definition of LD_PRELOAD.
Check for world-writable permissions on all directories in the root user's executable search path. Procedure: # ls -ld `echo $PATH | sed "s/:/ /g"` If any of the directories in the PATH variable are world-writable, this is a finding.
For each world-writable path in root's executable search path, do one of the following: 1. Remove the world-writable permission on the directory. Procedure: # chmod o-w <path> 2. Remove the world-writable directory from the executable search path. Procedure: Identify and edit the initialization file referencing the world-writable directory and remove it from the PATH variable.
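The two PATH checks above (empty or relative entries, and world-writable directories) can be applied to a PATH value in one pass. The following is an added example, not STIG code; it is given the PATH string as an argument rather than reading the environment, so it can be tested on constructed values, and it reads the "other" write bit from column 9 of ls -ld output, which is the same information the ls -ld in the check shows.

```shell
#!/bin/sh
# Added example (not STIG code): audit a PATH value for empty entries
# (leading/trailing colon, "::"), relative entries such as ".", and
# world-writable directories.

# audit_path PATHSTRING: print one finding per line; return 1 if any.
audit_path() {
    local path="$1" rest entry findings=0
    # Splitting on IFS would drop empty fields, so walk the string manually.
    rest="$path:"                      # trailing sentinel so the last entry is consumed
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case "$entry" in
            '')
                echo "empty entry (searches the current directory)"; findings=1 ;;
            /*)
                # Column 9 of "ls -ld" is the write bit for the "other" class.
                if [ "$(ls -ld "$entry" 2>/dev/null | cut -c9)" = w ]; then
                    echo "world-writable directory: $entry"; findings=1
                fi ;;
            *)
                echo "relative entry: $entry"; findings=1 ;;
        esac
    done
    return $findings
}

# Usage in root's shell: audit_path "$PATH"
```

A directory that does not exist is not reported, since neither check treats a missing directory as a finding; it simply cannot be world-writable.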
Check /etc/securetty # more /etc/securetty If the file does not exist, or contains more than "console" or a single "tty" device this is a finding.
Create the file if needed and set the contents of /etc/securetty to a "console" or "tty" device. # echo console > /etc/securetty or # echo tty1 > /etc/securetty
Check if root is used for direct logins. Procedure: # last root | grep -v reboot Direct logins are indicated by the presence of a terminal or pseudo-terminal ID and/or X display name in the output of the last command. If any direct login records for root are listed, this is a finding.
Enforce policy requiring all root account access is attained by first logging into a user account and then becoming root preferably through the use of "sudo" which provides traceability to the command level. If that is not workable then using "su" to access the root account will provide traceability to the login user.
Verify neither the "NOPASSWD" option nor the "!authenticate" option is configured for use in "/etc/sudoers" and associated files. Note that the "#include" and "#includedir" directives may be used to include configuration data from locations other than the defaults enumerated here. # egrep '^[^#]*NOPASSWD' /etc/sudoers /etc/sudoers.d/* # egrep '^[^#]*!authenticate' /etc/sudoers /etc/sudoers.d/* If the "NOPASSWD" or "!authenticate" options are configured for use in "/etc/sudoers" or associated files, this is a finding.
Update the "/etc/sudoers" or other sudo configuration files to remove or comment out lines utilizing the "NOPASSWD" and "!authenticate" options. # visudo # visudo -f [other sudo configuration file]
Check the log files to determine if access to the root account is being logged. Procedure: Depending on what system is used for log processing, either /etc/syslog.conf or /etc/rsyslog.conf will be the logging configuration file. Examine /etc/syslog.conf or /etc/rsyslog.conf to confirm the location to which "authpriv" messages will be directed. The default syslog.conf or rsyslog.conf uses /var/log/messages and /var/log/secure, but this needs to be confirmed. # grep @ /etc/syslog.conf Or: # grep @ /etc/rsyslog.conf If a line starting with "*.*" is returned, then all syslog messages will be sent to the system whose address appears after the "@". In this case syslog may or may not be configured to also log "authpriv" messages locally. # grep authpriv /etc/syslog.conf Or: # grep authpriv /etc/rsyslog.conf If any lines are returned which do not start with "#", the "authpriv" messages will be sent to the indicated files or remote systems. Try to "su -" and enter an incorrect password. If there are no records indicating the authentication failure, this is a finding.
Troubleshoot the system logging configuration to provide for logging of root account login attempts. Procedure: Edit /etc/syslog.conf or /etc/rsyslog.conf to make sure "authpriv.*" messages are directed to a file or remote system. Examine /etc/audit/audit.rules to ensure user authentication messages have not been specifically excluded. Remove any entries that correspond to: -a exclude,never -Fmsgtype=USER_START -a exclude,never -Fmsgtype=USER_LOGIN -a exclude,never -Fmsgtype=USER_AUTH -a exclude,never -Fmsgtype=USER_END -a exclude,never -Fmsgtype=USER_ACCT
Determine if root's shell executable resides on a dedicated file system. Procedure: Find the location of the root user's shell: # grep "^root" /etc/passwd | cut -d: -f7 | cut -d/ -f2 The result is the top level directory under / where the shell resides (e.g., usr). Check if it is on a dedicated file system. # grep /<top level directory> /etc/fstab If /<top level directory> is on a dedicated file system, this is a finding.
Change the root account's shell to one present on the / file system. Procedure: Edit /etc/passwd and change the shell for the root account to one present on the / file system (such as /bin/sh, assuming /bin is not on a separate file system). If the system does not store shell configuration in the /etc/passwd file, consult vendor documentation for the correct procedure for the system.
Determine if root has logged in over an unencrypted network connection. Examine /etc/syslog.conf to confirm the location to which "authpriv" messages are being sent. # grep authpriv.* /etc/syslog.conf Once the file is determined, perform the following command: # grep password <file> | more Look for any lines that do not have sshd as the associated service. If root has logged in over the network and sshd is not running, this is a finding.
Enable SSH on the system and use it for all remote connections used to attain root access.
Determine if the SSH daemon is configured to permit root logins. Procedure: # grep -v "^#" /etc/ssh/sshd_config | grep -i permitrootlogin If the PermitRootLogin entry is not found or is not set to "no", this is a finding.
Edit the sshd_config file and set the PermitRootLogin option to "no".
Check system directories for uneven file permissions. Procedure: # ls -lL /etc /bin /usr/bin /usr/lbin /usr/ucb /sbin /usr/sbin Uneven file permissions exist if the file owner has less permissions than the group or other user classes. If any of the files in the above listed directories contain uneven file permissions, this is a finding.
Change the mode of files with uneven permissions so owners do not have less permission than group or world users.
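"Uneven" is a bitwise condition: a mode is uneven when the group or other class has a permission bit that the owner class lacks, which is easy to miss when reading ls -l output by eye. The following is an added example, not STIG code; it evaluates the condition on an octal mode with shell arithmetic and lists uneven regular files directly under the given directories, using the GNU stat -c form that the page's own group/world-writable check uses.

```shell
#!/bin/sh
# Added example (not STIG code): decide whether an octal mode is "uneven",
# i.e. the owner class lacks a permission bit that group or other has, and
# list such regular files directly under the given directories.

# uneven_mode OCTAL: true (exit 0) when group or other has a bit the owner lacks
uneven_mode() {
    local m owner group other
    m=$((0$1))                 # leading 0 forces octal, so 644 and 0644 both work
    owner=$(( (m >> 6) & 7 ))
    group=$(( (m >> 3) & 7 ))
    other=$(( m & 7 ))
    # Bits present in group or other but absent from owner.
    [ $(( (group | other) & ~owner & 7 )) -ne 0 ]
}

# find_uneven DIR...: print "mode path" for uneven regular files directly in
# each DIR (not recursive, like the ls -lL in the check).
find_uneven() {
    local dir mode path
    for dir in "$@"; do
        find "$dir" -maxdepth 1 -type f -exec stat -c '%a %n' {} \; 2>/dev/null |
        while read -r mode path; do
            if uneven_mode "$mode"; then echo "$mode $path"; fi
        done
    done
}

# Usage mirroring the check: find_uneven /etc /bin /usr/bin /usr/lbin /usr/ucb /sbin /usr/sbin
```

Setuid and setgid bits do not affect the result (4755 is not uneven), while 464, 575 and 557 are, because in each the owner lacks a bit the group or other class has.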
Check the system for files with no assigned owner. Procedure: # find / -ignore_readdir_race -nouser If any files have no assigned owner, this is a finding. Caution should be used when centralized authorization is used because valid files may appear as unowned due to communication issues.
All directories and files (executable and data) will have an identifiable owner and group name. Either trace files to an authorized user, change the file's owner to root, or delete them. Determine the legitimate owner of the files and use the chown command to set the owner and group to the correct value. If the legitimate owner cannot be determined, change the owner to root (but make sure none of the changed files remain executable because they could be Trojan horses or other malicious code). Examine the files to determine their origin and the reason for their lack of an owner/group.
Search the system for files without a valid group-owner. # find / -ignore_readdir_race -nogroup If any files are found, this is a finding.
Change the group-owner for each file without a valid group-owner. # chgrp avalidgroup /tmp/a-file-without-a-valid-group-owner
Check the mode of network services daemons. # find /usr/sbin -type f -perm +022 -exec stat -c %a:%n {} \; This will return the octal permissions and name of all files that are group or world writable. If any network services daemon listed is world or group writable (either or both of the 2 lowest order digits contain a 2, 3 or 6), this is a finding. Note: Network daemons not residing in these directories (such as httpd or sshd) must also be checked for the correct permissions.
Change the mode of the network services daemon. # chmod go-w <path>
Check network services daemon files have no extended ACLs. # ls -la /usr/sbin If the permissions include a '+', the file has an extended ACL. If the file has an extended ACL and it has not been documented with the IAO, this is a finding. Note: Network daemons not residing in these directories must also be checked.
Remove the extended ACL from the file. # setfacl --remove-all /usr/sbin/*
Check the permissions for files in /etc, /bin, /usr/bin, /usr/lbin, /usr/ucb, /sbin, and /usr/sbin. Procedure: # DIRS="/etc /bin /usr/bin /usr/lbin /usr/ucb /sbin /usr/sbin";for DIR in $DIRS;do find $DIR -type f -perm +022 -exec stat -c %a:%n {} \;;done This will return the octal permissions and name of all group or world writable files. If any command file is listed and is world or group writable (either or both of the 2 lowest order digits contain a 2, 3, or 6), this is a finding. Note: Elevate to Severity Code I if any command file listed is world writable.
Change the mode for system command files to 0755 or less permissive taking into account necessary SGID and SUID bits. Procedure: # chmod go-w <filename>
Check all system command files have no extended ACLs. # ls -lL /etc /bin /usr/bin /usr/lbin /usr/ucb /sbin /usr/sbin If the permissions include a '+', the file has an extended ACL. If the file has an extended ACL and it has not been documented with the IAO, this is a finding.
Remove the extended ACL from the file. # setfacl --remove-all [file with extended ACL]
Check the ownership of system files, programs, and directories. Procedure: # ls -lLa /etc /bin /usr/bin /usr/lbin /usr/ucb /sbin /usr/sbin If any of the system files, programs, or directories are not owned by a system account, this is a finding.
Change the owner of system files, programs, and directories to a system account. Procedure: # chown root /some/system/file (A different system user may be used in place of root.)
Check the group-ownership of system files, programs, and directories. Procedure: # ls -lLa /etc /bin /usr/bin /usr/lbin /usr/ucb /sbin /usr/sbin If any system file, program, or directory is not owned by a system group, this is a finding.
Change the group-owner of system files to a system group. Procedure: # chgrp root /path/to/system/file (System groups other than root may be used.)
Check the mode of log files. Procedure: # find /var/log /var/log/syslog /var/adm -type f -perm -640 \! -perm 640 With the exception of /var/log/wtmp, /var/log/Xorg.0.log, and /var/log/gdm/:0.log, if any of the log files have modes more permissive than 0640, this is a finding.
Change the mode of the system log file(s) to 0640 or less permissive. Procedure: # chmod 0640 /path/to/system-log-file Note: Do not confuse system log files with audit logs.
Verify system log files have no extended ACLs. Procedure: # ls -lL /var/log If the permissions include a '+', the file has an extended ACL. If an extended ACL exists, verify with the SA if the ACL is required to support authorized software and provides the minimum necessary permissions. If an extended ACL exists, providing access beyond the needs of authorized software, this is a finding.
Remove the extended ACL from the file. Procedure: # setfacl --remove-all [file with extended ACL]
Check the mode of the manual page files. Procedure: # find /usr/share/man /usr/share/info /usr/share/infopage -type f -perm +022 -exec stat -c %a:%n {} \; | more Note: This list only displays manual files with offending permissions. If any of the manual page files have a mode more permissive than 0644, this is a finding.
Change the mode of manual page files to 0644 or less permissive. Procedure (example): # chmod 0644 /path/to/manpage
Verify all manual page files have no extended ACLs. # ls -lLR /usr/share/man /usr/share/info /usr/share/infopage If the permissions include a '+', the file has an extended ACL, and this is a finding.
Remove the extended ACL from the file. # setfacl --remove-all /usr/share/man/* /usr/share/info/* /usr/share/infopage/*
Check the mode of library files. Procedure: # DIRS="/usr/lib /lib /usr/lib64 /lib64";for DIR in $DIRS;do find $DIR -type f -perm +022 -exec stat -c %a:%n {} \;;done This will return the octal permissions and name of all group or world writable files. If any file listed is world or group writable (either or both of the 2 lowest order digits contain a 2, 3 or 6), this is a finding.
Change the mode of library files to 0755 or less permissive. Procedure (example): # chmod go-w </path/to/library-file> Note: Library files should have an extension of ".a" or a ".so" extension, possibly followed by a version number.
Verify system libraries have no extended ACLs. # ls -lLR /usr/lib/ /lib/ /usr/lib64 /lib64 | grep "+ " If the permissions include a '+', the file has an extended ACL. If the file has an extended ACL and has not been approved by the IAO, this is a finding.
Remove the extended ACL from the file. # setfacl --remove-all /usr/lib/* /lib/*
Perform the following to check NIS file ownership: # ls -la /var/yp/* If the file ownership is not root, sys, or bin, this is a finding.
Change the ownership of NIS/NIS+/yp files to root, sys or bin. Procedure (example): # chown root <filename>
Perform the following to check NIS file group ownership: # ls -la /var/yp/* If the file group ownership is not root, sys, or bin, this is a finding.
Perform the following to change NIS file group ownership. # chgrp root /var/yp/*
Perform the following to check NIS file permissions. # ls -la /var/yp/* If the file's mode is more permissive than 0755, this is a finding.
Change the mode of NIS/NIS+/yp command files to 0755 or less permissive. Procedure (example): # chmod 0755 <filename>
Verify NIS/NIS+/yp files have no extended ACLs. # ls -lL /var/yp/* If the permissions include a '+', the file has an extended ACL. If the file has an extended ACL and it has not been documented with the IAO, this is a finding.
Remove the extended ACL from the file. # setfacl --remove-all /var/yp/*
Verify the /etc/resolv.conf file is owned by root. # ls -l /etc/resolv.conf If the file is not owned by root, this is a finding.
Change the owner of the /etc/resolv.conf file to root. # chown root /etc/resolv.conf
Check the group ownership of the resolv.conf file. Procedure: # ls -lL /etc/resolv.conf If the file is not group-owned by root, bin, or sys, this is a finding.
Change the group-owner of the /etc/resolv.conf file to root, bin, or sys. Procedure: # chgrp root /etc/resolv.conf
Check the mode of the /etc/resolv.conf file. # ls -l /etc/resolv.conf If the file mode is not 0644, this is a finding.
Change the mode of the /etc/resolv.conf file to 0644. # chmod 0644 /etc/resolv.conf
Verify /etc/resolv.conf has no extended ACL. # ls -l /etc/resolv.conf If the permissions include a '+', the file has an extended ACL. If the file has an extended ACL and it has not been documented with the IAO, this is a finding.
Remove the extended ACL from the file. # setfacl --remove-all /etc/resolv.conf
Verify the /etc/hosts file is owned by root. # ls -l /etc/hosts If the file is not owned by root, this is a finding.
Change the owner of the /etc/hosts file to root. # chown root /etc/hosts
Check the /etc/hosts file's group ownership. Procedure: # ls -lL /etc/hosts If the file is not group-owned by root, bin, or sys, this is a finding.
Change the group-owner of the /etc/hosts file to root, sys, or bin. Procedure: # chgrp root /etc/hosts
Check the mode of the /etc/hosts file. # ls -l /etc/hosts If the file mode is not 0644, this is a finding.
Change the mode of the /etc/hosts file to 0644. # chmod 0644 /etc/hosts
Verify /etc/hosts has no extended ACL. # ls -l /etc/hosts If the permissions include a '+', the file has an extended ACL. If the file has an extended ACL and it has not been documented with the IAO, this is a finding.
Remove the extended ACL from the file. # setfacl --remove-all /etc/hosts
Verify the /etc/nsswitch.conf file is owned by root. # ls -l /etc/nsswitch.conf If the file is not owned by root, this is a finding.
Change the owner of the /etc/nsswitch.conf file to root. # chown root /etc/nsswitch.conf
Check the group ownership of the nsswitch.conf file. Procedure: # ls -lL /etc/nsswitch.conf If the file is not group-owned by root, bin or sys, this is a finding.
Change the group-owner of the /etc/nsswitch.conf file to root, bin or sys. Procedure: # chgrp root /etc/nsswitch.conf
Check the mode of the /etc/nsswitch.conf file. # ls -l /etc/nsswitch.conf If the file mode is not 0644, this is a finding.
Change the mode of the /etc/nsswitch.conf file to 0644 or less permissive. # chmod 0644 /etc/nsswitch.conf
Verify /etc/nsswitch.conf has no extended ACL. # ls -l /etc/nsswitch.conf If the permissions include a '+', the file has an extended ACL. If the file has an extended ACL and it has not been documented with the IAO, this is a finding.
Remove the extended ACL from the file. # setfacl --remove-all /etc/nsswitch.conf
Determine if DNS is enabled on the system. # grep dns /etc/nsswitch.conf If no line is returned, or any returned line is commented out, the system does not use DNS, and this is not applicable. Determine the name servers used by the system. # grep nameserver /etc/resolv.conf If fewer than two lines are returned that are not commented out, this is a finding.
Edit /etc/resolv.conf and add additional "nameserver" lines until at least two are present.
Verify the /etc/passwd file is owned by root. # ls -l /etc/passwd If the file is not owned by root, this is a finding.
Change the owner of the /etc/passwd file to root. # chown root /etc/passwd
Check the group ownership of the passwd file. Procedure: # ls -lL /etc/passwd If the file is not group-owned by root, bin or sys, this is a finding.
Change the group-owner of the /etc/passwd file to root, bin or sys. Procedure: # chgrp root /etc/passwd
Check the mode of the /etc/passwd file. Procedure: # ls -lL /etc/passwd If /etc/passwd has a mode more permissive than 0644, this is a finding.
Change the mode of the passwd file to 0644. Procedure: # chmod 0644 /etc/passwd
Verify /etc/passwd has no extended ACL. # ls -l /etc/passwd If the permissions include a '+', the file has an extended ACL. If the file has an extended ACL and it has not been documented with the IAO, this is a finding.
Remove the extended ACL from the file. # setfacl --remove-all /etc/passwd
Verify the /etc/group file is owned by root. # ls -l /etc/group If the file is not owned by root, this is a finding.
Change the owner of the /etc/group file to root. # chown root /etc/group
Check the group ownership of the /etc/group file. Procedure: # ls -lL /etc/group If the file is not group-owned by root, bin or sys, this is a finding.
Change the group-owner of the /etc/group file. Procedure: # chgrp root /etc/group
Check the mode of the /etc/group file. # ls -l /etc/group If the file mode is more permissive than 0644, this is a finding.
Change the mode of the /etc/group file to 0644 or less permissive. # chmod 0644 /etc/group
Verify /etc/group has no extended ACL. # ls -l /etc/group If the permissions include a '+', the file has an extended ACL. If the file has an extended ACL and it has not been documented with the IAO, this is a finding.
Remove the extended ACL from the file. # setfacl --remove-all /etc/group
Check the ownership of the /etc/shadow file. # ls -lL /etc/shadow If the /etc/shadow file is not owned by root, this is a finding.
Change the ownership of the /etc/shadow (or equivalent) file. # chown root /etc/shadow
Check the group ownership of the /etc/shadow file. Procedure: # ls -lL /etc/shadow If the file is not group-owned by root, bin, or sys, this is a finding.
Change the group-owner of the /etc/shadow file. Procedure: # chgrp root /etc/shadow
Check the mode of the /etc/shadow file. # ls -lL /etc/shadow If the /etc/shadow file has a mode more permissive than 0400, this is a finding.
Change the mode of the /etc/shadow (or equivalent) file. # chmod 0400 /etc/shadow
Verify /etc/shadow has no extended ACL. # ls -l /etc/shadow If the permissions include a '+', the file has an extended ACL. If the file has an extended ACL and it has not been documented with the IAO, this is a finding.
Remove the extended ACL from the file. # setfacl --remove-all /etc/shadow
Use pwck to verify home directory assignments are present. # pwck If any user is not assigned a home directory, this is a finding.
Assign a home directory to any user without one.
Use pwck to verify assigned home directories exist. # pwck If any user's assigned home directory does not exist, this is a finding.
If a user has no home directory, determine why. If possible, delete accounts without a home directory. If the account is valid, then create the home directory using the appropriate system administration utility or manually. For instance: mkdir directoryname; copy the skeleton files into the directory; chown accountname for the new directory and the skeleton files. Document all changes.
Verify no password hashes are present in /etc/passwd. # cut -d : -f 2 /etc/passwd | egrep -v '^(x|\*)$' If any password hashes are returned, this is a finding.
Migrate /etc/passwd password hashes to /etc/shadow. # pwconv
Check the /etc/group file for password hashes. # cut -d : -f 2 /etc/group | egrep -v '^(x|!)$' If any password hashes are returned, this is a finding.
Edit /etc/group and change the password field to an exclamation point (!) to lock the group password.
Check the home directory mode of each user in /etc/passwd. Procedure: # cut -d: -f6 /etc/passwd|sort|uniq|xargs -n1 ls -ld If a user home directory's mode is more permissive than 0750, this is a finding. Note: Application directories are allowed and may need 0755 permissions (or greater) for correct operation.
Change the mode of user home directories to 0750 or less permissive. Procedure (example): # chmod 0750 <home directory> Note: Application directories are allowed and may need 0755 permissions (or greater) for correct operation.
Verify user home directories have no extended ACLs. # cut -d : -f 6 /etc/passwd | xargs -n1 ls -ld If the permissions include a '+', the file has an extended ACL, and this is a finding.
Remove the extended ACL from the file. # setfacl --remove-all [user home directory with extended ACL]
Check the ownership of each user home directory listed in the /etc/passwd file. Procedure: # cut -d : -f 6 /etc/passwd | xargs -n1 ls -ld If any user home directory is not owned by the assigned user, this is a finding.
Change the owner of a user's home directory to its assigned user. Procedure: # chown <user> <home directory>
Check the group ownership for each user in the /etc/passwd file. Procedure: # cut -d : -f 6 /etc/passwd | xargs -n1 ls -ld If any user home directory is not group-owned by the assigned user's primary group, this is a finding. Home directories for application accounts requiring different group ownership must be documented using site-defined procedures.
Change the group-owner for user home directories to the primary group of the assigned user. Procedure: Find the primary group of the user (GID) which is the fourth field of the user entry in /etc/passwd. # chgrp <GID> <user home directory> Document all changes.
For each user in the /etc/passwd file, check for the presence of files and directories within the user's home directory not owned by the home directory owner. Procedure: # find /<usershomedirectory> ! -fstype nfs ! -user <username> ! \( -name .bashrc -o -name .bash_login -o -name .bash_logout -o -name .bash_profile -o -name .cshrc -o -name .kshrc -o -name .login -o -name .logout -o -name .profile -o -name .tcshrc -o -name .env -o -name .dtprofile -o -name .dispatch -o -name .emacs -o -name .exrc \) -exec ls -ld {} \; If user home directories contain files or directories not owned by the home directory owner, this is a finding.
Change the ownership of files and directories in user home directories to the owner of the home directory. Procedure: # chown accountowner filename
Check the contents of user home directories for files group-owned by a group of which the home directory's owner is not a member. 1. List the user accounts. # cut -d : -f 1 /etc/passwd 2. For each user account, get a list of GIDs for files in the user's home directory. # find ~username -printf %G\\n | sort | uniq 3. Obtain the list of GIDs where the user is a member. # id -G username 4. Check the GID lists. If there are GIDs in the file list not present in the user list, this is a finding.
Change the group of a file not group-owned by a group of which the home directory's owner is a member. # chgrp <group with user as member> <file with bad group ownership> Document all changes.
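The four-step check above is easy to get wrong by hand when an account belongs to several groups, so here is an added example, not part of the STIG text, of a POSIX shell script that automates it: it lists every file under a home directory whose numeric group is not among the groups `id -G` reports for the owner. Function names are our own, and `getent` is assumed to be available for the account lookup; the test directory is constructed.

```shell
#!/bin/sh
# Added example (not part of the STIG text): automate the home directory
# group-ownership check for one account. Function names are our own.

# foreign_group_files DIR ALLOWED_GIDS: print "gid:path" for each file or
# directory under DIR whose numeric group is not in ALLOWED_GIDS, a
# whitespace-separated list of GIDs in the format `id -G` prints.
foreign_group_files() {
    dir=$1
    allowed=" $2 "
    # %G in -printf is the numeric GID; NFS mounts are skipped as in the
    # other home directory checks on this page
    find "$dir" ! -fstype nfs -printf '%G:%p\n' 2>/dev/null |
    while IFS= read -r line; do
        gid=${line%%:*}
        case $allowed in
            *" $gid "*) ;;                 # a group the user belongs to
            *) printf '%s\n' "$line" ;;    # group the user is not a member of
        esac
    done
}

# home_group_findings USER: look up the account's home directory and group
# memberships and run the check. Returns 1 if the account does not exist.
home_group_findings() {
    user=$1
    home=$(getent passwd "$user" | cut -d: -f6)
    [ -n "$home" ] || return 1
    foreign_group_files "$home" "$(id -G "$user")"
}

# Run for every account in /etc/passwd (step 1 of the check):
# for u in $(cut -d: -f1 /etc/passwd); do home_group_findings "$u"; done
```

Each printed line is a finding in the sense of the check above; the GID at the front of the line is what the fix (chgrp to a group the user is a member of) has to replace.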
For each user in the /etc/passwd file, check for files and directories with a mode more permissive than 0750. Procedure: # find /<usershomedirectory> ! -fstype nfs ! \( -name .bashrc -o -name .bash_login -o -name .bash_logout -o -name .bash_profile -o -name .cshrc -o -name .kshrc -o -name .login -o -name .logout -o -name .profile -o -name .tcshrc -o -name .env -o -name .dtprofile -o -name .dispatch -o -name .emacs -o -name .exrc \) \( -perm -0001 -o -perm -0002 -o -perm -0004 -o -perm -0020 -o -perm -2000 -o -perm -4000 \) -exec ls -ld {} \; If user home directories contain files or directories more permissive than 0750, this is a finding.
Change the mode of files and directories within user home directories to 0750. Procedure: # chmod 0750 filename Document all changes.
Check the contents of user home directories for files with extended ACLs. # cut -d : -f 6 /etc/passwd | xargs -n1 -IDIR ls -alLR DIR If the permissions include a '+', the file has an extended ACL. If the file has an extended ACL and it has not been documented with the IAO, this is a finding.
Remove the extended ACL from the file. # setfacl --remove-all <user file with extended ACL>
Check run control script modes. # cd /etc # ls -lL rc* # cd /etc/init.d # ls -l If any run control script has a mode more permissive than 0755, this is a finding.
Ensure all system startup files have mode 0755 or less permissive. Examine the "rc" files, and all files in the rc1.d (rc2.d, and so on) directories, and in the /etc/init.d directory to ensure they are not world-writable. If they are world-writable, use the chmod command to correct the vulnerability and research why they are world-writable. Procedure: # chmod 755 <startup file>
Verify run control scripts have no extended ACLs. # ls -lL /etc/rc* /etc/init.d If the permissions include a '+', the file has an extended ACL. If the file has an extended ACL and it has not been documented with the IAO, this is a finding.
Remove the extended ACL from the file. # setfacl --remove-all <run control script with extended ACL>
Verify run control scripts' executable search paths. # grep -r '\bPATH\b' /etc/rc* /etc/init.d This variable is formatted as a colon-separated list of directories. If the list contains an empty entry, such as a leading or trailing colon, two consecutive colons, or a single period, this is a finding. If an entry begins with a character other than a slash (/), or has not been documented with the ISSO, this is a finding.
Edit the run control script and remove any relative path entries from the executable search path variable that are not documented with the ISSO. Remove any empty path entries that are defined in these files.
Verify run control scripts' library search paths. # grep -r LD_LIBRARY_PATH /etc/rc* /etc/init.d This variable is formatted as a colon-separated list of directories. If the list contains an empty entry, such as a leading or trailing colon, two consecutive colons, or a single period, this is a finding. If an entry begins with a character other than a slash (/), or has not been documented with the ISSO, this is a finding.
Edit the run control script and remove the relative path entries from the library search path variables that are not documented with the ISSO. Remove any empty path entries that are defined in these files.
Verify run control scripts' library preload list. # grep -r LD_PRELOAD /etc/rc* /etc/init.d This variable is formatted as a colon-separated list of directories. If the list contains an empty entry, such as a leading or trailing colon, two consecutive colons, or a single period, this is a finding. If an entry begins with a character other than a slash (/), or has not been documented with the ISSO, this is a finding.
Edit the run control script and remove the relative path entries from the library preload variables that are not documented with the ISSO. Remove any empty path entries that are defined in these files.
Check the permissions on the files or scripts executed from system startup scripts to see if they are world-writable. Create a list of all potential run command level scripts. # ls -l /etc/init.d/* | tr '\011' ' ' | tr -s ' ' | cut -f 9,9 -d " " Create a list of world-writable files. # find / -perm -002 -type f >> worldWriteableFileList Determine if any of the world-writable files in worldWriteableFileList are called from the run command level scripts. Note: Depending upon the number of scripts vs. world-writable files, it may be easier to inspect the scripts manually. # more `ls -l /etc/init.d/* | tr '\011' ' ' | tr -s ' ' | cut -f 9,9 -d " "` If any system startup script executes any file or script that is world-writable, this is a finding.
Remove the world-writable permission from programs or scripts executed by run control scripts. Procedure: # chmod o-w <program or script executed from run control script>
Check run control scripts' ownership. # ls -lL /etc/rc* /etc/init.d Alternatively: # find /etc -name "[SK][0-9]*"|xargs stat -L -c %U:%n If any run control script is not owned by root or bin, this is a finding.
Change the ownership of the run control script(s) with incorrect ownership. # find /etc -name "[SK][0-9]*"|xargs stat -L -c %U:%n|egrep -v "^root:"|cut -d: -f2|xargs chown root
Check run control scripts' group ownership. Procedure: # ls -lL /etc/rc* /etc/init.d Alternatively: # find /etc -name "[SK][0-9]*"|xargs stat -L -c %G:%n|egrep -v "^(root|sys|bin|other):" If any run control script is not group-owned by root, sys, bin, or other system groups, this is a finding.
Change the group ownership of the run control script(s) with incorrect group ownership. Procedure: # chgrp root <run control script> # find /etc -name "[SK][0-9]*"|xargs stat -L -c %G:%n|egrep -v "^(root|sys|bin|other):"|cut -d: -f2|xargs chgrp root
Determine the programs executed by system start-up files. Determine the ownership of the executed programs. # cat /etc/rc*/* /etc/init.d/* | more # ls -l <executed program> Alternatively: # for FILE in `egrep -r "/" /etc/rc.* /etc/init.d|awk '/^.*[^\/][0-9A-Za-z_\/]*/{print $2}'|egrep "^/"|sort|uniq`;do if [ -e $FILE ]; then stat -L -c '%U:%n' $FILE;fi;done This provides a list of files referenced by initialization scripts and their associated UIDs. If any file is run by an initialization file and is not owned by root, sys, bin, or in rare cases, an application account, this is a finding.
Change the ownership of the file executed from system startup scripts to root, bin, sys, or other. # chown root <executed file>
Check global initialization files permissions: # ls -l /etc/bashrc # ls -l /etc/csh.cshrc # ls -l /etc/csh.login # ls -l /etc/csh.logout # ls -l /etc/environment # ls -l /etc/ksh.kshrc # ls -l /etc/profile # ls -l /etc/suid_profile # ls -l /etc/profile.d/* If global initialization files are more permissive than 0644, this is a finding.
Change the mode of the global initialization file(s) to 0644. # chmod 0644 <global initialization file>
Check global initialization files for extended ACLs: # ls -l /etc/bashrc /etc/csh.cshrc /etc/csh.login /etc/csh.logout /etc/environment /etc/ksh.kshrc /etc/profile /etc/suid_profile /etc/profile.d/* 2>/dev/null|grep "\+ " If the permissions include a '+', the file has an extended ACL. If the file has an extended ACL and it has not been documented with the IAO, this is a finding.
Remove the extended ACL from the file. # ls -l /etc/bashrc /etc/csh.cshrc /etc/csh.login /etc/csh.logout /etc/environment /etc/ksh.kshrc /etc/profile /etc/suid_profile /etc/profile.d/* 2>/dev/null|grep "\+ "|sed "s/^.* \//\//"|xargs setfacl --remove-all
Check the ownership of global initialization files. Procedure: # ls -lL /etc/bashrc /etc/csh.cshrc /etc/csh.login /etc/csh.logout /etc/environment /etc/ksh.kshrc /etc/profile /etc/suid_profile /etc/profile.d/* This should show information for each file. Examine to ensure the owner is always root or: # ls /etc/bashrc /etc/csh.cshrc /etc/csh.login /etc/csh.logout /etc/environment /etc/ksh.kshrc /etc/profile /etc/suid_profile /etc/profile.d/* 2>/dev/null|xargs stat -L -c %U:%n|egrep -v "^root" This will show you only the owner and filename of files not owned by root. If any global initialization file is not owned by root, this is a finding.
Change the ownership of global initialization files with incorrect ownership. Procedure: # chown root <global initialization files> or: # ls /etc/bashrc /etc/csh.cshrc /etc/csh.login /etc/csh.logout /etc/environment /etc/ksh.kshrc /etc/profile /etc/suid_profile /etc/profile.d/* 2>/dev/null|xargs stat -L -c %U:%n|egrep -v "^root"|cut -d: -f2|xargs chown root will set the owner of all files not currently owned by root to root.
Check the group ownership of global initialization files. Procedure: # ls -lL /etc/bashrc /etc/csh.cshrc /etc/csh.login /etc/csh.logout /etc/environment /etc/ksh.kshrc /etc/profile /etc/suid_profile /etc/profile.d/* This should show information for each file. Examine to ensure the group is always root or: # ls -lL /etc/bashrc /etc/csh.cshrc /etc/csh.login /etc/csh.logout /etc/environment /etc/ksh.kshrc /etc/profile /etc/suid_profile /etc/profile.d/* 2>/dev/null|sed "s/^[^\/]*//"|xargs stat -L -c %G:%n|egrep -v "^(root|sys|bin|other):" will show you only the group and filename of files not owned by one of the approved groups. If any global initialization file is not group-owned by root, sys, bin, other, system, or the system default, this is a finding.
Change the group ownership of the global initialization file(s) with incorrect group ownership. Procedure: # chgrp root <global initialization file> or: # ls -lL /etc/bashrc /etc/csh.cshrc /etc/csh.login /etc/csh.logout /etc/environment /etc/ksh.kshrc /etc/profile /etc/suid_profile /etc/profile.d/* 2>/dev/null|sed "s/^[^\/]*//"|xargs stat -L -c %G:%n|egrep -v "^(root|sys|bin|other):"|cut -d: -f2|xargs chgrp root will set the group of all files not currently owned by an approved group to root.
Check global initialization files for the presence of "mesg -n" or "mesg n". Procedure: # grep "mesg" /etc/bashrc /etc/csh.cshrc /etc/csh.login /etc/csh.logout /etc/environment /etc/ksh.kshrc /etc/profile /etc/suid_profile /etc/profile.d/* If no global initialization files contain "mesg -n" or "mesg n", this is a finding.
Edit /etc/profile or another global initialization script, and add the "mesg -n" command.
Check skeleton files permissions. # ls -alL /etc/skel If a skeleton file has a mode more permissive than 0644, this is a finding.
Change the mode of skeleton files with incorrect mode: # chmod 0644 <skeleton file>
Check skeleton files for extended ACLs: # ls -alL /etc/skel If the permissions include a '+', the file has an extended ACL. If the file has an extended ACL and it has not been documented with the IAO, this is a finding.
Remove the extended ACL from the file. # setfacl --remove-all [skeleton file with extended ACL] or: # ls -AlL /etc/skel|grep "\+ "|sed "s/^.* //"|sed "s|^|/etc/skel/|"|xargs setfacl --remove-all will remove all ACLs from the files.
Check skeleton files ownership. # ls -alL /etc/skel If a skeleton file is not owned by root or bin, this is a finding.
Change the ownership of skeleton files with incorrect ownership: # chown root <skeleton file> or # ls -A /etc/skel|sed "s|^|/etc/skel/|"|xargs stat -L -c %U:%n|egrep -v "^(root|bin):"|cut -d: -f2|xargs chown root will change all files not owned by root or bin to root.
Verify the skeleton files are group-owned by root. Procedure: # ls -alL /etc/skel If a skeleton file is not group-owned by root, bin, sys, system, or other this is a finding.
Change the group-owner of the skeleton file to root, bin, sys, system, or other. Procedure: # chgrp <group> /etc/skel/[skeleton file] or: # ls -A /etc/skel|sed "s|^|/etc/skel/|"|xargs stat -L -c %G:%n|egrep -v "^(root|bin|sys|system|other):"|cut -d: -f2|xargs chgrp root will change the group of all files not already owned by one of the approved groups to root.
Check the global initialization files' executable search paths. Procedure: # grep PATH /etc/bashrc /etc/csh.cshrc /etc/csh.login /etc/csh.logout /etc/environment /etc/ksh.kshrc /etc/profile /etc/suid_profile /etc/profile.d/* This variable is formatted as a colon-separated list of directories. If the list contains an empty entry, such as a leading or trailing colon, two consecutive colons, or a single period, this is a finding. If an entry begins with a character other than a slash (/), or has not been documented with the ISSO, this is a finding.
Edit the global initialization file(s) with PATH variables containing relative paths and remove any relative path from the PATH variables that have not been authorized by the ISSO. Remove any empty path entries that are defined in these files.
Check the global initialization files' library search paths. Procedure: # grep LD_LIBRARY_PATH /etc/bashrc /etc/csh.cshrc /etc/csh.login /etc/csh.logout /etc/environment /etc/ksh.kshrc /etc/profile /etc/suid_profile /etc/profile.d/* This variable is formatted as a colon-separated list of directories. If the list contains an empty entry, such as a leading or trailing colon, two consecutive colons, or a single period, this is a finding. If an entry begins with a character other than a slash (/), or has not been documented with the ISSO, this is a finding.
Edit the global initialization file and remove the relative path entries from the library search path variables that have not been documented with the ISSO. Remove any empty path entries that are defined in these files.
Check the global initialization files' library preload list. # grep -r LD_PRELOAD /etc/bashrc /etc/csh.cshrc /etc/csh.login /etc/csh.logout /etc/environment /etc/ksh.kshrc /etc/profile /etc/suid_profile /etc/profile.d/* This variable is formatted as a colon-separated list of paths. If the list contains an empty entry, such as a leading or trailing colon, two consecutive colons, or a single period, this is a finding. If an entry begins with a character other than a slash (/), or has not been documented with the ISSO, this is a finding.
Edit the global initialization file and remove the relative path entry from the library preload variable that has not been authorized by the ISSO. Remove any empty path entries that are defined in these files.
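The PATH, LD_LIBRARY_PATH and LD_PRELOAD checks for run control scripts and for global initialization files all apply the same two rules to a colon-separated value (no empty entries, no entries that do not start with a slash), but the grep commands only locate the assignments and leave the inspection to the reviewer. Here is an added example, not part of the STIG text, of a POSIX shell script that applies both rules to a value and to sh-style assignments found in files. Function names are our own, and the sample initialization file in the test is constructed; csh "setenv" lines and values that span lines are outside what it handles.

```shell
#!/bin/sh
# Added example (not part of the STIG text): audit a colon-separated search
# path such as PATH, LD_LIBRARY_PATH or LD_PRELOAD for empty entries (a
# leading or trailing colon, two consecutive colons, or a single period)
# and for entries that do not begin with a slash. Function names are our own.

# path_findings VALUE: print one line per offending entry, either "empty"
# or "relative:<entry>". Prints nothing when the value is clean.
path_findings() {
    rest=$1:            # sentinel colon so the last entry is handled too
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            ''|.) echo empty ;;
            /*) ;;                  # absolute: acceptable
            '$'*) ;;                # $PATH, ${HOME}: a variable reference, left for manual review
            *) echo "relative:$entry" ;;
        esac
    done
}

# audit_search_paths FILE...: for each sh-style assignment of PATH,
# LD_LIBRARY_PATH or LD_PRELOAD in the files (optionally prefixed with
# "export"), print "<file> <variable> <finding>". Commented-out lines are
# not matched because the pattern is anchored to the start of the line.
audit_search_paths() {
    grep -H -E '^[[:space:]]*(export[[:space:]]+)?(PATH|LD_LIBRARY_PATH|LD_PRELOAD)[[:space:]]*=' "$@" 2>/dev/null |
    while IFS= read -r line; do
        file=${line%%:*}
        assign=${line#*:}
        var=$(printf '%s\n' "$assign" | sed -E 's/^[[:space:]]*(export[[:space:]]+)?(PATH|LD_LIBRARY_PATH|LD_PRELOAD)[[:space:]]*=.*/\2/')
        value=${assign#*=}
        # strip surrounding double or single quotes
        value=$(printf '%s\n' "$value" | sed -e 's/^[[:space:]]*"//' -e 's/"[[:space:]]*$//' -e "s/^[[:space:]]*'//" -e "s/'[[:space:]]*$//")
        path_findings "$value" | sed "s|^|$file $var |"
    done
}

# Run against the files named in the checks above, for example:
# audit_search_paths /etc/rc*/* /etc/init.d/* /etc/profile /etc/profile.d/* /etc/bashrc
```

Entries that are only a variable reference (such as `$PATH` at the front of a new PATH) are deliberately not reported, since whether the inherited value is clean is decided by the file that set it; everything else printed is a candidate finding for the fix texts above.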
NOTE: The following commands must be run in the BASH shell. Check the ownership of local initialization files. Procedure: # ls -al /<usershomedirectory>/.login # ls -al /<usershomedirectory>/.cshrc # ls -al /<usershomedirectory>/.logout # ls -al /<usershomedirectory>/.profile # ls -al /<usershomedirectory>/.bash_profile # ls -al /<usershomedirectory>/.bashrc # ls -al /<usershomedirectory>/.bash_logout # ls -al /<usershomedirectory>/.env # ls -al /<usershomedirectory>/.dtprofile # ls -al /<usershomedirectory>/.dispatch # ls -al /<usershomedirectory>/.emacs # ls -al /<usershomedirectory>/.exrc # find /<usershomedirectory>/.dt ! -fstype nfs ! -user <username> -exec ls -ld {} \; If local initialization files are not owned by the home directory's user, this is a finding.
Change the ownership of the startup and login files in the user's directory to the user or root, as appropriate. Examine each user's home directory and verify all filenames beginning with "." are owned by the owner of the directory or root. If they are not, use the chown command to change the owner to the user and research the reasons why the owners were not assigned as required. Procedure: # chown username .filename Document all changes.
Check user home directories for local initialization files group-owned by a group other than the user's primary group or root. Procedure: # FILES=" .login .cshrc .logout .profile .bash_profile .bashrc .bash_logout .env .dtprofile .dispatch .emacs .exrc"; # for PWLINE in $(cut -d: -f4,6 /etc/passwd); do HOMEDIR=$(echo ${PWLINE}|cut -d: -f2);GROUP=$(echo ${PWLINE}|cut -d: -f1);for INIFILE in $FILES;do stat -c %g/%G:%n ${HOMEDIR}/${INIFILE} 2>/dev/null|egrep -v "^(0|${GROUP})/";done;done (stat errors for files that do not exist are discarded; the pattern excludes files group-owned by root, GID 0, or the user's primary GID.) If any file is not group-owned by root or the user's primary GID, this is a finding.
Change the group-owner of the local initialization file to the user's primary group, or root. # chgrp <user's primary GID> <user's local initialization file> Procedure: # FILES=".bashrc .bash_login .bash_logout .bash_profile .cshrc .kshrc .login .logout .profile .tcshrc .env .dtprofile .dispatch .emacs .exrc"; # for PWLINE in $(cut -d: -f4,6 /etc/passwd); do HOMEDIR=$(echo ${PWLINE}|cut -d: -f2);GROUP=$(echo ${PWLINE}|cut -d: -f1);for INIFILE in $FILES;do MATCH=$(stat -c %g/%G:%n ${HOMEDIR}/${INIFILE} 2>/dev/null|egrep -c -v "^(0|${GROUP})/");if [ "$MATCH" != 0 ] ; then chgrp ${GROUP} ${HOMEDIR}/${INIFILE};fi;done;done (Files already group-owned by root, GID 0, are left unchanged.)
Check the modes of local initialization files. Procedure: # ls -al /<usershomedirectory>/.bashrc # ls -al /<usershomedirectory>/.bash_login # ls -al /<usershomedirectory>/.bash_logout # ls -al /<usershomedirectory>/.bash_profile # ls -al /<usershomedirectory>/.cshrc # ls -al /<usershomedirectory>/.kshrc # ls -al /<usershomedirectory>/.login # ls -al /<usershomedirectory>/.logout # ls -al /<usershomedirectory>/.profile # ls -al /<usershomedirectory>/.tcshrc # ls -al /<usershomedirectory>/.env # ls -al /<usershomedirectory>/.dtprofile (permissions should be 0755) # ls -al /<usershomedirectory>/.dispatch # ls -al /<usershomedirectory>/.emacs # ls -al /<usershomedirectory>/.exrc # find /<usershomedirectory>/.dt ! -fstype nfs \( -perm -0002 -o -perm -0020 \) -exec ls -ld {} \; (permissions not to be more permissive than 0755) If local initialization files are more permissive than 0740 or the .dt directory is more permissive than 0755 or the .dtprofile file is more permissive than 0755, this is a finding.
Ensure user startup files have permissions of 0740 or more restrictive. Examine each user's home directory and verify all file names beginning with "." have access permissions of 0740 or more restrictive. If they do not, use the chmod command to correct the vulnerability. Procedure: # chmod 0740 .filename Note: The period is part of the file name and is required.
Check user home directories for local initialization files with extended ACLs. # cut -d : -f 6 /etc/passwd | xargs -n1 -IDIR ls -alL DIR/.bashrc DIR/.bash_login DIR/.bash_logout DIR/.bash_profile DIR/.cshrc DIR/.kshrc DIR/.login DIR/.logout DIR/.profile DIR/.env DIR/.dtprofile DIR/.dispatch DIR/.emacs DIR/.exrc If the permissions include a '+', the file has an extended ACL. If the file has an extended ACL and it has not been documented with the IAO, this is a finding.
Remove the extended ACL from the file. # setfacl --remove-all <local initialization file with extended ACL>
Verify the executable search path set in local initialization files contains only absolute paths, or relative paths that are necessary and documented with the ISSO. Procedure: NOTE: This must be done in the BASH shell. # cut -d: -f6 /etc/passwd |xargs -n1 -IDIR find DIR -maxdepth 1 -name ".*" -type f -exec grep -l PATH {} \; This variable is formatted as a colon-separated list of directories. If the list contains an empty entry (a leading or trailing colon, or two consecutive colons) or an entry that is a single period, this is a finding. If an entry begins with a character other than a slash (/) and its use has not been documented with the ISSO, this is a finding.
Edit the local initialization file and remove the relative path entry from the executable search path variable. If this is not feasible, justify and document the necessity of having the relative path for a specific application with the ISSO. Remove any empty path entries that are defined in these files.
Verify the library search path set in local initialization files contains only authorized paths. Procedure: NOTE: This must be done in the BASH shell. # cut -d: -f6 /etc/passwd |xargs -n1 -IDIR find DIR -maxdepth 1 -name ".*" -type f -exec grep -H LD_LIBRARY_PATH {} \; This variable is formatted as a colon-separated list of directories. If the list contains an empty entry (a leading or trailing colon, or two consecutive colons) or an entry that is a single period, this is a finding. If an entry begins with a character other than a slash (/) and its use has not been documented with the ISSO, this is a finding.
Edit the local initialization file and remove any relative path entries that have not been documented with the ISSO. Remove any empty path entries that are defined in these files.
Verify the library preload list set in local initialization files contains only absolute paths. NOTE: The following must be done in the BASH shell. Procedure: # cut -d: -f6 /etc/passwd |xargs -n1 -IDIR find DIR -maxdepth 1 -name ".*" -type f -exec grep -H LD_PRELOAD {} \; This variable is formatted as a colon-separated list of paths. If the list contains an empty entry (a leading or trailing colon, or two consecutive colons) or an entry that is a single period, this is a finding. If an entry begins with a character other than a slash (/) and its use has not been documented with the ISSO, this is a finding.
Edit the local initialization file and remove any relative path entry from the library preload variable that has not been authorized by the ISSO. Remove any empty path entries that are defined in these files.
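The search-path rules applied by the global and local checks above (PATH, LD_LIBRARY_PATH and LD_PRELOAD) can be automated. The following is an added example, not part of the STIG or any vendor tool: it classifies each colon-separated entry the way the checks do and scans an initialization file for assignments; DOCUMENTED_ENTRIES is a hypothetical list of relative entries the ISSO has documented.

```shell
#!/bin/bash
# Added example (not from the STIG): report empty entries (leading, trailing
# or doubled colon), single-period entries and entries not beginning with "/"
# in PATH, LD_LIBRARY_PATH and LD_PRELOAD assignments of an init file.
# DOCUMENTED_ENTRIES is a hypothetical space-separated list of documented
# relative entries that are not to be reported.
DOCUMENTED_ENTRIES=""

# path_findings VALUE : print one finding per bad entry; return 1 if any found.
path_findings() {
    local rest=$1 entry d documented rc=0
    while :; do
        entry=${rest%%:*}
        documented=0
        for d in $DOCUMENTED_ENTRIES; do [ "$entry" = "$d" ] && documented=1; done
        if [ -z "$entry" ]; then
            echo "empty entry (leading, trailing or doubled colon)"; rc=1
        elif [ "$entry" = "." ]; then
            echo "single period entry"; rc=1
        elif [ "${entry#/}" = "$entry" ] && [ "$documented" -eq 0 ]; then
            echo "relative or undocumented entry: $entry"; rc=1
        fi
        case $rest in *:*) rest=${rest#*:} ;; *) break ;; esac
    done
    return $rc
}

# file_findings FILE : check every assignment to the three variables in FILE.
# Surrounding quotes are stripped; references such as $HOME are left as-is and
# therefore reported as non-slash entries for manual review.
file_findings() {
    local file=$1 line var value out rc=0
    while IFS= read -r line; do
        case $line in \#*) continue ;; esac
        for var in PATH LD_LIBRARY_PATH LD_PRELOAD; do
            case $line in
                "$var="*|"export $var="*) ;;
                *) continue ;;
            esac
            value=${line#*"$var="}
            case $value in
                \"*) value=${value#\"}; value=${value%\"} ;;
                \'*) value=${value#\'}; value=${value%\'} ;;
            esac
            out=$(path_findings "$value") || rc=1
            [ -n "$out" ] && printf '%s\n' "$out" | sed "s|^|$file ($var): |"
        done
    done < "$file"
    return $rc
}

# Demonstration on a constructed file (not a real user's .bashrc):
sample=$(mktemp)
printf '%s\n' 'export PATH=/usr/local/bin:/usr/bin:.:' \
    'LD_LIBRARY_PATH="/opt/app/lib::/usr/lib"' 'LD_PRELOAD=libfoo.so' > "$sample"
file_findings "$sample" || echo "finding(s) present"
rm -f "$sample"
```

To scan real home directories, feed the output of the find command from the procedure above to file_findings one file at a time.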
Determine the world writable files on the system (Note: ignore all files under /proc): # find / -perm -002 -a -type f -exec ls -ld {} \; | <more or redirect the output to a file> # find / -perm -002 -a -type d -exec ls -ld {} \; | <more or redirect the output to a file> View the password file to determine where the home directories for users are: # more /etc/passwd Once the directory for the human users is determined, grep for the lists of world writable files and directories within the users’ home directories. An example would be: # grep /opt/app/bin/daemon /home/*/.* where /home is the directory for the human users on the system and /opt/app/bin/daemon is a world writable file.
Remove the world-writable permission of files referenced by local initialization scripts, or remove the references to these files in the local initialization scripts.
Check system configuration files for plus (+) entries. Procedure: # find / -name .rhosts # grep + /<directorylocation>/.rhosts # find / -name .shosts # grep + /<directorylocation>/.shosts # find / -name hosts.equiv # grep + /<directorylocation>/hosts.equiv # find / -name shosts.equiv # grep + /<directorylocation>/shosts.equiv # grep + /etc/passwd # grep + /etc/shadow # grep + /etc/group If the .rhosts, .shosts, hosts.equiv, shosts.equiv, /etc/passwd, /etc/shadow, and/or /etc/group files contain a plus (+) and do not define entries for NIS+ netgroups, this is a finding.
Edit the .rhosts, .shosts, hosts.equiv, shosts.equiv, /etc/passwd, /etc/shadow, and/or /etc/group files and remove entries containing a plus (+).
Check the system for the existence of any .netrc files. Procedure: # find / -name .netrc If any .netrc file exists, this is a finding.
Remove the .netrc file(s). Procedure: # find / -name .netrc # rm <.netrc file>
Locate and examine all r-commands access control files. Procedure: # find / -name .rhosts # more /<directorylocation>/.rhosts # find / -name .shosts # more /<directorylocation>/.shosts # find / -name hosts.equiv # more /<directorylocation>/hosts.equiv # find / -name shosts.equiv # more /<directorylocation>/shosts.equiv If any .rhosts, .shosts, hosts.equiv, or shosts.equiv file contains other than host-user pairs, this is a finding.
If possible, remove the .rhosts, .shosts, hosts.equiv, and shosts.equiv files. If the files are required, remove any content from the files except for necessary host-user pairs.
Check for the existence of the files. # find / -name .rhosts # find / -name .shosts # find / -name hosts.equiv # find / -name shosts.equiv If .rhosts, .shosts, hosts.equiv, or shosts.equiv are found and their use has not been documented and approved by the IAO, this is a finding.
Remove all the r-commands access control files. Procedure: # find / -name .rhosts -exec rm {} \; # find / -name .shosts -exec rm {} \; # find / -name hosts.equiv -exec rm {} \; # find / -name shosts.equiv -exec rm {} \;
Check the ownership and permissions of the r-commands access control files and .netrc files. Procedure: # ls -l /etc/hosts.equiv # ls -l /etc/ssh/shosts.equiv # find / -name .rhosts # ls -al <home directory>/.rhosts # find / -name .shosts # ls -al <home directory>/.shosts # find / -name .netrc # ls -al <home directory>/.netrc If the .rhosts, .shosts, hosts.equiv, or shosts.equiv files have permissions greater than 600, then this is a finding. If the /etc/hosts.equiv or /etc/ssh/shosts.equiv files are not owned by root, this is a finding. Any .rhosts, .shosts and .netrc files outside of home directories have no meaning and are not subject to this rule. If the ~/.rhosts or ~/.shosts files are not owned by the owner of the home directory in which they are immediately located or by root, this is a finding.
Ensure the permission for these files is set to 600 or more restrictive and their owner is root or the same as the owner of the home directory in which they reside. Procedure: # chmod 600 /etc/hosts.equiv # chmod 600 /etc/ssh/shosts.equiv # chown root /etc/hosts.equiv # chown root /etc/ssh/shosts.equiv # find / -name .rhosts # chmod 600 /<home directory>/.rhosts # chown <home directory owner> <home directory>/.rhosts # find / -name .shosts # chmod 600 <directory location>/.shosts # chown <home directory owner> <home directory>/.shosts # find / -name .netrc # chmod 600 <directory location>/.netrc # chown <home directory owner> <home directory>/.netrc
Check the PAM configuration for rhosts_auth. Example: # grep rhosts_auth /etc/pam.d/* If a rhosts_auth entry is found, this is a finding.
Edit the file(s) in /etc/pam.d referencing the rhosts_auth module, and remove the references to the rhosts_auth module.
Verify /etc/shells exists. # ls -l /etc/shells If the file does not exist, this is a finding.
Create a /etc/shells file containing a list of valid system shells. Consult vendor documentation for an appropriate list of system shells. Procedure: # echo "/bin/bash" >> /etc/shells # echo "/bin/csh" >> /etc/shells (Repeat as necessary for other shells.)
Confirm the login shells referenced in the /etc/passwd file are listed in the /etc/shells file. Procedure: Determine which shells are permitted for use by users: # more /etc/shells Note: /usr/bin/false, /bin/false, /dev/null, /sbin/nologin, /bin/sync, /sbin/halt, /sbin/shutdown, (and equivalents) cannot be placed in the /etc/shells file. Determine which shells are being used: # more /etc/passwd (optionally shells found in /etc/passwd can be grepped for in /etc/shells) If any shells are found that are not in /etc/shells, or if false shells are found in /etc/shells, then this is a finding.
Use the "chsh" utility or edit the /etc/passwd file and correct the error by changing the default shell of the account in error to an acceptable shell name contained in the /etc/shells file. Example: # chsh -s /bin/bash testuser
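The /etc/shells cross-check above can be scripted. This is an added example, not from the STIG or any vendor tool; the passwd and shells files are parameters so it runs against constructed copies, and it assumes that accounts whose shell is one of the listed non-login shells are not login accounts and are skipped rather than reported.

```shell
#!/bin/bash
# Added example (not from the STIG): verify that every login shell in a passwd
# file is listed in a shells file and that no non-login ("false") shell is
# listed there.  On a live system pass /etc/passwd and /etc/shells.
FALSE_SHELLS="/usr/bin/false /bin/false /dev/null /sbin/nologin /bin/sync /sbin/halt /sbin/shutdown"

# is_false_shell SHELL : return 0 if SHELL is one of the non-login shells.
is_false_shell() {
    local s
    for s in $FALSE_SHELLS; do [ "$1" = "$s" ] && return 0; done
    return 1
}

# shell_findings PASSWD SHELLS : print one finding per line; return 1 if any.
shell_findings() {
    local passwd=$1 shells=$2 rc=0 shell user pw uid gid gecos home
    # non-login shells must not appear in the shells file
    while IFS= read -r shell; do
        case $shell in ''|\#*) continue ;; esac
        if is_false_shell "$shell"; then
            echo "$shells lists non-login shell $shell"; rc=1
        fi
    done < "$shells"
    # every login shell used in passwd must be listed in the shells file;
    # accounts with a non-login shell are skipped (assumption, see lead-in)
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -z "$shell" ] && shell=/bin/sh   # an empty field means /bin/sh
        is_false_shell "$shell" && continue
        if ! grep -qxF -- "$shell" "$shells"; then
            echo "$user uses $shell which is not in $shells"; rc=1
        fi
    done < "$passwd"
    return $rc
}

# Demonstration on constructed files (not a real system's passwd or shells):
demo_passwd=$(mktemp); demo_shells=$(mktemp)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'testuser:x:1000:1000::/home/testuser:/bin/zsh' > "$demo_passwd"
printf '%s\n' /bin/sh /bin/bash /sbin/nologin > "$demo_shells"
shell_findings "$demo_passwd" "$demo_shells" || echo "finding(s) present"
rm -f "$demo_passwd" "$demo_shells"
```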
Check the ownership of the system shells. # cat /etc/shells | xargs -n1 ls -l If any shell is not owned by root or bin, this is a finding.
Change the ownership of the shell with incorrect ownership. # chown root <shell>
If /etc/shells exists, check the group ownership of each shell referenced. Procedure: # cat /etc/shells | xargs -n1 ls -l Otherwise, check any shells found on the system. Procedure: # find / -name "*sh" | xargs -n1 ls -l If a shell is not group-owned by root, bin, sys, or system, this is a finding.
Change the group-owner of the shell to root, bin, sys, or system. Procedure: # chgrp root <shell>
If /etc/shells exists, check the mode of each shell referenced. # cat /etc/shells | xargs -n1 ls -l Otherwise, check any shells found on the system. # find / -name "*sh" | xargs -n1 ls -l If a shell has a mode more permissive than 0755, this is a finding.
Change the mode of the shell. # chmod 0755 <shell>
If /etc/shells exists, check the permissions of each shell referenced. # cat /etc/shells | xargs -n1 ls -lL Otherwise, check any shells found on the system. # find / -name "*sh" | xargs -n1 ls -lL If the permissions include a '+', the file has an extended ACL. If the file has an extended ACL and it has not been documented with the IAO, this is a finding.
Remove the extended ACL from the file. # setfacl --remove-all [shell]
Determine if there are any device files outside of /dev: # find / -type b -o -type c |more Check for the presence of the aide package on the system: # rpm -qa | grep aide If aide is not installed, ask the SA what file integrity tool is being used to check the system. If aide is installed, check the global crontabs for the presence of an "aide" job that runs at least weekly. Otherwise, check for the presence of a cron job to run the alternate file integrity checking application. # grep aide /etc/cron*/* If a tool is being run, the configuration file for that tool needs to be checked for selection lines covering /dev and any other directories or subdirectories that contain device files. Review the process to determine if the system is checked for extraneous device files on a weekly basis. If no weekly automated or manual process is in place, this is a finding. If the process is not identifying extraneous device files, this is a finding.
Establish a weekly automated or manual process to create a list of device files on the system and determine if any files have been added, moved, or deleted since the last list was generated. A list of device files can be generated with this command: # find / -type b -o -type c > device-file-list
Find all world-writable device files existing anywhere on the system. Procedure: # find / -perm -2 -a \( -type b -o -type c \) > devicelist Also check the permissions of the parent directories of any directory containing device files. If any of the device files or their parent directories are world-writable, excepting device files specifically intended to be world-writable such as /dev/null, this is a finding. These world-writable files on installation are intended to be world-writable: /dev/full /dev/null /selinux/null /dev/ptmx /dev/random /dev/tty /dev/vsock /dev/zero /dev/log
Remove the world-writable permission from the device file(s). Procedure: # chmod o-w <device file> Document all changes.
Check the system for world-writable device files. Procedure: # find / -perm -2 -a \( -type b -o -type c \) -exec ls -ld {} \; Ask the SA to identify any device files used for backup purposes. If any device file(s) used for backup are writable by users other than root or the designated backup user, this is a finding.
Use the chmod command to remove the world-writable bit from the backup device files. Procedure: # chmod o-w <backup device filename> Document all changes.
Check the mode of audio devices. # ls -lL /dev/audio* /dev/snd/* If the mode of any audio device is more permissive than 660, this is a finding.
Change the mode of audio devices. # chmod 0660 <audio device>
Check the permissions of audio devices. # ls -lL /dev/audio* /dev/snd/* If the permissions include a '+', the file has an extended ACL. If the file has an extended ACL and it has not been documented with the IAO, this is a finding.
Remove the extended ACL from the file. # setfacl --remove-all [device file]
Check the owner of audio devices. # ls -lL /dev/audio* /dev/snd/* If the owner of any audio device file is not root, this is a finding.
Edit the /etc/security/console.perms.d/50-default.perms file and comment the following line: <console> 0600 <sound> 0660 root.audio
Check the group-owner of audio devices. Procedure: # ls -lL /dev/audio* /dev/snd/* If the group-owner of an audio device is not root, sys, bin, system, or audio, this is a finding.
Change the group-owner of the audio device. Procedure: # chgrp <root, sys, bin, system, audio> <audio device>