Oracle Linux 6 Security Technical Implementation Guide

Version

OL6-00-000001

Vuln IDs

V-208793
V-50533

Rule IDs

SV-208793r505921_rule
SV-64739

The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.

Checks: C-9046r357359_chk

Run the following command to determine if "/tmp" is on its own partition or logical volume: $ mount | grep "on /tmp " If "/tmp" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding.

Fix: F-9046r357360_fix

The "/tmp" directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.

The system must use a separate file system for /var.

CM-6 - Low - CCI-000366 - V-208794 - SV-208794r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000002

Vuln IDs

V-208794
V-50537

Rule IDs

SV-208794r505921_rule
SV-64743

Ensuring that "/var" is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the "/var" directory to contain world-writable directories, installed by other software packages.

Checks: C-9047r357362_chk

Run the following command to determine if "/var" is on its own partition or logical volume: $ mount | grep "on /var " If "/var" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding.

Fix: F-9047r357363_fix

The "/var" directory is used by daemons and other system services to store frequently-changing data. Ensure that "/var" has its own partition or logical volume at installation time, or migrate it using LVM.

The system must use a separate file system for /var/log.

CM-6 - Low - CCI-000366 - V-208795 - SV-208795r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000003

Vuln IDs

V-208795
V-50529

Rule IDs

SV-208795r505921_rule
SV-64735

Placing "/var/log" in its own partition enables better separation between log files and other files in "/var/".

Checks: C-9048r357365_chk

Run the following command to determine if "/var/log" is on its own partition or logical volume: $ mount | grep "on /var/log " If "/var/log" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding.

Fix: F-9048r357366_fix

System logs are stored in the "/var/log" directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM.

The system must use a separate file system for user home directories.

CM-6 - Low - CCI-000366 - V-208796 - SV-208796r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000007

Vuln IDs

V-208796
V-50677

Rule IDs

SV-208796r505921_rule
SV-64883

Ensuring that "/home" is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.

Checks: C-9049r357368_chk

Run the following command to determine if "/home" is on its own partition or logical volume: $ mount | grep "on /home " If "/home" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding.

Fix: F-9049r357369_fix

If user home directories will be stored locally, create a separate partition for "/home" at installation time (or migrate it later using LVM). If "/home" will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.

The Red Hat Network Service (rhnsd) service must not be running, unless it is being used to query the Oracle Unbreakable Linux Network for updates and information.

CM-7 - Low - CCI-000382 - V-208797 - SV-208797r505921_rule

RMF Control

CM-7

Severity

CCI

Version

OL6-00-000009

Vuln IDs

V-208797
V-50693

Rule IDs

SV-208797r505921_rule
SV-64899

Although systems management and patching is extremely important to system security, management by a system outside the enterprise enclave is not desirable for some environments. However, if the system needs to communicate with the Oracle Unbreakable Linux Network for updates or information, then the "rhnsd" daemon can remain on.

Checks: C-9050r357371_chk

If the system needs to automatically communicate with the Oracle Unbreakable Linux Network for updates or information, then this is not applicable. To check that the "rhnsd" service is disabled in system boot configuration, run the following command: # chkconfig "rhnsd" --list Output should indicate the "rhnsd" service has either not been installed or has been disabled at all runlevels, as shown in the example below: # chkconfig "rhnsd" --list "rhnsd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "rhnsd" is disabled through current runtime configuration: # service rhnsd status If the service is disabled, the command will return the following output: rhnsd is stopped If the service is running, this is a finding.

Fix: F-9050r357372_fix

This service automatically queries the Oracle Unbreakable Linux Network service to determine whether there are any software updates or related information. The "rhnsd" service can be disabled with the following commands: # chkconfig rhnsd off # service rhnsd stop

System security patches and updates must be installed and up-to-date.

SI-2 - Medium - CCI-001233 - V-208798 - SV-208798r505921_rule

RMF Control

SI-2

Severity

CCI

CCI-001233

Version

OL6-00-000011

Vuln IDs

V-208798
V-50695

Rule IDs

SV-208798r505921_rule
SV-64901

Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities.

Checks: C-9051r357374_chk

If the system is joined to Oracle's Unbreakable Linux Network or an internal YUM server that provides updates, invoking the following command will indicate if updates are available.: # yum check-update If the system is not configured to update from one of these sources, run the following command to list when each package was last updated: $ rpm -qa -last Compare this to (1) http://linux.oracle.com/errata/ and (2) http://linux.oracle.com/cve/ to determine if the system is missing applicable security and bugfix updates. If updates are not installed, this is a finding. A ULN account is not required to obtain security updates Oracle also makes this content freely available on its Public YUM server at: http://public-yum.oracle.com/.

Fix: F-9051r357375_fix

If the system is joined to Oracle's Unbreakable Linux Network or an internal YUM server, run the following command to install updates # yum update If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from Oracle's Unbreakable Linux Network and installed using the "rpm" command.

The system must use a Linux Security Module at boot time.

CM-6 - Medium - CCI-000366 - V-208799 - SV-208799r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000017

Vuln IDs

V-208799
V-59347

Rule IDs

SV-208799r505921_rule
SV-73777

Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation.

Checks: C-9052r357377_chk

Inspect "/boot/grub/grub.conf" for any instances of "selinux=0" in the kernel boot arguments. Presence of "selinux=0" indicates that SELinux is disabled at boot time. If SELinux is disabled at boot time, this is a finding.

Fix: F-9052r357378_fix

SELinux can be disabled at boot time by an argument in "/boot/grub/grub.conf". Remove any instances of "selinux=0" from the kernel arguments in that file to prevent SELinux from being disabled at boot.

A file integrity baseline must be created.

CM-6 - Medium - CCI-000366 - V-208800 - SV-208800r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000018

Vuln IDs

V-208800
V-59353

Rule IDs

SV-208800r505921_rule
SV-73783

For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.

Checks: C-9053r357380_chk

To find the location of the AIDE database file, run the following command: # grep DBDIR /etc/aide.conf Using the defined values of the [DBDIR] and [database] variables, verify the existence of the AIDE database file: # ls -l [DBDIR]/[database_file_name] If there is no database file, this is a finding.

Fix: F-9053r357381_fix

Run the following command to generate a new database: # /usr/sbin/aide --init By default, the database will be written to the file "/var/lib/aide/aide.db.new.gz". Storing the database, the configuration file "/etc/aide.conf", and the binary "/usr/sbin/aide" (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows: # cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz To initiate a manual check, run the following command: # /usr/sbin/aide --check If this check produces any unexpected output, investigate.

The system must use a Linux Security Module configured to enforce limits on system services.

CM-6 - Medium - CCI-000366 - V-208801 - SV-208801r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000020

Vuln IDs

V-208801
V-59367

Rule IDs

SV-208801r505921_rule
SV-73797

Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.

Checks: C-9054r357383_chk

Check the file "/etc/selinux/config" and ensure the following line appears: SELINUX=enforcing If SELINUX is not set to enforcing, this is a finding.

Fix: F-9054r357384_fix

The SELinux state should be set to "enforcing" at system boot time. In the file "/etc/selinux/config", add or correct the following line to configure the system to boot into enforcing mode: SELINUX=enforcing

The system must use a Linux Security Module configured to limit the privileges of system services.

CM-6 - Low - CCI-000366 - V-208802 - SV-208802r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000023

Vuln IDs

V-208802
V-59369

Rule IDs

SV-208802r505921_rule
SV-73799

Setting the SELinux policy to "targeted" or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services.

Checks: C-9055r357386_chk

Check the file "/etc/selinux/config" and ensure the following line appears: SELINUXTYPE=targeted If it does not, this is a finding.

Fix: F-9055r357387_fix

The SELinux "targeted" policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in "/etc/selinux/config": SELINUXTYPE=targeted Other policies, such as "mls", provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.

All device files must be monitored by the system Linux Security Module.

CM-6 - Low - CCI-000366 - V-208803 - SV-208803r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000025

Vuln IDs

V-208803
V-59371

Rule IDs

SV-208803r505921_rule
SV-73801

If a device file carries the SELinux type "unlabeled_t", then SELinux cannot properly restrict access to the device file.

Checks: C-9056r357389_chk

To check for unlabeled device files, run the following command: # ls -RZ /dev | grep unlabeled_t It should produce no output in a well-configured system. If there is output, this is a finding.

Fix: F-9056r357390_fix

Device files, which are used for communication with important system resources, should be labeled with proper SELinux types. If any device files carry the SELinux type "unlabeled_t", investigate the cause and correct the file's context.

The system must prevent the root account from logging in from virtual consoles.

IA-2 - Medium - CCI-000770 - V-208804 - SV-208804r505921_rule

RMF Control

IA-2

Severity

CCI

CCI-000770

Version

OL6-00-000027

Vuln IDs

V-208804
V-50721

Rule IDs

SV-208804r505921_rule
SV-64927

Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account.

Checks: C-9057r357392_chk

To check for virtual console entries which permit root login, run the following command: # grep '^vc/[0-9]' /etc/securetty If any output is returned, then root logins over virtual console devices is permitted. If root login over virtual console devices is permitted, this is a finding.

Fix: F-9057r357393_fix

To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in "/etc/securetty": vc/1 vc/2 vc/3 vc/4 Note: Virtual console entries are not limited to those listed above. Any lines starting with "vc/" followed by numerals should be removed.

The system must prevent the root account from logging in from serial consoles.

IA-2 - Low - CCI-000770 - V-208805 - SV-208805r505921_rule

RMF Control

IA-2

Severity

CCI

CCI-000770

Version

OL6-00-000028

Vuln IDs

V-208805
V-50725

Rule IDs

SV-208805r505921_rule
SV-64931

Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account.

Checks: C-9058r357395_chk

To check for serial port entries which permit root login, run the following command: # grep '^ttyS[0-9]' /etc/securetty If any output is returned, then root login over serial ports is permitted. If root login over serial ports is permitted, this is a finding.

Fix: F-9058r357396_fix

To restrict root logins on serial ports, ensure lines of this form do not appear in "/etc/securetty": ttyS0 ttyS1 Note: Serial port entries are not limited to those listed above. Any lines starting with "ttyS" followed by numerals should be removed.

Default operating system accounts, other than root, must be locked.

CM-6 - Medium - CCI-000366 - V-208806 - SV-208806r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000029

Vuln IDs

V-208806
V-50731

Rule IDs

SV-208806r505921_rule
SV-64937

Disabling authentication for default system accounts makes it more difficult for attackers to make use of them to compromise a system.

Checks: C-9059r357398_chk

To obtain a listing of all users and the contents of their shadow password field, run the command: $ awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1 ":" $2}' /etc/shadow Identify the operating system accounts from this listing. These will primarily be the accounts with UID numbers less than 500, other than root. If any default operating system account (other than root) has a valid password hash, this is a finding.

Fix: F-9059r357399_fix

Some accounts are not associated with a human user of the system, and exist to perform some administrative function. An attacker should not be able to log into these accounts. Disable logon access to these accounts with the command: # passwd -l [SYSACCT]

The system must not have accounts configured with blank or null passwords.

CM-6 - High - CCI-000366 - V-208807 - SV-208807r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000030

Vuln IDs

V-208807
V-50737

Rule IDs

SV-208807r505921_rule
SV-64943

If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.

Checks: C-9060r357401_chk

To verify that null passwords cannot be used, run the following command: # grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth If this produces any output, it may be possible to log on to accounts with empty passwords. If null passwords can be used, this is a finding.

Fix: F-9060r357402_fix

If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authentication. Remove any instances of the "nullok" option in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" to prevent logons with empty passwords.

The /etc/passwd file must not contain password hashes.

CM-6 - Medium - CCI-000366 - V-208808 - SV-208808r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000031

Vuln IDs

V-208808
V-50741

Rule IDs

SV-208808r505921_rule
SV-64947

The hashes for all user account passwords should be stored in the file "/etc/shadow" and never in "/etc/passwd", which is readable by all users.

Checks: C-9061r357404_chk

To check that no password hashes are stored in "/etc/passwd", run the following command: # awk -F: '($2 != "x") {print}' /etc/passwd If it produces any output, then a password hash is stored in "/etc/passwd". If any stored hashes are found in /etc/passwd, this is a finding.

Fix: F-9061r357405_fix

If any password hashes are stored in "/etc/passwd" (in the second field, instead of an "x"), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely.

The root account must be the only account having a UID of 0.

CM-6 - Medium - CCI-000366 - V-208809 - SV-208809r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000032

Vuln IDs

V-208809
V-50747

Rule IDs

SV-208809r505921_rule
SV-64953

An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.

Checks: C-9062r357407_chk

To list all password file entries for accounts with UID 0, run the following command: # awk -F: '($3 == 0) {print}' /etc/passwd This should print only one line, for the user root. If any account other than root has a UID of 0, this is a finding.

Fix: F-9062r357408_fix

If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.

The /etc/shadow file must be owned by root.

CM-6 - Medium - CCI-000366 - V-208810 - SV-208810r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000033

Vuln IDs

V-208810
V-50753

Rule IDs

SV-208810r505921_rule
SV-64959

The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.

Checks: C-9063r357410_chk

To check the ownership of "/etc/shadow", run the command: $ ls -l /etc/shadow If properly configured, the output should indicate the following owner: "root" If it does not, this is a finding.

Fix: F-9063r357411_fix

To properly set the owner of "/etc/shadow", run the command: # chown root /etc/shadow

The /etc/shadow file must be group-owned by root.

CM-6 - Medium - CCI-000366 - V-208811 - SV-208811r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000034

Vuln IDs

V-208811
V-50755

Rule IDs

SV-208811r505921_rule
SV-64961

The "/etc/shadow" file stores password hashes. Protection of this file is critical for system security.

Checks: C-9064r357413_chk

To check the group ownership of "/etc/shadow", run the command: $ ls -l /etc/shadow If properly configured, the output should indicate the following group-owner. "root" If it does not, this is a finding.

Fix: F-9064r357414_fix

To properly set the group owner of "/etc/shadow", run the command: # chgrp root /etc/shadow

The /etc/shadow file must have mode 0000.

CM-6 - Medium - CCI-000366 - V-208812 - SV-208812r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000035

Vuln IDs

V-208812
V-50757

Rule IDs

SV-208812r505921_rule
SV-64963

Checks: C-9065r357416_chk

To check the permissions of "/etc/shadow", run the command: $ ls -l /etc/shadow If properly configured, the output should indicate the following permissions: "----------" If it does not, this is a finding.

Fix: F-9065r357417_fix

To properly set the permissions of "/etc/shadow", run the command: # chmod 0000 /etc/shadow

The /etc/gshadow file must be owned by root.

CM-6 - Medium - CCI-000366 - V-208813 - SV-208813r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000036

Vuln IDs

V-208813
V-50759

Rule IDs

SV-208813r505921_rule
SV-64965

The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.

Checks: C-9066r357419_chk

To check the ownership of "/etc/gshadow", run the command: $ ls -l /etc/gshadow If properly configured, the output should indicate the following owner: "root" If it does not, this is a finding.

Fix: F-9066r357420_fix

To properly set the owner of "/etc/gshadow", run the command: # chown root /etc/gshadow

The /etc/gshadow file must be group-owned by root.

CM-6 - Medium - CCI-000366 - V-208814 - SV-208814r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000037

Vuln IDs

V-208814
V-50763

Rule IDs

SV-208814r505921_rule
SV-64969

The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.

Checks: C-9067r357422_chk

To check the group ownership of "/etc/gshadow", run the command: $ ls -l /etc/gshadow If properly configured, the output should indicate the following group-owner. "root" If it does not, this is a finding.

Fix: F-9067r357423_fix

To properly set the group owner of "/etc/gshadow", run the command: # chgrp root /etc/gshadow

The /etc/gshadow file must have mode 0000.

CM-6 - Medium - CCI-000366 - V-208815 - SV-208815r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000038

Vuln IDs

V-208815
V-50765

Rule IDs

SV-208815r505921_rule
SV-64971

The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.

Checks: C-9068r357425_chk

To check the permissions of "/etc/gshadow", run the command: $ ls -l /etc/gshadow If properly configured, the output should indicate the following permissions: "----------" If it does not, this is a finding.

Fix: F-9068r357426_fix

To properly set the permissions of "/etc/gshadow", run the command: # chmod 0000 /etc/gshadow

The /etc/passwd file must be owned by root.

CM-6 - Medium - CCI-000366 - V-208816 - SV-208816r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000039

Vuln IDs

V-208816
V-50769

Rule IDs

SV-208816r505921_rule
SV-64975

The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security.

Checks: C-9069r357428_chk

To check the ownership of "/etc/passwd", run the command: $ ls -l /etc/passwd If properly configured, the output should indicate the following owner: "root" If it does not, this is a finding.

Fix: F-9069r357429_fix

To properly set the owner of "/etc/passwd", run the command: # chown root /etc/passwd

The /etc/passwd file must be group-owned by root.

CM-6 - Medium - CCI-000366 - V-208817 - SV-208817r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000040

Vuln IDs

V-208817
V-50771

Rule IDs

SV-208817r505921_rule
SV-64977

The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security.

Checks: C-9070r357431_chk

To check the group ownership of "/etc/passwd", run the command: $ ls -l /etc/passwd If properly configured, the output should indicate the following group-owner. "root" If it does not, this is a finding.

Fix: F-9070r357432_fix

To properly set the group owner of "/etc/passwd", run the command: # chgrp root /etc/passwd

The /etc/passwd file must have mode 0644 or less permissive.

CM-6 - Medium - CCI-000366 - V-208818 - SV-208818r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000041

Vuln IDs

V-208818
V-50773

Rule IDs

SV-208818r505921_rule
SV-64979

If the "/etc/passwd" file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.

Checks: C-9071r357434_chk

To check the permissions of "/etc/passwd", run the command: $ ls -l /etc/passwd If properly configured, the output should indicate the following permissions: "-rw-r--r--" If it does not, this is a finding.

Fix: F-9071r357435_fix

To properly set the permissions of "/etc/passwd", run the command: # chmod 0644 /etc/passwd

The /etc/group file must be owned by root.

CM-6 - Medium - CCI-000366 - V-208819 - SV-208819r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000042

Vuln IDs

V-208819
V-50775

Rule IDs

SV-208819r505921_rule
SV-64981

The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

Checks: C-9072r357437_chk

To check the ownership of "/etc/group", run the command: $ ls -l /etc/group If properly configured, the output should indicate the following owner: "root" If it does not, this is a finding.

Fix: F-9072r357438_fix

To properly set the owner of "/etc/group", run the command: # chown root /etc/group

The /etc/group file must be group-owned by root.

CM-6 - Medium - CCI-000366 - V-208820 - SV-208820r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000043

Vuln IDs

V-208820
V-50777

Rule IDs

SV-208820r505921_rule
SV-64983

The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

Checks: C-9073r357440_chk

To check the group ownership of "/etc/group", run the command: $ ls -l /etc/group If properly configured, the output should indicate the following group-owner. "root" If it does not, this is a finding.

Fix: F-9073r357441_fix

To properly set the group owner of "/etc/group", run the command: # chgrp root /etc/group

The /etc/group file must have mode 0644 or less permissive.

CM-6 - Medium - CCI-000366 - V-208821 - SV-208821r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000044

Vuln IDs

V-208821
V-50779

Rule IDs

SV-208821r505921_rule
SV-64985

The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

Checks: C-9074r357443_chk

To check the permissions of "/etc/group", run the command: $ ls -l /etc/group If properly configured, the output should indicate the following permissions: "-rw-r--r--" If it does not, this is a finding.

Fix: F-9074r357444_fix

To properly set the permissions of "/etc/group", run the command: # chmod 644 /etc/group

Library files must have mode 0755 or less permissive.

CM-5 - Medium - CCI-001499 - V-208822 - SV-208822r505921_rule

RMF Control

CM-5

Severity

CCI

Version

OL6-00-000045

Vuln IDs

V-208822
V-50783

Rule IDs

SV-208822r505921_rule
SV-64989

Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system.

Checks: C-9075r357446_chk

System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 Kernel modules, which can be added to the kernel during runtime, are stored in "/lib/modules". All files in these directories should not be group-writable or world-writable. To find shared libraries that are group-writable or world-writable, run the following command for each directory [DIR] which contains shared libraries: $ find -L [DIR] -perm /022 -type f If any of these files (excluding broken symlinks) are group-writable or world-writable, this is a finding.

Fix: F-9075r357447_fix

System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command: # chmod go-w [FILE]

Library files must be owned by a system account.

CM-5 - Medium - CCI-001499 - V-208823 - SV-208823r505921_rule

RMF Control

CM-5

Severity

CCI

Version

OL6-00-000046

Vuln IDs

V-208823
V-50785

Rule IDs

SV-208823r505921_rule
SV-64991

Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system.

Checks: C-9076r357449_chk

System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 /usr/local/lib /usr/local/lib64 Kernel modules, which can be added to the kernel during runtime, are stored in "/lib/modules". All files in these directories should not be group-writable or world-writable. To find shared libraries that are not owned by "root" and do not match what is expected by the RPM, run the following command: for i in /lib /lib64 /usr/lib /usr/lib64 /usr/local/lib /usr/local/lib64 do for j in `find -L $i \! -user root` do rpm -V -f $j | grep '^.....U' done done If the command returns any results, this is a finding.

Fix: F-9076r357450_fix

System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 /usr/local/lib /usr/local/lib64 If any file in these directories is found to be owned by a user other than “root” and does not match what is expected by the RPM, correct its ownership by running one of the following commands: # rpm --setugids [PACKAGE_NAME] Or # chown root [FILE]

All system command files must have mode 755 or less permissive.

CM-5 - Medium - CCI-001499 - V-208824 - SV-208824r505921_rule

RMF Control

CM-5

Severity

CCI

Version

OL6-00-000047

Vuln IDs

V-208824
V-50787

Rule IDs

SV-208824r505921_rule
SV-64993

System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.

Checks: C-9077r357452_chk

System executables are stored in the following directories by default: /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin All files in these directories should not be group-writable or world-writable. To find system executables that are group-writable or world-writable, run the following command for each directory [DIR] which contains system executables: $ find -L [DIR] -perm /022 -type f If any system executables are found to be group-writable or world-writable, this is a finding.

Fix: F-9077r357453_fix

System executables are stored in the following directories by default: /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command: # chmod go-w [FILE]

All system command files must be owned by root.

CM-5 - Medium - CCI-001499 - V-208825 - SV-208825r505921_rule

RMF Control

CM-5

Severity

CCI

Version

OL6-00-000048

Vuln IDs

V-208825
V-50789

Rule IDs

SV-208825r505921_rule
SV-64995

System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted.

Checks: C-9078r357455_chk

System executables are stored in the following directories by default: /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin To find system executables that are not owned by "root", run the following command for each directory [DIR] which contains system executables: $ find -L [DIR] \! -user root If any system executables are found to not be owned by root, this is a finding.

Fix: F-9078r357456_fix

System executables are stored in the following directories by default: /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin If any file [FILE] in these directories is found to be owned by a user other than root, correct its ownership with the following command: # chown root [FILE]

The system must require passwords to contain a minimum of 15 characters.

IA-5 - Medium - CCI-000205 - V-208826 - SV-208826r505921_rule

RMF Control

IA-5

Severity

CCI

CCI-000205

Version

OL6-00-000050

Vuln IDs

V-208826
V-50791

Rule IDs

SV-208826r505921_rule
SV-64997

Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result. While it does not negate the password length requirement, it is preferable to migrate from a password-based authentication scheme to a stronger one based on PKI (public key infrastructure).

Checks: C-9079r357458_chk

To check the minimum password length, run the command: $ grep PASS_MIN_LEN /etc/login.defs The DoD requirement is "15". If it is not set to the required value, this is a finding. $ grep –E ‘pam_cracklib.so.*minlen’ /etc/pam.d/* If no results are returned, this is not a finding. If any results are returned and are not set to “15” or greater, this is a finding.

Fix: F-9079r357459_fix

To specify password length requirements for new accounts, edit the file "/etc/login.defs" and add or correct the following lines: PASS_MIN_LEN 15 The DoD requirement is "15". If a program consults "/etc/login.defs" and also another PAM module (such as "pam_cracklib") during a password change operation, then the most restrictive must be satisfied.

Users must not be able to change passwords more than once every 24 hours.

IA-5 - Medium - CCI-000198 - V-208827 - SV-208827r505921_rule

RMF Control

IA-5

Severity

CCI

CCI-000198

Version

OL6-00-000051

Vuln IDs

V-208827
V-50793

Rule IDs

SV-208827r505921_rule
SV-64999

Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.

Checks: C-9080r357461_chk

To check the minimum password age, run the command: $ grep PASS_MIN_DAYS /etc/login.defs The DoD requirement is 1. If it is not set to the required value, this is a finding.

Fix: F-9080r357462_fix

To specify password minimum age for new accounts, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately: PASS_MIN_DAYS [DAYS] A value of 1 day is considered sufficient for many environments. The DoD requirement is 1.

User passwords must be changed at least every 60 days.

IA-5 - Medium - CCI-000199 - V-208828 - SV-208828r505921_rule

RMF Control

IA-5

Severity

CCI

CCI-000199

Version

OL6-00-000053

Vuln IDs

V-208828
V-50795

Rule IDs

SV-208828r505921_rule
SV-65001

Setting the password maximum age ensures users are required to periodically change their passwords. This could possibly decrease the utility of a stolen password. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.

Checks: C-9081r357464_chk

To check the maximum password age, run the command: $ grep PASS_MAX_DAYS /etc/login.defs The DoD requirement is 60. If it is not set to the required value, this is a finding.

Fix: F-9081r357465_fix

To specify password maximum age for new accounts, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately: PASS_MAX_DAYS [DAYS] The DoD requirement is 60.

Users must be warned 7 days in advance of password expiration.

CM-6 - Low - CCI-000366 - V-208829 - SV-208829r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000054

Vuln IDs

V-208829
V-50907

Rule IDs

SV-208829r505921_rule
SV-65113

Setting the password warning age enables users to make the change at a practical time.

Checks: C-9082r357467_chk

To check the password warning age, run the command: $ grep PASS_WARN_AGE /etc/login.defs The DoD requirement is 7. If it is not set to the required value, this is a finding.

Fix: F-9082r357468_fix

To specify how many days prior to password expiration that a warning will be issued to users, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately: PASS_WARN_AGE [DAYS] The DoD requirement is 7.

System and application account passwords must be changed at least annually.

IA-5 - Medium - CCI-000199 - V-208830 - SV-208830r505921_rule

RMF Control

IA-5

Severity

CCI

CCI-000199

Version

OL6-00-000055

Vuln IDs

V-208830
V-92247

Rule IDs

SV-208830r505921_rule
SV-102349

Any password, no matter how complex, can eventually be cracked. Therefore, system and application account passwords need to be changed periodically. If an organization fails to change the system and application account passwords at least annually, there is the risk that the account passwords could be compromised.

Checks: C-9083r357470_chk

Obtain a list of approved system and application accounts from the ISSO. For each system and application account identified, run the following command: # chage -l <application_account> Last password change : Nov 05, 2018 Password expires : Nov 04, 2019 Password inactive : Dec 10, 2019 Account expires : never Minimum number of days between password change : 1 Maximum number of days between password change : 365 Number of days of warning before password expires : 7 If "Maximum number of days between password change" is greater than "365", this is a finding. If the date of "Last password change" exceeds 365 days, this is a finding. If the date of "Password expires" is greater than 365 days from the date of "Last password change", this is a finding.

Fix: F-9083r357471_fix

Set the "Maximum number of days between password change" to "365": # chage -M 365 <application_account> Change the password for the system/application account: #passwd <application_account>

The system must require passwords to contain at least one numeric character.

IA-5 - Low - CCI-000194 - V-208831 - SV-208831r505921_rule

RMF Control

IA-5

Severity

CCI

CCI-000194

Version

OL6-00-000056

Vuln IDs

V-208831
V-50911

Rule IDs

SV-208831r505921_rule
SV-65117

Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.

Checks: C-9084r357473_chk

To check how many digits are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth The "dcredit" parameter (as a negative number) will indicate how many digits are required. The DoD requires at least one digit in a password. This would appear as "dcredit=-1". If the “dcredit” parameter is not found or not set to the required value, this is a finding.

Fix: F-9084r357474_fix

The pam_cracklib module's "dcredit" parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional length credit for each digit. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "dcredit=-1" after pam_cracklib.so to require use of a digit in passwords.

The system must require passwords to contain at least one uppercase alphabetic character.

IA-5 - Low - CCI-000192 - V-208832 - SV-208832r505921_rule

RMF Control

IA-5

Severity

CCI

CCI-000192

Version

OL6-00-000057

Vuln IDs

V-208832
V-50913

Rule IDs

SV-208832r505921_rule
SV-65119

Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space.

Checks: C-9085r357476_chk

To check how many uppercase characters are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth The "ucredit" parameter (as a negative number) will indicate how many uppercase characters are required. The DoD requires at least one uppercase character in a password. This would appear as "ucredit=-1". If the “ucredit” parameter is not found or not set to the required value, this is a finding.

Fix: F-9085r357477_fix

The pam_cracklib module's "ucredit=" parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each uppercase character. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "ucredit=-1" after pam_cracklib.so to require use of an uppercase character in passwords.

The system must require passwords to contain at least one special character.

IA-5 - Low - CCI-001619 - V-208833 - SV-208833r505921_rule

RMF Control

IA-5

Severity

CCI

CCI-001619

Version

OL6-00-000058

Vuln IDs

V-208833
V-50915

Rule IDs

SV-208833r505921_rule
SV-65121

Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.

Checks: C-9086r357479_chk

To check how many special characters are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth The "ocredit" parameter (as a negative number) will indicate how many special characters are required. The DoD requires at least one special character in a password. This would appear as "ocredit=-1". If the “ocredit” parameter is not found or not set to the required value, this is a finding.

Fix: F-9086r357480_fix

The pam_cracklib module's "ocredit=" parameter controls requirements for usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each special character. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "ocredit=-1" after pam_cracklib.so to require use of a special character in passwords.

The system must require passwords to contain at least one lower-case alphabetic character.

IA-5 - Low - CCI-000193 - V-208834 - SV-208834r505921_rule

RMF Control

IA-5

Severity

CCI

CCI-000193

Version

OL6-00-000059

Vuln IDs

V-208834
V-50917

Rule IDs

SV-208834r505921_rule
SV-65123

Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.

Checks: C-9087r357482_chk

To check how many lower-case characters are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth The "lcredit" parameter (as a negative number) will indicate how many lower-case characters are required. The DoD requires at least one lower-case character in a password. This would appear as "lcredit=-1". If the “lcredit” parameter is not found or not set to the required value, this is a finding.

Fix: F-9087r357483_fix

The pam_cracklib module's "lcredit=" parameter controls requirements for usage of lower-case letters in a password. When set to a negative number, any password will be required to contain that many lower-case characters. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "lcredit=-1" after pam_cracklib.so to require use of a lower-case character in passwords.

The system must require at least eight characters be changed between the old and new passwords during a password change.

IA-5 - Low - CCI-000195 - V-208835 - SV-208835r505921_rule

RMF Control

IA-5

Severity

CCI

CCI-000195

Version

OL6-00-000060

Vuln IDs

V-208835
V-50919

Rule IDs

SV-208835r505921_rule
SV-65125

Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note: Passwords which are changed on compromised systems will still be compromised.

Checks: C-9088r357485_chk

To check how many characters must differ during a password change, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth The "difok" parameter will indicate how many characters must differ. The DoD requires eight characters differ during a password change. This would appear as "difok=8". If the “difok” parameter is not found or not set to the required value, this is a finding.

Fix: F-9088r357486_fix

The pam_cracklib module's "difok" parameter controls requirements for usage of different characters during a password change. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "difok=[NUM]" after pam_cracklib.so to require differing characters when changing passwords, substituting [NUM] appropriately. The DoD requirement is “8”.

The system must disable accounts after three consecutive unsuccessful logon attempts.

AC-7 - Medium - CCI-000044 - V-208836 - SV-208836r505921_rule

RMF Control

AC-7

Severity

CCI

CCI-000044

Version

OL6-00-000061

Vuln IDs

V-208836
V-50921

Rule IDs

SV-208836r505921_rule
SV-65127

Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks.

Checks: C-9089r499651_chk

To ensure the failed password attempt policy is configured correctly, run the following command: # grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth The output should show "deny=3" for both files. If that is not the case, this is a finding.

Fix: F-9089r499652_fix

To configure the system to lock out accounts after a number of incorrect logon attempts using "pam_faillock.so", modify the content of both "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" as follows: Add the following line immediately before the "pam_unix.so" statement in the "AUTH" section: auth required pam_faillock.so preauth silent deny=3 unlock_time=900 fail_interval=900 Add the following line immediately after the "pam_unix.so" statement in the "AUTH" section: auth [default=die] pam_faillock.so authfail deny=3 unlock_time=900 fail_interval=900 Add the following line immediately before the "pam_unix.so" statement in the "ACCOUNT" section: account required pam_faillock.so Note that any updates made to "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" may be overwritten by the "authconfig" program. The "authconfig" program should not be used.

The system must use a FIPS 140-2-approved cryptographic hashing algorithm for generating account password hashes (system-auth).

IA-7 - Medium - CCI-000803 - V-208837 - SV-208837r505921_rule

RMF Control

IA-7

Severity

CCI

CCI-000803

Version

OL6-00-000062

Vuln IDs

V-208837
V-50923

Rule IDs

SV-208837r505921_rule
SV-65129

Using a stronger hashing algorithm makes password-cracking attacks more difficult.

Checks: C-9090r357491_chk

Inspect the "password" section of "/etc/pam.d/system-auth", "/etc/pam.d/system-auth-ac", "/etc/pam.d/password-auth", "/etc/pam.d/password-auth-ac", and other files in "/etc/pam.d" to identify the number of occurrences where the “pam_unix.so” module is used in the “password” section. $ grep -E -c 'password.*pam_unix.so' /etc/pam.d/* /etc/pam.d/atd:0 /etc/pam.d/config-util:0 /etc/pam.d/crond:0 /etc/pam.d/login:0 /etc/pam.d/other:0 /etc/pam.d/passwd:0 /etc/pam.d/password-auth:1 /etc/pam.d/password-auth-ac:1 /etc/pam.d/sshd:0 /etc/pam.d/su:0 /etc/pam.d/sudo:0 /etc/pam.d/system-auth:1 /etc/pam.d/system-auth-ac:1 /etc/pam.d/vlock:0 Note: The number adjacent to the file name indicates how many occurrences of the “pam_unix.so” module are found in the password section. If the “pam_unix.so” module is not defined in the “password” section of “/etc/pam.d/system-auth”, “/etc/pam.d/system-auth-ac”, “/etc/pam.d/password-auth”, and “/etc/pam.d/password-auth-ac” at a minimum, this is a finding. Verify that the “sha512” variable is used with each instance of the “pam_unix.so” module in the “password” section: $ grep password /etc/pam.d/* | grep pam_unix.so | grep sha512 /etc/pam.d/password-auth:password sufficient pam_unix.so sha512 [other arguments…] /etc/pam.d/password-auth-ac:password sufficient pam_unix.so sha512 [other arguments…] /etc/pam.d/system-auth:password sufficient pam_unix.so sha512 [other arguments…] /etc/pam.d/system-auth-ac:password sufficient pam_unix.so sha512 [other arguments…] If this list of files does not coincide with the previous command, this is a finding. If any of the identified “pam_unix.so” modules do not use the “sha512” variable, this is a finding.

Fix: F-9090r357492_fix

In "/etc/pam.d/system-auth”, "/etc/pam.d/system-auth-ac", “/etc/pam.d/password-auth”, and “/etc/pam.d/password-auth-ac”, among potentially other files, the "password" section of the files control which PAM modules execute during a password change. Set the "pam_unix.so" module in the "password" section to include the argument "sha512", as shown below: password sufficient pam_unix.so sha512 [other arguments...] This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default. Note: Any updates made to "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" will be overwritten by the "authconfig" program. The "authconfig" program should not be used.

The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs).

IA-7 - Medium - CCI-000803 - V-208838 - SV-208838r505921_rule

RMF Control

IA-7

Severity

CCI

CCI-000803

Version

OL6-00-000063

Vuln IDs

V-208838
V-50927

Rule IDs

SV-208838r505921_rule
SV-65133

Using a stronger hashing algorithm makes password cracking attacks more difficult.

Checks: C-9091r357494_chk

Inspect "/etc/login.defs" and ensure the following line appears: ENCRYPT_METHOD SHA512 If it does not, this is a finding.

Fix: F-9091r357495_fix

In "/etc/login.defs", add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm: ENCRYPT_METHOD SHA512

The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf).

IA-7 - Medium - CCI-000803 - V-208839 - SV-208839r505921_rule

RMF Control

IA-7

Severity

CCI

CCI-000803

Version

OL6-00-000064

Vuln IDs

V-208839
V-50937

Rule IDs

SV-208839r505921_rule
SV-65143

Using a stronger hashing algorithm makes password cracking attacks more difficult.

Checks: C-9092r357497_chk

Inspect "/etc/libuser.conf" and ensure the following line appears in the "[default]" section: crypt_style = sha512 If it does not, this is a finding.

Fix: F-9092r357498_fix

In "/etc/libuser.conf", add or correct the following line in its "[defaults]" section to ensure the system will use the SHA-512 algorithm for password hashing: crypt_style = sha512

The system boot loader configuration file(s) must be owned by root.

CM-6 - Medium - CCI-000366 - V-208840 - SV-208840r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000065

Vuln IDs

V-208840
V-50933

Rule IDs

SV-208840r505921_rule
SV-65139

Only root should be able to modify important boot parameters.

Checks: C-9093r357500_chk

To check the ownership of "/boot/grub/grub.conf", run the command: $ ls -lL /boot/grub/grub.conf If properly configured, the output should indicate that the owner is "root". If it does not, this is a finding.

Fix: F-9093r357501_fix

The file "/boot/grub/grub.conf" should be owned by the "root" user to prevent destruction or modification of the file. To properly set the owner of "/boot/grub/grub.conf", run the command: # chown root /boot/grub/grub.conf

The system boot loader configuration file(s) must be group-owned by root.

CM-6 - Medium - CCI-000366 - V-208841 - SV-208841r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000066

Vuln IDs

V-208841
V-50939

Rule IDs

SV-208841r505921_rule
SV-65145

The "root" group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.

Checks: C-9094r462331_chk

To check the group ownership of "/boot/grub/grub.conf", run the command: $ ls -lL /boot/grub/grub.conf If properly configured, the output should indicate the group-owner is "root". If it does not, this is a finding.

Fix: F-9094r462332_fix

The file "/boot/grub/grub.conf" should be group-owned by the "root" group to prevent destruction or modification of the file. To properly set the group owner of "/boot/grub/grub.conf", run the command: # chgrp root /boot/grub/grub.conf

The system boot loader configuration file(s) must have mode 0600 or less permissive.

CM-6 - Medium - CCI-000366 - V-208842 - SV-208842r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000067

Vuln IDs

V-208842
V-50943

Rule IDs

SV-208842r505921_rule
SV-65149

Proper permissions ensure that only the root user can modify important boot parameters.

Checks: C-9095r357506_chk

To check the permissions of "/boot/grub/grub.conf", run the command: $ sudo ls -lL /boot/grub/grub.conf If properly configured, the output should indicate the following permissions: "-rw-------" If it does not, this is a finding.

Fix: F-9095r357507_fix

File permissions for "/boot/grub/grub.conf" should be set to 600, which is the default. To properly set the permissions of "/boot/grub/grub.conf", run the command: # chmod 600 /boot/grub/grub.conf Boot partitions based on VFAT, NTFS, or other non-standard configurations may require alternative measures.

The system boot loader must require authentication.

AC-3 - Medium - CCI-000213 - V-208843 - SV-208843r505921_rule

RMF Control

AC-3

Severity

CCI

CCI-000213

Version

OL6-00-000068

Vuln IDs

V-208843
V-50945

Rule IDs

SV-208843r505921_rule
SV-65151

Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.

Checks: C-9096r357509_chk

To verify the boot loader password has been set and encrypted, run the following command: # grep password /boot/grub/grub.conf The output should show the following: password --encrypted $6$[rest-of-the-password-hash] If it does not, this is a finding.

Fix: F-9096r357510_fix

The grub boot loader should have password protection enabled to protect boot-time settings. To do so, select a password and then generate a hash from it by running the following command: # grub-crypt --sha-512 When prompted to enter a password, insert the following line into "/boot/grub/grub.conf" immediately after the header comments. (Use the output from "grub-crypt" as the value of [password-hash]): password --encrypted [password-hash]

The system must require authentication upon booting into single-user and maintenance modes.

AC-3 - Medium - CCI-000213 - V-208844 - SV-208844r505921_rule

RMF Control

AC-3

Severity

CCI

CCI-000213

Version

OL6-00-000069

Vuln IDs

V-208844
V-50947

Rule IDs

SV-208844r505921_rule
SV-65153

This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.

Checks: C-9097r357512_chk

To check if authentication is required for single-user mode, run the following command: $ grep SINGLE /etc/sysconfig/init The output should be the following: SINGLE=/sbin/sulogin If the output is different, this is a finding.

Fix: F-9097r357513_fix

Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected. To require entry of the root password even if the system is started in single-user mode, add or correct the following line in the file "/etc/sysconfig/init": SINGLE=/sbin/sulogin

The system must not permit interactive boot.

AC-3 - Medium - CCI-000213 - V-208845 - SV-208845r505921_rule

RMF Control

AC-3

Severity

CCI

CCI-000213

Version

OL6-00-000070

Vuln IDs

V-208845
V-50951

Rule IDs

SV-208845r505921_rule
SV-65157

Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security.

Checks: C-9098r357515_chk

To check whether interactive boot is disabled, run the following command: $ grep PROMPT /etc/sysconfig/init If interactive boot is disabled, the output will show: PROMPT=no If it does not, this is a finding.

Fix: F-9098r357516_fix

To disable the ability for users to perform interactive startups, edit the file "/etc/sysconfig/init". Add or correct the line: PROMPT=no The "PROMPT" option allows the console user to perform an interactive system startup, in which it is possible to select the set of services which are started on boot.

The system must be configured so all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.

AC-11 - Low - CCI-000058 - V-208846 - SV-208846r505921_rule

RMF Control

AC-11

Severity

CCI

CCI-000058

Version

OL6-00-000071

Vuln IDs

V-208846
V-50953

Rule IDs

SV-208846r505921_rule
SV-65159

Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000163-GPOS-00072

Checks: C-9099r462522_chk

Verify the operating system terminates all network connections associated with a communications session at the end of the session or based on inactivity. Check the value of the system inactivity timeout with the following command: # grep -i tmout /etc/profile.d/* etc/profile.d/tmout.sh:TMOUT=900 /etc/profile.d/tmout.sh:readonly TMOUT /etc/profile.d/tmout.sh:export TMOUT If "TMOUT" is not set to "900" or less in a script located in the /etc/profile.d/ directory to enforce session termination after inactivity, this is a finding.

Fix: F-9099r462523_fix

Configure the operating system to terminate all network connections associated with a communications session at the end of the session or after a period of inactivity. Create a script to enforce the inactivity timeout (for example /etc/profile.d/tmout.sh) such as: #!/bin/bash TMOUT=900 readonly TMOUT export TMOUT

The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.

AC-8 - Medium - CCI-001384 - V-208847 - SV-208847r505921_rule

RMF Control

AC-8

Severity

CCI

CCI-001384

Version

OL6-00-000073

Vuln IDs

V-208847
V-50955

Rule IDs

SV-208847r505921_rule
SV-65161

An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.

Checks: C-9100r357521_chk

To check if the system login banner is compliant, run the following command: $ cat /etc/issue Note: The full text banner must be implemented unless there are character limitations that prevent the display of the full DoD logon banner. If the required DoD logon banner is not displayed, this is a finding.

Fix: F-9100r357522_fix

To configure the system login banner: Edit "/etc/issue". Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If the device cannot support the full DoD logon banner due to character limitations, the following text can be used: "I've read & consent to terms in IS user agreem't."

The system must implement virtual address space randomization.

CM-6 - Medium - CCI-000366 - V-208848 - SV-208848r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000078

Vuln IDs

V-208848
V-50957

Rule IDs

SV-208848r505921_rule
SV-65163

Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt at exploitation. Additionally, ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return oriented programming (ROP) techniques.

Checks: C-9101r357524_chk

The status of the "kernel.randomize_va_space" kernel parameter can be queried by running the following commands: $ sysctl kernel.randomize_va_space $ grep kernel.randomize_va_space /etc/sysctl.conf The output of the command should indicate a value of at least "1" (preferably "2"). If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". If the correct value is not returned, this is a finding.

Fix: F-9101r357525_fix

To set the runtime status of the "kernel.randomize_va_space" kernel parameter, run the following command: # sysctl -w kernel.randomize_va_space=2 If this is not the system's default value, add the following line to "/etc/sysctl.conf": kernel.randomize_va_space = 2

The system must limit the ability of processes to have simultaneous write and execute access to memory.

CM-6 - Medium - CCI-000366 - V-208849 - SV-208849r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000079

Vuln IDs

V-208849
V-50959

Rule IDs

SV-208849r505921_rule
SV-65165

A common type of exploit is the stack buffer overflow. An application receives from an attacker more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack.

Checks: C-9102r357527_chk

If the system being evaluated is running a Red Hat-compatible operating system kernel, check that the "kernel.exec-shield" kernel parameter is set to "1" in /etc/sysctl.conf. If the system is running an Oracle Unbreakable Enterprise kernel, verify that Oracle's Data Execution Prevention is enabled. First, determine if the system is operating an Oracle Unbreakable Enterprise Kernel (UEK): # uname -r | grep uek If no value is returned, the system is running a Red Hat-compatible kernel. Verify that the "kernel.exec-shield" kernel parameter is set to "1" in the running kernel and /etc/sysctl.conf: # sysctl kernel.exec-shield # grep ^kernel\.exec-shield /etc/sysctl.conf | awk -F= '{ print $2 }' kernel.exec-shield = 1 If there is no value returned, or if a value is returned that is not "1", this is a finding. If the system was found to be running an Unbreakable Enterprise Kernel, verify that DEP is enabled: # dmesg | grep 'NX.*protection:' If there is no value returned, or if a value is returned that is not "NX (Execute Disable) protection: active", this is a finding. Note that this is not a finding when the underlying processor architecture does not support the "Execute Disable" (NX) capability. To determine if the processor supports the NX capability, run the following: # grep nx /proc/cpuinfo If there is no value returned, this is not applicable.

Fix: F-9102r357528_fix

If the system being evaluated is running a Red Hat-compatible operating system kernel, then ensure that the "kernel.exec-shield" kernel parameter is set to "1". If the system is running an Oracle Unbreakable Enterprise Kernel, this parameter does not exist. When an Unbreakable Enterprise Kernel is booted, Oracle's Data Execution Prevention (DEP) feature will leverage the hardware-enforced NX (never execute) bit of compatible CPUs to protect against code being executed from the stack. By default, DEP is enabled. If DEP is not enabled, ensure that the string "noexec=off" does not appear in /boot/grub/grub.conf. First, determine if the system is operating an Oracle Unbreakable Enterprise Kernel (UEK): # uname -r | grep uek If no value is returned, the system is running a Red Hat-compatible kernel. Edit (or add if necessary) the entry in /etc/sysctl.conf for the "kernel.exec-shield" kernel parameter. Ensure that this parameter is set to "1" as in: kernel.exec-shield = 1 If this was not already the default, reboot the system for the change to take effect. If the system was found to be running an Unbreakable Enterprise Kernel, then ensure that the string "noexec=off" is not found in /boot/grub/grub.conf: # grep noexec=off /boot/grub/grub.conf If found, remove the offending kernels from /boot/grub/grub.conf.

The system must not send ICMPv4 redirects by default.

CM-6 - Medium - CCI-000366 - V-208850 - SV-208850r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000080

Vuln IDs

V-208850
V-50961

Rule IDs

SV-208850r505921_rule
SV-65167

Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers.

Checks: C-9103r357530_chk

The status of the "net.ipv4.conf.default.send_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.send_redirects The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.conf.default.send_redirects /etc/sysctl.conf If the correct value is not returned, this is a finding.

Fix: F-9103r357531_fix

To set the runtime status of the "net.ipv4.conf.default.send_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.send_redirects=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.default.send_redirects = 0

The system must not send ICMPv4 redirects from any interface.

CM-6 - Medium - CCI-000366 - V-208851 - SV-208851r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000081

Vuln IDs

V-208851
V-50963

Rule IDs

SV-208851r505921_rule
SV-65169

Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers.

Checks: C-9104r357533_chk

The status of the "net.ipv4.conf.all.send_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.send_redirects The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.conf.all.send_redirects /etc/sysctl.conf If the correct value is not returned, this is a finding.

Fix: F-9104r357534_fix

To set the runtime status of the "net.ipv4.conf.all.send_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.send_redirects=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.all.send_redirects = 0

IP forwarding for IPv4 must not be enabled, unless the system is a router.

CM-6 - Medium - CCI-000366 - V-208852 - SV-208852r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000082

Vuln IDs

V-208852
V-50967

Rule IDs

SV-208852r505921_rule
SV-65173

IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.

Checks: C-9105r357536_chk

The status of the "net.ipv4.ip_forward" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.ip_forward The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.ip_forward /etc/sysctl.conf The ability to forward packets is only appropriate for routers. If the correct value is not returned, this is a finding.

Fix: F-9105r357537_fix

To set the runtime status of the "net.ipv4.ip_forward" kernel parameter, run the following command: # sysctl -w net.ipv4.ip_forward=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.ip_forward = 0

The system must not accept IPv4 source-routed packets on any interface.

CM-6 - Medium - CCI-000366 - V-208853 - SV-208853r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000083

Vuln IDs

V-208853
V-50969

Rule IDs

SV-208853r505921_rule
SV-65175

Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Checks: C-9106r357539_chk

The status of the "net.ipv4.conf.all.accept_source_route" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.accept_source_route The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.conf.all.accept_source_route /etc/sysctl.conf If the correct value is not returned, this is a finding.

Fix: F-9106r357540_fix

To set the runtime status of the "net.ipv4.conf.all.accept_source_route" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.accept_source_route=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.all.accept_source_route = 0

The system must not accept ICMPv4 redirect packets on any interface.

CM-6 - Medium - CCI-000366 - V-208854 - SV-208854r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000084

Vuln IDs

V-208854
V-50971

Rule IDs

SV-208854r505921_rule
SV-65177

Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required.

Checks: C-9107r357542_chk

The status of the "net.ipv4.conf.all.accept_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.accept_redirects The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.conf.all.accept_redirects /etc/sysctl.conf If the correct value is not returned, this is a finding.

Fix: F-9107r357543_fix

To set the runtime status of the "net.ipv4.conf.all.accept_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.accept_redirects=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.all.accept_redirects = 0

The system must not accept ICMPv4 secure redirect packets on any interface.

CM-6 - Medium - CCI-000366 - V-208855 - SV-208855r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000086

Vuln IDs

V-208855
V-50621

Rule IDs

SV-208855r505921_rule
SV-64827

Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

Checks: C-9108r357545_chk

The status of the "net.ipv4.conf.all.secure_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.secure_redirects The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.conf.all.secure_redirects /etc/sysctl.conf If the correct value is not returned, this is a finding.

Fix: F-9108r357546_fix

To set the runtime status of the "net.ipv4.conf.all.secure_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.secure_redirects=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.all.secure_redirects = 0

The system must log Martian packets.

CM-6 - Low - CCI-000366 - V-208856 - SV-208856r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000088

Vuln IDs

V-208856
V-50625

Rule IDs

SV-208856r505921_rule
SV-64831

The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.

Checks: C-9109r357548_chk

The status of the "net.ipv4.conf.all.log_martians" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.log_martians The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.conf.all.log_martians /etc/sysctl.conf If the correct value is not returned, this is a finding.

Fix: F-9109r357549_fix

To set the runtime status of the "net.ipv4.conf.all.log_martians" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.log_martians=1 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.all.log_martians = 1

The system must not accept IPv4 source-routed packets by default.

CM-6 - Medium - CCI-000366 - V-208857 - SV-208857r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000089

Vuln IDs

V-208857
V-50647

Rule IDs

SV-208857r505921_rule
SV-64853

Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Checks: C-9110r357551_chk

The status of the "net.ipv4.conf.default.accept_source_route" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.accept_source_route The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.conf.default.accept_source_route /etc/sysctl.conf If the correct value is not returned, this is a finding.

Fix: F-9110r357552_fix

To set the runtime status of the "net.ipv4.conf.default.accept_source_route" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.accept_source_route=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.default.accept_source_route = 0

The system must not accept ICMPv4 secure redirect packets by default.

CM-6 - Medium - CCI-000366 - V-208858 - SV-208858r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000090

Vuln IDs

V-208858
V-50651

Rule IDs

SV-208858r505921_rule
SV-64857

Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

Checks: C-9111r357554_chk

The status of the "net.ipv4.conf.default.secure_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.secure_redirects The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.conf.default.secure_redirects /etc/sysctl.conf If the correct value is not returned, this is a finding.

Fix: F-9111r357555_fix

To set the runtime status of the "net.ipv4.conf.default.secure_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.secure_redirects=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.default.secure_redirects = 0

The system must ignore ICMPv4 redirect messages by default.

CM-6 - Low - CCI-000366 - V-208859 - SV-208859r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000091

Vuln IDs

V-208859
V-50655

Rule IDs

SV-208859r505921_rule
SV-64861

This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Checks: C-9112r357557_chk

The status of the "net.ipv4.conf.default.accept_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.accept_redirects The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.conf.default.accept_redirects /etc/sysctl.conf If the correct value is not returned, this is a finding.

Fix: F-9112r357558_fix

To set the runtime status of the "net.ipv4.conf.default.accept_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.accept_redirects=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.default.accept_redirects = 0

The system must not respond to ICMPv4 sent to a broadcast address.

CM-6 - Low - CCI-000366 - V-208860 - SV-208860r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000092

Vuln IDs

V-208860
V-50657

Rule IDs

SV-208860r505921_rule
SV-64863

Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.

Checks: C-9113r357560_chk

The status of the "net.ipv4.icmp_echo_ignore_broadcasts" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.icmp_echo_ignore_broadcasts The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf If the correct value is not returned, this is a finding.

Fix: F-9113r357561_fix

To set the runtime status of the "net.ipv4.icmp_echo_ignore_broadcasts" kernel parameter, run the following command: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.icmp_echo_ignore_broadcasts = 1

The system must ignore ICMPv4 bogus error responses.

CM-6 - Low - CCI-000366 - V-208861 - SV-208861r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000093

Vuln IDs

V-208861
V-50663

Rule IDs

SV-208861r505921_rule
SV-64869

Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.

Checks: C-9114r357563_chk

The status of the "net.ipv4.icmp_ignore_bogus_error_responses" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.icmp_ignore_bogus_error_responses The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.icmp_ignore_bogus_error_responses /etc/sysctl.conf If the correct value is not returned, this is a finding.

Fix: F-9114r357564_fix

To set the runtime status of the "net.ipv4.icmp_ignore_bogus_error_responses" kernel parameter, run the following command: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.icmp_ignore_bogus_error_responses = 1

The system must be configured to use TCP syncookies when experiencing a TCP SYN flood.

SC-5 - Medium - CCI-001095 - V-208862 - SV-208862r505921_rule

RMF Control

SC-5

Severity

CCI

CCI-001095

Version

OL6-00-000095

Vuln IDs

V-208862
V-50683

Rule IDs

SV-208862r505921_rule
SV-64889

A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.

Checks: C-9115r357566_chk

The status of the "net.ipv4.tcp_syncookies" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.tcp_syncookies The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.tcp_syncookies /etc/sysctl.conf If the correct value is not returned, this is a finding.

Fix: F-9115r357567_fix

To set the runtime status of the "net.ipv4.tcp_syncookies" kernel parameter, run the following command: # sysctl -w net.ipv4.tcp_syncookies=1 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.tcp_syncookies = 1

The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.

CM-6 - Medium - CCI-000366 - V-208863 - SV-208863r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000096

Vuln IDs

V-208863
V-50685

Rule IDs

SV-208863r505921_rule
SV-64891

Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.

Checks: C-9116r357569_chk

The status of the "net.ipv4.conf.all.rp_filter" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.rp_filter The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.conf.all.rp_filter /etc/sysctl.conf If the correct value is not returned, this is a finding.

Fix: F-9116r357570_fix

To set the runtime status of the "net.ipv4.conf.all.rp_filter" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.rp_filter=1 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.all.rp_filter = 1

The system must use a reverse-path filter for IPv4 network traffic when possible by default.

CM-6 - Medium - CCI-000366 - V-208864 - SV-208864r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000097

Vuln IDs

V-208864
V-50699

Rule IDs

SV-208864r505921_rule
SV-64905

Checks: C-9117r357572_chk

The status of the "net.ipv4.conf.default.rp_filter" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.rp_filter The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.conf.default.rp_filter /etc/sysctl.conf If the correct value is not returned, this is a finding.

Fix: F-9117r357573_fix

To set the runtime status of the "net.ipv4.conf.default.rp_filter" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.rp_filter=1 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.default.rp_filter = 1

The system must ignore ICMPv6 redirects by default.

CM-6 - Medium - CCI-000366 - V-208865 - SV-208865r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000099

Vuln IDs

V-208865
V-50711

Rule IDs

SV-208865r505921_rule
SV-64917

An illicit ICMP redirect message could result in a man-in-the-middle attack.

Checks: C-9118r357575_chk

If IPv6 is disabled, this is not applicable. The status of the "net.ipv6.conf.default.accept_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv6.conf.default.accept_redirects The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv6.conf.default.accept_redirects /etc/sysctl.conf If the correct value is not returned, this is a finding.

Fix: F-9118r357576_fix

To set the runtime status of the "net.ipv6.conf.default.accept_redirects" kernel parameter, run the following command: # sysctl -w net.ipv6.conf.default.accept_redirects=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv6.conf.default.accept_redirects = 0

The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.

CM-7 - Medium - CCI-000382 - V-208866 - SV-208866r505921_rule

RMF Control

CM-7

Severity

CCI

Version

OL6-00-000124

Vuln IDs

V-208866
V-50989

Rule IDs

SV-208866r505921_rule
SV-65195

Disabling DCCP protects the system against exploitation of any flaws in its implementation.

Checks: C-9119r357578_chk

If the system is configured to prevent the loading of the "dccp" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": grep -r dccp /etc/modprobe.conf /etc/modprobe.d | grep -i “/bin/true” If no line is returned, this is a finding.

Fix: F-9119r357579_fix

The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the "dccp" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install dccp /bin/true

The Stream Control Transmission Protocol (SCTP) must be disabled unless required.

CM-7 - Medium - CCI-000382 - V-208867 - SV-208867r505921_rule

RMF Control

CM-7

Severity

CCI

Version

OL6-00-000125

Vuln IDs

V-208867
V-50997

Rule IDs

SV-208867r505921_rule
SV-65203

Disabling SCTP protects the system against exploitation of any flaws in its implementation.

Checks: C-9120r357581_chk

If the system is configured to prevent the loading of the "sctp" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": $ grep -r sctp /etc/modprobe.conf /etc/modprobe.d | grep -i “/bin/true” If no line is returned, this is a finding.

Fix: F-9120r357582_fix

The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the "sctp" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install sctp /bin/true

The Reliable Datagram Sockets (RDS) protocol must be disabled unless required.

CM-7 - Low - CCI-000382 - V-208868 - SV-208868r505921_rule

RMF Control

CM-7

Severity

CCI

Version

OL6-00-000126

Vuln IDs

V-208868
V-51001

Rule IDs

SV-208868r505921_rule
SV-65207

Disabling RDS protects the system against exploitation of any flaws in its implementation.

Checks: C-9121r357584_chk

If the system is configured to prevent the loading of the "rds" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module-loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": $ grep -r rds /etc/modprobe.conf /etc/modprobe.d If no line is returned, this is a finding. This is not a finding if the RDS service is required for proper system or application operation. Oracle Engineered Systems such as Exadata use the RDS service for InfiniBand-based communication with storage services.

Fix: F-9121r357585_fix

The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high- bandwidth, low-latency communications between nodes in a cluster. To configure the system to prevent the "rds" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install rds /bin/true

The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required.

CM-7 - Medium - CCI-000382 - V-208869 - SV-208869r505921_rule

RMF Control

CM-7

Severity

CCI

Version

OL6-00-000127

Vuln IDs

V-208869
V-51005

Rule IDs

SV-208869r505921_rule
SV-65211

Disabling TIPC protects the system against exploitation of any flaws in its implementation.

Checks: C-9122r357587_chk

If the system is configured to prevent the loading of the "tipc" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": $ grep -r tipc /etc/modprobe.conf /etc/modprobe.d | grep -i “/bin/true” If no line is returned, this is a finding.

Fix: F-9122r357588_fix

The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the "tipc" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install tipc /bin/true

All rsyslog-generated log files must be owned by root.

SI-11 - Medium - CCI-001314 - V-208870 - SV-208870r505921_rule

RMF Control

SI-11

Severity

CCI

CCI-001314

Version

OL6-00-000133

Vuln IDs

V-208870
V-51007

Rule IDs

SV-208870r505921_rule
SV-65213

The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.

Checks: C-9123r357590_chk

The owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". To see the owner of a given log file, run the following command: $ ls -l [LOGFILE] Some log files referenced in /etc/rsyslog.conf may be created by other programs and may require exclusion from consideration. If the owner is not root, this is a finding.

Fix: F-9123r357591_fix

The owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's owner: $ ls -l [LOGFILE] If the owner is not "root", run the following command to correct this: # chown root [LOGFILE]

All rsyslog-generated log files must be group-owned by root.

SI-11 - Medium - CCI-001314 - V-208871 - SV-208871r505921_rule

RMF Control

SI-11

Severity

CCI

CCI-001314

Version

OL6-00-000134

Vuln IDs

V-208871
V-51009

Rule IDs

SV-208871r505921_rule
SV-65215

Checks: C-9124r357593_chk

The group-owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". To see the group-owner of a given log file, run the following command: $ ls -l [LOGFILE] Some log files referenced in /etc/rsyslog.conf may be created by other programs and may require exclusion from consideration. If the group-owner is not root, this is a finding.

Fix: F-9124r357594_fix

The group-owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's group owner: $ ls -l [LOGFILE] If the owner is not "root", run the following command to correct this: # chgrp root [LOGFILE]

All rsyslog-generated log files must have mode 0600 or less permissive.

SI-11 - Medium - CCI-001314 - V-208872 - SV-208872r505921_rule

RMF Control

SI-11

Severity

CCI

CCI-001314

Version

OL6-00-000135

Vuln IDs

V-208872
V-51013

Rule IDs

SV-208872r505921_rule
SV-65219

Log files can contain valuable information regarding system configuration. If the system log files are not protected, unauthorized users could change the logged data, eliminating their forensic value.

Checks: C-9125r357596_chk

The file permissions for all log files written by rsyslog should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's permissions: $ ls -l [LOGFILE] The permissions should be 600, or more restrictive. Some log files referenced in /etc/rsyslog.conf may be created by other programs and may require exclusion from consideration. If the permissions are not correct, this is a finding.

Fix: F-9125r357597_fix

The file permissions for all log files written by rsyslog should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's permissions: $ ls -l [LOGFILE] If the permissions are not 600 or more restrictive, run the following command to correct this: # chmod 0600 [LOGFILE]

The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited.

AU-9 - Medium - CCI-001348 - V-208873 - SV-208873r505921_rule

RMF Control

AU-9

Severity

CCI

CCI-001348

Version

OL6-00-000136

Vuln IDs

V-208873
V-51015

Rule IDs

SV-208873r505921_rule
SV-65221

A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.

Checks: C-9126r357599_chk

To ensure logs are sent to a remote host, examine the file "/etc/rsyslog.conf". If using UDP, a line similar to the following should be present: *.* @[loghost.example.com] If using TCP, a line similar to the following should be present: *.* @@[loghost.example.com] If using RELP, a line similar to the following should be present: *.* :omrelp:[loghost.example.com] If none of these are present, this is a finding.

Fix: F-9126r357600_fix

To configure rsyslog to send logs to a remote log server, open "/etc/rsyslog.conf" and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting "[loghost.example.com]" appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments. To use UDP for log message delivery: *.* @[loghost.example.com] To use TCP for log message delivery: *.* @@[loghost.example.com] To use RELP for log message delivery: *.* :omrelp:[loghost.example.com]

System logs must be rotated daily.

CM-6 - Low - CCI-000366 - V-208874 - SV-208874r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000138

Vuln IDs

V-208874
V-51021

Rule IDs

SV-208874r505921_rule
SV-65227

Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.

Checks: C-9127r357602_chk

Run the following commands to determine the current status of the "logrotate" service: # grep logrotate /var/log/cron* If the logrotate service is not run on a daily basis by cron, this is a finding.

Fix: F-9127r357603_fix

The "logrotate" service should be installed or reinstalled if it is not installed and operating properly, by running the following command: # yum reinstall logrotate

The operating system must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event.

AU-3 - Medium - CCI-001487 - V-208875 - SV-208875r505921_rule

RMF Control

AU-3

Severity

CCI

CCI-001487

Version

OL6-00-000145

Vuln IDs

V-208875
V-51027

Rule IDs

SV-208875r505921_rule
SV-65233

Ensuring the "auditd" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.

Checks: C-9128r357605_chk

Run the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, it should return the following: auditd is running... If the service is not running, this is a finding.

Fix: F-9128r357606_fix

The "auditd" service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The "auditd" service can be enabled with the following commands: # chkconfig auditd on # service auditd start

The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods.

AC-17 - Medium - CCI-000067 - V-208876 - SV-208876r505921_rule

RMF Control

AC-17

Severity

CCI

CCI-000067

Version

OL6-00-000148

Vuln IDs

V-208876
V-51033

Rule IDs

SV-208876r505921_rule
SV-65239

Ensuring the "auditd" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.

Checks: C-9129r357608_chk

Fix: F-9129r357609_fix

The operating system must produce audit records containing sufficient information to establish what type of events occurred.

AU-3 - Medium - CCI-000130 - V-208877 - SV-208877r505921_rule

RMF Control

AU-3

Severity

CCI

CCI-000130

Version

OL6-00-000154

Vuln IDs

V-208877
V-51039

Rule IDs

SV-208877r505921_rule
SV-65245

Ensuring the "auditd" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.

Checks: C-9130r357611_chk

Fix: F-9130r357612_fix

The system must retain enough rotated audit logs to cover the required log retention period.

CM-6 - Medium - CCI-000366 - V-208878 - SV-208878r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000159

Vuln IDs

V-208878
V-51043

Rule IDs

SV-208878r505921_rule
SV-65249

The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.

Checks: C-9131r357614_chk

Inspect "/etc/audit/auditd.conf" and locate the following line to determine how many logs the system is configured to retain after rotation: "# grep num_logs /etc/audit/auditd.conf" num_logs = 5 If the overall system log file(s) retention hasn't been properly set up, this is a finding.

Fix: F-9131r357615_fix

Determine how many log files "auditd" should retain when it rotates logs. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting [NUMLOGS] with the correct value: num_logs = [NUMLOGS] Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation.

The system must set a maximum audit log file size.

CM-6 - Medium - CCI-000366 - V-208879 - SV-208879r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000160

Vuln IDs

V-208879
V-51049

Rule IDs

SV-208879r505921_rule
SV-65255

The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.

Checks: C-9132r357617_chk

Inspect "/etc/audit/auditd.conf" and locate the following line to determine how much data the system will retain in each audit log file: "# grep max_log_file /etc/audit/auditd.conf" max_log_file = 6 If the system audit data threshold hasn't been properly set up, this is a finding.

Fix: F-9132r357618_fix

Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting the correct value for [STOREMB]: max_log_file = [STOREMB] Set the value to "6" (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data.

The system must rotate audit log files that reach the maximum file size.

CM-6 - Medium - CCI-000366 - V-208880 - SV-208880r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000161

Vuln IDs

V-208880
V-51053

Rule IDs

SV-208880r505921_rule
SV-65259

Automatically rotating logs (by setting this to "rotate") minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, "keep_logs" can be employed.

Checks: C-9133r357620_chk

Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to rotate logs when they reach their maximum size: # grep max_log_file_action /etc/audit/auditd.conf max_log_file_action = rotate If the "keep_logs" option is configured for the "max_log_file_action" line in "/etc/audit/auditd.conf" and an alternate process is in place to ensure audit data does not overwhelm local audit storage, this is not a finding. If the system has not been properly set up to rotate audit logs, this is a finding.

Fix: F-9133r357621_fix

The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by "auditd", add or correct the line in "/etc/audit/auditd.conf": max_log_file_action = [ACTION] Possible values for [ACTION] are described in the "auditd.conf" man page. These include: "ignore" "syslog" "suspend" "rotate" "keep_logs" Set the "[ACTION]" to "rotate" to ensure log rotation occurs. This is the default. The setting is case-insensitive.

The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low.

CM-6 - Medium - CCI-000366 - V-208881 - SV-208881r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000163

Vuln IDs

V-208881
V-59373

Rule IDs

SV-208881r505921_rule
SV-73803

Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur.

Checks: C-9134r357623_chk

Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to either suspend, switch to single-user mode, or halt when disk space has run low: admin_space_left_action = single If the system is not configured to switch to single-user mode, suspend, or halt for corrective action, this is a finding.

Fix: F-9134r357624_fix

The "auditd" service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting [ACTION] appropriately: admin_space_left_action = [ACTION] Set this value to "single" to cause the system to switch to single-user mode for corrective action. Acceptable values also include "suspend" and "halt". For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for [ACTION] are described in the "auditd.conf" man page.

The audit system must be configured to audit all attempts to alter system time through adjtimex.

AU-12 - Low - CCI-000169 - V-208882 - SV-208882r505921_rule

RMF Control

AU-12

Severity

CCI

Version

OL6-00-000165

Vuln IDs

V-208882
V-51061

Rule IDs

SV-208882r505921_rule
SV-65267

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Checks: C-9135r357626_chk

To determine if the system is configured to audit calls to the "adjtimex" system call, run the following command: $ sudo grep -w "adjtimex" /etc/audit/audit.rules -a always,exit -F arch=b32 -S adjtimex -k audit_time_rules -a always,exit -F arch=b64 -S adjtimex -k audit_time_rules If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "adjtimex" system call, this is a finding.

Fix: F-9135r357627_fix

On a 32-bit system, add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b32 -S adjtimex -k audit_time_rules If the system is 64-bit, then also add the following: # audit_time_rules -a always,exit -F arch=b64 -S adjtimex -k audit_time_rules

The audit system must be configured to audit all attempts to alter system time through settimeofday.

AU-12 - Low - CCI-000169 - V-208883 - SV-208883r505921_rule

RMF Control

AU-12

Severity

CCI

Version

OL6-00-000167

Vuln IDs

V-208883
V-51063

Rule IDs

SV-208883r505921_rule
SV-65269

Checks: C-9136r357629_chk

To determine if the system is configured to audit calls to the "settimeofday" system call, run the following command: $ sudo grep -w "settimeofday" /etc/audit/audit.rules -a always,exit -F arch=b32 -S settimeofday -k audit_time_rules -a always,exit -F arch=b64 -S settimeofday -k audit_time_rules If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "settimeofday" system call, this is a finding.

Fix: F-9136r357630_fix

On a 32-bit system, add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b32 -S settimeofday -k audit_time_rules If the system is 64-bit, then also add the following: # audit_time_rules -a always,exit -F arch=b64 -S settimeofday -k audit_time_rules

The audit system must be configured to audit all attempts to alter system time through stime.

AU-12 - Low - CCI-000169 - V-208884 - SV-208884r505921_rule

RMF Control

AU-12

Severity

CCI

Version

OL6-00-000169

Vuln IDs

V-208884
V-51067

Rule IDs

SV-208884r505921_rule
SV-65273

Checks: C-9137r357632_chk

If the system is 64-bit only, this is not applicable. To determine if the system is configured to audit calls to the "stime" system call, run the following command: $ sudo grep -w "stime" /etc/audit/audit.rules -a always,exit -F arch=b32 -S stime -k audit_time_rules If the system is not configured to audit the "stime" system call, this is a finding.

Fix: F-9137r357633_fix

On a 32-bit system, add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b32 -S stime -k audit_time_rules Note: On a 64-bit system, it is not necessary to define a rule for "stime".

The audit system must be configured to audit all attempts to alter system time through clock_settime.

AU-12 - Low - CCI-000169 - V-208885 - SV-208885r505921_rule

RMF Control

AU-12

Severity

CCI

Version

OL6-00-000171

Vuln IDs

V-208885
V-51069

Rule IDs

SV-208885r505921_rule
SV-65275

Checks: C-9138r357635_chk

To determine if the system is configured to audit calls to the "clock_settime" system call, run the following command: $ sudo grep -w "clock_settime" /etc/audit/audit.rules -a always,exit -F arch=b32 -S clock_settime -k audit_time_rules -a always,exit -F arch=b64 -S clock_settime -k audit_time_rules If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "clock_settime" system call, this is a finding.

Fix: F-9138r357636_fix

On a 32-bit system, add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b32 -S clock_settime -k audit_time_rules If the system is 64-bit, then also add the following: # audit_time_rules -a always,exit -F arch=b64 -S clock_settime -k audit_time_rules

The audit system must be configured to audit all attempts to alter system time through /etc/localtime.

AU-12 - Low - CCI-000169 - V-208886 - SV-208886r505921_rule

RMF Control

AU-12

Severity

CCI

Version

OL6-00-000173

Vuln IDs

V-208886
V-51071

Rule IDs

SV-208886r505921_rule
SV-65277

Checks: C-9139r357638_chk

To determine if the system is configured to audit attempts to alter time via the /etc/localtime file, run the following command: $ sudo grep -w "/etc/localtime" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. If the system is not configured to audit time changes, this is a finding.

Fix: F-9139r357639_fix

Add the following to "/etc/audit/audit.rules": -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.

The operating system must automatically audit account creation.

AC-2 - Low - CCI-000018 - V-208887 - SV-208887r505921_rule

RMF Control

AC-2

Severity

CCI

CCI-000018

Version

OL6-00-000174

Vuln IDs

V-208887
V-51073

Rule IDs

SV-208887r505921_rule
SV-65279

In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

Checks: C-9140r357641_chk

To determine if the system is configured to audit account changes, run the following command: $ sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each). If the system is not configured to audit account changes, this is a finding.

Fix: F-9140r357642_fix

Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes: # audit_account_changes -w /etc/group -p wa -k audit_account_changes -w /etc/passwd -p wa -k audit_account_changes -w /etc/gshadow -p wa -k audit_account_changes -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes

The operating system must automatically audit account modification.

AC-2 - Low - CCI-001403 - V-208888 - SV-208888r505921_rule

RMF Control

AC-2

Severity

CCI

CCI-001403

Version

OL6-00-000175

Vuln IDs

V-208888
V-51077

Rule IDs

SV-208888r505921_rule
SV-65283

Checks: C-9141r357644_chk

To determine if the system is configured to audit account changes, run the following command: $sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each). If the system is not configured to audit account changes, this is a finding.

Fix: F-9141r357645_fix

The operating system must automatically audit account disabling actions.

AC-2 - Low - CCI-001404 - V-208889 - SV-208889r505921_rule

RMF Control

AC-2

Severity

CCI

CCI-001404

Version

OL6-00-000176

Vuln IDs

V-208889
V-51083

Rule IDs

SV-208889r505921_rule
SV-65291

Checks: C-9142r357647_chk

To determine if the system is configured to audit account changes, run the following command: $sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each). If the system is not configured to audit account changes, this is a finding.

Fix: F-9142r357648_fix

The operating system must automatically audit account termination.

AC-2 - Low - CCI-001405 - V-208890 - SV-208890r505921_rule

RMF Control

AC-2

Severity

CCI

CCI-001405

Version

OL6-00-000177

Vuln IDs

V-208890
V-51087

Rule IDs

SV-208890r505921_rule
SV-65295

Checks: C-9143r357650_chk

To determine if the system is configured to audit account changes, run the following command: $sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each). If the system is not configured to audit account changes, this is a finding.

Fix: F-9143r357651_fix

The audit system must be configured to audit modifications to the systems network configuration.

CM-6 - Low - CCI-000366 - V-208891 - SV-208891r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000182

Vuln IDs

V-208891
V-51093

Rule IDs

SV-208891r505921_rule
SV-65301

The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.

Checks: C-9144r357653_chk

If you are running x86_64 architecture, determine the values for sethostname: $ uname -m; ausyscall i386 sethostname; ausyscall x86_64 sethostname If the values returned are not identical verify that the system is configured to monitor network configuration changes for the i386 and x86_64 architectures: $ sudo egrep -w '(sethostname|setdomainname|/etc/issue|/etc/issue.net|/etc/hosts|/etc/sysconfig/network)' /etc/audit/audit.rules -a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications -w /etc/issue -p wa -k audit_network_modifications -w /etc/issue.net -p wa -k audit_network_modifications -w /etc/hosts -p wa -k audit_network_modifications -w /etc/sysconfig/network -p wa -k audit_network_modifications -a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_network_modifications -w /etc/issue -p wa -k audit_network_modifications -w /etc/issue.net -p wa -k audit_network_modifications -w /etc/hosts -p wa -k audit_network_modifications -w /etc/sysconfig/network -p wa -k audit_network_modifications If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit changes of the network configuration, this is a finding.

Fix: F-9144r364838_fix

Add the following to "/etc/audit/audit.rules": # audit_network_modifications -a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications -w /etc/issue -p wa -k audit_network_modifications -w /etc/issue.net -p wa -k audit_network_modifications -w /etc/hosts -p wa -k audit_network_modifications -w /etc/sysconfig/network -p wa -k audit_network_modifications If the system is 64-bit, then also add the following: # audit_network_modifications -a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_network_modifications

The audit system must be configured to audit modifications to the systems Mandatory Access Control (MAC) configuration (SELinux).

CM-6 - Low - CCI-000366 - V-208892 - SV-208892r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000183

Vuln IDs

V-208892
V-51171

Rule IDs

SV-208892r505921_rule
SV-65381

The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.

Checks: C-9145r357656_chk

To determine if the system is configured to audit changes to its SELinux configuration files, run the following command: $ sudo grep -w "/etc/selinux" /etc/audit/audit.rules If the system is configured to watch for changes to its SELinux configuration, a line should be returned (including "-p wa" indicating permissions that are watched). If the system is not configured to audit attempts to change the MAC policy, this is a finding.

Fix: F-9145r357657_fix

Add the following to "/etc/audit/audit.rules": -w /etc/selinux/ -p wa -k MAC-policy

The audit system must be configured to audit all discretionary access control permission modifications using chmod.

AU-12 - Low - CCI-000172 - V-208893 - SV-208893r505921_rule

RMF Control

AU-12

Severity

CCI

Version

OL6-00-000184

Vuln IDs

V-208893
V-51169

Rule IDs

SV-208893r505921_rule
SV-65379

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Checks: C-9146r357659_chk

To determine if the system is configured to audit calls to the "chmod" system call, run the following command: $ sudo grep -w "chmod" /etc/audit/audit.rules -a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S chmod -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S chmod -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "chmod" system call, this is a finding.

Fix: F-9146r357660_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S chmod -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S chmod -F auid=0 -k perm_mod

The audit system must be configured to audit all discretionary access control permission modifications using chown.

AU-12 - Low - CCI-000172 - V-208894 - SV-208894r505921_rule

RMF Control

AU-12

Severity

CCI

Version

OL6-00-000185

Vuln IDs

V-208894
V-51167

Rule IDs

SV-208894r505921_rule
SV-65377

Checks: C-9147r357662_chk

To determine if the system is configured to audit calls to the "chown" system call, run the following command: $ sudo grep -w "chown" /etc/audit/audit.rules -a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S chown -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "chown" system call, this is a finding.

Fix: F-9147r357663_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S chown -F auid=0 -k perm_mod

The audit system must be configured to audit all discretionary access control permission modifications using fchmod.

AU-12 - Low - CCI-000172 - V-208895 - SV-208895r505921_rule

RMF Control

AU-12

Severity

CCI

Version

OL6-00-000186

Vuln IDs

V-208895
V-51165

Rule IDs

SV-208895r505921_rule
SV-65375

Checks: C-9148r357665_chk

To determine if the system is configured to audit calls to the "fchmod" system call, run the following command: $ sudo grep -w "fchmod" /etc/audit/audit.rules -a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "fchmod" system call, this is a finding.

Fix: F-9148r357666_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_mod

The audit system must be configured to audit all discretionary access control permission modifications using fchmodat.

AU-12 - Low - CCI-000172 - V-208896 - SV-208896r505921_rule

RMF Control

AU-12

Severity

CCI

Version

OL6-00-000187

Vuln IDs

V-208896
V-51163

Rule IDs

SV-208896r505921_rule
SV-65373

Checks: C-9149r357668_chk

To determine if the system is configured to audit calls to the "fchmodat" system call, run the following command: $ sudo grep -w "fchmodat" /etc/audit/audit.rules -a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "fchmodat" system call, this is a finding.

Fix: F-9149r357669_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_mod

The audit system must be configured to audit all discretionary access control permission modifications using fchown.

AU-12 - Low - CCI-000172 - V-208897 - SV-208897r505921_rule

RMF Control

AU-12

Severity

CCI

Version

OL6-00-000188

Vuln IDs

V-208897
V-51161

Rule IDs

SV-208897r505921_rule
SV-65371

Checks: C-9150r357671_chk

To determine if the system is configured to audit calls to the "fchown" system call, run the following command: $ sudo grep -w "fchown" /etc/audit/audit.rules -a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "fchown" system call, this is a finding.

Fix: F-9150r357672_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_mod

The audit system must be configured to audit all discretionary access control permission modifications using fchownat.

AU-12 - Low - CCI-000172 - V-208898 - SV-208898r505921_rule

RMF Control

AU-12

Severity

CCI

Version

OL6-00-000189

Vuln IDs

V-208898
V-51159

Rule IDs

SV-208898r505921_rule
SV-65369

Checks: C-9151r357674_chk

To determine if the system is configured to audit calls to the "fchownat" system call, run the following command: $ sudo grep -w "fchownat" /etc/audit/audit.rules -a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "fchownat" system call, this is a finding.

Fix: F-9151r357675_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_mod

The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr.

AU-12 - Low - CCI-000172 - V-208899 - SV-208899r505921_rule

RMF Control

AU-12

Severity

CCI

Version

OL6-00-000190

Vuln IDs

V-208899
V-51157

Rule IDs

SV-208899r505921_rule
SV-65367

Checks: C-9152r357677_chk

To determine if the system is configured to audit calls to the "fremovexattr" system call, run the following command: $ sudo grep -w "fremovexattr" /etc/audit/audit.rules -a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "fremovexattr" system call, this is a finding.

Fix: F-9152r357678_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod

The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr.

AU-12 - Low - CCI-000172 - V-208900 - SV-208900r505921_rule

RMF Control

AU-12

Severity

CCI

Version

OL6-00-000191

Vuln IDs

V-208900
V-51155

Rule IDs

SV-208900r505921_rule
SV-65365

Checks: C-9153r357680_chk

To determine if the system is configured to audit calls to the "fsetxattr" system call, run the following command: $ sudo grep -w "fsetxattr" /etc/audit/audit.rules -a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "fsetxattr" system call, this is a finding.

Fix: F-9153r357681_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod

The audit system must be configured to audit all discretionary access control permission modifications using lchown.

AU-12 - Low - CCI-000172 - V-208901 - SV-208901r505921_rule

RMF Control

AU-12

Severity

CCI

Version

OL6-00-000192

Vuln IDs

V-208901
V-51153

Rule IDs

SV-208901r505921_rule
SV-65363

Checks: C-9154r357683_chk

To determine if the system is configured to audit calls to the "lchown" system call, run the following command: $ sudo grep -w "lchown" /etc/audit/audit.rules -a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "lchown" system call, this is a finding.

Fix: F-9154r357684_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod

The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr.

AU-12 - Low - CCI-000172 - V-208902 - SV-208902r505921_rule

RMF Control

AU-12

Severity

CCI

Version

OL6-00-000193

Vuln IDs

V-208902
V-51151

Rule IDs

SV-208902r505921_rule
SV-65361

Checks: C-9155r357686_chk

To determine if the system is configured to audit calls to the "lremovexattr" system call, run the following command: $ sudo grep -w "lremovexattr" /etc/audit/audit.rules -a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "lremovexattr" system call, this is a finding.

Fix: F-9155r357687_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod

The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr.

AU-12 - Low - CCI-000172 - V-208903 - SV-208903r505921_rule

RMF Control

AU-12

Severity

CCI

Version

OL6-00-000194

Vuln IDs

V-208903
V-51149

Rule IDs

SV-208903r505921_rule
SV-65359

Checks: C-9156r357689_chk

To determine if the system is configured to audit calls to the "lsetxattr" system call, run the following command: $ sudo grep -w "lsetxattr" /etc/audit/audit.rules -a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "lsetxattr" system call, this is a finding.

Fix: F-9156r357690_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod

The audit system must be configured to audit all discretionary access control permission modifications using removexattr.

AU-12 - Low - CCI-000172 - V-208904 - SV-208904r505921_rule

RMF Control

AU-12

Severity

CCI

Version

OL6-00-000195

Vuln IDs

V-208904
V-51147

Rule IDs

SV-208904r505921_rule
SV-65357

Checks: C-9157r357692_chk

To determine if the system is configured to audit calls to the "removexattr" system call, run the following command: $ sudo grep -w "removexattr" /etc/audit/audit.rules -a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "removexattr" system call, this is a finding.

Fix: F-9157r357693_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod

The audit system must be configured to audit all discretionary access control permission modifications using setxattr.

AU-12 - Low - CCI-000172 - V-208905 - SV-208905r505921_rule

RMF Control

AU-12

Severity

CCI

Version

OL6-00-000196

Vuln IDs

V-208905
V-51145

Rule IDs

SV-208905r505921_rule
SV-65355

Checks: C-9158r357695_chk

To determine if the system is configured to audit calls to the "setxattr" system call, run the following command: $ sudo grep -w "setxattr" /etc/audit/audit.rules -a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "setxattr" system call, this is a finding.

Fix: F-9158r357696_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod

The audit system must be configured to audit failed attempts to access files and programs.

AU-12 - Low - CCI-000172 - V-208906 - SV-208906r505921_rule

RMF Control

AU-12

Severity

CCI

Version

OL6-00-000197

Vuln IDs

V-208906
V-51143

Rule IDs

SV-208906r505921_rule
SV-65353

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Checks: C-9159r357698_chk

To verify that the audit system collects unauthorized file accesses, run the following commands: # grep EACCES /etc/audit/audit.rules -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid=0 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid=0 -k access # grep EPERM /etc/audit/audit.rules -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid=0 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid=0 -k access If the system is 64-bit and does not return rules for both "b32" and "b64" architectures, this is a finding. If either command lacks output, this is a finding.

Fix: F-9159r357699_fix

At a minimum, the audit system should collect unauthorized file accesses for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid=0 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid=0 -k access If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid=0 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid=0 -k access

The audit system must be configured to audit successful file system mounts.

AU-12 - Low - CCI-000172 - V-208907 - SV-208907r505921_rule

RMF Control

AU-12

Severity

CCI

Version

OL6-00-000199

Vuln IDs

V-208907
V-51139

Rule IDs

SV-208907r505921_rule
SV-65349

The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.

Checks: C-9160r357701_chk

To verify that auditing is configured for all media exportation events, run the following command: $ sudo grep -w "mount" /etc/audit/audit.rules -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export -a always,exit -F arch=b32 -S mount -F auid=0 -k export -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export -a always,exit -F arch=b64 -S mount -F auid=0 -k export If the system is 64-bit and does not return rules for both "b32" and "b64" architectures, this is a finding. If no line is returned, this is a finding.

Fix: F-9160r357702_fix

At a minimum, the audit system should collect media exportation events for all users and root. Add the following to "/etc/audit/audit.rules: -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export -a always,exit -F arch=b32 -S mount -F auid=0 -k export If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export -a always,exit -F arch=b64 -S mount -F auid=0 -k export

The audit system must be configured to audit user deletions of files and programs.

AU-12 - Low - CCI-000172 - V-208908 - SV-208908r505921_rule

RMF Control

AU-12

Severity

CCI

Version

OL6-00-000200

Vuln IDs

V-208908
V-51137

Rule IDs

SV-208908r505921_rule
SV-65347

Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.

Checks: C-9161r357704_chk

To determine if the system is configured to audit user deletions of files and programs, run the following command: $ sudo egrep -w 'rmdir|unlink|unlinkat|rename|renameat' /etc/audit/audit.rules -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete If the system is 64-bit and does not return rules for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit "rmdir", this is a finding. If the system is not configured to audit "unlink", this is a finding. If the system is not configured to audit "unlinkat", this is a finding. If the system is not configured to audit "rename", this is a finding. If the system is not configured to audit "renameat", this is a finding. If no line is returned, this is a finding.

Fix: F-9161r357705_fix

At a minimum, the audit system should collect file deletion events for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete

The audit system must be configured to audit changes to the /etc/sudoers file.

AU-12 - Low - CCI-000172 - V-208909 - SV-208909r505921_rule

RMF Control

AU-12

Severity

CCI

Version

OL6-00-000201

Vuln IDs

V-208909
V-51135

Rule IDs

SV-208909r505921_rule
SV-65345

The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes.

Checks: C-9162r357707_chk

To verify that auditing is configured for system administrator actions, run the following command: $ sudo grep -w "/etc/sudoers" /etc/audit/audit.rules If the system is configured to watch for changes to its sudoers configuration, a line should be returned (including "-p wa" indicating permissions that are watched). If there is no output, this is a finding.

Fix: F-9162r357708_fix

At a minimum, the audit system should collect administrator actions for all users and root. Add the following to "/etc/audit/audit.rules": -w /etc/sudoers -p wa -k actions

The audit system must be configured to audit the loading and unloading of dynamic kernel modules.

AU-12 - Medium - CCI-000172 - V-208910 - SV-208910r505921_rule

RMF Control

AU-12

Severity

CCI

Version

OL6-00-000202

Vuln IDs

V-208910
V-50545

Rule IDs

SV-208910r505921_rule
SV-64751

The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

Checks: C-9163r357710_chk

To determine if the system is configured to audit execution of module management programs, run the following commands: sudo egrep -e "(-w |-F path=)/sbin/insmod|(-w |-F path=)/sbin/rmmod|(-w |-F path=)/sbin/modprobe" /etc/audit/audit.rules -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules If "/sbin/insmod" is not being audited, this is a finding. If "/sbin/rmmod" is not being audited, this is a finding. If "/sbin/modprobe" is not being audited, this is a finding. To determine if the system is configured to audit calls to the "init_module" and "delete_module" system calls, run the following command: $ sudo egrep -w "init_module|delete_module" /etc/audit/audit.rules -a always,exit -F arch=b32 -S init_module -S delete_module -k modules -a always,exit -F arch=b64 -S init_module -S delete_module -k modules If the system is 64-bit and does not return rules for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit "init_module" this is a finding. If the system is not configured to audit "delete_module", this is a finding. If no line is returned, this is a finding.

Fix: F-9163r357711_fix

Add the following to "/etc/audit/audit.rules" in order to capture kernel module loading and unloading events: -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules -a always,exit -F arch=b32 -S init_module -S delete_module -k modules If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S init_module -S delete_module -k modules

The xinetd service must be disabled if no network services utilizing it are enabled.

CM-7 - Medium - CCI-000382 - V-208911 - SV-208911r505921_rule

RMF Control

CM-7

Severity

CCI

Version

OL6-00-000203

Vuln IDs

V-208911
V-50547

Rule IDs

SV-208911r505921_rule
SV-64753

The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself.

Checks: C-9164r357713_chk

If network services are using the xinetd service, this is not applicable. To check that the "xinetd" service is disabled in system boot configuration, run the following command: # chkconfig "xinetd" --list Output should indicate the "xinetd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "xinetd" --list "xinetd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "xinetd" is disabled through current runtime configuration: # service xinetd status If the service is disabled the command will return the following output: xinetd is stopped If the service is running, this is a finding.

Fix: F-9164r357714_fix

The "xinetd" service can be disabled with the following commands: # chkconfig xinetd off # service xinetd stop

The xinetd service must be uninstalled if no network services utilizing it are enabled.

CM-7 - Low - CCI-000382 - V-208912 - SV-208912r505921_rule

RMF Control

CM-7

Severity

CCI

Version

OL6-00-000204

Vuln IDs

V-208912
V-50549

Rule IDs

SV-208912r505921_rule
SV-64755

Removing the "xinetd" package decreases the risk of the xinetd service's accidental (or intentional) activation.

Checks: C-9165r357716_chk

If network services are using the xinetd service, this is not applicable. Run the following command to determine if the "xinetd" package is installed: # rpm -q xinetd If the package is installed, this is a finding.

Fix: F-9165r357717_fix

The "xinetd" package can be uninstalled with the following command: # yum erase xinetd

The telnet-server package must not be installed.

CM-7 - High - CCI-000381 - V-208913 - SV-208913r505921_rule

RMF Control

CM-7

Severity

CCI

Version

OL6-00-000206

Vuln IDs

V-208913
V-50551

Rule IDs

SV-208913r505921_rule
SV-64757

Removing the "telnet-server" package decreases the risk of the unencrypted telnet service's accidental (or intentional) activation. Mitigation: If the telnet-server package is configured to only allow encrypted sessions, such as with Kerberos or the use of encrypted network tunnels, the risk of exposing sensitive information is mitigated.

Checks: C-9166r357719_chk

Run the following command to determine if the "telnet-server" package is installed: # rpm -q telnet-server If the package is installed, this is a finding.

Fix: F-9166r357720_fix

The "telnet-server" package can be uninstalled with the following command: # yum erase telnet-server

The rsh-server package must not be installed.

CM-7 - High - CCI-000381 - V-208914 - SV-208914r505921_rule

RMF Control

CM-7

Severity

CCI

Version

OL6-00-000213

Vuln IDs

V-208914
V-50555

Rule IDs

SV-208914r505921_rule
SV-64761

The "rsh-server" package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation.

Checks: C-9167r357722_chk

Run the following command to determine if the "rsh-server" package is installed: # rpm -q rsh-server If the package is installed, this is a finding.

Fix: F-9167r357723_fix

The "rsh-server" package can be uninstalled with the following command: # yum erase rsh-server

The rshd service must not be running.

AC-17 - High - CCI-000068 - V-208915 - SV-208915r505921_rule

RMF Control

AC-17

Severity

CCI

CCI-000068

Version

OL6-00-000214

Vuln IDs

V-208915
V-50557

Rule IDs

SV-208915r505921_rule
SV-64763

The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.

Checks: C-9168r357725_chk

To check that the "rsh" service is disabled in system boot configuration, run the following command: # chkconfig "rsh" --list Output should indicate the "rsh" service has either not been installed, or has been disabled, as shown in the example below: # chkconfig "rsh" --list rsh off OR error reading information on service rsh: No such file or directory If the service is running, this is a finding.

Fix: F-9168r357726_fix

The "rsh" service, which is available with the "rsh-server" package and runs as a service through xinetd, should be disabled. The "rsh" service can be disabled with the following command: # chkconfig rsh off

The rexecd service must not be running.

AC-17 - High - CCI-000068 - V-208916 - SV-208916r505921_rule

RMF Control

AC-17

Severity

CCI

CCI-000068

Version

OL6-00-000216

Vuln IDs

V-208916
V-50559

Rule IDs

SV-208916r505921_rule
SV-64765

The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.

Checks: C-9169r357728_chk

To check that the "rexec" service is disabled in system boot configuration, run the following command: # chkconfig "rexec" --list Output should indicate the "rexec" service has either not been installed, or has been disabled, as shown in the example below: # chkconfig "rexec" --list rexec off OR error reading information on service rexec: No such file or directory If the service is running, this is a finding.

Fix: F-9169r357729_fix

The "rexec" service, which is available with the "rsh-server" package and runs as a service through xinetd, should be disabled. The "rexec" service can be disabled with the following command: # chkconfig rexec off

The ypserv package must not be installed.

CM-7 - Medium - CCI-000381 - V-208917 - SV-208917r505921_rule

RMF Control

CM-7

Severity

CCI

Version

OL6-00-000220

Vuln IDs

V-208917
V-50563

Rule IDs

SV-208917r505921_rule
SV-64769

Removing the "ypserv" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.

Checks: C-9170r357731_chk

Run the following command to determine if the "ypserv" package is installed: # rpm -q ypserv If the package is installed, this is a finding.

Fix: F-9170r357732_fix

The "ypserv" package can be uninstalled with the following command: # yum erase ypserv

The ypbind service must not be running.

CM-7 - Medium - CCI-000382 - V-208918 - SV-208918r505921_rule

RMF Control

CM-7

Severity

CCI

Version

OL6-00-000221

Vuln IDs

V-208918
V-50565

Rule IDs

SV-208918r505921_rule
SV-64771

Disabling the "ypbind" service ensures the system is not acting as a client in a NIS or NIS+ domain.

Checks: C-9171r357734_chk

To check that the "ypbind" service is disabled in system boot configuration, run the following command: # chkconfig "ypbind" --list Output should indicate the "ypbind" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "ypbind" --list "ypbind" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "ypbind" is disabled through current runtime configuration: # service ypbind status If the service is disabled the command will return the following output: ypbind is stopped If the service is running, this is a finding.

Fix: F-9171r357735_fix

The "ypbind" service, which allows the system to act as a client in a NIS or NIS+ domain, should be disabled. The "ypbind" service can be disabled with the following commands: # chkconfig ypbind off # service ypbind stop

The tftp-server package must not be installed unless required.

CM-7 - Medium - CCI-000381 - V-208919 - SV-208919r505921_rule

RMF Control

CM-7

Severity

CCI

Version

OL6-00-000222

Vuln IDs

V-208919
V-50567

Rule IDs

SV-208919r505921_rule
SV-64773

Removing the "tftp-server" package decreases the risk of the accidental (or intentional) activation of tftp services.

Checks: C-9172r357737_chk

Run the following command to determine if the "tftp-server" package is installed: # rpm -q tftp-server If the package is installed and not documented and approved by the ISSO, this is a finding.

Fix: F-9172r357738_fix

The "tftp-server" package can be removed with the following command: # yum erase tftp-server

The cron service must be running.

CM-6 - Medium - CCI-000366 - V-208920 - SV-208920r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000224

Vuln IDs

V-208920
V-50571

Rule IDs

SV-208920r505921_rule
SV-64777

Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.

Checks: C-9173r357740_chk

Run the following command to determine the current status of the "crond" service: # service crond status If the service is enabled, it should return the following: crond is running... If the service is not running, this is a finding.

Fix: F-9173r357741_fix

The "crond" service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The "crond" service can be enabled with the following commands: # chkconfig crond on # service crond start

The SSH daemon must set a timeout interval on idle sessions.

SC-10 - Low - CCI-001133 - V-208921 - SV-208921r505921_rule

RMF Control

SC-10

Severity

CCI

CCI-001133

Version

OL6-00-000230

Vuln IDs

V-208921
V-50575

Rule IDs

SV-208921r505921_rule
SV-64781

Causing idle users to be automatically logged out guards against compromises one system leading trivially to compromises on another.

Checks: C-9174r364842_chk

Run the following command to see what the timeout interval is: # grep ClientAliveInterval /etc/ssh/sshd_config ClientAliveInterval 900 If "ClientAliveInterval" has a value greater than "900", this is a finding.

Fix: F-9174r357744_fix

SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out. To set an idle timeout interval, edit the following line in "/etc/ssh/sshd_config" as follows: ClientAliveInterval [interval] The timeout [interval] is given in seconds. To have a timeout of 15 minutes, set [interval] to 900. If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.

The SSH daemon must set a timeout count on idle sessions.

MA-4 - Low - CCI-000879 - V-208922 - SV-208922r505921_rule

RMF Control

MA-4

Severity

CCI

CCI-000879

Version

OL6-00-000231

Vuln IDs

V-208922
V-50577

Rule IDs

SV-208922r505921_rule
SV-64783

This ensures a user login will be terminated as soon as the "ClientAliveCountMax" is reached.

Checks: C-9175r357746_chk

To ensure the SSH idle timeout will occur when the "ClientAliveCountMax" is set, run the following command: # grep ClientAliveCountMax /etc/ssh/sshd_config If properly configured, output should be: ClientAliveCountMax 0 If it is not, this is a finding.

Fix: F-9175r357747_fix

To ensure the SSH idle timeout occurs precisely when the "ClientAliveCountMax" is set, edit "/etc/ssh/sshd_config" as follows: ClientAliveCountMax 0

The SSH daemon must ignore .rhosts files.

IA-2 - Medium - CCI-000766 - V-208923 - SV-208923r505921_rule

RMF Control

IA-2

Severity

CCI

CCI-000766

Version

OL6-00-000234

Vuln IDs

V-208923
V-50579

Rule IDs

SV-208923r505921_rule
SV-64785

SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.

Checks: C-9176r357749_chk

To determine how the SSH daemon's "IgnoreRhosts" option is set, run the following command: # grep -i IgnoreRhosts /etc/ssh/sshd_config If no line, a commented line, or a line indicating the value "yes" is returned, then the required value is set. If the required value is not set, this is a finding.

Fix: F-9176r357750_fix

SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via ".rhosts" files. To ensure this behavior is disabled, add or correct the following line in "/etc/ssh/sshd_config": IgnoreRhosts yes

The SSH daemon must not allow host-based authentication.

IA-2 - Medium - CCI-000766 - V-208924 - SV-208924r505921_rule

RMF Control

IA-2

Severity

CCI

CCI-000766

Version

OL6-00-000236

Vuln IDs

V-208924
V-50581

Rule IDs

SV-208924r505921_rule
SV-64787

SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.

Checks: C-9177r357752_chk

To determine how the SSH daemon's "HostbasedAuthentication" option is set, run the following command: # grep -i HostbasedAuthentication /etc/ssh/sshd_config If no line, a commented line, or a line indicating the value "no" is returned, then the required value is set. If the required value is not set, this is a finding.

Fix: F-9177r357753_fix

SSH's cryptographic host-based authentication is more secure than ".rhosts" authentication, since hosts are cryptographically authenticated. However, it is not recommended that hosts unilaterally trust one another, even within an organization. To disable host-based authentication, add or correct the following line in "/etc/ssh/sshd_config": HostbasedAuthentication no

The system must not permit root logins using remote access programs such as ssh.

IA-2 - Medium - CCI-000770 - V-208925 - SV-208925r505921_rule

RMF Control

IA-2

Severity

CCI

CCI-000770

Version

OL6-00-000237

Vuln IDs

V-208925
V-50799

Rule IDs

SV-208925r505921_rule
SV-65005

Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on root's password.

Checks: C-9178r357755_chk

To determine how the SSH daemon's "PermitRootLogin" option is set, run the following command: # grep -i PermitRootLogin /etc/ssh/sshd_config If a line indicating "no" is returned, then the required value is set. If the required value is not set, this is a finding.

Fix: F-9178r357756_fix

The root user should never be allowed to log in to a system directly over a network. To disable root login via SSH, add or correct the following line in "/etc/ssh/sshd_config": PermitRootLogin no

The SSH daemon must not allow authentication using an empty password.

IA-2 - High - CCI-000766 - V-208926 - SV-208926r505921_rule

RMF Control

IA-2

Severity

CCI

CCI-000766

Version

OL6-00-000239

Vuln IDs

V-208926
V-50801

Rule IDs

SV-208926r505921_rule
SV-65007

Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.

Checks: C-9179r357758_chk

To determine how the SSH daemon's "PermitEmptyPasswords" option is set, run the following command: # grep -i PermitEmptyPasswords /etc/ssh/sshd_config If no line, a commented line, or a line indicating the value "no" is returned, then the required value is set. If the required value is not set, this is a finding.

Fix: F-9179r357759_fix

To explicitly disallow remote login from accounts with empty passwords, add or correct the following line in "/etc/ssh/sshd_config": PermitEmptyPasswords no Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.

The SSH daemon must be configured with the Department of Defense (DoD) login banner.

AC-8 - Medium - CCI-000048 - V-208927 - SV-208927r505921_rule

RMF Control

AC-8

Severity

CCI

CCI-000048

Version

OL6-00-000240

Vuln IDs

V-208927
V-50803

Rule IDs

SV-208927r505921_rule
SV-65009

The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.

Checks: C-9180r357761_chk

To determine how the SSH daemon's "Banner" option is set, run the following command: # grep -i Banner /etc/ssh/sshd_config If a line indicating /etc/issue is returned, then the required value is set. If the required value is not set, this is a finding.

Fix: F-9180r357762_fix

To enable the warning banner and ensure it is consistent across the system, add or correct the following line in "/etc/ssh/sshd_config": Banner /etc/issue Another section contains information on how to create an appropriate system-wide warning banner.

The SSH daemon must not permit user environment settings.

AC-4 - Low - CCI-001414 - V-208928 - SV-208928r505921_rule

RMF Control

AC-4

Severity

CCI

CCI-001414

Version

OL6-00-000241

Vuln IDs

V-208928
V-50805

Rule IDs

SV-208928r505921_rule
SV-65011

SSH environment options potentially allow users to bypass access restriction in some configurations.

Checks: C-9181r357764_chk

To ensure users are not able to present environment daemons, run the following command: # grep PermitUserEnvironment /etc/ssh/sshd_config If properly configured, output should be: PermitUserEnvironment no If it is not, this is a finding.

Fix: F-9181r357765_fix

To ensure users are not able to present environment options to the SSH daemon, add or correct the following line in "/etc/ssh/sshd_config": PermitUserEnvironment no

The avahi service must be disabled.

CM-6 - Low - CCI-000366 - V-208929 - SV-208929r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000246

Vuln IDs

V-208929
V-50809

Rule IDs

SV-208929r505921_rule
SV-65015

Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted.

Checks: C-9182r357767_chk

To check that the "avahi-daemon" service is disabled in system boot configuration, run the following command: # chkconfig "avahi-daemon" --list Output should indicate the "avahi-daemon" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "avahi-daemon" --list "avahi-daemon" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "avahi-daemon" is disabled through current runtime configuration: # service avahi-daemon status If the service is disabled the command will return the following output: avahi-daemon is stopped If the service is running, this is a finding.

Fix: F-9182r357768_fix

The "avahi-daemon" service can be disabled with the following commands: # chkconfig avahi-daemon off # service avahi-daemon stop

Mail relaying must be restricted.

CM-7 - Medium - CCI-000382 - V-208930 - SV-208930r505921_rule

RMF Control

CM-7

Severity

CCI

Version

OL6-00-000249

Vuln IDs

V-208930
V-50815

Rule IDs

SV-208930r505921_rule
SV-65021

This ensures "postfix" accepts mail messages (such as cron job reports) from the local system only, and not from the network, which protects it from network attack.

Checks: C-9183r357770_chk

If the system is an authorized mail relay host, this is not applicable. Run the following command to ensure postfix accepts mail messages from only the local system: $ grep inet_interfaces /etc/postfix/main.cf If properly configured, the output should show only "localhost". If it does not, this is a finding.

Fix: F-9183r357771_fix

Edit the file "/etc/postfix/main.cf" to ensure that only the following "inet_interfaces" line appears: inet_interfaces = localhost

If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms.

AC-17 - Medium - CCI-001453 - V-208931 - SV-208931r505921_rule

RMF Control

AC-17

Severity

CCI

Version

OL6-00-000252

Vuln IDs

V-208931
V-50817

Rule IDs

SV-208931r505921_rule
SV-65023

The ssl directive specifies whether to use ssl or not. If not specified it will default to "no". It should be set to "start_tls" rather than doing LDAP over SSL.

Checks: C-9184r357773_chk

If the system does not use LDAP for authentication or account information, this is not applicable. To ensure LDAP is configured to use TLS for all transactions, run the following command: $ grep start_tls /etc/pam_ldap.conf If no lines are returned, this is a finding.

Fix: F-9184r357774_fix

Configure LDAP to enforce TLS use. First, edit the file "/etc/pam_ldap.conf", and add or correct the following lines: ssl start_tls Then review the LDAP server and ensure TLS has been configured.

The openldap-servers package must not be installed unless required.

CM-6 - Low - CCI-000366 - V-208932 - SV-208932r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000256

Vuln IDs

V-208932
V-50821

Rule IDs

SV-208932r505921_rule
SV-65027

Unnecessary packages should not be installed to decrease the attack surface of the system.

Checks: C-9185r357776_chk

To verify the "openldap-servers" package is not installed, run the following command: $ rpm -q openldap-servers The output should show the following. package openldap-servers is not installed If it does not, this is a finding.

Fix: F-9185r357777_fix

The "openldap-servers" package should be removed if not in use. Is this machine the OpenLDAP server? If not, remove the package. # yum erase openldap-servers The openldap-servers RPM may be installed. It is needed only by the OpenLDAP server, not by clients which use LDAP for authentication. If the system is not intended for use as an LDAP server, it should be removed.

The graphical desktop environment must set the idle timeout to no more than 15 minutes.

AC-11 - Medium - CCI-000057 - V-208933 - SV-208933r505921_rule

RMF Control

AC-11

Severity

CCI

CCI-000057

Version

OL6-00-000257

Vuln IDs

V-208933
V-50823

Rule IDs

SV-208933r505921_rule
SV-65029

Setting the idle delay controls when the screensaver will start, and can be combined with screen locking to prevent access from passersby.

Checks: C-9186r357779_chk

If the GConf2 package is not installed, this is not applicable. To check the current idle time-out value, run the following command: $ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/idle_delay If properly configured, the output should be "15". If it is not, this is a finding.

Fix: F-9186r357780_fix

Run the following command to set the idle time-out value for inactivity in the GNOME desktop to 15 minutes: # gconftool-2 \ --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type int \ --set /apps/gnome-screensaver/idle_delay 15

The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user reauthentication to unlock the environment.

AC-11 - Medium - CCI-000057 - V-208934 - SV-208934r505921_rule

RMF Control

AC-11

Severity

CCI

CCI-000057

Version

OL6-00-000258

Vuln IDs

V-208934
V-50825

Rule IDs

SV-208934r505921_rule
SV-65031

Enabling idle activation of the screen saver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require the login session does not have administrator rights and the display station is located in a controlled-access area.

Checks: C-9187r357782_chk

If the GConf2 package is not installed, this is not applicable. To check the screensaver mandatory use status, run the following command: $ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/idle_activation_enabled If properly configured, the output should be "true". If it is not, this is a finding.

Fix: F-9187r357783_fix

Run the following command to activate the screensaver in the GNOME desktop after a period of inactivity: # gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/gnome-screensaver/idle_activation_enabled true

The graphical desktop environment must have automatic lock enabled.

AC-11 - Medium - CCI-000057 - V-208935 - SV-208935r505921_rule

RMF Control

AC-11

Severity

CCI

CCI-000057

Version

OL6-00-000259

Vuln IDs

V-208935
V-50827

Rule IDs

SV-208935r505921_rule
SV-65033

Enabling the activation of the screen lock after an idle period ensures password entry will be required in order to access the system, preventing access by passersby.

Checks: C-9188r357785_chk

If the GConf2 package is not installed, this is not applicable. To check the status of the idle screen lock activation, run the following command: $ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/lock_enabled If properly configured, the output should be "true". If it is not, this is a finding.

Fix: F-9188r357786_fix

Run the following command to activate locking of the screensaver in the GNOME desktop when it is activated: # gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/gnome-screensaver/lock_enabled true

The system must display a publicly-viewable pattern during a graphical desktop environment session lock.

AC-11 - Low - CCI-000060 - V-208936 - SV-208936r505921_rule

RMF Control

AC-11

Severity

CCI

CCI-000060

Version

OL6-00-000260

Vuln IDs

V-208936
V-50829

Rule IDs

SV-208936r505921_rule
SV-65035

Setting the screensaver mode to blank-only conceals the contents of the display from passersby.

Checks: C-9189r357788_chk

If the GConf2 package is not installed, this is not applicable. To ensure the screensaver is configured to be blank, run the following command: $ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/mode If properly configured, the output should be "blank-only". If it is not, this is a finding.

Fix: F-9189r357789_fix

Run the following command to set the screensaver mode in the GNOME desktop to a blank screen: # gconftool-2 \ --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type string \ --set /apps/gnome-screensaver/mode blank-only

The Automatic Bug Reporting Tool (abrtd) service must not be running.

CM-7 - Low - CCI-000382 - V-208937 - SV-208937r505921_rule

RMF Control

CM-7

Severity

CCI

Version

OL6-00-000261

Vuln IDs

V-208937
V-50831

Rule IDs

SV-208937r505921_rule
SV-65037

Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the local machine, as well as sensitive information from within a process's address space or registers.

Checks: C-9190r357791_chk

To check that the "abrtd" service is disabled in system boot configuration, run the following command: # chkconfig "abrtd" --list Output should indicate the "abrtd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "abrtd" --list "abrtd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "abrtd" is disabled through current runtime configuration: # service abrtd status If the service is disabled the command will return the following output: abrtd is stopped If the service is running, this is a finding.

Fix: F-9190r357792_fix

The Automatic Bug Reporting Tool ("abrtd") daemon collects and reports crash data when an application crash is detected. Using a variety of plugins, abrtd can email crash reports to system administrators, log crash reports to files, or forward crash reports to a centralized issue-tracking system such as the operating system vendor's centralized issue-tracking system. The "abrtd" service can be disabled with the following commands: # chkconfig abrtd off # service abrtd stop

The atd service must be disabled.

CM-7 - Low - CCI-000382 - V-208938 - SV-208938r505921_rule

RMF Control

CM-7

Severity

CCI

Version

OL6-00-000262

Vuln IDs

V-208938
V-50835

Rule IDs

SV-208938r505921_rule
SV-65041

The "atd" service could be used by an unsophisticated insider to carry out activities outside of a normal login session, which could complicate accountability. Furthermore, the need to schedule tasks with "at" or "batch" is not common.

Checks: C-9191r357794_chk

If the system requires the use of the "atd" service to support an organizational requirement, this is not applicable. To check that the "atd" service is disabled in system boot configuration, run the following command: # chkconfig "atd" --list Output should indicate the "atd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "atd" --list "atd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "atd" is disabled through current runtime configuration: # service atd status If the service is disabled the command will return the following output: atd is stopped If the service is running, this is a finding.

Fix: F-9191r357795_fix

The "at" and "batch" commands can be used to schedule tasks that are meant to be executed only once. This allows delayed execution in a manner similar to cron, except that it is not recurring. The daemon "atd" keeps track of tasks scheduled via "at" and "batch", and executes them at the specified time. The "atd" service can be disabled with the following commands: # chkconfig atd off # service atd stop

The ntpdate service must not be running.

CM-7 - Low - CCI-000382 - V-208939 - SV-208939r505921_rule

RMF Control

CM-7

Severity

CCI

Version

OL6-00-000265

Vuln IDs

V-208939
V-50837

Rule IDs

SV-208939r505921_rule
SV-65043

The "ntpdate" service may only be suitable for systems which are rebooted frequently enough that clock drift does not cause problems between reboots. In any event, the functionality of the ntpdate service is now available in the ntpd program and should be considered deprecated.

Checks: C-9192r357797_chk

To check that the "ntpdate" service is disabled in system boot configuration, run the following command: # chkconfig "ntpdate" --list Output should indicate the "ntpdate" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "ntpdate" --list "ntpdate" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "ntpdate" is disabled through current runtime configuration: # service ntpdate status If the service is disabled the command will return the following output: ntpdate is stopped If the service is running, this is a finding.

Fix: F-9192r357798_fix

The ntpdate service sets the local hardware clock by polling NTP servers when the system boots. It synchronizes to the NTP servers listed in "/etc/ntp/step-tickers" or "/etc/ntp.conf" and then sets the local hardware clock to the newly synchronized system time. The "ntpdate" service can be disabled with the following commands: # chkconfig ntpdate off # service ntpdate stop

The oddjobd service must not be running.

CM-7 - Low - CCI-000382 - V-208940 - SV-208940r505921_rule

RMF Control

CM-7

Severity

CCI

Version

OL6-00-000266

Vuln IDs

V-208940
V-50839

Rule IDs

SV-208940r505921_rule
SV-65045

The "oddjobd" service may provide necessary functionality in some environments but it can be disabled if it is not needed. Execution of tasks by privileged programs, on behalf of unprivileged ones, has traditionally been a source of privilege escalation security issues.

Checks: C-9193r357800_chk

To check that the "oddjobd" service is disabled in system boot configuration, run the following command: # chkconfig "oddjobd" --list Output should indicate the "oddjobd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "oddjobd" --list "oddjobd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "oddjobd" is disabled through current runtime configuration: # service oddjobd status If the service is disabled the command will return the following output: oddjobd is stopped If the service is running, this is a finding.

Fix: F-9193r357801_fix

The "oddjobd" service exists to provide an interface and access control mechanism through which specified privileged tasks can run tasks for unprivileged client applications. Communication with "oddjobd" is through the system message bus. The "oddjobd" service can be disabled with the following commands: # chkconfig oddjobd off # service oddjobd stop

The qpidd service must not be running.

CM-7 - Low - CCI-000382 - V-208941 - SV-208941r505921_rule

RMF Control

CM-7

Severity

CCI

Version

OL6-00-000267

Vuln IDs

V-208941
V-50841

Rule IDs

SV-208941r505921_rule
SV-65047

The qpidd service is automatically installed when the "base" package selection is selected during installation. The qpidd service listens for network connections, which increases the attack surface of the system. If the system is not intended to receive AMQP, traffic then the "qpidd" service is not needed and should be disabled or removed.

Checks: C-9194r357803_chk

To check that the "qpidd" service is disabled in system boot configuration, run the following command: # chkconfig "qpidd" --list Output should indicate the "qpidd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "qpidd" --list "qpidd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "qpidd" is disabled through current runtime configuration: # service qpidd status If the service is disabled the command will return the following output: qpidd is stopped If the service is running, this is a finding.

Fix: F-9194r357804_fix

The "qpidd" service provides high speed, secure, guaranteed delivery services. It is an implementation of the Advanced Message Queuing Protocol. By default the qpidd service will bind to port 5672 and listen for connection attempts. The "qpidd" service can be disabled with the following commands: # chkconfig qpidd off # service qpidd stop

The rdisc service must not be running.

CM-7 - Low - CCI-000382 - V-208942 - SV-208942r505921_rule

RMF Control

CM-7

Severity

CCI

Version

OL6-00-000268

Vuln IDs

V-208942
V-50843

Rule IDs

SV-208942r505921_rule
SV-65049

General-purpose systems typically have their network and routing information configured statically by a system administrator. Workstations or some special-purpose systems often use DHCP (instead of IRDP) to retrieve dynamic network configuration information.

Checks: C-9195r357806_chk

To check that the "rdisc" service is disabled in system boot configuration, run the following command: # chkconfig "rdisc" --list Output should indicate the "rdisc" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "rdisc" --list "rdisc" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "rdisc" is disabled through current runtime configuration: # service rdisc status If the service is disabled the command will return the following output: rdisc is stopped If the service is running, this is a finding.

Fix: F-9195r357807_fix

The "rdisc" service implements the client side of the ICMP Internet Router Discovery Protocol (IRDP), which allows discovery of routers on the local subnet. If a router is discovered then the local routing table is updated with a corresponding default route. By default this daemon is disabled. The "rdisc" service can be disabled with the following commands: # chkconfig rdisc off # service rdisc stop

Remote file systems must be mounted with the nodev option.

CM-6 - Medium - CCI-000366 - V-209008 - SV-209008r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000269

Vuln IDs

V-209008
V-50845

Rule IDs

SV-209008r505921_rule
SV-65051

Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users.

Checks: C-9261r357809_chk

To verify the "nodev" option is configured for all NFS mounts, run the following command: $ mount | grep nfs All NFS mounts should show the "nodev" setting in parentheses, along with other mount options. If the setting does not show, this is a finding.

Fix: F-9261r357810_fix

Add the "nodev" option to the fourth column of "/etc/fstab" for the line which controls mounting of any NFS mounts.

Remote file systems must be mounted with the nosuid option.

CM-6 - Medium - CCI-000366 - V-209009 - SV-209009r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000270

Vuln IDs

V-209009
V-50847

Rule IDs

SV-209009r505921_rule
SV-65053

NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem.

Checks: C-9262r357812_chk

To verify the "nosuid" option is configured for all NFS mounts, run the following command: $ mount | grep nfs All NFS mounts should show the "nosuid" setting in parentheses, along with other mount options. If the setting does not show, this is a finding.

Fix: F-9262r357813_fix

Add the "nosuid" option to the fourth column of "/etc/fstab" for the line which controls mounting of any NFS mounts.

The system must use SMB client signing for connecting to samba servers using smbclient.

CM-6 - Low - CCI-000366 - V-209010 - SV-209010r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000272

Vuln IDs

V-209010
V-50851

Rule IDs

SV-209010r505921_rule
SV-65057

Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.

Checks: C-9263r357815_chk

To verify that Samba clients running smbclient must use packet signing, run the following command: # grep signing /etc/samba/smb.conf The output should show: client signing = mandatory If it is not, this is a finding.

Fix: F-9263r357816_fix

To require samba clients running "smbclient" to use packet signing, add the following to the "[global]" section of the Samba configuration file in "/etc/samba/smb.conf": client signing = mandatory Requiring samba clients such as "smbclient" to use packet signing ensures they can only communicate with servers that support packet signing.

The system must use SMB client signing for connecting to samba servers using mount.cifs.

CM-6 - Low - CCI-000366 - V-209011 - SV-209011r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000273

Vuln IDs

V-209011
V-50853

Rule IDs

SV-209011r505921_rule
SV-65059

Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.

Checks: C-9264r357818_chk

If Samba is not in use, this is not applicable. To verify that Samba clients using mount.cifs must use packet signing, run the following command: # grep sec /etc/fstab /etc/mtab The output should show either "krb5i" or "ntlmv2i" in use. If it does not, this is a finding.

Fix: F-9264r357819_fix

Require packet signing of clients who mount Samba shares using the "mount.cifs" program (e.g., those who specify shares in "/etc/fstab"). To do so, ensure signing options (either "sec=krb5i" or "sec=ntlmv2i") are used. See the "mount.cifs(8)" man page for more information. A Samba client should only communicate with servers who can support SMB packet signing.

The system must prohibit the reuse of passwords within five iterations.

IA-5 - Medium - CCI-000200 - V-209012 - SV-209012r505921_rule

RMF Control

IA-5

Severity

CCI

CCI-000200

Version

OL6-00-000274

Vuln IDs

V-209012
V-50855

Rule IDs

SV-209012r505921_rule
SV-65061

Preventing reuse of previous passwords helps ensure that a compromised password is not reused by a user.

Checks: C-9265r357821_chk

To verify the password reuse setting is compliant, run the following command: # grep remember /etc/pam.d/system-auth /etc/pam.d/password-auth The output must be a line beginning with "password required pam_pwhistory.so" and ending with "remember=5". If the line is commented out, the line does not contain the specified elements, or the value for "remember" is less than “5”, this is a finding.

Fix: F-9265r357822_fix

Do not allow users to reuse recent passwords. This can be accomplished by using the "remember" option for the "pam_pwhistory" PAM module. In the file "/etc/pam.d/system-auth", append "remember=5" to the line which refers to the "pam_pwhistory.so" module, as shown: password required pam_pwhistory.so [existing_options] remember=5 The DoD requirement is five passwords.

The operating system must protect the confidentiality and integrity of data at rest.

SC-28 - Low - CCI-001199 - V-209013 - SV-209013r505921_rule

RMF Control

SC-28

Severity

CCI

CCI-001199

Version

OL6-00-000276

Vuln IDs

V-209013
V-50859

Rule IDs

SV-209013r505921_rule
SV-65065

The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost.

Checks: C-9266r357824_chk

Determine if encryption must be used to protect data on the system. If encryption must be used and is not employed, this is a finding.

Fix: F-9266r357825_fix

The operating system natively supports partition encryption through the Linux Unified Key Setup (LUKS) on-disk-format technology. The easiest way to encrypt a partition is during installation time. For manual installations, select the "Encrypt" checkbox during partition creation to encrypt the partition. When this option is selected, the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots. For automated/unattended installations, it is possible to use Kickstart by adding the "--encrypted" and "--passphrase=" options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition: part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=[PASSPHRASE] Any [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the "--passphrase=" option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation. Detailed information on encrypting partitions using LUKS can be found in the Oracle Linux documentation at: http://docs.oracle.com/cd/E37670_01/E36387/html/index.html Additional information is available from: http://linux.oracle.com/documentation/OL6/Red_Hat_Enterprise_Linux-6-Security_Guide-en-US.pdf

The system package management tool must verify permissions on all files and directories associated with the audit package.

AU-9 - Medium - CCI-001493 - V-209014 - SV-209014r505921_rule

RMF Control

AU-9

Severity

CCI

CCI-001493

Version

OL6-00-000278

Vuln IDs

V-209014
V-50863

Rule IDs

SV-209014r505921_rule
SV-65069

Permissions on audit binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.

Checks: C-9267r357827_chk

The following command will list which audit files on the system have permissions different from what is expected by the RPM database: # rpm -V audit | grep '^.M' If there is any output, for each file or directory found, compare the RPM-expected permissions with the permissions on the file or directory: # rpm -q --queryformat "[%{FILENAMES} %{FILEMODES:perms}\n]" audit | grep [filename] # ls -lL [filename] If the existing permissions are more permissive than those expected by RPM, this is a finding.

Fix: F-9267r357828_fix

The RPM package management system can restore file access permissions of the audit package files and directories. The following command will update audit files with permissions different from what is expected by the RPM database: # rpm --setperms audit

The system package management tool must verify ownership on all files and directories associated with the audit package.

AU-9 - Medium - CCI-001494 - V-209015 - SV-209015r505921_rule

RMF Control

AU-9

Severity

CCI

CCI-001494

Version

OL6-00-000279

Vuln IDs

V-209015
V-50865

Rule IDs

SV-209015r505921_rule
SV-65071

Ownership of audit binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.

Checks: C-9268r357830_chk

The following command will list which audit files on the system have ownership different from what is expected by the RPM database: # rpm -V audit | grep '^.....U' If there is output, this is a finding.

Fix: F-9268r357831_fix

The RPM package management system can restore file ownership of the audit package files and directories. The following command will update audit files with ownership different from what is expected by the RPM database: # rpm --setugids audit

The system package management tool must verify group-ownership on all files and directories associated with the audit package.

AU-9 - Medium - CCI-001495 - V-209016 - SV-209016r505921_rule

RMF Control

AU-9

Severity

CCI

CCI-001495

Version

OL6-00-000280

Vuln IDs

V-209016
V-50867

Rule IDs

SV-209016r505921_rule
SV-65073

Group-ownership of audit binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The group-ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.

Checks: C-9269r357833_chk

The following command will list which audit files on the system have group-ownership different from what is expected by the RPM database: # rpm -V audit | grep '^......G' If there is output, this is a finding.

Fix: F-9269r357834_fix

The RPM package management system can restore file group-ownership of the audit package files and directories. The following command will update audit files with group-ownership different from what is expected by the RPM database: # rpm --setugids audit

The system package management tool must verify contents of all files associated with the audit package.

AU-9 - Medium - CCI-001496 - V-209017 - SV-209017r505921_rule

RMF Control

AU-9

Severity

CCI

CCI-001496

Version

OL6-00-000281

Vuln IDs

V-209017
V-50869

Rule IDs

SV-209017r505921_rule
SV-65075

The hash on important files like audit system executables should match the information given by the RPM database. Audit executables with erroneous hashes could be a sign of nefarious activity on the system.

Checks: C-9270r357836_chk

The following command will list which audit files on the system have file hashes different from what is expected by the RPM database. # rpm -V audit | awk '$1 ~ /..5/ && $2 != "c"' If there is output, this is a finding.

Fix: F-9270r357837_fix

The RPM package management system can check the hashes of audit system package files. Run the following command to list which audit files on the system have hashes that differ from what is expected by the RPM database: # rpm -V audit | grep '^..5' A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file that has changed was not expected to then refresh from distribution media or online repositories. rpm -Uvh [affected_package] OR yum reinstall [affected_package]

There must be no world-writable files on the system.

CM-6 - Medium - CCI-000366 - V-209018 - SV-209018r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000282

Vuln IDs

V-209018
V-50871

Rule IDs

SV-209018r505921_rule
SV-65077

Data in world-writable files can be modified by any user on the system. In almost all circumstances, files can be configured using a combination of user and group permissions to support whatever legitimate access is needed without the risk caused by world-writable files.

Checks: C-9271r357839_chk

To find world-writable files, run the following command for each local partition [PART], excluding special filesystems such as /selinux, /proc, or /sys: # find [PART] -xdev -type f -perm -002 If there is output, this is a finding.

Fix: F-9271r357840_fix

It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account.

The x86 Ctrl-Alt-Delete key sequence must be disabled.

CM-6 - High - CCI-000366 - V-209019 - SV-209019r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000286

Vuln IDs

V-209019
V-50877

Rule IDs

SV-209019r505921_rule
SV-65083

A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.

Checks: C-9272r357842_chk

To ensure the system is configured to log a message instead of rebooting the system when “Ctrl-Alt-Delete” is pressed, ensure the following line is in "/etc/init/control-alt-delete.override": exec /usr/bin/logger -p authpriv.notice "Ctrl-Alt-Delete pressed" If the system is not configured to block the shutdown command when “Ctrl-Alt-Delete” is pressed, this is a finding.

Fix: F-9272r357843_fix

By default, the system includes the following line in "/etc/init/control-alt-delete.conf" to reboot the system when the “Ctrl-Alt-Delete” key sequence is pressed: exec /sbin/shutdown -r now "Ctrl-Alt-Delete pressed" To configure the system to log a message instead of rebooting the system, add the following line to "/etc/init/control-alt-delete.override" to read as follows: exec /usr/bin/logger -p authpriv.notice "Ctrl-Alt-Delete pressed"

The postfix service must be enabled for mail delivery.

CM-6 - Low - CCI-000366 - V-209020 - SV-209020r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000287

Vuln IDs

V-209020
V-50879

Rule IDs

SV-209020r505921_rule
SV-65085

Local mail delivery is essential to some system maintenance and notification tasks.

Checks: C-9273r357845_chk

Run the following command to determine the current status of the "postfix" service: # service postfix status If the service is enabled, it should return the following: postfix is running... If the service is not enabled, this is a finding.

Fix: F-9273r357846_fix

The Postfix mail transfer agent is used for local mail delivery within the system. The default configuration only listens for connections to the default SMTP port (port 25) on the loopback interface (127.0.0.1). It is recommended to leave this service enabled for local mail delivery. The "postfix" service can be enabled with the following command: # chkconfig postfix on # service postfix start

The sendmail package must be removed.

CM-6 - Medium - CCI-000366 - V-209021 - SV-209021r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000288

Vuln IDs

V-209021
V-50881

Rule IDs

SV-209021r505921_rule
SV-65087

The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead.

Checks: C-9274r357848_chk

Run the following command to determine if the "sendmail" package is installed: # rpm -q sendmail If the package is installed, this is a finding.

Fix: F-9274r357849_fix

Sendmail is not the default mail transfer agent and is not installed by default. The "sendmail" package can be removed with the following command: # yum erase sendmail

The netconsole service must be disabled unless required.

CM-7 - Low - CCI-000382 - V-209022 - SV-209022r505921_rule

RMF Control

CM-7

Severity

CCI

Version

OL6-00-000289

Vuln IDs

V-209022
V-50883

Rule IDs

SV-209022r505921_rule
SV-65089

The "netconsole" service is not necessary unless there is a need to debug kernel panics, which is not common.

Checks: C-9275r357851_chk

To check that the "netconsole" service is disabled in system boot configuration, run the following command: # chkconfig "netconsole" --list Output should indicate the "netconsole" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "netconsole" --list "netconsole" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "netconsole" is disabled through current runtime configuration: # service netconsole status If the service is disabled the command will return the following output: netconsole is stopped If the service is running, this is a finding.

Fix: F-9275r357852_fix

The "netconsole" service is responsible for loading the netconsole kernel module, which logs kernel printk messages over UDP to a syslog server. This allows debugging of problems where disk logging fails and serial consoles are impractical. The "netconsole" service can be disabled with the following commands: # chkconfig netconsole off # service netconsole stop

The xorg-x11-server-common (X Windows) package must not be installed, unless required.

CM-6 - Low - CCI-000366 - V-209023 - SV-209023r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000291

Vuln IDs

V-209023
V-50887

Rule IDs

SV-209023r505921_rule
SV-65093

Unnecessary packages should not be installed to decrease the attack surface of the system.

Checks: C-9276r357854_chk

To ensure the X Windows package group is removed, run the following command: $ rpm -qi xorg-x11-server-common The output should be: package xorg-x11-server-common is not installed If it is not, this is a finding.

Fix: F-9276r357855_fix

Removing all packages which constitute the X Window System ensures users or malicious software cannot start X. To do so, run the following command: # yum groupremove "X Window System"

The DHCP client must be disabled if not needed.

CM-6 - Medium - CCI-000366 - V-209024 - SV-209024r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000292

Vuln IDs

V-209024
V-50889

Rule IDs

SV-209024r505921_rule
SV-65095

DHCP relies on trusting the local network. If the local network is not trusted, then it should not be used. However, the automatic configuration provided by DHCP is commonly used and the alternative, manual configuration, presents an unacceptable burden in many circumstances.

Checks: C-9277r357857_chk

To verify that DHCP is not being used, examine the following file for each interface. # /etc/sysconfig/network-scripts/ifcfg-[IFACE] If there is any network interface without a associated "ifcfg" file, this is a finding. Look for the following: BOOTPROTO=none Also verify the following, substituting the appropriate values based on your site's addressing scheme: NETMASK=[local LAN netmask] IPADDR=[assigned IP address] GATEWAY=[local LAN default gateway] If it does not, this is a finding.

Fix: F-9277r357858_fix

For each interface [IFACE] on the system (e.g. eth0), edit "/etc/sysconfig/network-scripts/ifcfg-[IFACE]" and make the following changes. Correct the BOOTPROTO line to read: BOOTPROTO=none Add or correct the following lines, substituting the appropriate values based on your site's addressing scheme: NETMASK=[local LAN netmask] IPADDR=[assigned IP address] GATEWAY=[local LAN default gateway]

All GIDs referenced in /etc/passwd must be defined in /etc/group.

CM-6 - Low - CCI-000366 - V-209025 - SV-209025r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000294

Vuln IDs

V-209025
V-50973

Rule IDs

SV-209025r505921_rule
SV-65179

Inconsistency in GIDs between /etc/passwd and /etc/group could lead to a user having unintended rights.

Checks: C-9278r357860_chk

To ensure all GIDs referenced in /etc/passwd are defined in /etc/group, run the following command: # pwck -r | grep 'no group' There should be no output. If there is output, this is a finding.

Fix: F-9278r357861_fix

Add a group to the system for each GID referenced without a corresponding group.

All accounts on the system must have unique user or account names.

IA-8 - Low - CCI-000804 - V-209026 - SV-209026r505921_rule

RMF Control

IA-8

Severity

CCI

CCI-000804

Version

OL6-00-000296

Vuln IDs

V-209026
V-50985

Rule IDs

SV-209026r505921_rule
SV-65191

Unique usernames allow for accountability on the system.

Checks: C-9279r357863_chk

Run the following command to check for duplicate account names: # pwck -rq If there are no duplicate names, no line will be returned. If a line is returned, this is a finding.

Fix: F-9279r357864_fix

Change usernames, or delete accounts, so each has a unique name.

Temporary accounts must be provisioned with an expiration date.

AC-2 - Low - CCI-000016 - V-209027 - SV-209027r505921_rule

RMF Control

AC-2

Severity

CCI

CCI-000016

Version

OL6-00-000297

Vuln IDs

V-209027
V-50991

Rule IDs

SV-209027r505921_rule
SV-65197

When temporary accounts are created, there is a risk they may remain in place and active after the need for them no longer exists. Account expiration greatly reduces the risk of accounts being misused or hijacked.

Checks: C-9280r357866_chk

For every temporary account, run the following command to obtain its account aging and expiration information: # chage -l [USER] Verify each of these accounts has an expiration date set as documented. If any temporary accounts have no expiration date set or do not expire within a documented time frame, this is a finding.

Fix: F-9280r357867_fix

In the event temporary accounts are required, configure the system to terminate them after a documented time period. For every temporary account, run the following command to set an expiration date on it, substituting "[USER]" and "[YYYY-MM-DD]" appropriately: # chage -E [YYYY-MM-DD] [USER] "[YYYY-MM-DD]" indicates the documented expiration date for the account.

Emergency accounts must be provisioned with an expiration date.

AC-2 - Low - CCI-001682 - V-209028 - SV-209028r505921_rule

RMF Control

AC-2

Severity

CCI

CCI-001682

Version

OL6-00-000298

Vuln IDs

V-209028
V-50993

Rule IDs

SV-209028r505921_rule
SV-65199

When emergency accounts are created, there is a risk they may remain in place and active after the need for them no longer exists. Account expiration greatly reduces the risk of accounts being misused or hijacked.

Checks: C-9281r357869_chk

For every emergency account, run the following command to obtain its account aging and expiration information: # chage -l [USER] Verify each of these accounts has an expiration date set as documented. If any emergency accounts have no expiration date set or do not expire within a documented time frame, this is a finding.

Fix: F-9281r357870_fix

In the event emergency accounts are required, configure the system to terminate them after a documented time period. For every emergency account, run the following command to set an expiration date on it, substituting "[USER]" and "[YYYY-MM-DD]" appropriately: # chage -E [YYYY-MM-DD] [USER] "[YYYY-MM-DD]" indicates the documented expiration date for the account.

The system must require passwords to contain no more than three consecutive repeating characters.

CM-6 - Low - CCI-000366 - V-209029 - SV-209029r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000299

Vuln IDs

V-209029
V-50995

Rule IDs

SV-209029r505921_rule
SV-65201

Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.

Checks: C-9282r357872_chk

To check the maximum value for consecutive repeating characters, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth Look for the value of the "maxrepeat" parameter. The DoD requirement is “3”. If "maxrepeat" is not found, is set to zero, or is set to a value greater than “3”, this is a finding.

Fix: F-9282r357873_fix

The pam_cracklib module's ”maxrepeat” parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords that contain more than the number of consecutive characters. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "maxrepeat=3" after pam_cracklib.so to prevent a run of (3 + 1) or more identical characters. password required pam_cracklib.so maxrepeat=3

Process core dumps must be disabled unless needed.

CM-6 - Low - CCI-000366 - V-209030 - SV-209030r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000308

Vuln IDs

V-209030
V-51041

Rule IDs

SV-209030r505921_rule
SV-65247

A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.

Checks: C-9283r357875_chk

To verify that core dumps are disabled for all users, run the following command: $ grep core /etc/security/limits.conf /etc/security/limits.d/*.conf The output should be: * hard core 0 If it is not, this is a finding.

Fix: F-9283r357876_fix

To disable core dumps for all users, add the following line to "/etc/security/limits.conf": * hard core 0

The NFS server must not have the insecure file locking option enabled.

IA-2 - High - CCI-000764 - V-209031 - SV-209031r505921_rule

RMF Control

IA-2

Severity

CCI

CCI-000764

Version

OL6-00-000309

Vuln IDs

V-209031
V-51047

Rule IDs

SV-209031r505921_rule
SV-65253

Allowing insecure file locking could allow for sensitive data to be viewed or edited by an unauthorized user.

Checks: C-9284r357878_chk

To verify insecure file locking has been disabled, run the following command: # grep insecure_locks /etc/exports If there is output, this is a finding.

Fix: F-9284r357879_fix

By default the NFS server requires secure file-lock requests, which require credentials from the client in order to lock a file. Most NFS clients send credentials with file lock requests, however, there are a few clients that do not send credentials when requesting a file-lock, allowing the client to only be able to lock world-readable files. To get around this, the "insecure_locks" option can be used so these clients can access the desired export. This poses a security risk by potentially allowing the client access to data for which it does not have authorization. Remove any instances of the "insecure_locks" option from the file "/etc/exports".

The audit system must identify staff members to receive notifications of audit log storage volume capacity issues.

AU-5 - Medium - CCI-000139 - V-209032 - SV-209032r505921_rule

RMF Control

AU-5

Severity

CCI

CCI-000139

Version

OL6-00-000313

Vuln IDs

V-209032
V-51057

Rule IDs

SV-209032r505921_rule
SV-65263

Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.

Checks: C-9285r357881_chk

Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to send email to an account when it needs to notify an administrator: action_mail_acct = root If auditd is not configured to send emails per identified actions, this is a finding.

Fix: F-9285r357882_fix

The "auditd" service can be configured to send email to a designated account in certain situations. Add or correct the following line in "/etc/audit/auditd.conf" to ensure that administrators are notified via email for those situations: action_mail_acct = root

The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.

AC-10 - Low - CCI-000054 - V-209033 - SV-209033r505921_rule

RMF Control

AC-10

Severity

CCI

CCI-000054

Version

OL6-00-000319

Vuln IDs

V-209033
V-51115

Rule IDs

SV-209033r505921_rule
SV-65325

Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions.

Checks: C-9286r357884_chk

Run the following command to ensure the "maxlogins" value is configured for all users on the system: $ grep "maxlogins" /etc/security/limits.conf /etc/security/limits.d/*.conf You should receive output similar to the following: * hard maxlogins 10 If it is not similar, this is a finding.

Fix: F-9286r357885_fix

Limiting the number of allowed users and sessions per user can limit risks related to denial of service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. To set the number of concurrent sessions per user add the following line in "/etc/security/limits.conf": * hard maxlogins 10 A documented site-defined number may be substituted for 10 in the above.

A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.

AC-8 - Medium - CCI-000050 - V-209034 - SV-209034r505921_rule

RMF Control

AC-8

Severity

CCI

CCI-000050

Version

OL6-00-000324

Vuln IDs

V-209034
V-51123

Rule IDs

SV-209034r505921_rule
SV-65333

An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.

Checks: C-9287r357887_chk

If the GConf2 package is not installed, this is not applicable. To ensure a login warning banner is enabled, run the following: $ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gdm/simple-greeter/banner_message_enable Search for the "banner_message_enable" schema. If properly configured, the "default" value should be "true". If it is not, this is a finding.

Fix: F-9287r357888_fix

To enable displaying a login warning banner in the GNOME Display Manager's login screen, run the following command: # gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/gdm/simple-greeter/banner_message_enable true To display a banner, this setting must be enabled and then banner text must also be set.

The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.

AC-8 - Medium - CCI-001388 - V-209035 - SV-209035r505921_rule

RMF Control

AC-8

Severity

CCI

CCI-001388

Version

OL6-00-000326

Vuln IDs

V-209035
V-51125

Rule IDs

SV-209035r505921_rule
SV-65335

An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.

Checks: C-9288r357890_chk

If the GConf2 package is not installed, this is not applicable. To ensure login warning banner text is properly set, run the following: $ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gdm/simple-greeter/banner_message_text If properly configured, the proper banner text will appear within this schema. The DoD required text is either: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." OR: "I've read & consent to terms in IS user agreem't." If the DoD required banner text does not appear in the schema, this is a finding.

Fix: F-9288r357891_fix

To set the text shown by the GNOME Display Manager in the login screen, run the following command: # gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type string \ --set /apps/gdm/simple-greeter/banner_message_text \ "[DoD required text]" Where the DoD required text is either: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." OR: "I've read & consent to terms in IS user agreem't." When entering a warning banner that spans several lines, remember to begin and end the string with """. This command writes directly to the file "/etc/gconf/gconf.xml.mandatory/apps/gdm/simple-greeter/%gconf.xml", and this file can later be edited directly if necessary.

Accounts must be locked upon 35 days of inactivity.

AC-2 - Low - CCI-000017 - V-209036 - SV-209036r505921_rule

RMF Control

AC-2

Severity

CCI

CCI-000017

Version

OL6-00-000334

Vuln IDs

V-209036
V-51129

Rule IDs

SV-209036r505921_rule
SV-65339

Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.

Checks: C-9289r357893_chk

To verify the "INACTIVE" setting, run the following command: grep "INACTIVE" /etc/default/useradd The output should indicate the "INACTIVE" configuration option is set to an appropriate integer as shown in the example below: # grep "INACTIVE" /etc/default/useradd INACTIVE=35 If it does not, this is a finding.

Fix: F-9289r357894_fix

To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in "/etc/default/useradd", substituting "[NUM_DAYS]" appropriately: INACTIVE=[NUM_DAYS] A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the "useradd" man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.

The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization defined time period of inactivity.

IA-4 - Low - CCI-000795 - V-209037 - SV-209037r505921_rule

RMF Control

IA-4

Severity

CCI

CCI-000795

Version

OL6-00-000335

Vuln IDs

V-209037
V-51131

Rule IDs

SV-209037r505921_rule
SV-65341

Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.

Checks: C-9290r357896_chk

Fix: F-9290r357897_fix

The sticky bit must be set on all public directories.

CM-6 - Low - CCI-000366 - V-209038 - SV-209038r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000336

Vuln IDs

V-209038
V-51133

Rule IDs

SV-209038r505921_rule
SV-65343

Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure. The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, and by users for temporary file storage - such as /tmp - and for directories requiring global read/write access.

Checks: C-9291r357899_chk

To find world-writable directories that lack the sticky bit, run the following command for each local partition [PART]: # find [PART] -xdev -type d -perm -002 ! -perm -1000 If any world-writable directories are missing the sticky bit, this is a finding.

Fix: F-9291r357900_fix

When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes. To set the sticky bit on a world-writable directory [DIR], run the following command: # chmod +t [DIR]

All public directories must be owned by a system account.

CM-6 - Low - CCI-000366 - V-209039 - SV-209039r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000337

Vuln IDs

V-209039
V-51423

Rule IDs

SV-209039r505921_rule
SV-65633

Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.

Checks: C-9292r357902_chk

The following command will discover and print world-writable directories that are not owned by a system account, given the assumption that only system accounts have a uid lower than 500. Run it once for each local partition [PART]: # find [PART] -xdev -type d -perm -0002 -uid +500 -print If there is output, this is a finding.

Fix: F-9292r357903_fix

All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group.

The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system.

CM-6 - High - CCI-000366 - V-209040 - SV-209040r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000338

Vuln IDs

V-209040
V-50751

Rule IDs

SV-209040r505921_rule
SV-64957

Using the "-s" option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally specified directory reduces the risk of sharing files which should remain private.

Checks: C-9293r357905_chk

Verify the "tftp" package is installed: # rpm -qa | grep -i tftp tftp-5.2-22.e16.x86_64 If the "tftp" package is not installed, this is Not Applicable. Verify "tftp" is configured by with the "-s" option by running the following command: grep "server_args" /etc/xinetd.d/tftp The output should indicate the "server_args" variable is configured with the "-s" flag, matching the example below: # grep "server_args" /etc/xinetd.d/tftp server_args = -s /var/lib/tftpboot If it does not, this is a finding.

Fix: F-9293r357906_fix

If running the "tftp" service is necessary, it should be configured to change its root directory at startup. To do so, ensure "/etc/xinetd.d/tftp" includes "-s" as a command line argument, as shown in the following example (which is also the default): server_args = -s /var/lib/tftpboot

The FTP daemon must be configured for logging or verbose mode.

AU-3 - Low - CCI-000130 - V-209041 - SV-209041r505921_rule

RMF Control

AU-3

Severity

CCI

CCI-000130

Version

OL6-00-000339

Vuln IDs

V-209041
V-50739

Rule IDs

SV-209041r505921_rule
SV-64945

To trace malicious activity facilitated by the FTP service, it must be configured to ensure that all commands sent to the ftp server are logged using the verbose vsftpd log format. The default vsftpd log file is /var/log/vsftpd.log.

Checks: C-9294r357908_chk

Verify the "vsftpd" package is installed: # rpm -qa | grep -i vsftpd vsftpd-3.0.2-22.e16.x86_64 If the "vsftpd" package is not installed, this is Not Applicable. Find if logging is applied to the ftp daemon. Procedures: If vsftpd is started by xinetd the following command will indicate the xinetd.d startup file. # grep vsftpd /etc/xinetd.d/* # grep server_args [vsftpd xinetd.d startup file] This will indicate the vsftpd config file used when starting through xinetd. If the [server_args]line is missing or does not include the vsftpd configuration file, then the default config file (/etc/vsftpd/vsftpd.conf) is used. # grep xferlog_enable [vsftpd config file] If xferlog_enable is missing, or is not set to yes, this is a finding.

Fix: F-9294r357909_fix

Add or correct the following configuration options within the "vsftpd" configuration file, located at "/etc/vsftpd/vsftpd.conf". xferlog_enable=YES xferlog_std_format=NO log_ftp_protocol=YES

The snmpd service must use only SNMP protocol version 3 or newer.

CM-6 - Medium - CCI-000366 - V-209042 - SV-209042r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000340

Vuln IDs

V-209042
V-50717

Rule IDs

SV-209042r505921_rule
SV-64923

Earlier versions of SNMP are considered insecure, as they potentially allow unauthorized access to detailed system management information.

Checks: C-9295r357911_chk

To ensure only SNMPv3 or newer is used, run the following command: # grep 'v1\|v2c\|com2sec' /etc/snmp/snmpd.conf | grep -v '^#' There should be no output. If there is output, this is a finding.

Fix: F-9295r357912_fix

Edit "/etc/snmp/snmpd.conf", removing any references to "v1", "v2c", or "com2sec". Upon doing that, restart the SNMP service: # service snmpd restart

The snmpd service must not use a default password.

CM-6 - High - CCI-000366 - V-209043 - SV-209043r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000341

Vuln IDs

V-209043
V-50713

Rule IDs

SV-209043r505921_rule
SV-64919

Presence of the default SNMP password enables querying of different system aspects and could result in unauthorized knowledge of the system.

Checks: C-9296r357914_chk

To ensure the default password is not set, run the following command: # grep -v "^#" /etc/snmp/snmpd.conf| grep public There should be no output. If there is output, this is a finding.

Fix: F-9296r357915_fix

Edit "/etc/snmp/snmpd.conf", remove default community string "public". Upon doing that, restart the SNMP service: # service snmpd restart

The system default umask for the bash shell must be 077.

CM-6 - Low - CCI-000366 - V-209044 - SV-209044r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000342

Vuln IDs

V-209044
V-50707

Rule IDs

SV-209044r505921_rule
SV-64913

The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.

Checks: C-9297r357917_chk

Verify the "umask" setting is configured correctly in the "/etc/bashrc" file by running the following command: # grep "umask" /etc/bashrc All output must show the value of "umask" set to 077, as shown below: # grep "umask" /etc/bashrc umask 077 umask 077 If the above command returns no output, or if the umask is configured incorrectly, this is a finding.

Fix: F-9297r357918_fix

To ensure the default umask for users of the Bash shell is set properly, add or correct the "umask" setting in "/etc/bashrc" to read as follows: umask 077

The system default umask for the csh shell must be 077.

CM-6 - Low - CCI-000366 - V-209045 - SV-209045r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000343

Vuln IDs

V-209045
V-50673

Rule IDs

SV-209045r505921_rule
SV-64879

Checks: C-9298r357920_chk

Verify the "umask" setting is configured correctly in the "/etc/csh.cshrc" file by running the following command: # grep "umask" /etc/csh.cshrc All output must show the value of "umask" set to 077, as shown in the below: # grep "umask" /etc/csh.cshrc umask 077 If the above command returns no output, or if the umask is configured incorrectly, this is a finding.

Fix: F-9298r357921_fix

To ensure the default umask for users of the C shell is set properly, add or correct the "umask" setting in "/etc/csh.cshrc" to read as follows: umask 077

The system default umask in /etc/profile must be 077.

CM-6 - Low - CCI-000366 - V-209046 - SV-209046r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000344

Vuln IDs

V-209046
V-50669

Rule IDs

SV-209046r505921_rule
SV-64875

Checks: C-9299r357923_chk

Verify the "umask" setting is configured correctly in the "/etc/profile" file by running the following command: # grep "umask" /etc/profile All output must show the value of "umask" set to 077, as shown in the below: # grep "umask" /etc/profile umask 077 If the above command returns no output, or if the umask is configured incorrectly, this is a finding.

Fix: F-9299r357924_fix

To ensure the default umask controlled by "/etc/profile" is set properly, add or correct the "umask" setting in "/etc/profile" to read as follows: umask 077

The system default umask in /etc/login.defs must be 077.

CM-6 - Low - CCI-000366 - V-209047 - SV-209047r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000345

Vuln IDs

V-209047
V-50667

Rule IDs

SV-209047r505921_rule
SV-64873

Checks: C-9300r357926_chk

Verify the "umask" setting is configured correctly in the "/etc/login.defs" file by running the following command: # grep -i "umask" /etc/login.defs All output must show the value of "umask" set to 077, as shown in the below: # grep -i "umask" /etc/login.defs UMASK 077 If the above command returns no output, or if the umask is configured incorrectly, this is a finding.

Fix: F-9300r357927_fix

To ensure the default umask controlled by "/etc/login.defs" is set properly, add or correct the "umask" setting in "/etc/login.defs" to read as follows: UMASK 077

The system default umask for daemons must be 027 or 022.

CM-6 - Low - CCI-000366 - V-209048 - SV-209048r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000346

Vuln IDs

V-209048
V-50665

Rule IDs

SV-209048r505921_rule
SV-64871

The umask influences the permissions assigned to files created by a process at run time. An unnecessarily permissive umask could result in files being created with insecure permissions.

Checks: C-9301r357929_chk

To check the value of the "umask", run the following command: $ grep umask /etc/init.d/functions The output should show either "022" or "027". If it does not, this is a finding.

Fix: F-9301r357930_fix

The file "/etc/init.d/functions" includes initialization parameters for most or all daemons started at boot time. The default umask of 022 prevents creation of group- or world-writable files. To set the default umask for daemons, edit the following line, inserting 022 or 027 for [UMASK] appropriately: umask [UMASK] Setting the umask to too restrictive a setting can cause serious errors at runtime. Many daemons on the system already individually restrict themselves to a umask of 077 in their own init scripts.

There must be no .netrc files on the system.

IA-5 - Medium - CCI-000196 - V-209049 - SV-209049r505921_rule

RMF Control

IA-5

Severity

CCI

CCI-000196

Version

OL6-00-000347

Vuln IDs

V-209049
V-50643

Rule IDs

SV-209049r505921_rule
SV-64849

Unencrypted passwords for remote FTP servers may be stored in ".netrc" files. DoD policy requires passwords be encrypted in storage and not used in access scripts.

Checks: C-9302r357932_chk

To check the system for the existence of any ".netrc" files, run the following command: $ sudo find /root /home -xdev -name .netrc If any .netrc files exist, this is a finding.

Fix: F-9302r357933_fix

The ".netrc" files contain login information used to auto-login into FTP servers and reside in the user's home directory. These files may contain unencrypted passwords to remote FTP servers making them susceptible to access by unauthorized users and should not be used. Any ".netrc" files should be removed.

The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.

AC-8 - Medium - CCI-000048 - V-209050 - SV-209050r505921_rule

RMF Control

AC-8

Severity

CCI

CCI-000048

Version

OL6-00-000348

Vuln IDs

V-209050
V-50641

Rule IDs

SV-209050r505921_rule
SV-64847

This setting will cause the system greeting banner to be used for FTP connections as well.

Checks: C-9303r357935_chk

Verify the "vsftpd" package is installed: # rpm -qa | grep -i vsftpd vsftpd-3.0.2-22.e16.x86_64 If the "vsftpd" package is not installed, this is Not Applicable. To verify this configuration, run the following command: grep "banner_file" /etc/vsftpd/vsftpd.conf The output should show the value of "banner_file" is set to "/etc/issue", an example of which is shown below. # grep "banner_file" /etc/vsftpd/vsftpd.conf banner_file=/etc/issue If it does not, this is a finding.

Fix: F-9303r357936_fix

Edit the vsftpd configuration file, which resides at "/etc/vsftpd/vsftpd.conf" by default. Add or correct the following configuration options. banner_file=/etc/issue Restart the vsftpd daemon. # service vsftpd restart

The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.

IA-2 - Medium - CCI-000765 - V-209051 - SV-209051r505921_rule

RMF Control

IA-2

Severity

CCI

CCI-000765

Version

OL6-00-000349

Vuln IDs

V-209051
V-50639

Rule IDs

SV-209051r505921_rule
SV-64845

Smart card login provides two-factor authentication stronger than that provided by a username/password combination. Smart cards leverage a PKI (public key infrastructure) in order to provide and verify credentials.

Checks: C-9304r357938_chk

Interview the SA to determine if all accounts not exempted by policy are using CAC authentication. For DoD systems, the following systems and accounts are exempt from using smart card (CAC) authentication: Standalone systems Application accounts Temporary employee accounts, such as students or interns, who cannot easily receive a CAC or PIV Operational tactical locations that are not collocated with RAPIDS workstations to issue CAC or ALT Test systems, such as those with an Interim Approval to Test (IATT) and use a separate VPN, firewall, or security measure preventing access to network and system components from outside the protection boundary documented in the IATT. If non-exempt accounts are not using CAC authentication, this is a finding.

Fix: F-9304r357939_fix

To enable smart card authentication, consult the documentation at: https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/enabling-smart-card-login.html For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273

The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access.

CM-6 - Medium - CCI-000366 - V-209052 - SV-209052r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000372

Vuln IDs

V-209052
V-59375

Rule IDs

SV-209052r505921_rule
SV-73805

Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.

Checks: C-9305r357941_chk

To ensure that last logon/access notification is configured correctly, run the following command: # grep pam_lastlog.so /etc/pam.d/system-auth The output should show output "showfailed". If that is not the case, this is a finding.

Fix: F-9305r357942_fix

To configure the system to notify users of last logon/access using "pam_lastlog", add the following line immediately after "session required pam_limits.so": session required pam_lastlog.so showfailed

Audit log files must have mode 0640 or less permissive.

AU-9 - Medium - CCI-000163 - V-209053 - SV-209053r505921_rule

RMF Control

AU-9

Severity

CCI

CCI-000163

Version

OL6-00-000383

Vuln IDs

V-209053
V-50631

Rule IDs

SV-209053r505921_rule
SV-64837

If users can write to audit logs, audit trails can be modified or destroyed.

Checks: C-9306r357944_chk

Run the following command to check the mode of the system audit logs: grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//|xargs stat -c %a:%n Audit logs must be mode 0640 or less permissive. If any are more permissive, this is a finding.

Fix: F-9306r357945_fix

Change the mode of the audit log files with the following command: # chmod 0640 [audit_file]

Audit log files must be owned by root.

AU-9 - Medium - CCI-000162 - V-209054 - SV-209054r505921_rule

RMF Control

AU-9

Severity

CCI

CCI-000162

Version

OL6-00-000384

Vuln IDs

V-209054
V-50629

Rule IDs

SV-209054r505921_rule
SV-64835

If non-privileged users can write to audit logs, audit trails can be modified or destroyed.

Checks: C-9307r357947_chk

Run the following command to check the owner of the system audit logs: grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//|xargs stat -c %U:%n Audit logs must be owned by root. If they are not, this is a finding.

Fix: F-9307r357948_fix

Change the owner of the audit log files with the following command: # chown root [audit_file]

Audit log directories must have mode 0755 or less permissive.

AU-9 - Medium - CCI-000164 - V-209055 - SV-209055r505921_rule

RMF Control

AU-9

Severity

CCI

CCI-000164

Version

OL6-00-000385

Vuln IDs

V-209055
V-50627

Rule IDs

SV-209055r505921_rule
SV-64833

If users can delete audit logs, audit trails can be modified or destroyed.

Checks: C-9308r357950_chk

Run the following command to check the mode of the system audit directories: grep "^log_file" /etc/audit/auditd.conf|sed 's/^[^/]*//; s/[^/]*$//'|xargs stat -c %a:%n Audit directories must be mode 0755 or less permissive. If any are more permissive, this is a finding.

Fix: F-9308r357951_fix

Change the mode of the audit log directories with the following command: # chmod go-w [audit_directory]

The operating system, upon successful logon, must display to the user the date and time of the last logon or access via ssh.

AC-9 - Medium - CCI-000052 - V-209056 - SV-209056r505921_rule

RMF Control

AC-9

Severity

CCI

CCI-000052

Version

OL6-00-000507

Vuln IDs

V-209056
V-50609

Rule IDs

SV-209056r505921_rule
SV-64815

Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. At ssh login, a user must be presented with the last successful login date and time.

Checks: C-9309r357953_chk

Verify the value associated with the "PrintLastLog" keyword in /etc/ssh/sshd_config: # grep -i "^PrintLastLog" /etc/ssh/sshd_config If the "PrintLastLog" keyword is not present, this is not a finding. If the value is not set to "yes", this is a finding.

Fix: F-9309r357954_fix

Update the "PrintLastLog" keyword to "yes" in /etc/ssh/sshd_config: PrintLastLog yes While it is acceptable to remove the keyword entirely since the default action for the SSH daemon is to print the last login date and time, it is preferred to have the value explicitly documented.

The system must allow locking of graphical desktop sessions.

AC-11 - Low - CCI-000058 - V-209057 - SV-209057r505921_rule

RMF Control

AC-11

Severity

CCI

CCI-000058

Version

OL6-00-000508

Vuln IDs

V-209057
V-50607

Rule IDs

SV-209057r505921_rule
SV-64813

The ability to lock graphical desktop sessions manually allows users to easily secure their accounts should they need to depart from their workstations temporarily.

Checks: C-9310r357956_chk

If the GConf2 package is not installed, this is not applicable. Verify the keybindings for the Gnome screensaver: # gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome_settings_daemon/keybindings/screensaver If no output is visible, this is a finding.

Fix: F-9310r357957_fix

Run the following command to set the Gnome desktop keybinding for locking the screen: # gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type string \ --set /apps/gnome_settings_daemon/keybindings/screensaver "<Control><Alt>l" Another keyboard sequence may be substituted for "<Control><Alt>l", which is the default for the Gnome desktop.

The audit system must take appropriate action when the audit storage volume is full.

AU-5 - Medium - CCI-000140 - V-209058 - SV-209058r505921_rule

RMF Control

AU-5

Severity

CCI

CCI-000140

Version

OL6-00-000510

Vuln IDs

V-209058
V-50601

Rule IDs

SV-209058r505921_rule
SV-64807

Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.

Checks: C-9311r357959_chk

Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to take appropriate action when the audit storage volume is full: # grep disk_full_action /etc/audit/auditd.conf disk_full_action = [ACTION] If the system is configured to "suspend" when the volume is full or "ignore" that it is full, this is a finding.

Fix: F-9311r357960_fix

The "auditd" service can be configured to take an action when disk space starts to run low. Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [ACTION] appropriately: disk_full_action = [ACTION] Possible values for [ACTION] are described in the "auditd.conf" man page. These include: "ignore" "syslog" "exec" "suspend" "single" "halt" Set this to "syslog", "exec", "single", or "halt".

The audit system must take appropriate action when there are disk errors on the audit storage volume.

AU-5 - Medium - CCI-000140 - V-209059 - SV-209059r505921_rule

RMF Control

AU-5

Severity

CCI

CCI-000140

Version

OL6-00-000511

Vuln IDs

V-209059
V-50599

Rule IDs

SV-209059r505921_rule
SV-64805

Taking appropriate action in case of disk errors will minimize the possibility of losing audit records.

Checks: C-9312r357962_chk

Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to take appropriate action when disk errors occur: # grep disk_error_action /etc/audit/auditd.conf disk_error_action = [ACTION] If the system is configured to "suspend" when disk errors occur or "ignore" them, this is a finding.

Fix: F-9312r357963_fix

Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [ACTION] appropriately: disk_error_action = [ACTION] Possible values for [ACTION] are described in the "auditd.conf" man page. These include: "ignore" "syslog" "exec" "suspend" "single" "halt" Set this to "syslog", "exec", "single", or "halt".

The NFS server must not have the all_squash option enabled.

IA-2 - Low - CCI-000764 - V-209060 - SV-209060r505921_rule

RMF Control

IA-2

Severity

CCI

CCI-000764

Version

OL6-00-000515

Vuln IDs

V-209060
V-50595

Rule IDs

SV-209060r505921_rule
SV-64801

The "all_squash" option maps all client requests to a single anonymous uid/gid on the NFS server, negating the ability to track file access by user ID.

Checks: C-9313r357965_chk

If the NFS server is read-only, in support of unrestricted access to organizational content, this is not applicable. The related "root_squash" option provides protection against remote administrator-level access to NFS server content. Its use is not a finding. To verify the "all_squash" option has been disabled, run the following command: # grep all_squash /etc/exports If there is output, this is a finding.

Fix: F-9313r357966_fix

Remove any instances of the "all_squash" option from the file "/etc/exports". Restart the NFS daemon for the changes to take effect. # service nfs restart

The system package management tool must verify ownership on all files and directories associated with packages.

CM-6 - Low - CCI-000366 - V-209061 - SV-209061r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000516

Vuln IDs

V-209061
V-50593

Rule IDs

SV-209061r505921_rule
SV-64799

Ownership of system binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.

Checks: C-9314r357968_chk

The following command will list which files on the system have ownership different from what is expected by the RPM database: # rpm -Va | grep '^.....U' If any output is produced, verify that the changes were due to STIG application and have been documented with the ISSO. If any output has not been documented with the ISSO, this is a finding.

Fix: F-9314r357969_fix

The RPM package management system can restore ownership of package files and directories. The following command will update files and directories with ownership different from what is expected by the RPM database: # rpm -qf [file or directory name] # rpm --setugids [package]

The system package management tool must verify group-ownership on all files and directories associated with packages.

CM-6 - Low - CCI-000366 - V-209062 - SV-209062r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000517

Vuln IDs

V-209062
V-50591

Rule IDs

SV-209062r505921_rule
SV-64797

Group-ownership of system binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The group-ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.

Checks: C-9315r357971_chk

The following command will list which files on the system have group-ownership different from what is expected by the RPM database: # rpm -Va | grep '^......G' If any output is produced, verify that the changes were due to STIG application and have been documented with the ISSO. If any output has not been documented with the ISSO, this is a finding.

Fix: F-9315r357972_fix

The RPM package management system can restore group-ownership of the package files and directories. The following command will update files and directories with group-ownership different from what is expected by the RPM database: # rpm -qf [file or directory name] # rpm --setugids [package]

The system package management tool must verify permissions on all files and directories associated with packages.

CM-6 - Low - CCI-000366 - V-209063 - SV-209063r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000518

Vuln IDs

V-209063
V-50539

Rule IDs

SV-209063r505921_rule
SV-64745

Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.

Checks: C-9316r357974_chk

The following command will list which files and directories on the system have permissions different from what is expected by the RPM database: # rpm -Va | grep '^.M' If there is any output, for each file or directory found, find the associated RPM package and compare the RPM-expected permissions with the actual permissions on the file or directory: # rpm -qf [file or directory name] # rpm -q --queryformat "[%{FILENAMES} %{FILEMODES:perms}\n]" [package] | grep [filename] # ls -dlL [filename] If the existing permissions are more permissive than those expected by RPM, this is a finding.

Fix: F-9316r357975_fix

The RPM package management system can restore file access permissions of package files and directories. The following command will update permissions on files and directories with permissions different from what is expected by the RPM database: # rpm --setperms [package]

The system package management tool must verify contents of all files associated with packages.

CM-6 - Low - CCI-000366 - V-209064 - SV-209064r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000519

Vuln IDs

V-209064
V-50535

Rule IDs

SV-209064r505921_rule
SV-64741

The hash on important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.

Checks: C-9317r357977_chk

The following command will list which files on the system have file hashes different from what is expected by the RPM database. # rpm -Va | awk '$1 ~ /..5/ && $2 != "c"' If any output is produced, verify that the changes were due to STIG application and have been documented with the ISSO. If any output has not been documented with the ISSO, this is a finding.

Fix: F-9317r357978_fix

The RPM package management system can check the hashes of installed software packages, including many that are important to system security. Run the following command to list which files on the system have hashes that differ from what is expected by the RPM database: # rpm -Va | grep '^..5' A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file that has changed was not expected to then refresh from distribution media or online repositories. rpm -Uvh [affected_package] OR yum reinstall [affected_package]

The mail system must forward all mail for root to one or more system administrators.

CM-6 - Medium - CCI-000366 - V-209065 - SV-209065r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000521

Vuln IDs

V-209065
V-50525

Rule IDs

SV-209065r505921_rule
SV-64731

A number of system services utilize email messages sent to the root user to notify system administrators of active or impending issues. These messages must be forwarded to at least one monitored email address.

Checks: C-9318r357980_chk

Find the list of alias maps used by the Postfix mail server: # postconf alias_maps Query the Postfix alias maps for an alias for "root": # postmap -q root hash:/etc/aliases If there are no aliases configured for root that forward to a monitored email address, this is a finding.

Fix: F-9318r357981_fix

Set up an alias for root that forwards to a monitored email address: # echo "root: <system.administrator>@mail.mil" >> /etc/aliases # newaliases

Audit log files must be group-owned by root.

AU-9 - Medium - CCI-000162 - V-209066 - SV-209066r505921_rule

RMF Control

AU-9

Severity

CCI

CCI-000162

Version

OL6-00-000522

Vuln IDs

V-209066
V-50523

Rule IDs

SV-209066r505921_rule
SV-64729

If non-privileged users can write to audit logs, audit trails can be modified or destroyed.

Checks: C-9319r357983_chk

Run the following command to check the group owner of the system audit logs: grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//|xargs stat -c %G:%n Audit logs must be group-owned by root. If they are not, this is a finding.

Fix: F-9319r357984_fix

Change the group owner of the audit log files with the following command: # chgrp root [audit_file]

The system must provide automated support for account management functions.

AC-2 - Medium - CCI-000015 - V-209067 - SV-209067r505921_rule

RMF Control

AC-2

Severity

CCI

CCI-000015

Version

OL6-00-000524

Vuln IDs

V-209067
V-50519

Rule IDs

SV-209067r505921_rule
SV-64725

A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. Enterprise environments make user account management challenging and complex. A user management process requiring administrators to manually address account management functions adds risk of potential oversight.

Checks: C-9320r357986_chk

Interview the SA to determine if there is an automated system for managing user accounts, preferably integrated with an existing enterprise user management system. If there is not, this is a finding.

Fix: F-9320r357987_fix

Implement an automated system for managing user accounts that minimizes the risk of errors, either intentional or deliberate. If possible, this system should integrate with an existing enterprise user management system, such as, one based Active Directory or Kerberos.

Auditing must be enabled at boot by setting a kernel parameter.

AU-12 - Low - CCI-000169 - V-209068 - SV-209068r505921_rule

RMF Control

AU-12

Severity

CCI

Version

OL6-00-000525

Vuln IDs

V-209068
V-50517

Rule IDs

SV-209068r505921_rule
SV-64723

Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although "auditd" takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.

Checks: C-9321r357989_chk

Inspect the kernel boot arguments (which follow the word "kernel") in "/etc/grub.conf". If they include "audit=1", then auditing is enabled at boot time. If auditing is not enabled at boot time, this is a finding.

Fix: F-9321r357990_fix

To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument "audit=1" to the kernel line in "/boot/grub/grub.conf", in the manner below: kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1 UEFI systems may prepend "/boot" to the "/vmlinuz-version" argument.

Automated file system mounting tools must not be enabled unless needed.

CM-6 - Low - CCI-000366 - V-209069 - SV-209069r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000526

Vuln IDs

V-209069
V-50515

Rule IDs

SV-209069r505921_rule
SV-64721

All filesystems that are required for the successful operation of the system should be explicitly listed in "/etc/fstab" by an administrator. New filesystems should not be arbitrarily introduced via the automounter. The "autofs" daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as "/misc/cd". However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it is almost always possible to configure filesystem mounts statically by editing "/etc/fstab" rather than relying on the automounter.

Checks: C-9322r357992_chk

To verify the "autofs" service is disabled, run the following command: chkconfig --list autofs If properly configured, the output should be the following: autofs 0:off 1:off 2:off 3:off 4:off 5:off 6:off Verify the "autofs" service is not running: # service autofs status If the autofs service is enabled or running, this is a finding.

Fix: F-9322r357993_fix

If the "autofs" service is not needed to dynamically mount NFS filesystems or removable media, disable the service for all runlevels: # chkconfig --level 0123456 autofs off Stop the service if it is already running: # service autofs stop

The login user list must be disabled.

CM-6 - Medium - CCI-000366 - V-209070 - SV-209070r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000527

Vuln IDs

V-209070
V-59377

Rule IDs

SV-209070r505921_rule
SV-73807

Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to quickly enumerate known user accounts without logging in.

Checks: C-9323r357995_chk

If the GConf2 package is not installed, this is not applicable. To ensure the user list is disabled, run the following command: $ gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --get /apps/gdm/simple-greeter/disable_user_list The output should be "true". If it is not, this is a finding.

Fix: F-9323r357996_fix

In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This functionality should be disabled. Run the following command to disable the user list: $ sudo gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool --set /apps/gdm/simple-greeter/disable_user_list true

The noexec option must be added to the /tmp partition.

CM-6 - Medium - CCI-000366 - V-209071 - SV-209071r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000528

Vuln IDs

V-209071
V-59379

Rule IDs

SV-209071r505921_rule
SV-73809

Allowing users to execute binaries from world-writable directories such as "/tmp" should never be necessary in normal operation and can expose the system to potential compromise.

Checks: C-9324r357998_chk

To verify that binaries cannot be directly executed from the /tmp directory, run the following command: $ grep '\s/tmp' /etc/fstab The resulting output will show whether the /tmp partition has the "noexec" flag set. If the /tmp partition does not have the noexec flag set, this is a finding.

Fix: F-9324r357999_fix

The "noexec" mount option can be used to prevent binaries from being executed out of "/tmp". Add the "noexec" option to the fourth column of "/etc/fstab" for the line which controls mounting of "/tmp".

The sudo command must require authentication.

IA-11 - Medium - CCI-002038 - V-209072 - SV-209072r505921_rule

RMF Control

IA-11

Severity

CCI

CCI-002038

Version

OL6-00-000529

Vuln IDs

V-209072
V-60819

Rule IDs

SV-209072r505921_rule
SV-75275

The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts.

Checks: C-9325r499660_chk

Verify neither the "NOPASSWD" option nor the "!authenticate" option is configured for use in "/etc/sudoers" and associated files. Note that the "#include" and "#includedir" directives may be used to include configuration data from locations other than the defaults enumerated here. # egrep '^[^#]*NOPASSWD' /etc/sudoers /etc/sudoers.d/* # egrep '^[^#]*!authenticate' /etc/sudoers /etc/sudoers.d/* If any occurrences of "NOPASSWD" or “!authenticate” are returned from these commands and have not been documented with the ISSO as an organizationally defined administrative group utilizing MFA, this is a finding.

Fix: F-9325r499661_fix

Update the "/etc/sudoers" or other sudo configuration files to remove or comment out lines utilizing the "NOPASSWD" and "!authenticate" options. # visudo # visudo -f [other sudo configuration file]

The Oracle Linux operating system must mount /dev/shm with the nodev option.

CM-7 - Low - CCI-001764 - V-209073 - SV-209073r505921_rule

RMF Control

CM-7

Severity

CCI

CCI-001764

Version

OL6-00-000530

Vuln IDs

V-209073
V-81457

Rule IDs

SV-209073r505921_rule
SV-96171

The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.

Checks: C-9326r358004_chk

Verify that the "nodev" option is configured for /dev/shm. Check that the operating system is configured to use the "nodev" option for /dev/shm with the following command: # cat /etc/fstab | grep /dev/shm | grep nodev tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 If the "nodev" option is not present on the line for "/dev/shm", this is a finding. Verify "/dev/shm" is mounted with the "nodev" option: # mount | grep "/dev/shm" | grep nodev If no results are returned, this is a finding.

Fix: F-9326r358005_fix

Configure the "/etc/fstab" to use the "nodev" option for all lines containing "/dev/shm".

The Oracle Linux operating system must mount /dev/shm with the nosuid option.

CM-7 - Low - CCI-001764 - V-209074 - SV-209074r505921_rule

RMF Control

CM-7

Severity

CCI

CCI-001764

Version

OL6-00-000531

Vuln IDs

V-209074
V-81459

Rule IDs

SV-209074r505921_rule
SV-96173

The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.

Checks: C-9327r358007_chk

Verify that the "nosuid" option is configured for /dev/shm. Check that the operating system is configured to use the "nosuid" option for /dev/shm with the following command: # cat /etc/fstab | grep /dev/shm | grep nosuid tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 If the "nosuid" option is not present on the line for "/dev/shm", this is a finding. Verify "/dev/shm" is mounted with the "nosuid" option: # mount | grep "/dev/shm" | grep nosuid If no results are returned, this is a finding.

Fix: F-9327r358008_fix

Configure the "/etc/fstab" to use the "nosuid" option for all lines containing "/dev/shm".

The Oracle Linux operating system must mount /dev/shm with the noexec option.

CM-7 - Low - CCI-001764 - V-209075 - SV-209075r505921_rule

RMF Control

CM-7

Severity

CCI

CCI-001764

Version

OL6-00-000532

Vuln IDs

V-209075
V-81461

Rule IDs

SV-209075r505921_rule
SV-96175

The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.

Checks: C-9328r358010_chk

Verify that the "noexec" option is configured for /dev/shm. Check that the operating system is configured to use the "noexec" option for /dev/shm with the following command: # cat /etc/fstab | grep /dev/shm | grep noexec tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 If the "noexec" option is not present on the line for "/dev/shm", this is a finding. Verify "/dev/shm" is mounted with the "noexec" option: # mount | grep "/dev/shm" | grep noexec If no results are returned, this is a finding.

Fix: F-9328r358011_fix

Configure the "/etc/fstab" to use the "noexec" option for all lines containing "/dev/shm".

The Oracle Linux 6 operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

SC-13 - High - CCI-002450 - V-209076 - SV-209076r505921_rule

RMF Control

SC-13

Severity

CCI

CCI-002450

Version

OL6-00-000534

Vuln IDs

V-209076
V-97233

Rule IDs

SV-209076r505921_rule
SV-106371

Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223

Checks: C-9329r462525_chk

Verify the operating system implements DoD-approved encryption to protect the confidentiality of remote access sessions. Check to see if the "dracut-fips" package is installed with the following command: # yum list installed dracut-fips dracut-fips-004-411.el6.noarch.rpm If a "dracut-fips" package is installed, check to see if the kernel command line is configured to use FIPS mode with the following command: # grep fips /boot/grub/grub.conf kernel /boot/vmlinuz-4.1.12-124.18.5.el6uek.x86_64 ro root=/dev/mapper/VolGroup-lv_root rd_NO_LUKS KEYBOARDTYPE=pc KEYTABLE=uk LANG=en_US.UTF-8 rd_NO_MD rd_LVM_LV=VolGroup/lv_swap SYSFONT=latarcyrheb-sun16 rd_LVM_LV=VolGroup/lv_root rd_NO_DM rhgb quiet fips=1 boot=/dev/sda1 If the kernel command line is configured to use FIPS mode, check to see if the system is in FIPS mode with the following command: # cat /proc/sys/crypto/fips_enabled 1 If a "dracut-fips" package is not installed, the kernel command line does not have a fips entry, or the system has a value of "0" for "fips_enabled" in "/proc/sys/crypto", this is a finding.

Fix: F-9329r462526_fix

Configure the operating system to implement DoD-approved encryption by installing the dracut-fips package. To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel command line during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Configure the operating system to implement DoD-approved encryption by following the steps below: The fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users should also ensure that the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a non-unique key. Install the dracut-fips package with the following command: # yum install dracut-fips Existing prelinking, if any, should be undone on all system files using the following command: # prelink -u -a Recreate the "initramfs" file with the following command: Note: This command will overwrite the existing "initramfs" file. # dracut -f Modify the kernel command line of the current kernel in the "grub.conf" file by adding the following option to the "grub.conf" file: fips=1 If /boot or /boot/efi reside on separate partitions, the kernel parameter boot=<partition of /boot or /boot/efi> must be added to the kernel command line. You can identify a partition by running the df /boot or df /boot/efi command: # df /boot Filesystem 1K-blocks Used Available Use% Mounted on /dev/sda1 495844 53780 416464 12% /boot To ensure the "boot=" configuration option will work even if device naming changes occur between boots, identify the universally unique identifier (UUID) of the partition with the following command: # blkid /dev/sda1 /dev/sda1: UUID="05c000f1-a213-759e-c7a2-f11b7424c797" TYPE="ext4" For the example above, append the following string to the kernel command line: boot=UUID=05c000f1-a213-759e-c7a2-f11b7424c797 Reboot the system for the changes to take effect.

The system must use a separate file system for the system audit data path.

CM-6 - Low - CCI-000366 - V-219541 - SV-219541r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000004

Vuln IDs

V-219541
V-50661

Rule IDs

SV-219541r505921_rule
SV-64867

Placing "/var/log/audit" in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.

Checks: C-21266r358163_chk

Run the following command to determine if "/var/log/audit" is on its own partition or logical volume: $ mount | grep "on /var/log/audit " If "/var/log/audit" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding.

Fix: F-21265r358164_fix

Audit logs are stored in the "/var/log/audit" directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.

The audit system must alert designated staff members when the audit storage volume approaches capacity.

AU-5 - Medium - CCI-001855 - V-219542 - SV-219542r505921_rule

RMF Control

AU-5

Severity

CCI

CCI-001855

Version

OL6-00-000005

Vuln IDs

V-219542
V-50671

Rule IDs

SV-219542r505921_rule
SV-64877

Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.

Checks: C-21267r358166_chk

Inspect '/etc/audit/auditd.conf' and locate the following line to determine if the system is configured to email the administrator when disk space is starting to run low: # grep space_left_action /etc/audit/auditd.conf space_left_action = email If the system is not configured to send an email to the system administrator when disk space is starting to run low, this is a finding. The 'syslog' option is acceptable when it can be demonstrated that the local log management infrastructure notifies an appropriate administrator in a timely manner.

Fix: F-21266r358167_fix

The 'auditd' service can be configured to take an action when disk space starts to run low. Edit the file '/etc/audit/auditd.conf'. Modify the following line, substituting [ACTION] appropriately: space_left_action = [ACTION] Possible values for [ACTION] are described in the 'auditd.conf' man page. These include: 'ignore', 'syslog', 'email', 'exec', 'suspend', 'single', and 'halt'. Set this to 'email' (instead of the default, which is 'suspend') as it is more likely to get prompt attention. The 'syslog' option is acceptable, provided the local log management infrastructure notifies an appropriate administrator in a timely manner. OL6-00-000521 ensures that the email generated through the operation "space_left_action" will be sent to an administrator.

Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.

CM-5 - High - CCI-001749 - V-219543 - SV-219543r505921_rule

RMF Control

CM-5

Severity

CCI

CCI-001749

Version

OL6-00-000008

Vuln IDs

V-219543
V-50689

Rule IDs

SV-219543r505921_rule
SV-64895

This key is necessary to cryptographically verify packages that packages are from the operating system vendor.

Checks: C-21268r358169_chk

To ensure that the GPG key is installed, run: # rpm -qi gpg-pubkey-ec551f03 | gpg --keyid-format long | grep oracle.com | cut -f3 -d" " |cut -f2 -d"/" The command should return the string below: 72F97B74EC551F03 If the operating system vendor GPG Key is not installed, this is a finding.

Fix: F-21267r358170_fix

To ensure the system can cryptographically verify the software packages come from the operating system vendor (and connect to the vendor's network software repository to receive them if desired), the vendor GPG key must properly be installed. To ensure the GPG key is installed, run: # wget http://public-yum.oracle.com/RPM-GPG-KEY-oracle-ol6 # rpm --import RPM-GPG-KEY-oracle-ol6

The system package management tool must cryptographically verify the authenticity of system software packages during installation.

CM-5 - Medium - CCI-001749 - V-219544 - SV-219544r505921_rule

RMF Control

CM-5

Severity

CCI

CCI-001749

Version

OL6-00-000013

Vuln IDs

V-219544
V-50701

Rule IDs

SV-219544r505921_rule
SV-64907

Ensuring the validity of packages' cryptographic signatures prior to installation ensures the provenance of the software and protects against malicious tampering.

Checks: C-21269r358172_chk

To determine whether "yum" is configured to use "gpgcheck", inspect "/etc/yum.conf" and ensure the following appears in the "[main]" section: gpgcheck=1 A value of "1" indicates that "gpgcheck" is enabled. Absence of a "gpgcheck" line or a setting of "0" indicates that it is disabled. If GPG checking is not enabled, this is a finding. If the "yum" system package management tool is not used to update the system, verify with the SA that installed packages are cryptographically signed.

Fix: F-21268r358173_fix

The "gpgcheck" option should be used to ensure checking of an RPM package's signature always occurs prior to its installation. To configure yum to check package signatures before installing them, ensure the following line appears in "/etc/yum.conf" in the "[main]" section: gpgcheck=1

The system package management tool must cryptographically verify the authenticity of all software packages during installation.

CM-5 - Low - CCI-001749 - V-219545 - SV-219545r505921_rule

RMF Control

CM-5

Severity

CCI

CCI-001749

Version

OL6-00-000015

Vuln IDs

V-219545
V-50709

Rule IDs

SV-219545r505921_rule
SV-64915

Ensuring all packages' cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering.

Checks: C-21270r358175_chk

To determine whether "yum" has been configured to disable "gpgcheck" for any repos, inspect all files in "/etc/yum.repos.d" and ensure the following does not appear in any sections: gpgcheck=0 A value of "0" indicates that "gpgcheck" has been disabled for that repo. If GPG checking is disabled, this is a finding. If the "yum" system package management tool is not used to update the system, verify with the SA that installed packages are cryptographically signed.

Fix: F-21269r358176_fix

To ensure signature checking is not disabled for any repos, remove any lines from files in "/etc/yum.repos.d" of the form: gpgcheck=0

A file integrity tool must be installed.

CM-3 - Medium - CCI-001744 - V-219546 - SV-219546r505921_rule

RMF Control

CM-3

Severity

CCI

Version

OL6-00-000016

Vuln IDs

V-219546
V-50715

Rule IDs

SV-219546r505921_rule
SV-64921

The AIDE package must be installed if it is to be available for integrity checking.

Checks: C-21271r358178_chk

If another file integrity tool is installed, this is not a finding. Run the following command to determine if the "aide" package is installed: # rpm -q aide If the package is not installed, this is a finding.

Fix: F-21270r358179_fix

Install the AIDE package with the command: # yum install aide

There must be no .rhosts or hosts.equiv files on the system.

CM-6 - High - CCI-000366 - V-219547 - SV-219547r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000019

Vuln IDs

V-219547
V-50719

Rule IDs

SV-219547r505921_rule
SV-64925

Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system.

Checks: C-21272r358181_chk

The existence of the file "/etc/hosts.equiv" or a file named ".rhosts" inside a user home directory indicates the presence of an Rsh trust relationship. If these files exist, this is a finding.

Fix: F-21271r358182_fix

The files "/etc/hosts.equiv" and "~/.rhosts" (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To remove these files, run the following command to delete them from any location. # rm /etc/hosts.equiv $ rm ~/.rhosts

The system must employ a local IPv6 firewall.

CM-6 - Medium - CCI-000366 - V-219548 - SV-219548r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000103

Vuln IDs

V-219548
V-50761

Rule IDs

SV-219548r505921_rule
SV-64967

The "ip6tables" service provides the system's host-based firewalling capability for IPv6 and ICMPv6.

Checks: C-21273r358184_chk

If the system is a cross-domain system, this is not applicable. If IPv6 is disabled, this is not applicable. Run the following command to determine the current status of the "ip6tables" service: # service ip6tables status If the service is not running, it should return the following: ip6tables: Firewall is not running. If the service is not running, this is a finding.

Fix: F-21272r358185_fix

The "ip6tables" service can be enabled with the following commands: # chkconfig ip6tables on # service ip6tables start

The operating system must connect to external networks or information systems only through managed IPv6 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

CM-6 - Medium - CCI-000366 - V-219549 - SV-219549r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000106

Vuln IDs

V-219549
V-50767

Rule IDs

SV-219549r505921_rule
SV-64973

The "ip6tables" service provides the system's host-based firewalling capability for IPv6 and ICMPv6.

Checks: C-21274r358187_chk

Fix: F-21273r358188_fix

The "ip6tables" service can be enabled with the following commands: # chkconfig ip6tables on # service ip6tables start

The operating system must prevent public IPv6 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.

CM-6 - Medium - CCI-000366 - V-219550 - SV-219550r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000107

Vuln IDs

V-219550
V-50781

Rule IDs

SV-219550r505921_rule
SV-64987

The "ip6tables" service provides the system's host-based firewalling capability for IPv6 and ICMPv6.

Checks: C-21275r358190_chk

Fix: F-21274r358191_fix

The "ip6tables" service can be enabled with the following commands: # chkconfig ip6tables on # service ip6tables start

The system must employ a local IPv4 firewall.

CM-6 - Medium - CCI-000366 - V-219551 - SV-219551r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000113

Vuln IDs

V-219551
V-50797

Rule IDs

SV-219551r505921_rule
SV-65003

The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP.

Checks: C-21276r358193_chk

If the system is a cross-domain system, this is not applicable. Run the following command to determine the current status of the "iptables" service: # service iptables status If the service is not running, it should return the following: iptables: Firewall is not running. If the service is not running, this is a finding.

Fix: F-21275r358194_fix

The "iptables" service can be enabled with the following commands: # chkconfig iptables on # service iptables start

The operating system must connect to external networks or information systems only through managed IPv4 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

CM-6 - Medium - CCI-000366 - V-219552 - SV-219552r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000116

Vuln IDs

V-219552
V-50903

Rule IDs

SV-219552r505921_rule
SV-65109

The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP.

Checks: C-21277r358196_chk

Fix: F-21276r358197_fix

The "iptables" service can be enabled with the following commands: # chkconfig iptables on # service iptables start

The operating system must prevent public IPv4 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.

CM-6 - Medium - CCI-000366 - V-219553 - SV-219553r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000117

Vuln IDs

V-219553
V-50979

Rule IDs

SV-219553r505921_rule
SV-65185

The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP.

Checks: C-21278r358199_chk

Fix: F-21277r358200_fix

The "iptables" service can be enabled with the following commands: # chkconfig iptables on # service iptables start

The systems local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets.

CM-6 - Medium - CCI-000366 - V-219554 - SV-219554r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000120

Vuln IDs

V-219554
V-50987

Rule IDs

SV-219554r505921_rule
SV-65193

In "iptables" the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to "DROP" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted.

Checks: C-21279r462334_chk

Inspect the file "/etc/sysconfig/iptables" to determine the default policy for the INPUT chain. It should be set to DROP. # grep ":INPUT" /etc/sysconfig/iptables If the default policy for the INPUT chain is not set to DROP, this is a finding.

Fix: F-21278r462335_fix

To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in "/etc/sysconfig/iptables": :INPUT DROP [0:0]

The operating system must support the requirement to centrally manage the content of audit records generated by organization defined information system components.

AU-4 - Medium - CCI-001851 - V-219555 - SV-219555r505921_rule

RMF Control

AU-4

Severity

CCI

CCI-001851

Version

OL6-00-000137

Vuln IDs

V-219555
V-51019

Rule IDs

SV-219555r505921_rule
SV-65225

Checks: C-21280r462337_chk

Fix: F-21279r462338_fix

The audit system must be configured to audit all use of setuid and setgid programs.

AC-6 - Low - CCI-002234 - V-219556 - SV-219556r505921_rule

RMF Control

AC-6

Severity

CCI

CCI-002234

Version

OL6-00-000198

Vuln IDs

V-219556
V-51141

Rule IDs

SV-219556r505921_rule
SV-65351

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Checks: C-21281r358208_chk

To verify that auditing of privileged command use is configured, run the following command once for each local partition [PART] to find relevant setuid / setgid programs: $ sudo find [PART] -xdev -type f -perm /6000 2>/dev/null Run the following command to verify entries in the audit rules for all programs found with the previous command: $ sudo grep path /etc/audit/audit.rules It should be the case that all relevant setuid / setgid programs have a line in the audit rules. If that is not the case, this is a finding.

Fix: F-21280r358209_fix

At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition [PART]: $ sudo find [PART] -xdev -type f -perm /6000 2>/dev/null Then, for each setuid / setgid program on the system, add a line of the following form to "/etc/audit/audit.rules", where [SETUID_PROG_PATH] is the full path to each setuid / setgid program in the list: -a always,exit -F path=[SETUID_PROG_PATH] -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged

The telnet daemon must not be running.

CM-7 - High - CCI-000381 - V-219557 - SV-219557r505921_rule

RMF Control

CM-7

Severity

CCI

Version

OL6-00-000211

Vuln IDs

V-219557
V-50553

Rule IDs

SV-219557r505921_rule
SV-64759

The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks. Mitigation: If an enabled telnet daemon is configured to only allow encrypted sessions, such as with Kerberos or the use of encrypted network tunnels, the risk of exposing sensitive information is mitigated.

Checks: C-21282r462340_chk

To check that the "telnet" service is disabled in system boot configuration, run the following command: # chkconfig "telnet" --list Output should indicate the "telnet" service has either not been installed, or has been disabled, as shown in the example below: # chkconfig "telnet" --list telnet off OR error reading information on service telnet: No such file or directory If the service is running, this is a finding.

Fix: F-21281r462341_fix

The "telnet" service can be disabled with the following command: # chkconfig telnet off

The rlogind service must not be running.

CM-7 - High - CCI-000381 - V-219558 - SV-219558r505921_rule

RMF Control

CM-7

Severity

CCI

Version

OL6-00-000218

Vuln IDs

V-219558
V-50561

Rule IDs

SV-219558r505921_rule
SV-64767

The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.

Checks: C-21283r358214_chk

To check that the "rlogin" service is disabled in system boot configuration, run the following command: # chkconfig "rlogin" --list Output should indicate the "rlogin" service has either not been installed, or has been disabled, as shown in the example below: # chkconfig "rlogin" --list rlogin off OR error reading information on service rlogin: No such file or directory If the service is running, this is a finding.

Fix: F-21282r358215_fix

The "rlogin" service, which is available with the "rsh-server" package and runs as a service through xinetd, should be disabled. The "rlogin" service can be disabled with the following command: # chkconfig rlogin off

The TFTP service must not be running.

CM-7 - Medium - CCI-000381 - V-219559 - SV-219559r505921_rule

RMF Control

CM-7

Severity

CCI

Version

OL6-00-000223

Vuln IDs

V-219559
V-50569

Rule IDs

SV-219559r505921_rule
SV-64775

Disabling the "tftp" service ensures the system is not acting as a tftp server, which does not provide encryption or authentication.

Checks: C-21284r358217_chk

To check that the "tftp" service is disabled in system boot configuration, run the following command: # chkconfig "tftp" --list Output should indicate the "tftp" service has either not been installed, or has been disabled, as shown in the example below: # chkconfig "tftp" --list tftp off OR error reading information on service tftp: No such file or directory If the service is running, this is a finding.

Fix: F-21283r358218_fix

The "tftp" service should be disabled. The "tftp" service can be disabled with the following command: # chkconfig tftp off

The SSH daemon must be configured to use only the SSHv2 protocol.

IA-5 - High - CCI-000197 - V-219560 - SV-219560r505921_rule

RMF Control

IA-5

Severity

CCI

CCI-000197

Version

OL6-00-000227

Vuln IDs

V-219560
V-50573

Rule IDs

SV-219560r505921_rule
SV-64779

SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used.

Checks: C-21285r358220_chk

To check which SSH protocol version is allowed, run the following command: # grep Protocol /etc/ssh/sshd_config If configured properly, output should be Protocol 2 If it is not, this is a finding.

Fix: F-21284r358221_fix

Only SSH protocol version 2 connections should be permitted. The default setting in "/etc/ssh/sshd_config" is correct, and can be verified by ensuring that the following line appears: Protocol 2

The SSH daemon must be configured to use only FIPS 140-2 approved ciphers.

AC-17 - Medium - CCI-001453 - V-219561 - SV-219561r505921_rule

RMF Control

AC-17

Severity

CCI

Version

OL6-00-000243

Vuln IDs

V-219561
V-50807

Rule IDs

SV-219561r505921_rule
SV-65013

Approved algorithms should impart some level of confidence in their implementation. These are also required for compliance.

Checks: C-21286r358223_chk

Only FIPS-approved ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command: # grep -i Ciphers /etc/ssh/sshd_config Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc If any ciphers listed are not FIPS-approved, this is a finding.

Fix: F-21285r358224_fix

Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in "/etc/ssh/sshd_config" demonstrates use of FIPS-approved ciphers: Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc Note: The man page "sshd_config(5)" contains a list of supported ciphers.

The system clock must be synchronized continuously, or at least daily.

AU-8 - Medium - CCI-001891 - V-219562 - SV-219562r505921_rule

RMF Control

AU-8

Severity

CCI

CCI-001891

Version

OL6-00-000247

Vuln IDs

V-219562
V-50811

Rule IDs

SV-219562r505921_rule
SV-65017

Enabling the "ntpd" service ensures that the "ntpd" service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches.

Checks: C-21287r462343_chk

Run the following command to determine the current status of the "ntpd" service: # service ntpd status If the service is enabled, it should return the following: ntpd is running... If the service is not running, this is a finding.

Fix: F-21286r462344_fix

The "ntpd" service can be enabled with the following command: # chkconfig ntpd on # service ntpd start

The system clock must be synchronized to an authoritative DoD time source.

AU-8 - Medium - CCI-001891 - V-219563 - SV-219563r505921_rule

RMF Control

AU-8

Severity

CCI

CCI-001891

Version

OL6-00-000248

Vuln IDs

V-219563
V-50813

Rule IDs

SV-219563r505921_rule
SV-65019

Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events. Using a trusted NTP server provided by your organization is recommended.

Checks: C-21288r358229_chk

A remote NTP server should be configured for time synchronization. To verify one is configured, open the following file. /etc/ntp.conf In the file, there should be a section similar to the following: # --- OUR TIMESERVERS ----- server [ntpserver] If this is not the case, this is a finding.

Fix: F-21287r358230_fix

To specify a remote NTP server for time synchronization, edit the file "/etc/ntp.conf". Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver. server [ntpserver] This instructs the NTP software to contact that remote server to obtain time data.

The LDAP client must use a TLS connection using trust certificates signed by the site CA.

AC-17 - Medium - CCI-001453 - V-219564 - SV-219564r505921_rule

RMF Control

AC-17

Severity

CCI

Version

OL6-00-000253

Vuln IDs

V-219564
V-50819

Rule IDs

SV-219564r505921_rule
SV-65025

The tls_cacertdir or tls_cacertfile directives are required when tls_checkpeer is configured (which is the default for openldap versions 2.1 and up). These directives define the path to the trust certificates signed by the site CA.

Checks: C-21289r358232_chk

If the system does not use LDAP for authentication or account information, this is not applicable. To ensure TLS is configured with trust certificates, run the following command: # grep cert /etc/pam_ldap.conf If there is no output, or the lines are commented out, this is a finding.

Fix: F-21288r358233_fix

Ensure a copy of the site's CA certificate has been placed in the file "/etc/pki/tls/CA/cacert.pem". Configure LDAP to enforce TLS use and to trust certificates signed by the site's CA. First, edit the file "/etc/pam_ldap.conf", and add or correct either of the following lines: tls_cacertdir /etc/pki/tls/CA or tls_cacertfile /etc/pki/tls/CA/cacert.pem Then review the LDAP server and ensure TLS has been configured.

The noexec option must be added to removable media partitions.

CM-6 - Low - CCI-000366 - V-219565 - SV-219565r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000271

Vuln IDs

V-219565
V-50849

Rule IDs

SV-219565r505921_rule
SV-65055

Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise.

Checks: C-21290r358235_chk

Identify any removable media that is configured on the system: # cat /etc/fstab /dev/mapper/vg_rhel6-lv_root / ext4 defaults 1 1 UUID=0be9b205-f8e6-4bf4-b0ba-1f235fc55936 /boot ext4 defaults 1 2 UUID=5D49-30B2 /boot/efi vfat umask=0077,shortname=winnt 0 0 /dev/mapper/vg_rhel6-lv_home /home ext4 defaults 1 2 /dev/mapper/vg_rhel6-lv_tmp /tmp ext4 defaults 1 2 /dev/mapper/vg_rhel6-lv_var /var ext4 defaults 1 2 /dev/mapper/vg_rhel6-lv_swap swap swap defaults 0 0 tmpfs /dev/shm tmpfs defaults 0 0 devpts /dev/pts devpts gid=5,mode=620 0 0 sysfs /sys sysfs defaults 0 0 proc /proc proc defaults 0 0 /dev/sdc1 /media/usb vfat defaults,rw,noexec 0 0 If any of the identified removable media devices do not have "noexec" defined, this is a finding.

Fix: F-21289r358236_fix

The "noexec" mount option prevents the direct execution of binaries on the mounted filesystem. Users should not be allowed to execute binaries that exist on partitions mounted from removable media (such as a USB key). The "noexec" option prevents code from being executed directly from the media itself, and may therefore provide a line of defense against certain types of worms or malicious code. Add the "noexec" option to the fourth column of "/etc/fstab" for the line which controls mounting of any removable media partitions.

The operating system must employ cryptographic mechanisms to protect information in storage.

CM-6 - Low - CCI-000366 - V-219566 - SV-219566r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000275

Vuln IDs

V-219566
V-50857

Rule IDs

SV-219566r505921_rule
SV-65063

Checks: C-21291r358238_chk

Determine if encryption must be used to protect data on the system. If encryption must be used and is not employed, this is a finding.

Fix: F-21290r358239_fix

The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of data at rest unless otherwise protected by alternative physical measures.

CM-6 - Low - CCI-000366 - V-219567 - SV-219567r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000277

Vuln IDs

V-219567
V-50861

Rule IDs

SV-219567r505921_rule
SV-65067

Checks: C-21292r358241_chk

Determine if encryption must be used to protect data on the system. If encryption must be used and is not employed, this is a finding.

Fix: F-21291r358242_fix

The operating system natively supports partition encryption through the Linux Unified Key Setup (LUKS) on-disk-format technology. The easiest way to encrypt a partition is during installation time. For manual installations, select the "Encrypt" checkbox during partition creation to encrypt the partition. When this option is selected, the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots. For automated/unattended installations, it is possible to use Kickstart by adding the "--encrypted" and "--passphrase=" options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition: part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=[PASSPHRASE] Any [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the "--passphrase=" option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation. Detailed information on encrypting partitions using LUKS can be found in the Oracle Linux documentation at: http://docs.oracle.com/cd/E37670_01/E36387/html/index.html. Additional information is available from: http://linux.oracle.com/documentation/OL6/Red_Hat_Enterprise_Linux-6-Security_Guide-en-US.pdf"

The system must have a host-based intrusion detection tool installed.

SI-2 - Medium - CCI-001233 - V-219568 - SV-219568r505921_rule

RMF Control

SI-2

Severity

CCI

CCI-001233

Version

OL6-00-000285

Vuln IDs

V-219568
V-50875

Rule IDs

SV-219568r505921_rule
SV-65081

Adding host-based intrusion detection tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of system, which may not otherwise exist in an organization's systems management regime.

Checks: C-21293r462346_chk

Ask the SA or ISSO if a host-based intrusion detection application is loaded on the system. Per OPORD 16-0080 the preferred intrusion detection system is McAfee HBSS available through Cybercom. If another host-based intrusion detection application is in use, such as SELinux, this must be documented and approved by the local Authorizing Official. Procedure: Examine the system to see if the Host Intrusion Prevention System (HIPS) is installed: # rpm -qa | grep MFEhiplsm Verify that the McAfee HIPS module is active on the system: # ps -ef | grep -i “hipclient” If the MFEhiplsm package is not installed, check for another intrusion detection system: # find / -name <daemon name> Where <daemon name> is the name of the primary application daemon to determine if the application is loaded on the system. Determine if the application is active on the system: # ps -ef | grep -i <daemon name> If the MFEhiplsm package is not installed and an alternate host-based intrusion detection application has not been documented for use, this is a finding. If no host-based intrusion detection system is installed and running on the system, this is a finding.

Fix: F-21292r462347_fix

Install and enable the latest McAfee HIPS package, available from Cybercom. If the system does not support the McAfee HIPS package, install and enable a supported intrusion detection system application and document its use with the Authorizing Official.

X Windows must not be enabled unless required.

CM-7 - Medium - CCI-000381 - V-219569 - SV-219569r505921_rule

RMF Control

CM-7

Severity

CCI

Version

OL6-00-000290

Vuln IDs

V-219569
V-50885

Rule IDs

SV-219569r505921_rule
SV-65091

Unnecessary services should be disabled to decrease the attack surface of the system.

Checks: C-21294r358247_chk

To verify the default runlevel is 3, run the following command: # grep initdefault /etc/inittab The output should show the following: id:3:initdefault: If it does not, this is a finding.

Fix: F-21293r358248_fix

Setting the system's runlevel to 3 will prevent automatic startup of the X server. To do so, ensure the following line in "/etc/inittab" features a "3" as shown: id:3:initdefault:

Wireless network adapters must be disabled.

SC-8 - Medium - CCI-002421 - V-219570 - SV-219570r505921_rule

RMF Control

SC-8

Severity

CCI

CCI-002421

Version

OL6-00-000293

Vuln IDs

V-219570
V-72823

Rule IDs

SV-219570r505921_rule
SV-87469

The use of wireless networking can introduce many different attack vectors into the organization’s network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.

Checks: C-21295r462349_chk

This is N/A for systems that do not have wireless network adapters. Verify that there are no wireless interfaces configured on the system: # ifconfig -a eth0 Link encap:Ethernet HWaddr b8:ac:6f:65:31:e5 inet addr:192.168.2.100 Bcast:192.168.2.255 Mask:255.255.255.0 inet6 addr: fe80::baac:6fff:fe65:31e5/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:2697529 errors:0 dropped:0 overruns:0 frame:0 TX packets:2630541 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:2159382827 (2.0 GiB) TX bytes:1389552776 (1.2 GiB) Interrupt:17 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:2849 errors:0 dropped:0 overruns:0 frame:0 TX packets:2849 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:2778290 (2.6 MiB) TX bytes:2778290 (2.6 MiB) If a wireless interface is configured, it must be documented and approved by the local Authorizing Official. If a wireless interface is configured and has not been documented and approved, this is a finding.

Fix: F-21294r462350_fix

Configure the system to disable all wireless network interfaces.

A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.

CM-3 - Medium - CCI-001744 - V-219571 - SV-219571r505921_rule

RMF Control

CM-3

Severity

CCI

Version

OL6-00-000302

Vuln IDs

V-219571
V-51011

Rule IDs

SV-219571r505921_rule
SV-65217

By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.

Checks: C-21296r358253_chk

To determine that periodic AIDE execution has been scheduled, run the following command: # grep aide /etc/crontab /etc/cron.*/* If there is no output, or if aide is not run at least weekly, this is a finding.

Fix: F-21295r358254_fix

AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.

The operating system must employ automated mechanisms, per organization defined frequency, to detect the addition of unauthorized components/devices into the operating system.

CM-3 - Medium - CCI-001744 - V-219572 - SV-219572r505921_rule

RMF Control

CM-3

Severity

CCI

Version

OL6-00-000303

Vuln IDs

V-219572
V-51017

Rule IDs

SV-219572r505921_rule
SV-65223

By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.

Checks: C-21297r358256_chk

To determine that periodic AIDE execution has been scheduled, run the following command: # grep aide /etc/crontab /etc/cron.*/* If there is no output, this is a finding.

Fix: F-21296r358257_fix

The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization defined frequency.

CM-3 - Medium - CCI-001744 - V-219573 - SV-219573r505921_rule

RMF Control

CM-3

Severity

CCI

Version

OL6-00-000304

Vuln IDs

V-219573
V-51023

Rule IDs

SV-219573r505921_rule
SV-65229

By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.

Checks: C-21298r358259_chk

To determine that periodic AIDE execution has been scheduled, run the following command: # grep aide /etc/crontab /etc/cron.*/* If there is no output, this is a finding.

Fix: F-21297r358260_fix

The operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs.

CM-3 - Medium - CCI-001744 - V-219574 - SV-219574r505921_rule

RMF Control

CM-3

Severity

CCI

Version

OL6-00-000305

Vuln IDs

V-219574
V-51029

Rule IDs

SV-219574r505921_rule
SV-65235

By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.

Checks: C-21299r358262_chk

To determine that periodic AIDE execution has been scheduled, run the following command: # grep aide /etc/crontab /etc/cron.*/* If there is no output, this is a finding.

Fix: F-21298r358263_fix

The operating system must detect unauthorized changes to software and information.

CM-3 - Medium - CCI-001744 - V-219575 - SV-219575r505921_rule

RMF Control

CM-3

Severity

CCI

Version

OL6-00-000306

Vuln IDs

V-219575
V-51035

Rule IDs

SV-219575r505921_rule
SV-65241

By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.

Checks: C-21300r358265_chk

To determine that periodic AIDE execution has been scheduled, run the following command: # grep aide /etc/crontab /etc/cron.*/* If there is no output, this is a finding.

Fix: F-21299r358266_fix

The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.

CM-3 - Medium - CCI-001744 - V-219576 - SV-219576r505921_rule

RMF Control

CM-3

Severity

CCI

Version

OL6-00-000307

Vuln IDs

V-219576
V-51037

Rule IDs

SV-219576r505921_rule
SV-65243

By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.

Checks: C-21301r358268_chk

To determine that periodic AIDE execution has been scheduled, run the following command: # grep aide /etc/crontab /etc/cron.*/* If there is no output, this is a finding.

Fix: F-21300r358269_fix

The audit system must provide a warning when allocated audit record storage volume reaches a documented percentage of maximum audit record storage capacity.

AU-5 - Medium - CCI-001855 - V-219577 - SV-219577r505921_rule

RMF Control

AU-5

Severity

CCI

CCI-001855

Version

OL6-00-000311

Vuln IDs

V-219577
V-51051

Rule IDs

SV-219577r505921_rule
SV-65257

Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.

Checks: C-21302r358271_chk

Inspect "/etc/audit/auditd.conf" and locate the following line to determine whether the system is configured to email the administrator when disk space is starting to run low: # grep space_left /etc/audit/auditd.conf space_left = [num_megabytes] If the "num_megabytes" value does not correspond to a documented value for remaining audit partition capacity or if there is no locally documented value for remaining audit partition capacity, this is a finding.

Fix: F-21301r358272_fix

The "auditd" service can be configured to take an action when disk space starts to run low. Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [num_megabytes] appropriately: space_left = [num_megabytes] The "num_megabytes" value should be set to a fraction of the total audit storage capacity available that will allow a system administrator to be notified with enough time to respond to the situation causing the capacity issues. This value must also be documented locally.

The Bluetooth kernel module must be disabled.

CM-7 - Medium - CCI-000381 - V-219578 - SV-219578r505921_rule

RMF Control

CM-7

Severity

CCI

Version

OL6-00-000315

Vuln IDs

V-219578
V-51111

Rule IDs

SV-219578r505921_rule
SV-65321

If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.

Checks: C-21303r358274_chk

If the system is configured to prevent the loading of the "bluetooth" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": $ grep -r bluetooth /etc/modprobe.conf /etc/modprobe.d | grep -i “/bin/true” If no line is returned, this is a finding. If the system is configured to prevent the loading of the "net-pf-31" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": $ grep -r net-pf-31 /etc/modprobe.conf /etc/modprobe.d | grep -i “/bin/true” If no line is returned, this is a finding.

Fix: F-21302r358275_fix

The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate "/etc/modprobe.d" configuration file to prevent the loading of the Bluetooth module: install net-pf-31 /bin/true install bluetooth /bin/true

The systems local firewall must implement a deny-all, allow-by-exception policy for forwarded packets.

CM-6 - Medium - CCI-000366 - V-219579 - SV-219579r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000320

Vuln IDs

V-219579
V-51117

Rule IDs

SV-219579r505921_rule
SV-65327

Checks: C-21304r462352_chk

Run the following command to ensure the default "FORWARD" policy is "DROP": grep ":FORWARD" /etc/sysconfig/iptables The output must be the following: # grep ":FORWARD" /etc/sysconfig/iptables :FORWARD DROP [0:0] If it is not, this is a finding.

Fix: F-21303r462353_fix

To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interface to another, add or correct the following line in "/etc/sysconfig/iptables": :FORWARD DROP [0:0]

The system must provide VPN connectivity for communications over untrusted networks.

CM-6 - Low - CCI-000366 - V-219580 - SV-219580r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000321

Vuln IDs

V-219580
V-51121

Rule IDs

SV-219580r505921_rule
SV-65331

Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network.

Checks: C-21305r358280_chk

If the system does not communicate over untrusted networks, this is not applicable. Run the following command to determine if the "libreswan" package is installed: # rpm -q libreswan If the package is not installed, this is a finding.

Fix: F-21304r358281_fix

The Libreswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. The "libreswan" package can be installed with the following command: # yum install libreswan

The Bluetooth service must be disabled.

CM-7 - Medium - CCI-000381 - V-219581 - SV-219581r505921_rule

RMF Control

CM-7

Severity

CCI

Version

OL6-00-000331

Vuln IDs

V-219581
V-51127

Rule IDs

SV-219581r505921_rule
SV-65337

Disabling the "bluetooth" service prevents the system from attempting connections to Bluetooth devices, which entails some security risk. Nevertheless, variation in this risk decision may be expected due to the utility of Bluetooth connectivity and its limited range.

Checks: C-21306r462355_chk

To check that the "bluetooth" service is disabled in system boot configuration, run the following command: # chkconfig "bluetooth" --list Output should indicate the "bluetooth" service has either not been installed or has been disabled at all runlevels, as shown in the example below: # chkconfig "bluetooth" --list "bluetooth" 0:off 1:off 2:off 3:off 4:off 5:off 6:off If the service is configured to run, this is a finding.

Fix: F-21305r462356_fix

The "bluetooth" service can be disabled with the following command: # chkconfig bluetooth off # service bluetooth stop

The system must require administrator action to unlock an account locked by excessive failed login attempts.

AC-7 - Medium - CCI-002238 - V-219582 - SV-219582r505921_rule

RMF Control

AC-7

Severity

CCI

CCI-002238

Version

OL6-00-000356

Vuln IDs

V-219582
V-50637

Rule IDs

SV-219582r505921_rule
SV-64843

Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations.

Checks: C-21307r499654_chk

To ensure the failed password attempt policy is configured correctly, run the following command: # grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth If the "unlock_time" parameter is set to a value other than "0", "never", or less than "900" on "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding. Note: The maximum configurable value for "unlock_time" is "604800".

Fix: F-21306r499655_fix

To configure the system to lock out accounts after a number of incorrect logon attempts and require an administrator to unlock the account using "pam_faillock.so", modify the content of both "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" as follows: Add the following line immediately before the "pam_unix.so" statement in the "AUTH" section: auth required pam_faillock.so preauth silent deny=3 unlock_time=900 fail_interval=900 Add the following line immediately after the "pam_unix.so" statement in the "AUTH" section: auth [default=die] pam_faillock.so authfail deny=3 unlock_time=900 fail_interval=900 Add the following line immediately before the "pam_unix.so" statement in the "ACCOUNT" section: account required pam_faillock.so Note that any updates made to "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" may be overwritten by the "authconfig" program. The "authconfig" program should not be used.

The system must disable accounts after excessive login failures within a 15-minute interval.

AC-7 - Medium - CCI-002238 - V-219583 - SV-219583r505921_rule

RMF Control

AC-7

Severity

CCI

CCI-002238

Version

OL6-00-000357

Vuln IDs

V-219583
V-50635

Rule IDs

SV-219583r505921_rule
SV-64841

Locking out user accounts after a number of incorrect attempts within a specific period of time prevents direct password guessing attacks.

Checks: C-21308r499657_chk

To ensure the failed password attempt policy is configured correctly, run the following command: $ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth For each file, the output should show "fail_interval=<interval-in-seconds>" where "interval-in-seconds" is 900 (15 minutes) or greater. If the "fail_interval" parameter is not set, the default setting of 900 seconds is acceptable. If that is not the case, this is a finding.

Fix: F-21307r499658_fix

Utilizing "pam_faillock.so", the "fail_interval" directive configures the system to lock out accounts after a number of incorrect logon attempts. Modify the content of both "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" as follows: Add the following line immediately before the "pam_unix.so" statement in the "AUTH" section: auth required pam_faillock.so preauth silent deny=3 unlock_time=900 fail_interval=900 Add the following line immediately after the "pam_unix.so" statement in the "AUTH" section: auth [default=die] pam_faillock.so authfail deny=3 unlock_time=900 fail_interval=900 Add the following line immediately before the "pam_unix.so" statement in the "ACCOUNT" section: account required pam_faillock.so Note that any updates made to "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" may be overwritten by the "authconfig" program. The "authconfig" program should not be used.

The operating system must enforce requirements for the connection of mobile devices to operating systems.

IA-3 - Medium - CCI-000778 - V-219584 - SV-219584r505921_rule

RMF Control

IA-3

Severity

CCI

CCI-000778

Version

OL6-00-000503

Vuln IDs

V-219584
V-50617

Rule IDs

SV-219584r505921_rule
SV-64823

USB storage devices such as thumb drives can be used to introduce unauthorized software and other vulnerabilities. Support for these devices should be disabled and the devices themselves should be tightly controlled.

Checks: C-21309r358292_chk

If the system is configured to prevent the loading of the "usb-storage" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": $ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d | grep -i “/bin/true” If no line is returned, this is a finding.

Fix: F-21308r358293_fix

To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the "usb-storage" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install usb-storage /bin/true This will prevent the "modprobe" program from loading the "usb-storage" module, but will not prevent an administrator (or another program) from using the "insmod" program to load the module manually.

The operating system must conduct backups of user-level information contained in the operating system per organization defined frequency to conduct backups consistent with recovery time and recovery point objectives.

CM-6 - Medium - CCI-000366 - V-219585 - SV-219585r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000504

Vuln IDs

V-219585
V-50615

Rule IDs

SV-219585r505921_rule
SV-64821

Operating system backup is a critical step in maintaining data assurance and availability. User-level information is data generated by information system and/or application users. Backups shall be consistent with organizational recovery time and recovery point objectives.

Checks: C-21310r462698_chk

Ask an administrator if a process exists to back up user data from the system. If such a process does not exist, this is a finding.

Fix: F-21309r462699_fix

Procedures to back up user data from the system must be established and executed. The operating system provides utilities for automating such a process. Commercial and open-source products are also available. Implement a process whereby user data is backed up from the system in accordance with local policies.

The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.

CM-6 - Medium - CCI-000366 - V-219586 - SV-219586r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000505

Vuln IDs

V-219586
V-50613

Rule IDs

SV-219586r505921_rule
SV-64819

Operating system backup is a critical step in maintaining data assurance and availability. System-level information includes system-state information, operating system and application software, and licenses. Backups must be consistent with organizational recovery time and recovery point objectives.

Checks: C-21311r462358_chk

Ask an administrator if a process exists to back up OS data from the system, including configuration data. If such a process does not exist, this is a finding.

Fix: F-21310r462359_fix

Procedures to back up operating system data from the system must be established and executed. The operating system provides utilities for automating such a process. Commercial and open-source products are also available. Implement a process whereby OS data is backed up from the system in accordance with local policies.

The system must forward audit records to the syslog service.

AU-4 - Low - CCI-001851 - V-219587 - SV-219587r505921_rule

RMF Control

AU-4

Severity

CCI

CCI-001851

Version

OL6-00-000509

Vuln IDs

V-219587
V-50603

Rule IDs

SV-219587r505921_rule
SV-64809

The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include an audit event multiplexor plugin (audispd) to pass audit records to the local syslog server.

Checks: C-21312r358301_chk

Verify the audispd plugin is active: # grep active /etc/audisp/plugins.d/syslog.conf If the "active" setting is missing or set to "no", this is a finding.

Fix: F-21311r358302_fix

Set the "active" line in "/etc/audisp/plugins.d/syslog.conf" to "yes". Restart the auditd process. # service auditd restart

The systems local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets.

CM-6 - Medium - CCI-000366 - V-219588 - SV-219588r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000523

Vuln IDs

V-219588
V-50521

Rule IDs

SV-219588r505921_rule
SV-64727

In "ip6tables" the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to "DROP" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted.

Checks: C-21313r462361_chk

If IPv6 is disabled, this is not applicable. Inspect the file "/etc/sysconfig/ip6tables" to determine the default policy for the INPUT chain. It should be set to DROP: # grep ":INPUT" /etc/sysconfig/ip6tables If the default policy for the INPUT chain is not set to DROP, this is a finding.

Fix: F-21312r462362_fix

To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in "/etc/sysconfig/ip6tables": :INPUT DROP [0:0] Restart the IPv6 firewall: # service ip6tables restart

The Oracle Linux 6 operating system must use a virus scan program.

CM-6 - Medium - CCI-000366 - V-219589 - SV-219589r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000533

Vuln IDs

V-219589
V-81453

Rule IDs

SV-219589r505921_rule
SV-96167

Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems. The virus scanning software should be configured to perform scans dynamically on accessed files. If this capability is not available, the system must be configured to scan, at a minimum, all altered files on the system on a daily basis. If the system processes inbound SMTP mail, the virus scanner must be configured to scan all received mail.

Checks: C-21314r462364_chk

Verify an antivirus solution is installed on the system. The anti-virus solution may be bundled with an approved host-based security solution. If there is no antivirus solution installed on the system, this is a finding.

Fix: F-21313r466211_fix

Install an antivirus solution on the system.

The Oracle Linux operating system must not contain .shosts or shosts.equiv files.

CM-6 - High - CCI-000366 - V-219957 - SV-219957r505921_rule

RMF Control

CM-6

Severity

CCI

Version

OL6-00-000021

Vuln IDs

V-219957
V-100007

Rule IDs

SV-219957r505921_rule
SV-109111

The .shosts and shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.

Checks: C-19343r462695_chk

Verify there are no ".shosts" or "shosts.equiv" files on the system. # find / -name '*.shosts' # find / -name shosts.equiv If any ".shosts" or "shosts.equiv" files are found on the system, this is a finding.

Fix: F-19341r462696_fix

Remove any found ".shosts" or "shosts.equiv" files from the system. # rm /[path]/[to]/[file]/.shosts # rm /[path]/[to]/[file]/shosts.equiv

The Oracle Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.

AC-17 - Medium - CCI-001453 - V-219958 - SV-219958r505921_rule

RMF Control

AC-17

Severity

CCI

Version

OL6-00-000228

Vuln IDs

V-219958
V-100009

Rule IDs

SV-219958r505921_rule
SV-109113

DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2 hash algorithm meeting this requirement is SHA.

Checks: C-21668r364851_chk

Verify the SSH daemon is configured to only use MACs employing FIPS 140-2-approved ciphers. Note: If OL6-00-000534 is a finding, this is automatically a finding as the system cannot implement FIPS 140-2-approved cryptographic algorithms and hashes. Check that the SSH daemon is configured to only use MACs employing FIPS 140-2-approved ciphers with the following command: # grep -i macs /etc/ssh/sshd_config MACs hmac-sha2-256,hmac-sha2-512 If any ciphers other than "hmac-sha2-256" or "hmac-sha2-512" are listed or the returned line is commented out, this is a finding.

Fix: F-21667r364852_fix

Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "MACs" keyword and set its value to "hmac-sha2-256" and/or "hmac-sha2-512" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): MACs hmac-sha2-256,hmac-sha2-512 The SSH service must be restarted for changes to take effect. # sudo service sshd restart

The Oracle Linux operating system must be a vendor-supported release.

CM-6 - High - CCI-000366 - V-224675 - SV-224675r505921_rule

RMF Control

CM-6

Severity

CCI