Oracle Linux 6 Security Technical Implementation Guide
Pick two releases to diff their requirements.
Open a previous version of this STIG.
Digest of Updates +3 ✎ 1
Comparison against the immediately-prior release (V2R2). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.
Added rules 3
- V-237624 Medium The Oracle Linux operating system must restrict privilege elevation to authorized personnel.
- V-237625 Medium The Oracle Linux operating system must use the invoking user's password for privilege escalation when using "sudo".
- V-237626 Medium The Oracle Linux operating system must require re-authentication when using the "sudo" command.
Content changes 1
- V-208846 Low checkfix The system must be configured so all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000001
- Vuln IDs
-
- V-208793
- V-50533
- Rule IDs
-
- SV-208793r603263_rule
- SV-64739
Checks: C-9046r357359_chk
Run the following command to determine if "/tmp" is on its own partition or logical volume: $ mount | grep "on /tmp " If "/tmp" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding.
Fix: F-9046r357360_fix
The "/tmp" directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000002
- Vuln IDs
-
- V-208794
- V-50537
- Rule IDs
-
- SV-208794r603263_rule
- SV-64743
Checks: C-9047r357362_chk
Run the following command to determine if "/var" is on its own partition or logical volume: $ mount | grep "on /var " If "/var" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding.
Fix: F-9047r357363_fix
The "/var" directory is used by daemons and other system services to store frequently-changing data. Ensure that "/var" has its own partition or logical volume at installation time, or migrate it using LVM.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000003
- Vuln IDs
-
- V-208795
- V-50529
- Rule IDs
-
- SV-208795r603263_rule
- SV-64735
Checks: C-9048r357365_chk
Run the following command to determine if "/var/log" is on its own partition or logical volume: $ mount | grep "on /var/log " If "/var/log" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding.
Fix: F-9048r357366_fix
System logs are stored in the "/var/log" directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000007
- Vuln IDs
-
- V-208796
- V-50677
- Rule IDs
-
- SV-208796r603263_rule
- SV-64883
Checks: C-9049r357368_chk
Run the following command to determine if "/home" is on its own partition or logical volume: $ mount | grep "on /home " If "/home" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding.
Fix: F-9049r357369_fix
If user home directories will be stored locally, create a separate partition for "/home" at installation time (or migrate it later using LVM). If "/home" will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-000382
- Version
- OL6-00-000009
- Vuln IDs
-
- V-208797
- V-50693
- Rule IDs
-
- SV-208797r603263_rule
- SV-64899
Checks: C-9050r357371_chk
If the system needs to automatically communicate with the Oracle Unbreakable Linux Network for updates or information, then this is not applicable. To check that the "rhnsd" service is disabled in system boot configuration, run the following command: # chkconfig "rhnsd" --list Output should indicate the "rhnsd" service has either not been installed or has been disabled at all runlevels, as shown in the example below: # chkconfig "rhnsd" --list "rhnsd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "rhnsd" is disabled through current runtime configuration: # service rhnsd status If the service is disabled, the command will return the following output: rhnsd is stopped If the service is running, this is a finding.
Fix: F-9050r357372_fix
This service automatically queries the Oracle Unbreakable Linux Network service to determine whether there are any software updates or related information. The "rhnsd" service can be disabled with the following commands: # chkconfig rhnsd off # service rhnsd stop
- RMF Control
- SI-2
- Severity
- M
- CCI
- CCI-001233
- Version
- OL6-00-000011
- Vuln IDs
-
- V-208798
- V-50695
- Rule IDs
-
- SV-208798r603263_rule
- SV-64901
Checks: C-9051r357374_chk
If the system is joined to Oracle's Unbreakable Linux Network or an internal YUM server that provides updates, invoking the following command will indicate if updates are available.: # yum check-update If the system is not configured to update from one of these sources, run the following command to list when each package was last updated: $ rpm -qa -last Compare this to (1) http://linux.oracle.com/errata/ and (2) http://linux.oracle.com/cve/ to determine if the system is missing applicable security and bugfix updates. If updates are not installed, this is a finding. A ULN account is not required to obtain security updates Oracle also makes this content freely available on its Public YUM server at: http://public-yum.oracle.com/.
Fix: F-9051r357375_fix
If the system is joined to Oracle's Unbreakable Linux Network or an internal YUM server, run the following command to install updates # yum update If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from Oracle's Unbreakable Linux Network and installed using the "rpm" command.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000017
- Vuln IDs
-
- V-208799
- V-59347
- Rule IDs
-
- SV-208799r603263_rule
- SV-73777
Checks: C-9052r357377_chk
Inspect "/boot/grub/grub.conf" for any instances of "selinux=0" in the kernel boot arguments. Presence of "selinux=0" indicates that SELinux is disabled at boot time. If SELinux is disabled at boot time, this is a finding.
Fix: F-9052r357378_fix
SELinux can be disabled at boot time by an argument in "/boot/grub/grub.conf". Remove any instances of "selinux=0" from the kernel arguments in that file to prevent SELinux from being disabled at boot.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000018
- Vuln IDs
-
- V-208800
- V-59353
- Rule IDs
-
- SV-208800r603263_rule
- SV-73783
Checks: C-9053r357380_chk
To find the location of the AIDE database file, run the following command: # grep DBDIR /etc/aide.conf Using the defined values of the [DBDIR] and [database] variables, verify the existence of the AIDE database file: # ls -l [DBDIR]/[database_file_name] If there is no database file, this is a finding.
Fix: F-9053r357381_fix
Run the following command to generate a new database: # /usr/sbin/aide --init By default, the database will be written to the file "/var/lib/aide/aide.db.new.gz". Storing the database, the configuration file "/etc/aide.conf", and the binary "/usr/sbin/aide" (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows: # cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz To initiate a manual check, run the following command: # /usr/sbin/aide --check If this check produces any unexpected output, investigate.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000020
- Vuln IDs
-
- V-208801
- V-59367
- Rule IDs
-
- SV-208801r603263_rule
- SV-73797
Checks: C-9054r357383_chk
Check the file "/etc/selinux/config" and ensure the following line appears: SELINUX=enforcing If SELINUX is not set to enforcing, this is a finding.
Fix: F-9054r357384_fix
The SELinux state should be set to "enforcing" at system boot time. In the file "/etc/selinux/config", add or correct the following line to configure the system to boot into enforcing mode: SELINUX=enforcing
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000023
- Vuln IDs
-
- V-208802
- V-59369
- Rule IDs
-
- SV-208802r603263_rule
- SV-73799
Checks: C-9055r357386_chk
Check the file "/etc/selinux/config" and ensure the following line appears: SELINUXTYPE=targeted If it does not, this is a finding.
Fix: F-9055r357387_fix
The SELinux "targeted" policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in "/etc/selinux/config": SELINUXTYPE=targeted Other policies, such as "mls", provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000025
- Vuln IDs
-
- V-208803
- V-59371
- Rule IDs
-
- SV-208803r603263_rule
- SV-73801
Checks: C-9056r357389_chk
To check for unlabeled device files, run the following command: # ls -RZ /dev | grep unlabeled_t It should produce no output in a well-configured system. If there is output, this is a finding.
Fix: F-9056r357390_fix
Device files, which are used for communication with important system resources, should be labeled with proper SELinux types. If any device files carry the SELinux type "unlabeled_t", investigate the cause and correct the file's context.
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000770
- Version
- OL6-00-000027
- Vuln IDs
-
- V-208804
- V-50721
- Rule IDs
-
- SV-208804r603263_rule
- SV-64927
Checks: C-9057r357392_chk
To check for virtual console entries which permit root login, run the following command: # grep '^vc/[0-9]' /etc/securetty If any output is returned, then root logins over virtual console devices is permitted. If root login over virtual console devices is permitted, this is a finding.
Fix: F-9057r357393_fix
To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in "/etc/securetty": vc/1 vc/2 vc/3 vc/4 Note: Virtual console entries are not limited to those listed above. Any lines starting with "vc/" followed by numerals should be removed.
- RMF Control
- IA-2
- Severity
- L
- CCI
- CCI-000770
- Version
- OL6-00-000028
- Vuln IDs
-
- V-208805
- V-50725
- Rule IDs
-
- SV-208805r603263_rule
- SV-64931
Checks: C-9058r357395_chk
To check for serial port entries which permit root login, run the following command: # grep '^ttyS[0-9]' /etc/securetty If any output is returned, then root login over serial ports is permitted. If root login over serial ports is permitted, this is a finding.
Fix: F-9058r357396_fix
To restrict root logins on serial ports, ensure lines of this form do not appear in "/etc/securetty": ttyS0 ttyS1 Note: Serial port entries are not limited to those listed above. Any lines starting with "ttyS" followed by numerals should be removed.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000029
- Vuln IDs
-
- V-208806
- V-50731
- Rule IDs
-
- SV-208806r603263_rule
- SV-64937
Checks: C-9059r357398_chk
To obtain a listing of all users and the contents of their shadow password field, run the command: $ awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1 ":" $2}' /etc/shadow Identify the operating system accounts from this listing. These will primarily be the accounts with UID numbers less than 500, other than root. If any default operating system account (other than root) has a valid password hash, this is a finding.
Fix: F-9059r357399_fix
Some accounts are not associated with a human user of the system, and exist to perform some administrative function. An attacker should not be able to log into these accounts. Disable logon access to these accounts with the command: # passwd -l [SYSACCT]
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- OL6-00-000030
- Vuln IDs
-
- V-208807
- V-50737
- Rule IDs
-
- SV-208807r603263_rule
- SV-64943
Checks: C-9060r357401_chk
To verify that null passwords cannot be used, run the following command: # grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth If this produces any output, it may be possible to log on to accounts with empty passwords. If null passwords can be used, this is a finding.
Fix: F-9060r357402_fix
If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authentication. Remove any instances of the "nullok" option in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" to prevent logons with empty passwords.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000031
- Vuln IDs
-
- V-208808
- V-50741
- Rule IDs
-
- SV-208808r603263_rule
- SV-64947
Checks: C-9061r357404_chk
To check that no password hashes are stored in "/etc/passwd", run the following command: # awk -F: '($2 != "x") {print}' /etc/passwd If it produces any output, then a password hash is stored in "/etc/passwd". If any stored hashes are found in /etc/passwd, this is a finding.
Fix: F-9061r357405_fix
If any password hashes are stored in "/etc/passwd" (in the second field, instead of an "x"), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000032
- Vuln IDs
-
- V-208809
- V-50747
- Rule IDs
-
- SV-208809r603263_rule
- SV-64953
Checks: C-9062r357407_chk
To list all password file entries for accounts with UID 0, run the following command: # awk -F: '($3 == 0) {print}' /etc/passwd This should print only one line, for the user root. If any account other than root has a UID of 0, this is a finding.
Fix: F-9062r357408_fix
If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000033
- Vuln IDs
-
- V-208810
- V-50753
- Rule IDs
-
- SV-208810r603263_rule
- SV-64959
Checks: C-9063r357410_chk
To check the ownership of "/etc/shadow", run the command: $ ls -l /etc/shadow If properly configured, the output should indicate the following owner: "root" If it does not, this is a finding.
Fix: F-9063r357411_fix
To properly set the owner of "/etc/shadow", run the command: # chown root /etc/shadow
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000034
- Vuln IDs
-
- V-208811
- V-50755
- Rule IDs
-
- SV-208811r603263_rule
- SV-64961
Checks: C-9064r357413_chk
To check the group ownership of "/etc/shadow", run the command: $ ls -l /etc/shadow If properly configured, the output should indicate the following group-owner. "root" If it does not, this is a finding.
Fix: F-9064r357414_fix
To properly set the group owner of "/etc/shadow", run the command: # chgrp root /etc/shadow
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000035
- Vuln IDs
-
- V-208812
- V-50757
- Rule IDs
-
- SV-208812r603263_rule
- SV-64963
Checks: C-9065r357416_chk
To check the permissions of "/etc/shadow", run the command: $ ls -l /etc/shadow If properly configured, the output should indicate the following permissions: "----------" If it does not, this is a finding.
Fix: F-9065r357417_fix
To properly set the permissions of "/etc/shadow", run the command: # chmod 0000 /etc/shadow
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000036
- Vuln IDs
-
- V-208813
- V-50759
- Rule IDs
-
- SV-208813r603263_rule
- SV-64965
Checks: C-9066r357419_chk
To check the ownership of "/etc/gshadow", run the command: $ ls -l /etc/gshadow If properly configured, the output should indicate the following owner: "root" If it does not, this is a finding.
Fix: F-9066r357420_fix
To properly set the owner of "/etc/gshadow", run the command: # chown root /etc/gshadow
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000037
- Vuln IDs
-
- V-208814
- V-50763
- Rule IDs
-
- SV-208814r603263_rule
- SV-64969
Checks: C-9067r357422_chk
To check the group ownership of "/etc/gshadow", run the command: $ ls -l /etc/gshadow If properly configured, the output should indicate the following group-owner. "root" If it does not, this is a finding.
Fix: F-9067r357423_fix
To properly set the group owner of "/etc/gshadow", run the command: # chgrp root /etc/gshadow
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000038
- Vuln IDs
-
- V-208815
- V-50765
- Rule IDs
-
- SV-208815r603263_rule
- SV-64971
Checks: C-9068r357425_chk
To check the permissions of "/etc/gshadow", run the command: $ ls -l /etc/gshadow If properly configured, the output should indicate the following permissions: "----------" If it does not, this is a finding.
Fix: F-9068r357426_fix
To properly set the permissions of "/etc/gshadow", run the command: # chmod 0000 /etc/gshadow
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000039
- Vuln IDs
-
- V-208816
- V-50769
- Rule IDs
-
- SV-208816r603263_rule
- SV-64975
Checks: C-9069r357428_chk
To check the ownership of "/etc/passwd", run the command: $ ls -l /etc/passwd If properly configured, the output should indicate the following owner: "root" If it does not, this is a finding.
Fix: F-9069r357429_fix
To properly set the owner of "/etc/passwd", run the command: # chown root /etc/passwd
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000040
- Vuln IDs
-
- V-208817
- V-50771
- Rule IDs
-
- SV-208817r603263_rule
- SV-64977
Checks: C-9070r357431_chk
To check the group ownership of "/etc/passwd", run the command: $ ls -l /etc/passwd If properly configured, the output should indicate the following group-owner. "root" If it does not, this is a finding.
Fix: F-9070r357432_fix
To properly set the group owner of "/etc/passwd", run the command: # chgrp root /etc/passwd
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000041
- Vuln IDs
-
- V-208818
- V-50773
- Rule IDs
-
- SV-208818r603263_rule
- SV-64979
Checks: C-9071r357434_chk
To check the permissions of "/etc/passwd", run the command: $ ls -l /etc/passwd If properly configured, the output should indicate the following permissions: "-rw-r--r--" If it does not, this is a finding.
Fix: F-9071r357435_fix
To properly set the permissions of "/etc/passwd", run the command: # chmod 0644 /etc/passwd
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000042
- Vuln IDs
-
- V-208819
- V-50775
- Rule IDs
-
- SV-208819r603263_rule
- SV-64981
Checks: C-9072r357437_chk
To check the ownership of "/etc/group", run the command: $ ls -l /etc/group If properly configured, the output should indicate the following owner: "root" If it does not, this is a finding.
Fix: F-9072r357438_fix
To properly set the owner of "/etc/group", run the command: # chown root /etc/group
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000043
- Vuln IDs
-
- V-208820
- V-50777
- Rule IDs
-
- SV-208820r603263_rule
- SV-64983
Checks: C-9073r357440_chk
To check the group ownership of "/etc/group", run the command: $ ls -l /etc/group If properly configured, the output should indicate the following group-owner. "root" If it does not, this is a finding.
Fix: F-9073r357441_fix
To properly set the group owner of "/etc/group", run the command: # chgrp root /etc/group
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000044
- Vuln IDs
-
- V-208821
- V-50779
- Rule IDs
-
- SV-208821r603263_rule
- SV-64985
Checks: C-9074r357443_chk
To check the permissions of "/etc/group", run the command: $ ls -l /etc/group If properly configured, the output should indicate the following permissions: "-rw-r--r--" If it does not, this is a finding.
Fix: F-9074r357444_fix
To properly set the permissions of "/etc/group", run the command: # chmod 644 /etc/group
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- OL6-00-000045
- Vuln IDs
-
- V-208822
- V-50783
- Rule IDs
-
- SV-208822r603263_rule
- SV-64989
Checks: C-9075r357446_chk
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 Kernel modules, which can be added to the kernel during runtime, are stored in "/lib/modules". All files in these directories should not be group-writable or world-writable. To find shared libraries that are group-writable or world-writable, run the following command for each directory [DIR] which contains shared libraries: $ find -L [DIR] -perm /022 -type f If any of these files (excluding broken symlinks) are group-writable or world-writable, this is a finding.
Fix: F-9075r357447_fix
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command: # chmod go-w [FILE]
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- OL6-00-000046
- Vuln IDs
-
- V-208823
- V-50785
- Rule IDs
-
- SV-208823r603263_rule
- SV-64991
Checks: C-9076r357449_chk
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 /usr/local/lib /usr/local/lib64 Kernel modules, which can be added to the kernel during runtime, are stored in "/lib/modules". All files in these directories should not be group-writable or world-writable. To find shared libraries that are not owned by "root" and do not match what is expected by the RPM, run the following command: for i in /lib /lib64 /usr/lib /usr/lib64 /usr/local/lib /usr/local/lib64 do for j in `find -L $i \! -user root` do rpm -V -f $j | grep '^.....U' done done If the command returns any results, this is a finding.
Fix: F-9076r357450_fix
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 /usr/local/lib /usr/local/lib64 If any file in these directories is found to be owned by a user other than “root” and does not match what is expected by the RPM, correct its ownership by running one of the following commands: # rpm --setugids [PACKAGE_NAME] Or # chown root [FILE]
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- OL6-00-000047
- Vuln IDs
-
- V-208824
- V-50787
- Rule IDs
-
- SV-208824r603263_rule
- SV-64993
Checks: C-9077r357452_chk
System executables are stored in the following directories by default: /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin All files in these directories should not be group-writable or world-writable. To find system executables that are group-writable or world-writable, run the following command for each directory [DIR] which contains system executables: $ find -L [DIR] -perm /022 -type f If any system executables are found to be group-writable or world-writable, this is a finding.
Fix: F-9077r357453_fix
System executables are stored in the following directories by default: /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command: # chmod go-w [FILE]
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- OL6-00-000048
- Vuln IDs
-
- V-208825
- V-50789
- Rule IDs
-
- SV-208825r603263_rule
- SV-64995
Checks: C-9078r357455_chk
System executables are stored in the following directories by default: /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin To find system executables that are not owned by "root", run the following command for each directory [DIR] which contains system executables: $ find -L [DIR] \! -user root If any system executables are found to not be owned by root, this is a finding.
Fix: F-9078r357456_fix
System executables are stored in the following directories by default: /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin If any file [FILE] in these directories is found to be owned by a user other than root, correct its ownership with the following command: # chown root [FILE]
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000205
- Version
- OL6-00-000050
- Vuln IDs
-
- V-208826
- V-50791
- Rule IDs
-
- SV-208826r603263_rule
- SV-64997
Checks: C-9079r357458_chk
To check the minimum password length, run the command: $ grep PASS_MIN_LEN /etc/login.defs The DoD requirement is "15". If it is not set to the required value, this is a finding. $ grep –E ‘pam_cracklib.so.*minlen’ /etc/pam.d/* If no results are returned, this is not a finding. If any results are returned and are not set to “15” or greater, this is a finding.
Fix: F-9079r357459_fix
To specify password length requirements for new accounts, edit the file "/etc/login.defs" and add or correct the following lines: PASS_MIN_LEN 15 The DoD requirement is "15". If a program consults "/etc/login.defs" and also another PAM module (such as "pam_cracklib") during a password change operation, then the most restrictive must be satisfied.
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000198
- Version
- OL6-00-000051
- Vuln IDs
-
- V-208827
- V-50793
- Rule IDs
-
- SV-208827r603263_rule
- SV-64999
Checks: C-9080r357461_chk
To check the minimum password age, run the command: $ grep PASS_MIN_DAYS /etc/login.defs The DoD requirement is 1. If it is not set to the required value, this is a finding.
Fix: F-9080r357462_fix
To specify password minimum age for new accounts, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately: PASS_MIN_DAYS [DAYS] A value of 1 day is considered sufficient for many environments. The DoD requirement is 1.
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000199
- Version
- OL6-00-000053
- Vuln IDs
-
- V-208828
- V-50795
- Rule IDs
-
- SV-208828r603263_rule
- SV-65001
Checks: C-9081r357464_chk
To check the maximum password age, run the command: $ grep PASS_MAX_DAYS /etc/login.defs The DoD requirement is 60. If it is not set to the required value, this is a finding.
Fix: F-9081r357465_fix
To specify password maximum age for new accounts, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately: PASS_MAX_DAYS [DAYS] The DoD requirement is 60.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000054
- Vuln IDs
-
- V-208829
- V-50907
- Rule IDs
-
- SV-208829r603263_rule
- SV-65113
Checks: C-9082r357467_chk
To check the password warning age, run the command: $ grep PASS_WARN_AGE /etc/login.defs The DoD requirement is 7. If it is not set to the required value, this is a finding.
Fix: F-9082r357468_fix
To specify how many days prior to password expiration that a warning will be issued to users, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately: PASS_WARN_AGE [DAYS] The DoD requirement is 7.
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000199
- Version
- OL6-00-000055
- Vuln IDs
-
- V-208830
- V-92247
- Rule IDs
-
- SV-208830r603263_rule
- SV-102349
Checks: C-9083r357470_chk
Obtain a list of approved system and application accounts from the ISSO. For each system and application account identified, run the following command: # chage -l <application_account> Last password change : Nov 05, 2018 Password expires : Nov 04, 2019 Password inactive : Dec 10, 2019 Account expires : never Minimum number of days between password change : 1 Maximum number of days between password change : 365 Number of days of warning before password expires : 7 If "Maximum number of days between password change" is greater than "365", this is a finding. If the date of "Last password change" exceeds 365 days, this is a finding. If the date of "Password expires" is greater than 365 days from the date of "Last password change", this is a finding.
Fix: F-9083r357471_fix
Set the "Maximum number of days between password change" to "365": # chage -M 365 <application_account> Change the password for the system/application account: #passwd <application_account>
- RMF Control
- IA-5
- Severity
- L
- CCI
- CCI-000194
- Version
- OL6-00-000056
- Vuln IDs
-
- V-208831
- V-50911
- Rule IDs
-
- SV-208831r603263_rule
- SV-65117
Checks: C-9084r357473_chk
To check how many digits are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth The "dcredit" parameter (as a negative number) will indicate how many digits are required. The DoD requires at least one digit in a password. This would appear as "dcredit=-1". If the “dcredit” parameter is not found or not set to the required value, this is a finding.
Fix: F-9084r357474_fix
The pam_cracklib module's "dcredit" parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional length credit for each digit. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "dcredit=-1" after pam_cracklib.so to require use of a digit in passwords.
- RMF Control
- IA-5
- Severity
- L
- CCI
- CCI-000192
- Version
- OL6-00-000057
- Vuln IDs
-
- V-208832
- V-50913
- Rule IDs
-
- SV-208832r603263_rule
- SV-65119
Checks: C-9085r357476_chk
To check how many uppercase characters are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth The "ucredit" parameter (as a negative number) will indicate how many uppercase characters are required. The DoD requires at least one uppercase character in a password. This would appear as "ucredit=-1". If the “ucredit” parameter is not found or not set to the required value, this is a finding.
Fix: F-9085r357477_fix
The pam_cracklib module's "ucredit=" parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each uppercase character. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "ucredit=-1" after pam_cracklib.so to require use of an uppercase character in passwords.
- RMF Control
- IA-5
- Severity
- L
- CCI
- CCI-001619
- Version
- OL6-00-000058
- Vuln IDs
-
- V-208833
- V-50915
- Rule IDs
-
- SV-208833r603263_rule
- SV-65121
Checks: C-9086r357479_chk
To check how many special characters are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth The "ocredit" parameter (as a negative number) will indicate how many special characters are required. The DoD requires at least one special character in a password. This would appear as "ocredit=-1". If the “ocredit” parameter is not found or not set to the required value, this is a finding.
Fix: F-9086r357480_fix
The pam_cracklib module's "ocredit=" parameter controls requirements for usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each special character. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "ocredit=-1" after pam_cracklib.so to require use of a special character in passwords.
- RMF Control
- IA-5
- Severity
- L
- CCI
- CCI-000193
- Version
- OL6-00-000059
- Vuln IDs
-
- V-208834
- V-50917
- Rule IDs
-
- SV-208834r603263_rule
- SV-65123
Checks: C-9087r357482_chk
To check how many lower-case characters are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth The "lcredit" parameter (as a negative number) will indicate how many lower-case characters are required. The DoD requires at least one lower-case character in a password. This would appear as "lcredit=-1". If the “lcredit” parameter is not found or not set to the required value, this is a finding.
Fix: F-9087r357483_fix
The pam_cracklib module's "lcredit=" parameter controls requirements for usage of lower-case letters in a password. When set to a negative number, any password will be required to contain that many lower-case characters. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "lcredit=-1" after pam_cracklib.so to require use of a lower-case character in passwords.
- RMF Control
- IA-5
- Severity
- L
- CCI
- CCI-000195
- Version
- OL6-00-000060
- Vuln IDs
-
- V-208835
- V-50919
- Rule IDs
-
- SV-208835r603263_rule
- SV-65125
Checks: C-9088r357485_chk
To check how many characters must differ during a password change, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth The "difok" parameter will indicate how many characters must differ. The DoD requires eight characters differ during a password change. This would appear as "difok=8". If the “difok” parameter is not found or not set to the required value, this is a finding.
Fix: F-9088r357486_fix
The pam_cracklib module's "difok" parameter controls requirements for usage of different characters during a password change. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "difok=[NUM]" after pam_cracklib.so to require differing characters when changing passwords, substituting [NUM] appropriately. The DoD requirement is “8”.
- RMF Control
- AC-7
- Severity
- M
- CCI
- CCI-000044
- Version
- OL6-00-000061
- Vuln IDs
-
- V-208836
- V-50921
- Rule IDs
-
- SV-208836r603263_rule
- SV-65127
Checks: C-36260r602374_chk
To ensure the failed password attempt policy is configured correctly, run the following command: # grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth The output should show "deny=3" for both files. If that is not the case, this is a finding.
Fix: F-36224r602375_fix
To configure the system to lock out accounts after a number of incorrect logon attempts using "pam_faillock.so", modify the content of both "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" as follows: Add the following line immediately before the "pam_unix.so" statement in the "AUTH" section: auth required pam_faillock.so preauth silent deny=3 unlock_time=900 fail_interval=900 Add the following line immediately after the "pam_unix.so" statement in the "AUTH" section: auth [default=die] pam_faillock.so authfail deny=3 unlock_time=900 fail_interval=900 Add the following line immediately before the "pam_unix.so" statement in the "ACCOUNT" section: account required pam_faillock.so Note that any updates made to "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" may be overwritten by the "authconfig" program. The "authconfig" program should not be used.
- RMF Control
- IA-7
- Severity
- M
- CCI
- CCI-000803
- Version
- OL6-00-000062
- Vuln IDs
-
- V-208837
- V-50923
- Rule IDs
-
- SV-208837r603263_rule
- SV-65129
Checks: C-9090r357491_chk
Inspect the "password" section of "/etc/pam.d/system-auth", "/etc/pam.d/system-auth-ac", "/etc/pam.d/password-auth", "/etc/pam.d/password-auth-ac", and other files in "/etc/pam.d" to identify the number of occurrences where the “pam_unix.so” module is used in the “password” section. $ grep -E -c 'password.*pam_unix.so' /etc/pam.d/* /etc/pam.d/atd:0 /etc/pam.d/config-util:0 /etc/pam.d/crond:0 /etc/pam.d/login:0 /etc/pam.d/other:0 /etc/pam.d/passwd:0 /etc/pam.d/password-auth:1 /etc/pam.d/password-auth-ac:1 /etc/pam.d/sshd:0 /etc/pam.d/su:0 /etc/pam.d/sudo:0 /etc/pam.d/system-auth:1 /etc/pam.d/system-auth-ac:1 /etc/pam.d/vlock:0 Note: The number adjacent to the file name indicates how many occurrences of the “pam_unix.so” module are found in the password section. If the “pam_unix.so” module is not defined in the “password” section of “/etc/pam.d/system-auth”, “/etc/pam.d/system-auth-ac”, “/etc/pam.d/password-auth”, and “/etc/pam.d/password-auth-ac” at a minimum, this is a finding. Verify that the “sha512” variable is used with each instance of the “pam_unix.so” module in the “password” section: $ grep password /etc/pam.d/* | grep pam_unix.so | grep sha512 /etc/pam.d/password-auth:password sufficient pam_unix.so sha512 [other arguments…] /etc/pam.d/password-auth-ac:password sufficient pam_unix.so sha512 [other arguments…] /etc/pam.d/system-auth:password sufficient pam_unix.so sha512 [other arguments…] /etc/pam.d/system-auth-ac:password sufficient pam_unix.so sha512 [other arguments…] If this list of files does not coincide with the previous command, this is a finding. If any of the identified “pam_unix.so” modules do not use the “sha512” variable, this is a finding.
Fix: F-9090r357492_fix
In "/etc/pam.d/system-auth”, "/etc/pam.d/system-auth-ac", “/etc/pam.d/password-auth”, and “/etc/pam.d/password-auth-ac”, among potentially other files, the "password" section of the files control which PAM modules execute during a password change. Set the "pam_unix.so" module in the "password" section to include the argument "sha512", as shown below: password sufficient pam_unix.so sha512 [other arguments...] This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default. Note: Any updates made to "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" will be overwritten by the "authconfig" program. The "authconfig" program should not be used.
- RMF Control
- IA-7
- Severity
- M
- CCI
- CCI-000803
- Version
- OL6-00-000063
- Vuln IDs
-
- V-208838
- V-50927
- Rule IDs
-
- SV-208838r603263_rule
- SV-65133
Checks: C-9091r357494_chk
Inspect "/etc/login.defs" and ensure the following line appears: ENCRYPT_METHOD SHA512 If it does not, this is a finding.
Fix: F-9091r357495_fix
In "/etc/login.defs", add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm: ENCRYPT_METHOD SHA512
- RMF Control
- IA-7
- Severity
- M
- CCI
- CCI-000803
- Version
- OL6-00-000064
- Vuln IDs
-
- V-208839
- V-50937
- Rule IDs
-
- SV-208839r603263_rule
- SV-65143
Checks: C-9092r357497_chk
Inspect "/etc/libuser.conf" and ensure the following line appears in the "[default]" section: crypt_style = sha512 If it does not, this is a finding.
Fix: F-9092r357498_fix
In "/etc/libuser.conf", add or correct the following line in its "[defaults]" section to ensure the system will use the SHA-512 algorithm for password hashing: crypt_style = sha512
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000065
- Vuln IDs
-
- V-208840
- V-50933
- Rule IDs
-
- SV-208840r603263_rule
- SV-65139
Checks: C-9093r357500_chk
To check the ownership of "/boot/grub/grub.conf", run the command: $ ls -lL /boot/grub/grub.conf If properly configured, the output should indicate that the owner is "root". If it does not, this is a finding.
Fix: F-9093r357501_fix
The file "/boot/grub/grub.conf" should be owned by the "root" user to prevent destruction or modification of the file. To properly set the owner of "/boot/grub/grub.conf", run the command: # chown root /boot/grub/grub.conf
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000066
- Vuln IDs
-
- V-208841
- V-50939
- Rule IDs
-
- SV-208841r603263_rule
- SV-65145
Checks: C-9094r462331_chk
To check the group ownership of "/boot/grub/grub.conf", run the command: $ ls -lL /boot/grub/grub.conf If properly configured, the output should indicate the group-owner is "root". If it does not, this is a finding.
Fix: F-9094r462332_fix
The file "/boot/grub/grub.conf" should be group-owned by the "root" group to prevent destruction or modification of the file. To properly set the group owner of "/boot/grub/grub.conf", run the command: # chgrp root /boot/grub/grub.conf
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000067
- Vuln IDs
-
- V-208842
- V-50943
- Rule IDs
-
- SV-208842r603263_rule
- SV-65149
Checks: C-9095r357506_chk
To check the permissions of "/boot/grub/grub.conf", run the command: $ sudo ls -lL /boot/grub/grub.conf If properly configured, the output should indicate the following permissions: "-rw-------" If it does not, this is a finding.
Fix: F-9095r357507_fix
File permissions for "/boot/grub/grub.conf" should be set to 600, which is the default. To properly set the permissions of "/boot/grub/grub.conf", run the command: # chmod 600 /boot/grub/grub.conf Boot partitions based on VFAT, NTFS, or other non-standard configurations may require alternative measures.
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- OL6-00-000068
- Vuln IDs
-
- V-208843
- V-50945
- Rule IDs
-
- SV-208843r603263_rule
- SV-65151
Checks: C-9096r357509_chk
To verify the boot loader password has been set and encrypted, run the following command: # grep password /boot/grub/grub.conf The output should show the following: password --encrypted $6$[rest-of-the-password-hash] If it does not, this is a finding.
Fix: F-9096r357510_fix
The grub boot loader should have password protection enabled to protect boot-time settings. To do so, select a password and then generate a hash from it by running the following command: # grub-crypt --sha-512 When prompted to enter a password, insert the following line into "/boot/grub/grub.conf" immediately after the header comments. (Use the output from "grub-crypt" as the value of [password-hash]): password --encrypted [password-hash]
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- OL6-00-000069
- Vuln IDs
-
- V-208844
- V-50947
- Rule IDs
-
- SV-208844r603263_rule
- SV-65153
Checks: C-9097r357512_chk
To check if authentication is required for single-user mode, run the following command: $ grep SINGLE /etc/sysconfig/init The output should be the following: SINGLE=/sbin/sulogin If the output is different, this is a finding.
Fix: F-9097r357513_fix
Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected. To require entry of the root password even if the system is started in single-user mode, add or correct the following line in the file "/etc/sysconfig/init": SINGLE=/sbin/sulogin
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- OL6-00-000070
- Vuln IDs
-
- V-208845
- V-50951
- Rule IDs
-
- SV-208845r603263_rule
- SV-65157
Checks: C-9098r357515_chk
To check whether interactive boot is disabled, run the following command: $ grep PROMPT /etc/sysconfig/init If interactive boot is disabled, the output will show: PROMPT=no If it does not, this is a finding.
Fix: F-9098r357516_fix
To disable the ability for users to perform interactive startups, edit the file "/etc/sysconfig/init". Add or correct the line: PROMPT=no The "PROMPT" option allows the console user to perform an interactive system startup, in which it is possible to select the set of services which are started on boot.
- RMF Control
- AC-11
- Severity
- L
- CCI
- CCI-000058
- Version
- OL6-00-000071
- Vuln IDs
-
- V-208846
- V-50953
- Rule IDs
-
- SV-208846r646940_rule
- SV-65159
Checks: C-9099r646938_chk
Verify the operating system terminates all network connections associated with a communications session at the end of the session or based on inactivity. Check the value of the system inactivity timeout with the following command: # grep -i tmout /etc/profile.d/* etc/profile.d/tmout.sh:declare -xr TMOUT=900 If "TMOUT" is not set to "900" or less in a script located in the /etc/profile.d/ directory to enforce session termination after inactivity, this is a finding.
Fix: F-9099r646939_fix
Configure the operating system to terminate all network connections associated with a communications session at the end of the session or after a period of inactivity. Create a script to enforce the inactivity timeout (for example /etc/profile.d/tmout.sh) such as: #!/bin/bash declare -xr TMOUT=900
- RMF Control
- AC-8
- Severity
- M
- CCI
- CCI-001385
- Version
- OL6-00-000073
- Vuln IDs
-
- V-208847
- V-50955
- Rule IDs
-
- SV-208847r603263_rule
- SV-65161
Checks: C-9100r357521_chk
To check if the system login banner is compliant, run the following command: $ cat /etc/issue Note: The full text banner must be implemented unless there are character limitations that prevent the display of the full DoD logon banner. If the required DoD logon banner is not displayed, this is a finding.
Fix: F-9100r357522_fix
To configure the system login banner: Edit "/etc/issue". Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If the device cannot support the full DoD logon banner due to character limitations, the following text can be used: "I've read & consent to terms in IS user agreem't."
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000078
- Vuln IDs
-
- V-208848
- V-50957
- Rule IDs
-
- SV-208848r603263_rule
- SV-65163
Checks: C-9101r357524_chk
The status of the "kernel.randomize_va_space" kernel parameter can be queried by running the following commands: $ sysctl kernel.randomize_va_space $ grep kernel.randomize_va_space /etc/sysctl.conf The output of the command should indicate a value of at least "1" (preferably "2"). If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". If the correct value is not returned, this is a finding.
Fix: F-9101r357525_fix
To set the runtime status of the "kernel.randomize_va_space" kernel parameter, run the following command: # sysctl -w kernel.randomize_va_space=2 If this is not the system's default value, add the following line to "/etc/sysctl.conf": kernel.randomize_va_space = 2
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000079
- Vuln IDs
-
- V-208849
- V-50959
- Rule IDs
-
- SV-208849r603263_rule
- SV-65165
Checks: C-9102r357527_chk
If the system being evaluated is running a Red Hat-compatible operating system kernel, check that the "kernel.exec-shield" kernel parameter is set to "1" in /etc/sysctl.conf. If the system is running an Oracle Unbreakable Enterprise kernel, verify that Oracle's Data Execution Prevention is enabled. First, determine if the system is operating an Oracle Unbreakable Enterprise Kernel (UEK): # uname -r | grep uek If no value is returned, the system is running a Red Hat-compatible kernel. Verify that the "kernel.exec-shield" kernel parameter is set to "1" in the running kernel and /etc/sysctl.conf: # sysctl kernel.exec-shield # grep ^kernel\.exec-shield /etc/sysctl.conf | awk -F= '{ print $2 }' kernel.exec-shield = 1 If there is no value returned, or if a value is returned that is not "1", this is a finding. If the system was found to be running an Unbreakable Enterprise Kernel, verify that DEP is enabled: # dmesg | grep 'NX.*protection:' If there is no value returned, or if a value is returned that is not "NX (Execute Disable) protection: active", this is a finding. Note that this is not a finding when the underlying processor architecture does not support the "Execute Disable" (NX) capability. To determine if the processor supports the NX capability, run the following: # grep nx /proc/cpuinfo If there is no value returned, this is not applicable.
Fix: F-9102r357528_fix
If the system being evaluated is running a Red Hat-compatible operating system kernel, then ensure that the "kernel.exec-shield" kernel parameter is set to "1". If the system is running an Oracle Unbreakable Enterprise Kernel, this parameter does not exist. When an Unbreakable Enterprise Kernel is booted, Oracle's Data Execution Prevention (DEP) feature will leverage the hardware-enforced NX (never execute) bit of compatible CPUs to protect against code being executed from the stack. By default, DEP is enabled. If DEP is not enabled, ensure that the string "noexec=off" does not appear in /boot/grub/grub.conf. First, determine if the system is operating an Oracle Unbreakable Enterprise Kernel (UEK): # uname -r | grep uek If no value is returned, the system is running a Red Hat-compatible kernel. Edit (or add if necessary) the entry in /etc/sysctl.conf for the "kernel.exec-shield" kernel parameter. Ensure that this parameter is set to "1" as in: kernel.exec-shield = 1 If this was not already the default, reboot the system for the change to take effect. If the system was found to be running an Unbreakable Enterprise Kernel, then ensure that the string "noexec=off" is not found in /boot/grub/grub.conf: # grep noexec=off /boot/grub/grub.conf If found, remove the offending kernels from /boot/grub/grub.conf.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000080
- Vuln IDs
-
- V-208850
- V-50961
- Rule IDs
-
- SV-208850r603263_rule
- SV-65167
Checks: C-9103r357530_chk
The status of the "net.ipv4.conf.default.send_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.send_redirects The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.conf.default.send_redirects /etc/sysctl.conf If the correct value is not returned, this is a finding.
Fix: F-9103r357531_fix
To set the runtime status of the "net.ipv4.conf.default.send_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.send_redirects=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.default.send_redirects = 0
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000081
- Vuln IDs
-
- V-208851
- V-50963
- Rule IDs
-
- SV-208851r603263_rule
- SV-65169
Checks: C-9104r357533_chk
The status of the "net.ipv4.conf.all.send_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.send_redirects The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.conf.all.send_redirects /etc/sysctl.conf If the correct value is not returned, this is a finding.
Fix: F-9104r357534_fix
To set the runtime status of the "net.ipv4.conf.all.send_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.send_redirects=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.all.send_redirects = 0
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000082
- Vuln IDs
-
- V-208852
- V-50967
- Rule IDs
-
- SV-208852r603263_rule
- SV-65173
Checks: C-9105r357536_chk
The status of the "net.ipv4.ip_forward" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.ip_forward The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.ip_forward /etc/sysctl.conf The ability to forward packets is only appropriate for routers. If the correct value is not returned, this is a finding.
Fix: F-9105r357537_fix
To set the runtime status of the "net.ipv4.ip_forward" kernel parameter, run the following command: # sysctl -w net.ipv4.ip_forward=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.ip_forward = 0
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000083
- Vuln IDs
-
- V-208853
- V-50969
- Rule IDs
-
- SV-208853r603263_rule
- SV-65175
Checks: C-9106r357539_chk
The status of the "net.ipv4.conf.all.accept_source_route" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.accept_source_route The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.conf.all.accept_source_route /etc/sysctl.conf If the correct value is not returned, this is a finding.
Fix: F-9106r357540_fix
To set the runtime status of the "net.ipv4.conf.all.accept_source_route" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.accept_source_route=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.all.accept_source_route = 0
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000084
- Vuln IDs
-
- V-208854
- V-50971
- Rule IDs
-
- SV-208854r603263_rule
- SV-65177
Checks: C-9107r357542_chk
The status of the "net.ipv4.conf.all.accept_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.accept_redirects The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.conf.all.accept_redirects /etc/sysctl.conf If the correct value is not returned, this is a finding.
Fix: F-9107r357543_fix
To set the runtime status of the "net.ipv4.conf.all.accept_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.accept_redirects=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.all.accept_redirects = 0
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000086
- Vuln IDs
-
- V-208855
- V-50621
- Rule IDs
-
- SV-208855r603263_rule
- SV-64827
Checks: C-9108r357545_chk
The status of the "net.ipv4.conf.all.secure_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.secure_redirects The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.conf.all.secure_redirects /etc/sysctl.conf If the correct value is not returned, this is a finding.
Fix: F-9108r357546_fix
To set the runtime status of the "net.ipv4.conf.all.secure_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.secure_redirects=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.all.secure_redirects = 0
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000088
- Vuln IDs
-
- V-208856
- V-50625
- Rule IDs
-
- SV-208856r603263_rule
- SV-64831
Checks: C-9109r357548_chk
The status of the "net.ipv4.conf.all.log_martians" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.log_martians The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.conf.all.log_martians /etc/sysctl.conf If the correct value is not returned, this is a finding.
Fix: F-9109r357549_fix
To set the runtime status of the "net.ipv4.conf.all.log_martians" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.log_martians=1 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.all.log_martians = 1
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000089
- Vuln IDs
-
- V-208857
- V-50647
- Rule IDs
-
- SV-208857r603263_rule
- SV-64853
Checks: C-9110r357551_chk
The status of the "net.ipv4.conf.default.accept_source_route" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.accept_source_route The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.conf.default.accept_source_route /etc/sysctl.conf If the correct value is not returned, this is a finding.
Fix: F-9110r357552_fix
To set the runtime status of the "net.ipv4.conf.default.accept_source_route" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.accept_source_route=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.default.accept_source_route = 0
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000090
- Vuln IDs
-
- V-208858
- V-50651
- Rule IDs
-
- SV-208858r603263_rule
- SV-64857
Checks: C-9111r357554_chk
The status of the "net.ipv4.conf.default.secure_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.secure_redirects The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.conf.default.secure_redirects /etc/sysctl.conf If the correct value is not returned, this is a finding.
Fix: F-9111r357555_fix
To set the runtime status of the "net.ipv4.conf.default.secure_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.secure_redirects=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.default.secure_redirects = 0
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000091
- Vuln IDs
-
- V-208859
- V-50655
- Rule IDs
-
- SV-208859r603263_rule
- SV-64861
Checks: C-9112r357557_chk
The status of the "net.ipv4.conf.default.accept_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.accept_redirects The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.conf.default.accept_redirects /etc/sysctl.conf If the correct value is not returned, this is a finding.
Fix: F-9112r357558_fix
To set the runtime status of the "net.ipv4.conf.default.accept_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.accept_redirects=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.default.accept_redirects = 0
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000092
- Vuln IDs
-
- V-208860
- V-50657
- Rule IDs
-
- SV-208860r603263_rule
- SV-64863
Checks: C-9113r357560_chk
The status of the "net.ipv4.icmp_echo_ignore_broadcasts" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.icmp_echo_ignore_broadcasts The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf If the correct value is not returned, this is a finding.
Fix: F-9113r357561_fix
To set the runtime status of the "net.ipv4.icmp_echo_ignore_broadcasts" kernel parameter, run the following command: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.icmp_echo_ignore_broadcasts = 1
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000093
- Vuln IDs
-
- V-208861
- V-50663
- Rule IDs
-
- SV-208861r603263_rule
- SV-64869
Checks: C-9114r357563_chk
The status of the "net.ipv4.icmp_ignore_bogus_error_responses" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.icmp_ignore_bogus_error_responses The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.icmp_ignore_bogus_error_responses /etc/sysctl.conf If the correct value is not returned, this is a finding.
Fix: F-9114r357564_fix
To set the runtime status of the "net.ipv4.icmp_ignore_bogus_error_responses" kernel parameter, run the following command: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.icmp_ignore_bogus_error_responses = 1
- RMF Control
- SC-5
- Severity
- M
- CCI
- CCI-001095
- Version
- OL6-00-000095
- Vuln IDs
-
- V-208862
- V-50683
- Rule IDs
-
- SV-208862r603263_rule
- SV-64889
Checks: C-9115r357566_chk
The status of the "net.ipv4.tcp_syncookies" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.tcp_syncookies The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.tcp_syncookies /etc/sysctl.conf If the correct value is not returned, this is a finding.
Fix: F-9115r357567_fix
To set the runtime status of the "net.ipv4.tcp_syncookies" kernel parameter, run the following command: # sysctl -w net.ipv4.tcp_syncookies=1 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.tcp_syncookies = 1
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000096
- Vuln IDs
-
- V-208863
- V-50685
- Rule IDs
-
- SV-208863r603263_rule
- SV-64891
Checks: C-9116r357569_chk
The status of the "net.ipv4.conf.all.rp_filter" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.rp_filter The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.conf.all.rp_filter /etc/sysctl.conf If the correct value is not returned, this is a finding.
Fix: F-9116r357570_fix
To set the runtime status of the "net.ipv4.conf.all.rp_filter" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.rp_filter=1 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.all.rp_filter = 1
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000097
- Vuln IDs
-
- V-208864
- V-50699
- Rule IDs
-
- SV-208864r603263_rule
- SV-64905
Checks: C-9117r357572_chk
The status of the "net.ipv4.conf.default.rp_filter" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.rp_filter The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv4.conf.default.rp_filter /etc/sysctl.conf If the correct value is not returned, this is a finding.
Fix: F-9117r357573_fix
To set the runtime status of the "net.ipv4.conf.default.rp_filter" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.rp_filter=1 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.default.rp_filter = 1
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000099
- Vuln IDs
-
- V-208865
- V-50711
- Rule IDs
-
- SV-208865r603263_rule
- SV-64917
Checks: C-9118r357575_chk
If IPv6 is disabled, this is not applicable. The status of the "net.ipv6.conf.default.accept_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv6.conf.default.accept_redirects The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". $ grep net.ipv6.conf.default.accept_redirects /etc/sysctl.conf If the correct value is not returned, this is a finding.
Fix: F-9118r357576_fix
To set the runtime status of the "net.ipv6.conf.default.accept_redirects" kernel parameter, run the following command: # sysctl -w net.ipv6.conf.default.accept_redirects=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv6.conf.default.accept_redirects = 0
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000382
- Version
- OL6-00-000124
- Vuln IDs
-
- V-208866
- V-50989
- Rule IDs
-
- SV-208866r603263_rule
- SV-65195
Checks: C-9119r357578_chk
If the system is configured to prevent the loading of the "dccp" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": grep -r dccp /etc/modprobe.conf /etc/modprobe.d | grep -i “/bin/true” If no line is returned, this is a finding.
Fix: F-9119r357579_fix
The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the "dccp" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install dccp /bin/true
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000382
- Version
- OL6-00-000125
- Vuln IDs
-
- V-208867
- V-50997
- Rule IDs
-
- SV-208867r603263_rule
- SV-65203
Checks: C-9120r357581_chk
If the system is configured to prevent the loading of the "sctp" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": $ grep -r sctp /etc/modprobe.conf /etc/modprobe.d | grep -i “/bin/true” If no line is returned, this is a finding.
Fix: F-9120r357582_fix
The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the "sctp" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install sctp /bin/true
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-000382
- Version
- OL6-00-000126
- Vuln IDs
-
- V-208868
- V-51001
- Rule IDs
-
- SV-208868r603263_rule
- SV-65207
Checks: C-9121r357584_chk
If the system is configured to prevent the loading of the "rds" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module-loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": $ grep -r rds /etc/modprobe.conf /etc/modprobe.d If no line is returned, this is a finding. This is not a finding if the RDS service is required for proper system or application operation. Oracle Engineered Systems such as Exadata use the RDS service for InfiniBand-based communication with storage services.
Fix: F-9121r357585_fix
The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high- bandwidth, low-latency communications between nodes in a cluster. To configure the system to prevent the "rds" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install rds /bin/true
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000382
- Version
- OL6-00-000127
- Vuln IDs
-
- V-208869
- V-51005
- Rule IDs
-
- SV-208869r603263_rule
- SV-65211
Checks: C-9122r357587_chk
If the system is configured to prevent the loading of the "tipc" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": $ grep -r tipc /etc/modprobe.conf /etc/modprobe.d | grep -i “/bin/true” If no line is returned, this is a finding.
Fix: F-9122r357588_fix
The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the "tipc" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install tipc /bin/true
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- OL6-00-000133
- Vuln IDs
-
- V-208870
- V-51007
- Rule IDs
-
- SV-208870r603263_rule
- SV-65213
Checks: C-9123r357590_chk
The owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". To see the owner of a given log file, run the following command: $ ls -l [LOGFILE] Some log files referenced in /etc/rsyslog.conf may be created by other programs and may require exclusion from consideration. If the owner is not root, this is a finding.
Fix: F-9123r357591_fix
The owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's owner: $ ls -l [LOGFILE] If the owner is not "root", run the following command to correct this: # chown root [LOGFILE]
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- OL6-00-000134
- Vuln IDs
-
- V-208871
- V-51009
- Rule IDs
-
- SV-208871r603263_rule
- SV-65215
Checks: C-9124r357593_chk
The group-owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". To see the group-owner of a given log file, run the following command: $ ls -l [LOGFILE] Some log files referenced in /etc/rsyslog.conf may be created by other programs and may require exclusion from consideration. If the group-owner is not root, this is a finding.
Fix: F-9124r357594_fix
The group-owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's group owner: $ ls -l [LOGFILE] If the owner is not "root", run the following command to correct this: # chgrp root [LOGFILE]
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- OL6-00-000135
- Vuln IDs
-
- V-208872
- V-51013
- Rule IDs
-
- SV-208872r603263_rule
- SV-65219
Checks: C-9125r357596_chk
The file permissions for all log files written by rsyslog should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's permissions: $ ls -l [LOGFILE] The permissions should be 600, or more restrictive. Some log files referenced in /etc/rsyslog.conf may be created by other programs and may require exclusion from consideration. If the permissions are not correct, this is a finding.
Fix: F-9125r357597_fix
The file permissions for all log files written by rsyslog should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's permissions: $ ls -l [LOGFILE] If the permissions are not 600 or more restrictive, run the following command to correct this: # chmod 0600 [LOGFILE]
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-001348
- Version
- OL6-00-000136
- Vuln IDs
-
- V-208873
- V-51015
- Rule IDs
-
- SV-208873r603263_rule
- SV-65221
Checks: C-9126r357599_chk
To ensure logs are sent to a remote host, examine the file "/etc/rsyslog.conf". If using UDP, a line similar to the following should be present: *.* @[loghost.example.com] If using TCP, a line similar to the following should be present: *.* @@[loghost.example.com] If using RELP, a line similar to the following should be present: *.* :omrelp:[loghost.example.com] If none of these are present, this is a finding.
Fix: F-9126r357600_fix
To configure rsyslog to send logs to a remote log server, open "/etc/rsyslog.conf" and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting "[loghost.example.com]" appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments. To use UDP for log message delivery: *.* @[loghost.example.com] To use TCP for log message delivery: *.* @@[loghost.example.com] To use RELP for log message delivery: *.* :omrelp:[loghost.example.com]
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000138
- Vuln IDs
-
- V-208874
- V-51021
- Rule IDs
-
- SV-208874r603263_rule
- SV-65227
Checks: C-9127r357602_chk
Run the following commands to determine the current status of the "logrotate" service: # grep logrotate /var/log/cron* If the logrotate service is not run on a daily basis by cron, this is a finding.
Fix: F-9127r357603_fix
The "logrotate" service should be installed or reinstalled if it is not installed and operating properly, by running the following command: # yum reinstall logrotate
- RMF Control
- AU-3
- Severity
- M
- CCI
- CCI-001487
- Version
- OL6-00-000145
- Vuln IDs
-
- V-208875
- V-51027
- Rule IDs
-
- SV-208875r603263_rule
- SV-65233
Checks: C-9128r357605_chk
Run the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, it should return the following: auditd is running... If the service is not running, this is a finding.
Fix: F-9128r357606_fix
The "auditd" service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The "auditd" service can be enabled with the following commands: # chkconfig auditd on # service auditd start
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-000067
- Version
- OL6-00-000148
- Vuln IDs
-
- V-208876
- V-51033
- Rule IDs
-
- SV-208876r603263_rule
- SV-65239
Checks: C-9129r357608_chk
Run the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, it should return the following: auditd is running... If the service is not running, this is a finding.
Fix: F-9129r357609_fix
The "auditd" service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The "auditd" service can be enabled with the following commands: # chkconfig auditd on # service auditd start
- RMF Control
- AU-3
- Severity
- M
- CCI
- CCI-000130
- Version
- OL6-00-000154
- Vuln IDs
-
- V-208877
- V-51039
- Rule IDs
-
- SV-208877r603263_rule
- SV-65245
Checks: C-9130r357611_chk
Run the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, it should return the following: auditd is running... If the service is not running, this is a finding.
Fix: F-9130r357612_fix
The "auditd" service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The "auditd" service can be enabled with the following commands: # chkconfig auditd on # service auditd start
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000159
- Vuln IDs
-
- V-208878
- V-51043
- Rule IDs
-
- SV-208878r603263_rule
- SV-65249
Checks: C-9131r357614_chk
Inspect "/etc/audit/auditd.conf" and locate the following line to determine how many logs the system is configured to retain after rotation: "# grep num_logs /etc/audit/auditd.conf" num_logs = 5 If the overall system log file(s) retention hasn't been properly set up, this is a finding.
Fix: F-9131r357615_fix
Determine how many log files "auditd" should retain when it rotates logs. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting [NUMLOGS] with the correct value: num_logs = [NUMLOGS] Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000160
- Vuln IDs
-
- V-208879
- V-51049
- Rule IDs
-
- SV-208879r603263_rule
- SV-65255
Checks: C-9132r357617_chk
Inspect "/etc/audit/auditd.conf" and locate the following line to determine how much data the system will retain in each audit log file: "# grep max_log_file /etc/audit/auditd.conf" max_log_file = 6 If the system audit data threshold hasn't been properly set up, this is a finding.
Fix: F-9132r357618_fix
Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting the correct value for [STOREMB]: max_log_file = [STOREMB] Set the value to "6" (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000161
- Vuln IDs
-
- V-208880
- V-51053
- Rule IDs
-
- SV-208880r603263_rule
- SV-65259
Checks: C-9133r357620_chk
Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to rotate logs when they reach their maximum size: # grep max_log_file_action /etc/audit/auditd.conf max_log_file_action = rotate If the "keep_logs" option is configured for the "max_log_file_action" line in "/etc/audit/auditd.conf" and an alternate process is in place to ensure audit data does not overwhelm local audit storage, this is not a finding. If the system has not been properly set up to rotate audit logs, this is a finding.
Fix: F-9133r357621_fix
The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by "auditd", add or correct the line in "/etc/audit/auditd.conf": max_log_file_action = [ACTION] Possible values for [ACTION] are described in the "auditd.conf" man page. These include: "ignore" "syslog" "suspend" "rotate" "keep_logs" Set the "[ACTION]" to "rotate" to ensure log rotation occurs. This is the default. The setting is case-insensitive.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000163
- Vuln IDs
-
- V-208881
- V-59373
- Rule IDs
-
- SV-208881r603263_rule
- SV-73803
Checks: C-9134r357623_chk
Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to either suspend, switch to single-user mode, or halt when disk space has run low: admin_space_left_action = single If the system is not configured to switch to single-user mode, suspend, or halt for corrective action, this is a finding.
Fix: F-9134r357624_fix
The "auditd" service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting [ACTION] appropriately: admin_space_left_action = [ACTION] Set this value to "single" to cause the system to switch to single-user mode for corrective action. Acceptable values also include "suspend" and "halt". For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for [ACTION] are described in the "auditd.conf" man page.
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000169
- Version
- OL6-00-000165
- Vuln IDs
-
- V-208882
- V-51061
- Rule IDs
-
- SV-208882r603263_rule
- SV-65267
Checks: C-9135r357626_chk
To determine if the system is configured to audit calls to the "adjtimex" system call, run the following command: $ sudo grep -w "adjtimex" /etc/audit/audit.rules -a always,exit -F arch=b32 -S adjtimex -k audit_time_rules -a always,exit -F arch=b64 -S adjtimex -k audit_time_rules If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "adjtimex" system call, this is a finding.
Fix: F-9135r357627_fix
On a 32-bit system, add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b32 -S adjtimex -k audit_time_rules If the system is 64-bit, then also add the following: # audit_time_rules -a always,exit -F arch=b64 -S adjtimex -k audit_time_rules
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000169
- Version
- OL6-00-000167
- Vuln IDs
-
- V-208883
- V-51063
- Rule IDs
-
- SV-208883r603263_rule
- SV-65269
Checks: C-9136r357629_chk
To determine if the system is configured to audit calls to the "settimeofday" system call, run the following command: $ sudo grep -w "settimeofday" /etc/audit/audit.rules -a always,exit -F arch=b32 -S settimeofday -k audit_time_rules -a always,exit -F arch=b64 -S settimeofday -k audit_time_rules If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "settimeofday" system call, this is a finding.
Fix: F-9136r357630_fix
On a 32-bit system, add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b32 -S settimeofday -k audit_time_rules If the system is 64-bit, then also add the following: # audit_time_rules -a always,exit -F arch=b64 -S settimeofday -k audit_time_rules
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000169
- Version
- OL6-00-000169
- Vuln IDs
-
- V-208884
- V-51067
- Rule IDs
-
- SV-208884r603263_rule
- SV-65273
Checks: C-9137r357632_chk
If the system is 64-bit only, this is not applicable. To determine if the system is configured to audit calls to the "stime" system call, run the following command: $ sudo grep -w "stime" /etc/audit/audit.rules -a always,exit -F arch=b32 -S stime -k audit_time_rules If the system is not configured to audit the "stime" system call, this is a finding.
Fix: F-9137r357633_fix
On a 32-bit system, add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b32 -S stime -k audit_time_rules Note: On a 64-bit system, it is not necessary to define a rule for "stime".
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000169
- Version
- OL6-00-000171
- Vuln IDs
-
- V-208885
- V-51069
- Rule IDs
-
- SV-208885r603263_rule
- SV-65275
Checks: C-9138r357635_chk
To determine if the system is configured to audit calls to the "clock_settime" system call, run the following command: $ sudo grep -w "clock_settime" /etc/audit/audit.rules -a always,exit -F arch=b32 -S clock_settime -k audit_time_rules -a always,exit -F arch=b64 -S clock_settime -k audit_time_rules If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "clock_settime" system call, this is a finding.
Fix: F-9138r357636_fix
On a 32-bit system, add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b32 -S clock_settime -k audit_time_rules If the system is 64-bit, then also add the following: # audit_time_rules -a always,exit -F arch=b64 -S clock_settime -k audit_time_rules
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000169
- Version
- OL6-00-000173
- Vuln IDs
-
- V-208886
- V-51071
- Rule IDs
-
- SV-208886r603263_rule
- SV-65277
Checks: C-9139r357638_chk
To determine if the system is configured to audit attempts to alter time via the /etc/localtime file, run the following command: $ sudo grep -w "/etc/localtime" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. If the system is not configured to audit time changes, this is a finding.
Fix: F-9139r357639_fix
Add the following to "/etc/audit/audit.rules": -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.
- RMF Control
- AC-2
- Severity
- L
- CCI
- CCI-000018
- Version
- OL6-00-000174
- Vuln IDs
-
- V-208887
- V-51073
- Rule IDs
-
- SV-208887r603263_rule
- SV-65279
Checks: C-9140r357641_chk
To determine if the system is configured to audit account changes, run the following command: $ sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each). If the system is not configured to audit account changes, this is a finding.
Fix: F-9140r357642_fix
Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes: # audit_account_changes -w /etc/group -p wa -k audit_account_changes -w /etc/passwd -p wa -k audit_account_changes -w /etc/gshadow -p wa -k audit_account_changes -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes
- RMF Control
- AC-2
- Severity
- L
- CCI
- CCI-001403
- Version
- OL6-00-000175
- Vuln IDs
-
- V-208888
- V-51077
- Rule IDs
-
- SV-208888r603263_rule
- SV-65283
Checks: C-9141r357644_chk
To determine if the system is configured to audit account changes, run the following command: $sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each). If the system is not configured to audit account changes, this is a finding.
Fix: F-9141r357645_fix
Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes: # audit_account_changes -w /etc/group -p wa -k audit_account_changes -w /etc/passwd -p wa -k audit_account_changes -w /etc/gshadow -p wa -k audit_account_changes -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes
- RMF Control
- AC-2
- Severity
- L
- CCI
- CCI-001404
- Version
- OL6-00-000176
- Vuln IDs
-
- V-208889
- V-51083
- Rule IDs
-
- SV-208889r603263_rule
- SV-65291
Checks: C-9142r357647_chk
To determine if the system is configured to audit account changes, run the following command: $sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each). If the system is not configured to audit account changes, this is a finding.
Fix: F-9142r357648_fix
Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes: # audit_account_changes -w /etc/group -p wa -k audit_account_changes -w /etc/passwd -p wa -k audit_account_changes -w /etc/gshadow -p wa -k audit_account_changes -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes
- RMF Control
- AC-2
- Severity
- L
- CCI
- CCI-001405
- Version
- OL6-00-000177
- Vuln IDs
-
- V-208890
- V-51087
- Rule IDs
-
- SV-208890r603263_rule
- SV-65295
Checks: C-9143r357650_chk
To determine if the system is configured to audit account changes, run the following command: $sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each). If the system is not configured to audit account changes, this is a finding.
Fix: F-9143r357651_fix
Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes: # audit_account_changes -w /etc/group -p wa -k audit_account_changes -w /etc/passwd -p wa -k audit_account_changes -w /etc/gshadow -p wa -k audit_account_changes -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000182
- Vuln IDs
-
- V-208891
- V-51093
- Rule IDs
-
- SV-208891r603263_rule
- SV-65301
Checks: C-9144r357653_chk
If you are running x86_64 architecture, determine the values for sethostname: $ uname -m; ausyscall i386 sethostname; ausyscall x86_64 sethostname If the values returned are not identical verify that the system is configured to monitor network configuration changes for the i386 and x86_64 architectures: $ sudo egrep -w '(sethostname|setdomainname|/etc/issue|/etc/issue.net|/etc/hosts|/etc/sysconfig/network)' /etc/audit/audit.rules -a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications -w /etc/issue -p wa -k audit_network_modifications -w /etc/issue.net -p wa -k audit_network_modifications -w /etc/hosts -p wa -k audit_network_modifications -w /etc/sysconfig/network -p wa -k audit_network_modifications -a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_network_modifications -w /etc/issue -p wa -k audit_network_modifications -w /etc/issue.net -p wa -k audit_network_modifications -w /etc/hosts -p wa -k audit_network_modifications -w /etc/sysconfig/network -p wa -k audit_network_modifications If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit changes of the network configuration, this is a finding.
Fix: F-9144r364838_fix
Add the following to "/etc/audit/audit.rules": # audit_network_modifications -a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications -w /etc/issue -p wa -k audit_network_modifications -w /etc/issue.net -p wa -k audit_network_modifications -w /etc/hosts -p wa -k audit_network_modifications -w /etc/sysconfig/network -p wa -k audit_network_modifications If the system is 64-bit, then also add the following: # audit_network_modifications -a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_network_modifications
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000183
- Vuln IDs
-
- V-208892
- V-51171
- Rule IDs
-
- SV-208892r603263_rule
- SV-65381
Checks: C-9145r357656_chk
To determine if the system is configured to audit changes to its SELinux configuration files, run the following command: $ sudo grep -w "/etc/selinux" /etc/audit/audit.rules If the system is configured to watch for changes to its SELinux configuration, a line should be returned (including "-p wa" indicating permissions that are watched). If the system is not configured to audit attempts to change the MAC policy, this is a finding.
Fix: F-9145r357657_fix
Add the following to "/etc/audit/audit.rules": -w /etc/selinux/ -p wa -k MAC-policy
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000172
- Version
- OL6-00-000184
- Vuln IDs
-
- V-208893
- V-51169
- Rule IDs
-
- SV-208893r603263_rule
- SV-65379
Checks: C-9146r357659_chk
To determine if the system is configured to audit calls to the "chmod" system call, run the following command: $ sudo grep -w "chmod" /etc/audit/audit.rules -a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S chmod -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S chmod -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "chmod" system call, this is a finding.
Fix: F-9146r357660_fix
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S chmod -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S chmod -F auid=0 -k perm_mod
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000172
- Version
- OL6-00-000185
- Vuln IDs
-
- V-208894
- V-51167
- Rule IDs
-
- SV-208894r603263_rule
- SV-65377
Checks: C-9147r357662_chk
To determine if the system is configured to audit calls to the "chown" system call, run the following command: $ sudo grep -w "chown" /etc/audit/audit.rules -a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S chown -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "chown" system call, this is a finding.
Fix: F-9147r357663_fix
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S chown -F auid=0 -k perm_mod
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000172
- Version
- OL6-00-000186
- Vuln IDs
-
- V-208895
- V-51165
- Rule IDs
-
- SV-208895r603263_rule
- SV-65375
Checks: C-9148r357665_chk
To determine if the system is configured to audit calls to the "fchmod" system call, run the following command: $ sudo grep -w "fchmod" /etc/audit/audit.rules -a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "fchmod" system call, this is a finding.
Fix: F-9148r357666_fix
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_mod
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000172
- Version
- OL6-00-000187
- Vuln IDs
-
- V-208896
- V-51163
- Rule IDs
-
- SV-208896r603263_rule
- SV-65373
Checks: C-9149r357668_chk
To determine if the system is configured to audit calls to the "fchmodat" system call, run the following command: $ sudo grep -w "fchmodat" /etc/audit/audit.rules -a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "fchmodat" system call, this is a finding.
Fix: F-9149r357669_fix
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_mod
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000172
- Version
- OL6-00-000188
- Vuln IDs
-
- V-208897
- V-51161
- Rule IDs
-
- SV-208897r603263_rule
- SV-65371
Checks: C-9150r357671_chk
To determine if the system is configured to audit calls to the "fchown" system call, run the following command: $ sudo grep -w "fchown" /etc/audit/audit.rules -a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "fchown" system call, this is a finding.
Fix: F-9150r357672_fix
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_mod
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000172
- Version
- OL6-00-000189
- Vuln IDs
-
- V-208898
- V-51159
- Rule IDs
-
- SV-208898r603263_rule
- SV-65369
Checks: C-9151r357674_chk
To determine if the system is configured to audit calls to the "fchownat" system call, run the following command: $ sudo grep -w "fchownat" /etc/audit/audit.rules -a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "fchownat" system call, this is a finding.
Fix: F-9151r357675_fix
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_mod
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000172
- Version
- OL6-00-000190
- Vuln IDs
-
- V-208899
- V-51157
- Rule IDs
-
- SV-208899r603263_rule
- SV-65367
Checks: C-9152r357677_chk
To determine if the system is configured to audit calls to the "fremovexattr" system call, run the following command: $ sudo grep -w "fremovexattr" /etc/audit/audit.rules -a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "fremovexattr" system call, this is a finding.
Fix: F-9152r357678_fix
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000172
- Version
- OL6-00-000191
- Vuln IDs
-
- V-208900
- V-51155
- Rule IDs
-
- SV-208900r603263_rule
- SV-65365
Checks: C-9153r357680_chk
To determine if the system is configured to audit calls to the "fsetxattr" system call, run the following command: $ sudo grep -w "fsetxattr" /etc/audit/audit.rules -a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "fsetxattr" system call, this is a finding.
Fix: F-9153r357681_fix
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000172
- Version
- OL6-00-000192
- Vuln IDs
-
- V-208901
- V-51153
- Rule IDs
-
- SV-208901r603263_rule
- SV-65363
Checks: C-9154r357683_chk
To determine if the system is configured to audit calls to the "lchown" system call, run the following command: $ sudo grep -w "lchown" /etc/audit/audit.rules -a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "lchown" system call, this is a finding.
Fix: F-9154r357684_fix
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000172
- Version
- OL6-00-000193
- Vuln IDs
-
- V-208902
- V-51151
- Rule IDs
-
- SV-208902r603263_rule
- SV-65361
Checks: C-9155r357686_chk
To determine if the system is configured to audit calls to the "lremovexattr" system call, run the following command: $ sudo grep -w "lremovexattr" /etc/audit/audit.rules -a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "lremovexattr" system call, this is a finding.
Fix: F-9155r357687_fix
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000172
- Version
- OL6-00-000194
- Vuln IDs
-
- V-208903
- V-51149
- Rule IDs
-
- SV-208903r603263_rule
- SV-65359
Checks: C-9156r357689_chk
To determine if the system is configured to audit calls to the "lsetxattr" system call, run the following command: $ sudo grep -w "lsetxattr" /etc/audit/audit.rules -a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "lsetxattr" system call, this is a finding.
Fix: F-9156r357690_fix
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000172
- Version
- OL6-00-000195
- Vuln IDs
-
- V-208904
- V-51147
- Rule IDs
-
- SV-208904r603263_rule
- SV-65357
Checks: C-9157r357692_chk
To determine if the system is configured to audit calls to the "removexattr" system call, run the following command: $ sudo grep -w "removexattr" /etc/audit/audit.rules -a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "removexattr" system call, this is a finding.
Fix: F-9157r357693_fix
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000172
- Version
- OL6-00-000196
- Vuln IDs
-
- V-208905
- V-51145
- Rule IDs
-
- SV-208905r603263_rule
- SV-65355
Checks: C-9158r357695_chk
To determine if the system is configured to audit calls to the "setxattr" system call, run the following command: $ sudo grep -w "setxattr" /etc/audit/audit.rules -a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "setxattr" system call, this is a finding.
Fix: F-9158r357696_fix
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000172
- Version
- OL6-00-000197
- Vuln IDs
-
- V-208906
- V-51143
- Rule IDs
-
- SV-208906r603263_rule
- SV-65353
Checks: C-9159r357698_chk
To verify that the audit system collects unauthorized file accesses, run the following commands: # grep EACCES /etc/audit/audit.rules -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid=0 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid=0 -k access # grep EPERM /etc/audit/audit.rules -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid=0 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid=0 -k access If the system is 64-bit and does not return rules for both "b32" and "b64" architectures, this is a finding. If either command lacks output, this is a finding.
Fix: F-9159r357699_fix
At a minimum, the audit system should collect unauthorized file accesses for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid=0 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid=0 -k access If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid=0 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid=0 -k access
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000172
- Version
- OL6-00-000199
- Vuln IDs
-
- V-208907
- V-51139
- Rule IDs
-
- SV-208907r603263_rule
- SV-65349
Checks: C-9160r357701_chk
To verify that auditing is configured for all media exportation events, run the following command: $ sudo grep -w "mount" /etc/audit/audit.rules -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export -a always,exit -F arch=b32 -S mount -F auid=0 -k export -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export -a always,exit -F arch=b64 -S mount -F auid=0 -k export If the system is 64-bit and does not return rules for both "b32" and "b64" architectures, this is a finding. If no line is returned, this is a finding.
Fix: F-9160r357702_fix
At a minimum, the audit system should collect media exportation events for all users and root. Add the following to "/etc/audit/audit.rules: -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export -a always,exit -F arch=b32 -S mount -F auid=0 -k export If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export -a always,exit -F arch=b64 -S mount -F auid=0 -k export
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000172
- Version
- OL6-00-000200
- Vuln IDs
-
- V-208908
- V-51137
- Rule IDs
-
- SV-208908r603263_rule
- SV-65347
Checks: C-9161r357704_chk
To determine if the system is configured to audit user deletions of files and programs, run the following command: $ sudo egrep -w 'rmdir|unlink|unlinkat|rename|renameat' /etc/audit/audit.rules -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete If the system is 64-bit and does not return rules for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit "rmdir", this is a finding. If the system is not configured to audit "unlink", this is a finding. If the system is not configured to audit "unlinkat", this is a finding. If the system is not configured to audit "rename", this is a finding. If the system is not configured to audit "renameat", this is a finding. If no line is returned, this is a finding.
Fix: F-9161r357705_fix
At a minimum, the audit system should collect file deletion events for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000172
- Version
- OL6-00-000201
- Vuln IDs
-
- V-208909
- V-51135
- Rule IDs
-
- SV-208909r603263_rule
- SV-65345
Checks: C-9162r357707_chk
To verify that auditing is configured for system administrator actions, run the following command: $ sudo grep -w "/etc/sudoers" /etc/audit/audit.rules If the system is configured to watch for changes to its sudoers configuration, a line should be returned (including "-p wa" indicating permissions that are watched). If there is no output, this is a finding.
Fix: F-9162r357708_fix
At a minimum, the audit system should collect administrator actions for all users and root. Add the following to "/etc/audit/audit.rules": -w /etc/sudoers -p wa -k actions
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- OL6-00-000202
- Vuln IDs
-
- V-208910
- V-50545
- Rule IDs
-
- SV-208910r603263_rule
- SV-64751
Checks: C-9163r357710_chk
To determine if the system is configured to audit execution of module management programs, run the following commands: sudo egrep -e "(-w |-F path=)/sbin/insmod|(-w |-F path=)/sbin/rmmod|(-w |-F path=)/sbin/modprobe" /etc/audit/audit.rules -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules If "/sbin/insmod" is not being audited, this is a finding. If "/sbin/rmmod" is not being audited, this is a finding. If "/sbin/modprobe" is not being audited, this is a finding. To determine if the system is configured to audit calls to the "init_module" and "delete_module" system calls, run the following command: $ sudo egrep -w "init_module|delete_module" /etc/audit/audit.rules -a always,exit -F arch=b32 -S init_module -S delete_module -k modules -a always,exit -F arch=b64 -S init_module -S delete_module -k modules If the system is 64-bit and does not return rules for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit "init_module" this is a finding. If the system is not configured to audit "delete_module", this is a finding. If no line is returned, this is a finding.
Fix: F-9163r357711_fix
Add the following to "/etc/audit/audit.rules" in order to capture kernel module loading and unloading events: -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules -a always,exit -F arch=b32 -S init_module -S delete_module -k modules If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S init_module -S delete_module -k modules
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000382
- Version
- OL6-00-000203
- Vuln IDs
-
- V-208911
- V-50547
- Rule IDs
-
- SV-208911r603263_rule
- SV-64753
Checks: C-9164r357713_chk
If network services are using the xinetd service, this is not applicable. To check that the "xinetd" service is disabled in system boot configuration, run the following command: # chkconfig "xinetd" --list Output should indicate the "xinetd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "xinetd" --list "xinetd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "xinetd" is disabled through current runtime configuration: # service xinetd status If the service is disabled the command will return the following output: xinetd is stopped If the service is running, this is a finding.
Fix: F-9164r357714_fix
The "xinetd" service can be disabled with the following commands: # chkconfig xinetd off # service xinetd stop
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-000382
- Version
- OL6-00-000204
- Vuln IDs
-
- V-208912
- V-50549
- Rule IDs
-
- SV-208912r603263_rule
- SV-64755
Checks: C-9165r357716_chk
If network services are using the xinetd service, this is not applicable. Run the following command to determine if the "xinetd" package is installed: # rpm -q xinetd If the package is installed, this is a finding.
Fix: F-9165r357717_fix
The "xinetd" package can be uninstalled with the following command: # yum erase xinetd
- RMF Control
- CM-7
- Severity
- H
- CCI
- CCI-000381
- Version
- OL6-00-000206
- Vuln IDs
-
- V-208913
- V-50551
- Rule IDs
-
- SV-208913r603263_rule
- SV-64757
Checks: C-9166r357719_chk
Run the following command to determine if the "telnet-server" package is installed: # rpm -q telnet-server If the package is installed, this is a finding.
Fix: F-9166r357720_fix
The "telnet-server" package can be uninstalled with the following command: # yum erase telnet-server
- RMF Control
- CM-7
- Severity
- H
- CCI
- CCI-000381
- Version
- OL6-00-000213
- Vuln IDs
-
- V-208914
- V-50555
- Rule IDs
-
- SV-208914r603263_rule
- SV-64761
Checks: C-9167r357722_chk
Run the following command to determine if the "rsh-server" package is installed: # rpm -q rsh-server If the package is installed, this is a finding.
Fix: F-9167r357723_fix
The "rsh-server" package can be uninstalled with the following command: # yum erase rsh-server
- RMF Control
- AC-17
- Severity
- H
- CCI
- CCI-000068
- Version
- OL6-00-000214
- Vuln IDs
-
- V-208915
- V-50557
- Rule IDs
-
- SV-208915r603263_rule
- SV-64763
Checks: C-9168r357725_chk
To check that the "rsh" service is disabled in system boot configuration, run the following command: # chkconfig "rsh" --list Output should indicate the "rsh" service has either not been installed, or has been disabled, as shown in the example below: # chkconfig "rsh" --list rsh off OR error reading information on service rsh: No such file or directory If the service is running, this is a finding.
Fix: F-9168r357726_fix
The "rsh" service, which is available with the "rsh-server" package and runs as a service through xinetd, should be disabled. The "rsh" service can be disabled with the following command: # chkconfig rsh off
- RMF Control
- AC-17
- Severity
- H
- CCI
- CCI-000068
- Version
- OL6-00-000216
- Vuln IDs
-
- V-208916
- V-50559
- Rule IDs
-
- SV-208916r603263_rule
- SV-64765
Checks: C-9169r357728_chk
To check that the "rexec" service is disabled in system boot configuration, run the following command: # chkconfig "rexec" --list Output should indicate the "rexec" service has either not been installed, or has been disabled, as shown in the example below: # chkconfig "rexec" --list rexec off OR error reading information on service rexec: No such file or directory If the service is running, this is a finding.
Fix: F-9169r357729_fix
The "rexec" service, which is available with the "rsh-server" package and runs as a service through xinetd, should be disabled. The "rexec" service can be disabled with the following command: # chkconfig rexec off
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- OL6-00-000220
- Vuln IDs
-
- V-208917
- V-50563
- Rule IDs
-
- SV-208917r603263_rule
- SV-64769
Checks: C-9170r357731_chk
Run the following command to determine if the "ypserv" package is installed: # rpm -q ypserv If the package is installed, this is a finding.
Fix: F-9170r357732_fix
The "ypserv" package can be uninstalled with the following command: # yum erase ypserv
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000382
- Version
- OL6-00-000221
- Vuln IDs
-
- V-208918
- V-50565
- Rule IDs
-
- SV-208918r603263_rule
- SV-64771
Checks: C-9171r357734_chk
To check that the "ypbind" service is disabled in system boot configuration, run the following command: # chkconfig "ypbind" --list Output should indicate the "ypbind" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "ypbind" --list "ypbind" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "ypbind" is disabled through current runtime configuration: # service ypbind status If the service is disabled the command will return the following output: ypbind is stopped If the service is running, this is a finding.
Fix: F-9171r357735_fix
The "ypbind" service, which allows the system to act as a client in a NIS or NIS+ domain, should be disabled. The "ypbind" service can be disabled with the following commands: # chkconfig ypbind off # service ypbind stop
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- OL6-00-000222
- Vuln IDs
-
- V-208919
- V-50567
- Rule IDs
-
- SV-208919r603263_rule
- SV-64773
Checks: C-9172r357737_chk
Run the following command to determine if the "tftp-server" package is installed: # rpm -q tftp-server If the package is installed and not documented and approved by the ISSO, this is a finding.
Fix: F-9172r357738_fix
The "tftp-server" package can be removed with the following command: # yum erase tftp-server
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000224
- Vuln IDs
-
- V-208920
- V-50571
- Rule IDs
-
- SV-208920r603263_rule
- SV-64777
Checks: C-9173r357740_chk
Run the following command to determine the current status of the "crond" service: # service crond status If the service is enabled, it should return the following: crond is running... If the service is not running, this is a finding.
Fix: F-9173r357741_fix
The "crond" service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The "crond" service can be enabled with the following commands: # chkconfig crond on # service crond start
- RMF Control
- SC-10
- Severity
- L
- CCI
- CCI-001133
- Version
- OL6-00-000230
- Vuln IDs
-
- V-208921
- V-50575
- Rule IDs
-
- SV-208921r603340_rule
- SV-64781
Checks: C-9174r622242_chk
Run the following command to see what the timeout interval is: # grep ClientAliveInterval /etc/ssh/sshd_config ClientAliveInterval 600 If "ClientAliveInterval" has a value greater than "600", this is a finding.
Fix: F-9174r622243_fix
SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out. To set an idle timeout interval, edit the following line in "/etc/ssh/sshd_config" as follows: ClientAliveInterval [interval] The timeout [interval] is given in seconds. To have a timeout of ten minutes, set [interval] to 600. If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.
- RMF Control
- MA-4
- Severity
- L
- CCI
- CCI-000879
- Version
- OL6-00-000231
- Vuln IDs
-
- V-208922
- V-50577
- Rule IDs
-
- SV-208922r603263_rule
- SV-64783
Checks: C-9175r357746_chk
To ensure the SSH idle timeout will occur when the "ClientAliveCountMax" is set, run the following command: # grep ClientAliveCountMax /etc/ssh/sshd_config If properly configured, output should be: ClientAliveCountMax 0 If it is not, this is a finding.
Fix: F-9175r357747_fix
To ensure the SSH idle timeout occurs precisely when the "ClientAliveCountMax" is set, edit "/etc/ssh/sshd_config" as follows: ClientAliveCountMax 0
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000766
- Version
- OL6-00-000234
- Vuln IDs
-
- V-208923
- V-50579
- Rule IDs
-
- SV-208923r603263_rule
- SV-64785
Checks: C-9176r357749_chk
To determine how the SSH daemon's "IgnoreRhosts" option is set, run the following command: # grep -i IgnoreRhosts /etc/ssh/sshd_config If no line, a commented line, or a line indicating the value "yes" is returned, then the required value is set. If the required value is not set, this is a finding.
Fix: F-9176r357750_fix
SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via ".rhosts" files. To ensure this behavior is disabled, add or correct the following line in "/etc/ssh/sshd_config": IgnoreRhosts yes
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000766
- Version
- OL6-00-000236
- Vuln IDs
-
- V-208924
- V-50581
- Rule IDs
-
- SV-208924r603263_rule
- SV-64787
Checks: C-9177r357752_chk
To determine how the SSH daemon's "HostbasedAuthentication" option is set, run the following command: # grep -i HostbasedAuthentication /etc/ssh/sshd_config If no line, a commented line, or a line indicating the value "no" is returned, then the required value is set. If the required value is not set, this is a finding.
Fix: F-9177r357753_fix
SSH's cryptographic host-based authentication is more secure than ".rhosts" authentication, since hosts are cryptographically authenticated. However, it is not recommended that hosts unilaterally trust one another, even within an organization. To disable host-based authentication, add or correct the following line in "/etc/ssh/sshd_config": HostbasedAuthentication no
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000770
- Version
- OL6-00-000237
- Vuln IDs
-
- V-208925
- V-50799
- Rule IDs
-
- SV-208925r603263_rule
- SV-65005
Checks: C-9178r357755_chk
To determine how the SSH daemon's "PermitRootLogin" option is set, run the following command: # grep -i PermitRootLogin /etc/ssh/sshd_config If a line indicating "no" is returned, then the required value is set. If the required value is not set, this is a finding.
Fix: F-9178r357756_fix
The root user should never be allowed to log in to a system directly over a network. To disable root login via SSH, add or correct the following line in "/etc/ssh/sshd_config": PermitRootLogin no
- RMF Control
- IA-2
- Severity
- H
- CCI
- CCI-000766
- Version
- OL6-00-000239
- Vuln IDs
-
- V-208926
- V-50801
- Rule IDs
-
- SV-208926r603263_rule
- SV-65007
Checks: C-9179r357758_chk
To determine how the SSH daemon's "PermitEmptyPasswords" option is set, run the following command: # grep -i PermitEmptyPasswords /etc/ssh/sshd_config If no line, a commented line, or a line indicating the value "no" is returned, then the required value is set. If the required value is not set, this is a finding.
Fix: F-9179r357759_fix
To explicitly disallow remote login from accounts with empty passwords, add or correct the following line in "/etc/ssh/sshd_config": PermitEmptyPasswords no Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.
- RMF Control
- AC-8
- Severity
- M
- CCI
- CCI-000048
- Version
- OL6-00-000240
- Vuln IDs
-
- V-208927
- V-50803
- Rule IDs
-
- SV-208927r603263_rule
- SV-65009
Checks: C-9180r357761_chk
To determine how the SSH daemon's "Banner" option is set, run the following command: # grep -i Banner /etc/ssh/sshd_config If a line indicating /etc/issue is returned, then the required value is set. If the required value is not set, this is a finding.
Fix: F-9180r357762_fix
To enable the warning banner and ensure it is consistent across the system, add or correct the following line in "/etc/ssh/sshd_config": Banner /etc/issue Another section contains information on how to create an appropriate system-wide warning banner.
- RMF Control
- AC-4
- Severity
- L
- CCI
- CCI-001414
- Version
- OL6-00-000241
- Vuln IDs
-
- V-208928
- V-50805
- Rule IDs
-
- SV-208928r603263_rule
- SV-65011
Checks: C-9181r357764_chk
To ensure users are not able to present environment daemons, run the following command: # grep PermitUserEnvironment /etc/ssh/sshd_config If properly configured, output should be: PermitUserEnvironment no If it is not, this is a finding.
Fix: F-9181r357765_fix
To ensure users are not able to present environment options to the SSH daemon, add or correct the following line in "/etc/ssh/sshd_config": PermitUserEnvironment no
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000246
- Vuln IDs
-
- V-208929
- V-50809
- Rule IDs
-
- SV-208929r603263_rule
- SV-65015
Checks: C-9182r357767_chk
To check that the "avahi-daemon" service is disabled in system boot configuration, run the following command: # chkconfig "avahi-daemon" --list Output should indicate the "avahi-daemon" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "avahi-daemon" --list "avahi-daemon" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "avahi-daemon" is disabled through current runtime configuration: # service avahi-daemon status If the service is disabled the command will return the following output: avahi-daemon is stopped If the service is running, this is a finding.
Fix: F-9182r357768_fix
The "avahi-daemon" service can be disabled with the following commands: # chkconfig avahi-daemon off # service avahi-daemon stop
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000382
- Version
- OL6-00-000249
- Vuln IDs
-
- V-208930
- V-50815
- Rule IDs
-
- SV-208930r603263_rule
- SV-65021
Checks: C-9183r357770_chk
If the system is an authorized mail relay host, this is not applicable. Run the following command to ensure postfix accepts mail messages from only the local system: $ grep inet_interfaces /etc/postfix/main.cf If properly configured, the output should show only "localhost". If it does not, this is a finding.
Fix: F-9183r357771_fix
Edit the file "/etc/postfix/main.cf" to ensure that only the following "inet_interfaces" line appears: inet_interfaces = localhost
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-001453
- Version
- OL6-00-000252
- Vuln IDs
-
- V-208931
- V-50817
- Rule IDs
-
- SV-208931r603263_rule
- SV-65023
Checks: C-9184r357773_chk
If the system does not use LDAP for authentication or account information, this is not applicable. To ensure LDAP is configured to use TLS for all transactions, run the following command: $ grep start_tls /etc/pam_ldap.conf If no lines are returned, this is a finding.
Fix: F-9184r357774_fix
Configure LDAP to enforce TLS use. First, edit the file "/etc/pam_ldap.conf", and add or correct the following lines: ssl start_tls Then review the LDAP server and ensure TLS has been configured.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000256
- Vuln IDs
-
- V-208932
- V-50821
- Rule IDs
-
- SV-208932r603263_rule
- SV-65027
Checks: C-9185r357776_chk
To verify the "openldap-servers" package is not installed, run the following command: $ rpm -q openldap-servers The output should show the following. package openldap-servers is not installed If it does not, this is a finding.
Fix: F-9185r357777_fix
The "openldap-servers" package should be removed if not in use. Is this machine the OpenLDAP server? If not, remove the package. # yum erase openldap-servers The openldap-servers RPM may be installed. It is needed only by the OpenLDAP server, not by clients which use LDAP for authentication. If the system is not intended for use as an LDAP server, it should be removed.
- RMF Control
- AC-11
- Severity
- M
- CCI
- CCI-000057
- Version
- OL6-00-000257
- Vuln IDs
-
- V-208933
- V-50823
- Rule IDs
-
- SV-208933r603263_rule
- SV-65029
Checks: C-9186r357779_chk
If the GConf2 package is not installed, this is not applicable. To check the current idle time-out value, run the following command: $ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/idle_delay If properly configured, the output should be "15". If it is not, this is a finding.
Fix: F-9186r357780_fix
Run the following command to set the idle time-out value for inactivity in the GNOME desktop to 15 minutes: # gconftool-2 \ --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type int \ --set /apps/gnome-screensaver/idle_delay 15
- RMF Control
- AC-11
- Severity
- M
- CCI
- CCI-000057
- Version
- OL6-00-000258
- Vuln IDs
-
- V-208934
- V-50825
- Rule IDs
-
- SV-208934r603263_rule
- SV-65031
Checks: C-9187r357782_chk
If the GConf2 package is not installed, this is not applicable. To check the screensaver mandatory use status, run the following command: $ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/idle_activation_enabled If properly configured, the output should be "true". If it is not, this is a finding.
Fix: F-9187r357783_fix
Run the following command to activate the screensaver in the GNOME desktop after a period of inactivity: # gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/gnome-screensaver/idle_activation_enabled true
- RMF Control
- AC-11
- Severity
- M
- CCI
- CCI-000057
- Version
- OL6-00-000259
- Vuln IDs
-
- V-208935
- V-50827
- Rule IDs
-
- SV-208935r603263_rule
- SV-65033
Checks: C-9188r357785_chk
If the GConf2 package is not installed, this is not applicable. To check the status of the idle screen lock activation, run the following command: $ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/lock_enabled If properly configured, the output should be "true". If it is not, this is a finding.
Fix: F-9188r357786_fix
Run the following command to activate locking of the screensaver in the GNOME desktop when it is activated: # gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/gnome-screensaver/lock_enabled true
- RMF Control
- AC-11
- Severity
- L
- CCI
- CCI-000060
- Version
- OL6-00-000260
- Vuln IDs
-
- V-208936
- V-50829
- Rule IDs
-
- SV-208936r603263_rule
- SV-65035
Checks: C-9189r357788_chk
If the GConf2 package is not installed, this is not applicable. To ensure the screensaver is configured to be blank, run the following command: $ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/mode If properly configured, the output should be "blank-only". If it is not, this is a finding.
Fix: F-9189r357789_fix
Run the following command to set the screensaver mode in the GNOME desktop to a blank screen: # gconftool-2 \ --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type string \ --set /apps/gnome-screensaver/mode blank-only
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-000382
- Version
- OL6-00-000261
- Vuln IDs
-
- V-208937
- V-50831
- Rule IDs
-
- SV-208937r603263_rule
- SV-65037
Checks: C-9190r357791_chk
To check that the "abrtd" service is disabled in system boot configuration, run the following command: # chkconfig "abrtd" --list Output should indicate the "abrtd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "abrtd" --list "abrtd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "abrtd" is disabled through current runtime configuration: # service abrtd status If the service is disabled the command will return the following output: abrtd is stopped If the service is running, this is a finding.
Fix: F-9190r357792_fix
The Automatic Bug Reporting Tool ("abrtd") daemon collects and reports crash data when an application crash is detected. Using a variety of plugins, abrtd can email crash reports to system administrators, log crash reports to files, or forward crash reports to a centralized issue-tracking system such as the operating system vendor's centralized issue-tracking system. The "abrtd" service can be disabled with the following commands: # chkconfig abrtd off # service abrtd stop
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-000382
- Version
- OL6-00-000262
- Vuln IDs
-
- V-208938
- V-50835
- Rule IDs
-
- SV-208938r603263_rule
- SV-65041
Checks: C-9191r357794_chk
If the system requires the use of the "atd" service to support an organizational requirement, this is not applicable. To check that the "atd" service is disabled in system boot configuration, run the following command: # chkconfig "atd" --list Output should indicate the "atd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "atd" --list "atd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "atd" is disabled through current runtime configuration: # service atd status If the service is disabled the command will return the following output: atd is stopped If the service is running, this is a finding.
Fix: F-9191r357795_fix
The "at" and "batch" commands can be used to schedule tasks that are meant to be executed only once. This allows delayed execution in a manner similar to cron, except that it is not recurring. The daemon "atd" keeps track of tasks scheduled via "at" and "batch", and executes them at the specified time. The "atd" service can be disabled with the following commands: # chkconfig atd off # service atd stop
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-000382
- Version
- OL6-00-000265
- Vuln IDs
-
- V-208939
- V-50837
- Rule IDs
-
- SV-208939r603263_rule
- SV-65043
Checks: C-9192r357797_chk
To check that the "ntpdate" service is disabled in system boot configuration, run the following command: # chkconfig "ntpdate" --list Output should indicate the "ntpdate" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "ntpdate" --list "ntpdate" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "ntpdate" is disabled through current runtime configuration: # service ntpdate status If the service is disabled the command will return the following output: ntpdate is stopped If the service is running, this is a finding.
Fix: F-9192r357798_fix
The ntpdate service sets the local hardware clock by polling NTP servers when the system boots. It synchronizes to the NTP servers listed in "/etc/ntp/step-tickers" or "/etc/ntp.conf" and then sets the local hardware clock to the newly synchronized system time. The "ntpdate" service can be disabled with the following commands: # chkconfig ntpdate off # service ntpdate stop
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-000382
- Version
- OL6-00-000266
- Vuln IDs
-
- V-208940
- V-50839
- Rule IDs
-
- SV-208940r603263_rule
- SV-65045
Checks: C-9193r357800_chk
To check that the "oddjobd" service is disabled in system boot configuration, run the following command: # chkconfig "oddjobd" --list Output should indicate the "oddjobd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "oddjobd" --list "oddjobd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "oddjobd" is disabled through current runtime configuration: # service oddjobd status If the service is disabled the command will return the following output: oddjobd is stopped If the service is running, this is a finding.
Fix: F-9193r357801_fix
The "oddjobd" service exists to provide an interface and access control mechanism through which specified privileged tasks can run tasks for unprivileged client applications. Communication with "oddjobd" is through the system message bus. The "oddjobd" service can be disabled with the following commands: # chkconfig oddjobd off # service oddjobd stop
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-000382
- Version
- OL6-00-000267
- Vuln IDs
-
- V-208941
- V-50841
- Rule IDs
-
- SV-208941r603263_rule
- SV-65047
Checks: C-9194r357803_chk
To check that the "qpidd" service is disabled in system boot configuration, run the following command: # chkconfig "qpidd" --list Output should indicate the "qpidd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "qpidd" --list "qpidd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "qpidd" is disabled through current runtime configuration: # service qpidd status If the service is disabled the command will return the following output: qpidd is stopped If the service is running, this is a finding.
Fix: F-9194r357804_fix
The "qpidd" service provides high speed, secure, guaranteed delivery services. It is an implementation of the Advanced Message Queuing Protocol. By default the qpidd service will bind to port 5672 and listen for connection attempts. The "qpidd" service can be disabled with the following commands: # chkconfig qpidd off # service qpidd stop
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-000382
- Version
- OL6-00-000268
- Vuln IDs
-
- V-208942
- V-50843
- Rule IDs
-
- SV-208942r603263_rule
- SV-65049
Checks: C-9195r357806_chk
To check that the "rdisc" service is disabled in system boot configuration, run the following command: # chkconfig "rdisc" --list Output should indicate the "rdisc" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "rdisc" --list "rdisc" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "rdisc" is disabled through current runtime configuration: # service rdisc status If the service is disabled the command will return the following output: rdisc is stopped If the service is running, this is a finding.
Fix: F-9195r357807_fix
The "rdisc" service implements the client side of the ICMP Internet Router Discovery Protocol (IRDP), which allows discovery of routers on the local subnet. If a router is discovered then the local routing table is updated with a corresponding default route. By default this daemon is disabled. The "rdisc" service can be disabled with the following commands: # chkconfig rdisc off # service rdisc stop
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000269
- Vuln IDs
-
- V-209008
- V-50845
- Rule IDs
-
- SV-209008r603263_rule
- SV-65051
Checks: C-9261r357809_chk
To verify the "nodev" option is configured for all NFS mounts, run the following command: $ mount | grep nfs All NFS mounts should show the "nodev" setting in parentheses, along with other mount options. If the setting does not show, this is a finding.
Fix: F-9261r357810_fix
Add the "nodev" option to the fourth column of "/etc/fstab" for the line which controls mounting of any NFS mounts.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000270
- Vuln IDs
-
- V-209009
- V-50847
- Rule IDs
-
- SV-209009r603263_rule
- SV-65053
Checks: C-9262r357812_chk
To verify the "nosuid" option is configured for all NFS mounts, run the following command: $ mount | grep nfs All NFS mounts should show the "nosuid" setting in parentheses, along with other mount options. If the setting does not show, this is a finding.
Fix: F-9262r357813_fix
Add the "nosuid" option to the fourth column of "/etc/fstab" for the line which controls mounting of any NFS mounts.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000272
- Vuln IDs
-
- V-209010
- V-50851
- Rule IDs
-
- SV-209010r603263_rule
- SV-65057
Checks: C-9263r357815_chk
To verify that Samba clients running smbclient must use packet signing, run the following command: # grep signing /etc/samba/smb.conf The output should show: client signing = mandatory If it is not, this is a finding.
Fix: F-9263r357816_fix
To require samba clients running "smbclient" to use packet signing, add the following to the "[global]" section of the Samba configuration file in "/etc/samba/smb.conf": client signing = mandatory Requiring samba clients such as "smbclient" to use packet signing ensures they can only communicate with servers that support packet signing.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000273
- Vuln IDs
-
- V-209011
- V-50853
- Rule IDs
-
- SV-209011r603263_rule
- SV-65059
Checks: C-9264r357818_chk
If Samba is not in use, this is not applicable. To verify that Samba clients using mount.cifs must use packet signing, run the following command: # grep sec /etc/fstab /etc/mtab The output should show either "krb5i" or "ntlmv2i" in use. If it does not, this is a finding.
Fix: F-9264r357819_fix
Require packet signing of clients who mount Samba shares using the "mount.cifs" program (e.g., those who specify shares in "/etc/fstab"). To do so, ensure signing options (either "sec=krb5i" or "sec=ntlmv2i") are used. See the "mount.cifs(8)" man page for more information. A Samba client should only communicate with servers who can support SMB packet signing.
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000200
- Version
- OL6-00-000274
- Vuln IDs
-
- V-209012
- V-50855
- Rule IDs
-
- SV-209012r603263_rule
- SV-65061
Checks: C-9265r357821_chk
To verify the password reuse setting is compliant, run the following command: # grep remember /etc/pam.d/system-auth /etc/pam.d/password-auth The output must be a line beginning with "password required pam_pwhistory.so" and ending with "remember=5". If the line is commented out, the line does not contain the specified elements, or the value for "remember" is less than “5”, this is a finding.
Fix: F-9265r357822_fix
Do not allow users to reuse recent passwords. This can be accomplished by using the "remember" option for the "pam_pwhistory" PAM module. In the file "/etc/pam.d/system-auth", append "remember=5" to the line which refers to the "pam_pwhistory.so" module, as shown: password required pam_pwhistory.so [existing_options] remember=5 The DoD requirement is five passwords.
- RMF Control
- SC-28
- Severity
- L
- CCI
- CCI-001199
- Version
- OL6-00-000276
- Vuln IDs
-
- V-209013
- V-50859
- Rule IDs
-
- SV-209013r603263_rule
- SV-65065
Checks: C-9266r357824_chk
Determine if encryption must be used to protect data on the system. If encryption must be used and is not employed, this is a finding.
Fix: F-9266r357825_fix
The operating system natively supports partition encryption through the Linux Unified Key Setup (LUKS) on-disk-format technology. The easiest way to encrypt a partition is during installation time. For manual installations, select the "Encrypt" checkbox during partition creation to encrypt the partition. When this option is selected, the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots. For automated/unattended installations, it is possible to use Kickstart by adding the "--encrypted" and "--passphrase=" options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition: part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=[PASSPHRASE] Any [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the "--passphrase=" option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation. Detailed information on encrypting partitions using LUKS can be found in the Oracle Linux documentation at: http://docs.oracle.com/cd/E37670_01/E36387/html/index.html Additional information is available from: http://linux.oracle.com/documentation/OL6/Red_Hat_Enterprise_Linux-6-Security_Guide-en-US.pdf
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-001493
- Version
- OL6-00-000278
- Vuln IDs
-
- V-209014
- V-50863
- Rule IDs
-
- SV-209014r603263_rule
- SV-65069
Checks: C-9267r357827_chk
The following command will list which audit files on the system have permissions different from what is expected by the RPM database: # rpm -V audit | grep '^.M' If there is any output, for each file or directory found, compare the RPM-expected permissions with the permissions on the file or directory: # rpm -q --queryformat "[%{FILENAMES} %{FILEMODES:perms}\n]" audit | grep [filename] # ls -lL [filename] If the existing permissions are more permissive than those expected by RPM, this is a finding.
Fix: F-9267r357828_fix
The RPM package management system can restore file access permissions of the audit package files and directories. The following command will update audit files with permissions different from what is expected by the RPM database: # rpm --setperms audit
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-001494
- Version
- OL6-00-000279
- Vuln IDs
-
- V-209015
- V-50865
- Rule IDs
-
- SV-209015r603263_rule
- SV-65071
Checks: C-9268r357830_chk
The following command will list which audit files on the system have ownership different from what is expected by the RPM database: # rpm -V audit | grep '^.....U' If there is output, this is a finding.
Fix: F-9268r357831_fix
The RPM package management system can restore file ownership of the audit package files and directories. The following command will update audit files with ownership different from what is expected by the RPM database: # rpm --setugids audit
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-001495
- Version
- OL6-00-000280
- Vuln IDs
-
- V-209016
- V-50867
- Rule IDs
-
- SV-209016r603263_rule
- SV-65073
Checks: C-9269r357833_chk
The following command will list which audit files on the system have group-ownership different from what is expected by the RPM database: # rpm -V audit | grep '^......G' If there is output, this is a finding.
Fix: F-9269r357834_fix
The RPM package management system can restore file group-ownership of the audit package files and directories. The following command will update audit files with group-ownership different from what is expected by the RPM database: # rpm --setugids audit
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-001496
- Version
- OL6-00-000281
- Vuln IDs
-
- V-209017
- V-50869
- Rule IDs
-
- SV-209017r603263_rule
- SV-65075
Checks: C-9270r357836_chk
The following command will list which audit files on the system have file hashes different from what is expected by the RPM database. # rpm -V audit | awk '$1 ~ /..5/ && $2 != "c"' If there is output, this is a finding.
Fix: F-9270r357837_fix
The RPM package management system can check the hashes of audit system package files. Run the following command to list which audit files on the system have hashes that differ from what is expected by the RPM database: # rpm -V audit | grep '^..5' A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file that has changed was not expected to then refresh from distribution media or online repositories. rpm -Uvh [affected_package] OR yum reinstall [affected_package]
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000282
- Vuln IDs
-
- V-209018
- V-50871
- Rule IDs
-
- SV-209018r603263_rule
- SV-65077
Checks: C-9271r357839_chk
To find world-writable files, run the following command for each local partition [PART], excluding special filesystems such as /selinux, /proc, or /sys: # find [PART] -xdev -type f -perm -002 If there is output, this is a finding.
Fix: F-9271r357840_fix
It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account.
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- OL6-00-000286
- Vuln IDs
-
- V-209019
- V-50877
- Rule IDs
-
- SV-209019r603263_rule
- SV-65083
Checks: C-9272r357842_chk
To ensure the system is configured to log a message instead of rebooting the system when “Ctrl-Alt-Delete” is pressed, ensure the following line is in "/etc/init/control-alt-delete.override": exec /usr/bin/logger -p authpriv.notice "Ctrl-Alt-Delete pressed" If the system is not configured to block the shutdown command when “Ctrl-Alt-Delete” is pressed, this is a finding.
Fix: F-9272r357843_fix
By default, the system includes the following line in "/etc/init/control-alt-delete.conf" to reboot the system when the “Ctrl-Alt-Delete” key sequence is pressed: exec /sbin/shutdown -r now "Ctrl-Alt-Delete pressed" To configure the system to log a message instead of rebooting the system, add the following line to "/etc/init/control-alt-delete.override" to read as follows: exec /usr/bin/logger -p authpriv.notice "Ctrl-Alt-Delete pressed"
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000287
- Vuln IDs
-
- V-209020
- V-50879
- Rule IDs
-
- SV-209020r603263_rule
- SV-65085
Checks: C-9273r357845_chk
Run the following command to determine the current status of the "postfix" service: # service postfix status If the service is enabled, it should return the following: postfix is running... If the service is not enabled, this is a finding.
Fix: F-9273r357846_fix
The Postfix mail transfer agent is used for local mail delivery within the system. The default configuration only listens for connections to the default SMTP port (port 25) on the loopback interface (127.0.0.1). It is recommended to leave this service enabled for local mail delivery. The "postfix" service can be enabled with the following command: # chkconfig postfix on # service postfix start
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000288
- Vuln IDs
-
- V-209021
- V-50881
- Rule IDs
-
- SV-209021r603263_rule
- SV-65087
Checks: C-9274r357848_chk
Run the following command to determine if the "sendmail" package is installed: # rpm -q sendmail If the package is installed, this is a finding.
Fix: F-9274r357849_fix
Sendmail is not the default mail transfer agent and is not installed by default. The "sendmail" package can be removed with the following command: # yum erase sendmail
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-000382
- Version
- OL6-00-000289
- Vuln IDs
-
- V-209022
- V-50883
- Rule IDs
-
- SV-209022r603263_rule
- SV-65089
Checks: C-9275r357851_chk
To check that the "netconsole" service is disabled in system boot configuration, run the following command: # chkconfig "netconsole" --list Output should indicate the "netconsole" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "netconsole" --list "netconsole" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "netconsole" is disabled through current runtime configuration: # service netconsole status If the service is disabled the command will return the following output: netconsole is stopped If the service is running, this is a finding.
Fix: F-9275r357852_fix
The "netconsole" service is responsible for loading the netconsole kernel module, which logs kernel printk messages over UDP to a syslog server. This allows debugging of problems where disk logging fails and serial consoles are impractical. The "netconsole" service can be disabled with the following commands: # chkconfig netconsole off # service netconsole stop
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000291
- Vuln IDs
-
- V-209023
- V-50887
- Rule IDs
-
- SV-209023r603263_rule
- SV-65093
Checks: C-9276r357854_chk
To ensure the X Windows package group is removed, run the following command: $ rpm -qi xorg-x11-server-common The output should be: package xorg-x11-server-common is not installed If it is not, this is a finding.
Fix: F-9276r357855_fix
Removing all packages which constitute the X Window System ensures users or malicious software cannot start X. To do so, run the following command: # yum groupremove "X Window System"
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000292
- Vuln IDs
-
- V-209024
- V-50889
- Rule IDs
-
- SV-209024r603263_rule
- SV-65095
Checks: C-9277r357857_chk
To verify that DHCP is not being used, examine the following file for each interface. # /etc/sysconfig/network-scripts/ifcfg-[IFACE] If there is any network interface without a associated "ifcfg" file, this is a finding. Look for the following: BOOTPROTO=none Also verify the following, substituting the appropriate values based on your site's addressing scheme: NETMASK=[local LAN netmask] IPADDR=[assigned IP address] GATEWAY=[local LAN default gateway] If it does not, this is a finding.
Fix: F-9277r357858_fix
For each interface [IFACE] on the system (e.g. eth0), edit "/etc/sysconfig/network-scripts/ifcfg-[IFACE]" and make the following changes. Correct the BOOTPROTO line to read: BOOTPROTO=none Add or correct the following lines, substituting the appropriate values based on your site's addressing scheme: NETMASK=[local LAN netmask] IPADDR=[assigned IP address] GATEWAY=[local LAN default gateway]
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000294
- Vuln IDs
-
- V-209025
- V-50973
- Rule IDs
-
- SV-209025r603263_rule
- SV-65179
Checks: C-9278r357860_chk
To ensure all GIDs referenced in /etc/passwd are defined in /etc/group, run the following command: # pwck -r | grep 'no group' There should be no output. If there is output, this is a finding.
Fix: F-9278r357861_fix
Add a group to the system for each GID referenced without a corresponding group.
- RMF Control
- IA-8
- Severity
- L
- CCI
- CCI-000804
- Version
- OL6-00-000296
- Vuln IDs
-
- V-209026
- V-50985
- Rule IDs
-
- SV-209026r603263_rule
- SV-65191
Checks: C-9279r357863_chk
Run the following command to check for duplicate account names: # pwck -rq If there are no duplicate names, no line will be returned. If a line is returned, this is a finding.
Fix: F-9279r357864_fix
Change usernames, or delete accounts, so each has a unique name.
- RMF Control
- AC-2
- Severity
- L
- CCI
- CCI-000016
- Version
- OL6-00-000297
- Vuln IDs
-
- V-209027
- V-50991
- Rule IDs
-
- SV-209027r603263_rule
- SV-65197
Checks: C-9280r357866_chk
For every temporary account, run the following command to obtain its account aging and expiration information: # chage -l [USER] Verify each of these accounts has an expiration date set as documented. If any temporary accounts have no expiration date set or do not expire within a documented time frame, this is a finding.
Fix: F-9280r357867_fix
In the event temporary accounts are required, configure the system to terminate them after a documented time period. For every temporary account, run the following command to set an expiration date on it, substituting "[USER]" and "[YYYY-MM-DD]" appropriately: # chage -E [YYYY-MM-DD] [USER] "[YYYY-MM-DD]" indicates the documented expiration date for the account.
- RMF Control
- AC-2
- Severity
- L
- CCI
- CCI-001682
- Version
- OL6-00-000298
- Vuln IDs
-
- V-209028
- V-50993
- Rule IDs
-
- SV-209028r603263_rule
- SV-65199
Checks: C-9281r357869_chk
For every emergency account, run the following command to obtain its account aging and expiration information: # chage -l [USER] Verify each of these accounts has an expiration date set as documented. If any emergency accounts have no expiration date set or do not expire within a documented time frame, this is a finding.
Fix: F-9281r357870_fix
In the event emergency accounts are required, configure the system to terminate them after a documented time period. For every emergency account, run the following command to set an expiration date on it, substituting "[USER]" and "[YYYY-MM-DD]" appropriately: # chage -E [YYYY-MM-DD] [USER] "[YYYY-MM-DD]" indicates the documented expiration date for the account.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000299
- Vuln IDs
-
- V-209029
- V-50995
- Rule IDs
-
- SV-209029r603263_rule
- SV-65201
Checks: C-9282r357872_chk
To check the maximum value for consecutive repeating characters, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth Look for the value of the "maxrepeat" parameter. The DoD requirement is “3”. If "maxrepeat" is not found, is set to zero, or is set to a value greater than “3”, this is a finding.
Fix: F-9282r357873_fix
The pam_cracklib module's ”maxrepeat” parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords that contain more than the number of consecutive characters. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "maxrepeat=3" after pam_cracklib.so to prevent a run of (3 + 1) or more identical characters. password required pam_cracklib.so maxrepeat=3
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000308
- Vuln IDs
-
- V-209030
- V-51041
- Rule IDs
-
- SV-209030r603263_rule
- SV-65247
Checks: C-9283r357875_chk
To verify that core dumps are disabled for all users, run the following command: $ grep core /etc/security/limits.conf /etc/security/limits.d/*.conf The output should be: * hard core 0 If it is not, this is a finding.
Fix: F-9283r357876_fix
To disable core dumps for all users, add the following line to "/etc/security/limits.conf": * hard core 0
- RMF Control
- IA-2
- Severity
- H
- CCI
- CCI-000764
- Version
- OL6-00-000309
- Vuln IDs
-
- V-209031
- V-51047
- Rule IDs
-
- SV-209031r603263_rule
- SV-65253
Checks: C-9284r357878_chk
To verify insecure file locking has been disabled, run the following command: # grep insecure_locks /etc/exports If there is output, this is a finding.
Fix: F-9284r357879_fix
By default the NFS server requires secure file-lock requests, which require credentials from the client in order to lock a file. Most NFS clients send credentials with file lock requests, however, there are a few clients that do not send credentials when requesting a file-lock, allowing the client to only be able to lock world-readable files. To get around this, the "insecure_locks" option can be used so these clients can access the desired export. This poses a security risk by potentially allowing the client access to data for which it does not have authorization. Remove any instances of the "insecure_locks" option from the file "/etc/exports".
- RMF Control
- AU-5
- Severity
- M
- CCI
- CCI-000139
- Version
- OL6-00-000313
- Vuln IDs
-
- V-209032
- V-51057
- Rule IDs
-
- SV-209032r603263_rule
- SV-65263
Checks: C-9285r357881_chk
Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to send email to an account when it needs to notify an administrator: action_mail_acct = root If auditd is not configured to send emails per identified actions, this is a finding.
Fix: F-9285r357882_fix
The "auditd" service can be configured to send email to a designated account in certain situations. Add or correct the following line in "/etc/audit/auditd.conf" to ensure that administrators are notified via email for those situations: action_mail_acct = root
- RMF Control
- AC-10
- Severity
- L
- CCI
- CCI-000054
- Version
- OL6-00-000319
- Vuln IDs
-
- V-209033
- V-51115
- Rule IDs
-
- SV-209033r603263_rule
- SV-65325
Checks: C-9286r357884_chk
Run the following command to ensure the "maxlogins" value is configured for all users on the system: $ grep "maxlogins" /etc/security/limits.conf /etc/security/limits.d/*.conf You should receive output similar to the following: * hard maxlogins 10 If it is not similar, this is a finding.
Fix: F-9286r357885_fix
Limiting the number of allowed users and sessions per user can limit risks related to denial of service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. To set the number of concurrent sessions per user add the following line in "/etc/security/limits.conf": * hard maxlogins 10 A documented site-defined number may be substituted for 10 in the above.
- RMF Control
- AC-8
- Severity
- M
- CCI
- CCI-000050
- Version
- OL6-00-000324
- Vuln IDs
-
- V-209034
- V-51123
- Rule IDs
-
- SV-209034r603263_rule
- SV-65333
Checks: C-9287r357887_chk
If the GConf2 package is not installed, this is not applicable. To ensure a login warning banner is enabled, run the following: $ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gdm/simple-greeter/banner_message_enable Search for the "banner_message_enable" schema. If properly configured, the "default" value should be "true". If it is not, this is a finding.
Fix: F-9287r357888_fix
To enable displaying a login warning banner in the GNOME Display Manager's login screen, run the following command: # gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/gdm/simple-greeter/banner_message_enable true To display a banner, this setting must be enabled and then banner text must also be set.
- RMF Control
- AC-8
- Severity
- M
- CCI
- CCI-001388
- Version
- OL6-00-000326
- Vuln IDs
-
- V-209035
- V-51125
- Rule IDs
-
- SV-209035r603263_rule
- SV-65335
Checks: C-9288r357890_chk
If the GConf2 package is not installed, this is not applicable. To ensure login warning banner text is properly set, run the following: $ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gdm/simple-greeter/banner_message_text If properly configured, the proper banner text will appear within this schema. The DoD required text is either: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." OR: "I've read & consent to terms in IS user agreem't." If the DoD required banner text does not appear in the schema, this is a finding.
Fix: F-9288r357891_fix
To set the text shown by the GNOME Display Manager in the login screen, run the following command: # gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type string \ --set /apps/gdm/simple-greeter/banner_message_text \ "[DoD required text]" Where the DoD required text is either: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." OR: "I've read & consent to terms in IS user agreem't." When entering a warning banner that spans several lines, remember to begin and end the string with """. This command writes directly to the file "/etc/gconf/gconf.xml.mandatory/apps/gdm/simple-greeter/%gconf.xml", and this file can later be edited directly if necessary.
- RMF Control
- AC-2
- Severity
- L
- CCI
- CCI-000017
- Version
- OL6-00-000334
- Vuln IDs
-
- V-209036
- V-51129
- Rule IDs
-
- SV-209036r603263_rule
- SV-65339
Checks: C-9289r357893_chk
To verify the "INACTIVE" setting, run the following command: grep "INACTIVE" /etc/default/useradd The output should indicate the "INACTIVE" configuration option is set to an appropriate integer as shown in the example below: # grep "INACTIVE" /etc/default/useradd INACTIVE=35 If it does not, this is a finding.
Fix: F-9289r357894_fix
To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in "/etc/default/useradd", substituting "[NUM_DAYS]" appropriately: INACTIVE=[NUM_DAYS] A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the "useradd" man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.
- RMF Control
- IA-4
- Severity
- L
- CCI
- CCI-000795
- Version
- OL6-00-000335
- Vuln IDs
-
- V-209037
- V-51131
- Rule IDs
-
- SV-209037r603263_rule
- SV-65341
Checks: C-9290r357896_chk
To verify the "INACTIVE" setting, run the following command: grep "INACTIVE" /etc/default/useradd The output should indicate the "INACTIVE" configuration option is set to an appropriate integer as shown in the example below: # grep "INACTIVE" /etc/default/useradd INACTIVE=35 If it does not, this is a finding.
Fix: F-9290r357897_fix
To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in "/etc/default/useradd", substituting "[NUM_DAYS]" appropriately: INACTIVE=[NUM_DAYS] A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the "useradd" man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000336
- Vuln IDs
-
- V-209038
- V-51133
- Rule IDs
-
- SV-209038r603263_rule
- SV-65343
Checks: C-9291r357899_chk
To find world-writable directories that lack the sticky bit, run the following command for each local partition [PART]: # find [PART] -xdev -type d -perm -002 ! -perm -1000 If any world-writable directories are missing the sticky bit, this is a finding.
Fix: F-9291r357900_fix
When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes. To set the sticky bit on a world-writable directory [DIR], run the following command: # chmod +t [DIR]
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000337
- Vuln IDs
-
- V-209039
- V-51423
- Rule IDs
-
- SV-209039r603263_rule
- SV-65633
Checks: C-9292r357902_chk
The following command will discover and print world-writable directories that are not owned by a system account, given the assumption that only system accounts have a uid lower than 500. Run it once for each local partition [PART]: # find [PART] -xdev -type d -perm -0002 -uid +500 -print If there is output, this is a finding.
Fix: F-9292r357903_fix
All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group.
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- OL6-00-000338
- Vuln IDs
-
- V-209040
- V-50751
- Rule IDs
-
- SV-209040r603263_rule
- SV-64957
Checks: C-9293r357905_chk
Verify the "tftp" package is installed: # rpm -qa | grep -i tftp tftp-5.2-22.e16.x86_64 If the "tftp" package is not installed, this is Not Applicable. Verify "tftp" is configured by with the "-s" option by running the following command: grep "server_args" /etc/xinetd.d/tftp The output should indicate the "server_args" variable is configured with the "-s" flag, matching the example below: # grep "server_args" /etc/xinetd.d/tftp server_args = -s /var/lib/tftpboot If it does not, this is a finding.
Fix: F-9293r357906_fix
If running the "tftp" service is necessary, it should be configured to change its root directory at startup. To do so, ensure "/etc/xinetd.d/tftp" includes "-s" as a command line argument, as shown in the following example (which is also the default): server_args = -s /var/lib/tftpboot
- RMF Control
- AU-3
- Severity
- L
- CCI
- CCI-000130
- Version
- OL6-00-000339
- Vuln IDs
-
- V-209041
- V-50739
- Rule IDs
-
- SV-209041r603263_rule
- SV-64945
Checks: C-9294r357908_chk
Verify the "vsftpd" package is installed: # rpm -qa | grep -i vsftpd vsftpd-3.0.2-22.e16.x86_64 If the "vsftpd" package is not installed, this is Not Applicable. Find if logging is applied to the ftp daemon. Procedures: If vsftpd is started by xinetd the following command will indicate the xinetd.d startup file. # grep vsftpd /etc/xinetd.d/* # grep server_args [vsftpd xinetd.d startup file] This will indicate the vsftpd config file used when starting through xinetd. If the [server_args]line is missing or does not include the vsftpd configuration file, then the default config file (/etc/vsftpd/vsftpd.conf) is used. # grep xferlog_enable [vsftpd config file] If xferlog_enable is missing, or is not set to yes, this is a finding.
Fix: F-9294r357909_fix
Add or correct the following configuration options within the "vsftpd" configuration file, located at "/etc/vsftpd/vsftpd.conf". xferlog_enable=YES xferlog_std_format=NO log_ftp_protocol=YES
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000340
- Vuln IDs
-
- V-209042
- V-50717
- Rule IDs
-
- SV-209042r603263_rule
- SV-64923
Checks: C-9295r357911_chk
To ensure only SNMPv3 or newer is used, run the following command: # grep 'v1\|v2c\|com2sec' /etc/snmp/snmpd.conf | grep -v '^#' There should be no output. If there is output, this is a finding.
Fix: F-9295r357912_fix
Edit "/etc/snmp/snmpd.conf", removing any references to "v1", "v2c", or "com2sec". Upon doing that, restart the SNMP service: # service snmpd restart
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- OL6-00-000341
- Vuln IDs
-
- V-209043
- V-50713
- Rule IDs
-
- SV-209043r603263_rule
- SV-64919
Checks: C-9296r357914_chk
To ensure the default password is not set, run the following command: # grep -v "^#" /etc/snmp/snmpd.conf| grep public There should be no output. If there is output, this is a finding.
Fix: F-9296r357915_fix
Edit "/etc/snmp/snmpd.conf", remove default community string "public". Upon doing that, restart the SNMP service: # service snmpd restart
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000342
- Vuln IDs
-
- V-209044
- V-50707
- Rule IDs
-
- SV-209044r603263_rule
- SV-64913
Checks: C-9297r357917_chk
Verify the "umask" setting is configured correctly in the "/etc/bashrc" file by running the following command: # grep "umask" /etc/bashrc All output must show the value of "umask" set to 077, as shown below: # grep "umask" /etc/bashrc umask 077 umask 077 If the above command returns no output, or if the umask is configured incorrectly, this is a finding.
Fix: F-9297r357918_fix
To ensure the default umask for users of the Bash shell is set properly, add or correct the "umask" setting in "/etc/bashrc" to read as follows: umask 077
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000343
- Vuln IDs
-
- V-209045
- V-50673
- Rule IDs
-
- SV-209045r603263_rule
- SV-64879
Checks: C-9298r357920_chk
Verify the "umask" setting is configured correctly in the "/etc/csh.cshrc" file by running the following command: # grep "umask" /etc/csh.cshrc All output must show the value of "umask" set to 077, as shown in the below: # grep "umask" /etc/csh.cshrc umask 077 If the above command returns no output, or if the umask is configured incorrectly, this is a finding.
Fix: F-9298r357921_fix
To ensure the default umask for users of the C shell is set properly, add or correct the "umask" setting in "/etc/csh.cshrc" to read as follows: umask 077
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000344
- Vuln IDs
-
- V-209046
- V-50669
- Rule IDs
-
- SV-209046r603263_rule
- SV-64875
Checks: C-9299r357923_chk
Verify the "umask" setting is configured correctly in the "/etc/profile" file by running the following command: # grep "umask" /etc/profile All output must show the value of "umask" set to 077, as shown in the below: # grep "umask" /etc/profile umask 077 If the above command returns no output, or if the umask is configured incorrectly, this is a finding.
Fix: F-9299r357924_fix
To ensure the default umask controlled by "/etc/profile" is set properly, add or correct the "umask" setting in "/etc/profile" to read as follows: umask 077
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000345
- Vuln IDs
-
- V-209047
- V-50667
- Rule IDs
-
- SV-209047r603263_rule
- SV-64873
Checks: C-9300r357926_chk
Verify the "umask" setting is configured correctly in the "/etc/login.defs" file by running the following command: # grep -i "umask" /etc/login.defs All output must show the value of "umask" set to 077, as shown in the below: # grep -i "umask" /etc/login.defs UMASK 077 If the above command returns no output, or if the umask is configured incorrectly, this is a finding.
Fix: F-9300r357927_fix
To ensure the default umask controlled by "/etc/login.defs" is set properly, add or correct the "umask" setting in "/etc/login.defs" to read as follows: UMASK 077
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000346
- Vuln IDs
-
- V-209048
- V-50665
- Rule IDs
-
- SV-209048r603263_rule
- SV-64871
Checks: C-9301r357929_chk
To check the value of the "umask", run the following command: $ grep umask /etc/init.d/functions The output should show either "022" or "027". If it does not, this is a finding.
Fix: F-9301r357930_fix
The file "/etc/init.d/functions" includes initialization parameters for most or all daemons started at boot time. The default umask of 022 prevents creation of group- or world-writable files. To set the default umask for daemons, edit the following line, inserting 022 or 027 for [UMASK] appropriately: umask [UMASK] Setting the umask to too restrictive a setting can cause serious errors at runtime. Many daemons on the system already individually restrict themselves to a umask of 077 in their own init scripts.
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000196
- Version
- OL6-00-000347
- Vuln IDs
-
- V-209049
- V-50643
- Rule IDs
-
- SV-209049r603263_rule
- SV-64849
Checks: C-9302r357932_chk
To check the system for the existence of any ".netrc" files, run the following command: $ sudo find /root /home -xdev -name .netrc If any .netrc files exist, this is a finding.
Fix: F-9302r357933_fix
The ".netrc" files contain login information used to auto-login into FTP servers and reside in the user's home directory. These files may contain unencrypted passwords to remote FTP servers making them susceptible to access by unauthorized users and should not be used. Any ".netrc" files should be removed.
- RMF Control
- AC-8
- Severity
- M
- CCI
- CCI-000048
- Version
- OL6-00-000348
- Vuln IDs
-
- V-209050
- V-50641
- Rule IDs
-
- SV-209050r603263_rule
- SV-64847
Checks: C-9303r357935_chk
Verify the "vsftpd" package is installed: # rpm -qa | grep -i vsftpd vsftpd-3.0.2-22.e16.x86_64 If the "vsftpd" package is not installed, this is Not Applicable. To verify this configuration, run the following command: grep "banner_file" /etc/vsftpd/vsftpd.conf The output should show the value of "banner_file" is set to "/etc/issue", an example of which is shown below. # grep "banner_file" /etc/vsftpd/vsftpd.conf banner_file=/etc/issue If it does not, this is a finding.
Fix: F-9303r357936_fix
Edit the vsftpd configuration file, which resides at "/etc/vsftpd/vsftpd.conf" by default. Add or correct the following configuration options. banner_file=/etc/issue Restart the vsftpd daemon. # service vsftpd restart
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000765
- Version
- OL6-00-000349
- Vuln IDs
-
- V-209051
- V-50639
- Rule IDs
-
- SV-209051r603263_rule
- SV-64845
Checks: C-9304r357938_chk
Interview the SA to determine if all accounts not exempted by policy are using CAC authentication. For DoD systems, the following systems and accounts are exempt from using smart card (CAC) authentication: Standalone systems Application accounts Temporary employee accounts, such as students or interns, who cannot easily receive a CAC or PIV Operational tactical locations that are not collocated with RAPIDS workstations to issue CAC or ALT Test systems, such as those with an Interim Approval to Test (IATT) and use a separate VPN, firewall, or security measure preventing access to network and system components from outside the protection boundary documented in the IATT. If non-exempt accounts are not using CAC authentication, this is a finding.
Fix: F-9304r357939_fix
To enable smart card authentication, consult the documentation at: https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/enabling-smart-card-login.html For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000372
- Vuln IDs
-
- V-209052
- V-59375
- Rule IDs
-
- SV-209052r603263_rule
- SV-73805
Checks: C-9305r357941_chk
To ensure that last logon/access notification is configured correctly, run the following command: # grep pam_lastlog.so /etc/pam.d/system-auth The output should show output "showfailed". If that is not the case, this is a finding.
Fix: F-9305r357942_fix
To configure the system to notify users of last logon/access using "pam_lastlog", add the following line immediately after "session required pam_limits.so": session required pam_lastlog.so showfailed
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-000163
- Version
- OL6-00-000383
- Vuln IDs
-
- V-209053
- V-50631
- Rule IDs
-
- SV-209053r603263_rule
- SV-64837
Checks: C-9306r357944_chk
Run the following command to check the mode of the system audit logs: grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//|xargs stat -c %a:%n Audit logs must be mode 0640 or less permissive. If any are more permissive, this is a finding.
Fix: F-9306r357945_fix
Change the mode of the audit log files with the following command: # chmod 0640 [audit_file]
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-000162
- Version
- OL6-00-000384
- Vuln IDs
-
- V-209054
- V-50629
- Rule IDs
-
- SV-209054r603263_rule
- SV-64835
Checks: C-9307r357947_chk
Run the following command to check the owner of the system audit logs: grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//|xargs stat -c %U:%n Audit logs must be owned by root. If they are not, this is a finding.
Fix: F-9307r357948_fix
Change the owner of the audit log files with the following command: # chown root [audit_file]
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-000164
- Version
- OL6-00-000385
- Vuln IDs
-
- V-209055
- V-50627
- Rule IDs
-
- SV-209055r603263_rule
- SV-64833
Checks: C-9308r357950_chk
Run the following command to check the mode of the system audit directories: grep "^log_file" /etc/audit/auditd.conf|sed 's/^[^/]*//; s/[^/]*$//'|xargs stat -c %a:%n Audit directories must be mode 0755 or less permissive. If any are more permissive, this is a finding.
Fix: F-9308r357951_fix
Change the mode of the audit log directories with the following command: # chmod go-w [audit_directory]
- RMF Control
- AC-9
- Severity
- M
- CCI
- CCI-000052
- Version
- OL6-00-000507
- Vuln IDs
-
- V-209056
- V-50609
- Rule IDs
-
- SV-209056r603263_rule
- SV-64815
Checks: C-9309r357953_chk
Verify the value associated with the "PrintLastLog" keyword in /etc/ssh/sshd_config: # grep -i "^PrintLastLog" /etc/ssh/sshd_config If the "PrintLastLog" keyword is not present, this is not a finding. If the value is not set to "yes", this is a finding.
Fix: F-9309r357954_fix
Update the "PrintLastLog" keyword to "yes" in /etc/ssh/sshd_config: PrintLastLog yes While it is acceptable to remove the keyword entirely since the default action for the SSH daemon is to print the last login date and time, it is preferred to have the value explicitly documented.
- RMF Control
- AC-11
- Severity
- L
- CCI
- CCI-000058
- Version
- OL6-00-000508
- Vuln IDs
-
- V-209057
- V-50607
- Rule IDs
-
- SV-209057r603263_rule
- SV-64813
Checks: C-9310r357956_chk
If the GConf2 package is not installed, this is not applicable. Verify the keybindings for the Gnome screensaver: # gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome_settings_daemon/keybindings/screensaver If no output is visible, this is a finding.
Fix: F-9310r357957_fix
Run the following command to set the Gnome desktop keybinding for locking the screen: # gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type string \ --set /apps/gnome_settings_daemon/keybindings/screensaver "<Control><Alt>l" Another keyboard sequence may be substituted for "<Control><Alt>l", which is the default for the Gnome desktop.
- RMF Control
- AU-5
- Severity
- M
- CCI
- CCI-000140
- Version
- OL6-00-000510
- Vuln IDs
-
- V-209058
- V-50601
- Rule IDs
-
- SV-209058r603263_rule
- SV-64807
Checks: C-9311r357959_chk
Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to take appropriate action when the audit storage volume is full: # grep disk_full_action /etc/audit/auditd.conf disk_full_action = [ACTION] If the system is configured to "suspend" when the volume is full or "ignore" that it is full, this is a finding.
Fix: F-9311r357960_fix
The "auditd" service can be configured to take an action when disk space starts to run low. Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [ACTION] appropriately: disk_full_action = [ACTION] Possible values for [ACTION] are described in the "auditd.conf" man page. These include: "ignore" "syslog" "exec" "suspend" "single" "halt" Set this to "syslog", "exec", "single", or "halt".
- RMF Control
- AU-5
- Severity
- M
- CCI
- CCI-000140
- Version
- OL6-00-000511
- Vuln IDs
-
- V-209059
- V-50599
- Rule IDs
-
- SV-209059r603263_rule
- SV-64805
Checks: C-9312r357962_chk
Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to take appropriate action when disk errors occur: # grep disk_error_action /etc/audit/auditd.conf disk_error_action = [ACTION] If the system is configured to "suspend" when disk errors occur or "ignore" them, this is a finding.
Fix: F-9312r357963_fix
Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [ACTION] appropriately: disk_error_action = [ACTION] Possible values for [ACTION] are described in the "auditd.conf" man page. These include: "ignore" "syslog" "exec" "suspend" "single" "halt" Set this to "syslog", "exec", "single", or "halt".
- RMF Control
- IA-2
- Severity
- L
- CCI
- CCI-000764
- Version
- OL6-00-000515
- Vuln IDs
-
- V-209060
- V-50595
- Rule IDs
-
- SV-209060r603263_rule
- SV-64801
Checks: C-9313r357965_chk
If the NFS server is read-only, in support of unrestricted access to organizational content, this is not applicable. The related "root_squash" option provides protection against remote administrator-level access to NFS server content. Its use is not a finding. To verify the "all_squash" option has been disabled, run the following command: # grep all_squash /etc/exports If there is output, this is a finding.
Fix: F-9313r357966_fix
Remove any instances of the "all_squash" option from the file "/etc/exports". Restart the NFS daemon for the changes to take effect. # service nfs restart
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000516
- Vuln IDs
-
- V-209061
- V-50593
- Rule IDs
-
- SV-209061r603263_rule
- SV-64799
Checks: C-9314r357968_chk
The following command will list which files on the system have ownership different from what is expected by the RPM database: # rpm -Va | grep '^.....U' If any output is produced, verify that the changes were due to STIG application and have been documented with the ISSO. If any output has not been documented with the ISSO, this is a finding.
Fix: F-9314r357969_fix
The RPM package management system can restore ownership of package files and directories. The following command will update files and directories with ownership different from what is expected by the RPM database: # rpm -qf [file or directory name] # rpm --setugids [package]
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000517
- Vuln IDs
-
- V-209062
- V-50591
- Rule IDs
-
- SV-209062r603263_rule
- SV-64797
Checks: C-9315r357971_chk
The following command will list which files on the system have group-ownership different from what is expected by the RPM database: # rpm -Va | grep '^......G' If any output is produced, verify that the changes were due to STIG application and have been documented with the ISSO. If any output has not been documented with the ISSO, this is a finding.
Fix: F-9315r357972_fix
The RPM package management system can restore group-ownership of the package files and directories. The following command will update files and directories with group-ownership different from what is expected by the RPM database: # rpm -qf [file or directory name] # rpm --setugids [package]
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000518
- Vuln IDs
-
- V-209063
- V-50539
- Rule IDs
-
- SV-209063r603263_rule
- SV-64745
Checks: C-9316r357974_chk
The following command will list which files and directories on the system have permissions different from what is expected by the RPM database: # rpm -Va | grep '^.M' If there is any output, for each file or directory found, find the associated RPM package and compare the RPM-expected permissions with the actual permissions on the file or directory: # rpm -qf [file or directory name] # rpm -q --queryformat "[%{FILENAMES} %{FILEMODES:perms}\n]" [package] | grep [filename] # ls -dlL [filename] If the existing permissions are more permissive than those expected by RPM, this is a finding.
Fix: F-9316r357975_fix
The RPM package management system can restore file access permissions of package files and directories. The following command will update permissions on files and directories with permissions different from what is expected by the RPM database: # rpm --setperms [package]
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000519
- Vuln IDs
-
- V-209064
- V-50535
- Rule IDs
-
- SV-209064r603263_rule
- SV-64741
Checks: C-9317r357977_chk
The following command will list which files on the system have file hashes different from what is expected by the RPM database. # rpm -Va | awk '$1 ~ /..5/ && $2 != "c"' If any output is produced, verify that the changes were due to STIG application and have been documented with the ISSO. If any output has not been documented with the ISSO, this is a finding.
Fix: F-9317r357978_fix
The RPM package management system can check the hashes of installed software packages, including many that are important to system security. Run the following command to list which files on the system have hashes that differ from what is expected by the RPM database: # rpm -Va | grep '^..5' A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file that has changed was not expected to then refresh from distribution media or online repositories. rpm -Uvh [affected_package] OR yum reinstall [affected_package]
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000521
- Vuln IDs
-
- V-209065
- V-50525
- Rule IDs
-
- SV-209065r603263_rule
- SV-64731
Checks: C-9318r357980_chk
Find the list of alias maps used by the Postfix mail server: # postconf alias_maps Query the Postfix alias maps for an alias for "root": # postmap -q root hash:/etc/aliases If there are no aliases configured for root that forward to a monitored email address, this is a finding.
Fix: F-9318r357981_fix
Set up an alias for root that forwards to a monitored email address: # echo "root: <system.administrator>@mail.mil" >> /etc/aliases # newaliases
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-000162
- Version
- OL6-00-000522
- Vuln IDs
-
- V-209066
- V-50523
- Rule IDs
-
- SV-209066r603263_rule
- SV-64729
Checks: C-9319r357983_chk
Run the following command to check the group owner of the system audit logs: grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//|xargs stat -c %G:%n Audit logs must be group-owned by root. If they are not, this is a finding.
Fix: F-9319r357984_fix
Change the group owner of the audit log files with the following command: # chgrp root [audit_file]
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000015
- Version
- OL6-00-000524
- Vuln IDs
-
- V-209067
- V-50519
- Rule IDs
-
- SV-209067r603263_rule
- SV-64725
Checks: C-9320r357986_chk
Interview the SA to determine if there is an automated system for managing user accounts, preferably integrated with an existing enterprise user management system. If there is not, this is a finding.
Fix: F-9320r357987_fix
Implement an automated system for managing user accounts that minimizes the risk of errors, either intentional or deliberate. If possible, this system should integrate with an existing enterprise user management system, such as, one based Active Directory or Kerberos.
- RMF Control
- AU-12
- Severity
- L
- CCI
- CCI-000169
- Version
- OL6-00-000525
- Vuln IDs
-
- V-209068
- V-50517
- Rule IDs
-
- SV-209068r603263_rule
- SV-64723
Checks: C-9321r357989_chk
Inspect the kernel boot arguments (which follow the word "kernel") in "/etc/grub.conf". If they include "audit=1", then auditing is enabled at boot time. If auditing is not enabled at boot time, this is a finding.
Fix: F-9321r357990_fix
To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument "audit=1" to the kernel line in "/boot/grub/grub.conf", in the manner below: kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1 UEFI systems may prepend "/boot" to the "/vmlinuz-version" argument.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000526
- Vuln IDs
-
- V-209069
- V-50515
- Rule IDs
-
- SV-209069r603263_rule
- SV-64721
Checks: C-9322r357992_chk
To verify the "autofs" service is disabled, run the following command: chkconfig --list autofs If properly configured, the output should be the following: autofs 0:off 1:off 2:off 3:off 4:off 5:off 6:off Verify the "autofs" service is not running: # service autofs status If the autofs service is enabled or running, this is a finding.
Fix: F-9322r357993_fix
If the "autofs" service is not needed to dynamically mount NFS filesystems or removable media, disable the service for all runlevels: # chkconfig --level 0123456 autofs off Stop the service if it is already running: # service autofs stop
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000527
- Vuln IDs
-
- V-209070
- V-59377
- Rule IDs
-
- SV-209070r603263_rule
- SV-73807
Checks: C-9323r357995_chk
If the GConf2 package is not installed, this is not applicable. To ensure the user list is disabled, run the following command: $ gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --get /apps/gdm/simple-greeter/disable_user_list The output should be "true". If it is not, this is a finding.
Fix: F-9323r357996_fix
In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This functionality should be disabled. Run the following command to disable the user list: $ sudo gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool --set /apps/gdm/simple-greeter/disable_user_list true
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000528
- Vuln IDs
-
- V-209071
- V-59379
- Rule IDs
-
- SV-209071r603263_rule
- SV-73809
Checks: C-9324r357998_chk
To verify that binaries cannot be directly executed from the /tmp directory, run the following command: $ grep '\s/tmp' /etc/fstab The resulting output will show whether the /tmp partition has the "noexec" flag set. If the /tmp partition does not have the noexec flag set, this is a finding.
Fix: F-9324r357999_fix
The "noexec" mount option can be used to prevent binaries from being executed out of "/tmp". Add the "noexec" option to the fourth column of "/etc/fstab" for the line which controls mounting of "/tmp".
- RMF Control
- IA-11
- Severity
- M
- CCI
- CCI-002038
- Version
- OL6-00-000529
- Vuln IDs
-
- V-209072
- V-60819
- Rule IDs
-
- SV-209072r603263_rule
- SV-75275
Checks: C-36261r602377_chk
Verify neither the "NOPASSWD" option nor the "!authenticate" option is configured for use in "/etc/sudoers" and associated files. Note that the "#include" and "#includedir" directives may be used to include configuration data from locations other than the defaults enumerated here. # egrep '^[^#]*NOPASSWD' /etc/sudoers /etc/sudoers.d/* # egrep '^[^#]*!authenticate' /etc/sudoers /etc/sudoers.d/* If any occurrences of "NOPASSWD" or “!authenticate” are returned from these commands and have not been documented with the ISSO as an organizationally defined administrative group utilizing MFA, this is a finding.
Fix: F-36225r602378_fix
Update the "/etc/sudoers" or other sudo configuration files to remove or comment out lines utilizing the "NOPASSWD" and "!authenticate" options. # visudo # visudo -f [other sudo configuration file]
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-001764
- Version
- OL6-00-000530
- Vuln IDs
-
- V-209073
- V-81457
- Rule IDs
-
- SV-209073r603263_rule
- SV-96171
Checks: C-9326r358004_chk
Verify that the "nodev" option is configured for /dev/shm. Check that the operating system is configured to use the "nodev" option for /dev/shm with the following command: # cat /etc/fstab | grep /dev/shm | grep nodev tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 If the "nodev" option is not present on the line for "/dev/shm", this is a finding. Verify "/dev/shm" is mounted with the "nodev" option: # mount | grep "/dev/shm" | grep nodev If no results are returned, this is a finding.
Fix: F-9326r358005_fix
Configure the "/etc/fstab" to use the "nodev" option for all lines containing "/dev/shm".
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-001764
- Version
- OL6-00-000531
- Vuln IDs
-
- V-209074
- V-81459
- Rule IDs
-
- SV-209074r603263_rule
- SV-96173
Checks: C-9327r358007_chk
Verify that the "nosuid" option is configured for /dev/shm. Check that the operating system is configured to use the "nosuid" option for /dev/shm with the following command: # cat /etc/fstab | grep /dev/shm | grep nosuid tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 If the "nosuid" option is not present on the line for "/dev/shm", this is a finding. Verify "/dev/shm" is mounted with the "nosuid" option: # mount | grep "/dev/shm" | grep nosuid If no results are returned, this is a finding.
Fix: F-9327r358008_fix
Configure the "/etc/fstab" to use the "nosuid" option for all lines containing "/dev/shm".
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-001764
- Version
- OL6-00-000532
- Vuln IDs
-
- V-209075
- V-81461
- Rule IDs
-
- SV-209075r603263_rule
- SV-96175
Checks: C-9328r358010_chk
Verify that the "noexec" option is configured for /dev/shm. Check that the operating system is configured to use the "noexec" option for /dev/shm with the following command: # cat /etc/fstab | grep /dev/shm | grep noexec tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 If the "noexec" option is not present on the line for "/dev/shm", this is a finding. Verify "/dev/shm" is mounted with the "noexec" option: # mount | grep "/dev/shm" | grep noexec If no results are returned, this is a finding.
Fix: F-9328r358011_fix
Configure the "/etc/fstab" to use the "noexec" option for all lines containing "/dev/shm".
- RMF Control
- SC-13
- Severity
- H
- CCI
- CCI-002450
- Version
- OL6-00-000534
- Vuln IDs
-
- V-209076
- V-97233
- Rule IDs
-
- SV-209076r603263_rule
- SV-106371
Checks: C-9329r462525_chk
Verify the operating system implements DoD-approved encryption to protect the confidentiality of remote access sessions. Check to see if the "dracut-fips" package is installed with the following command: # yum list installed dracut-fips dracut-fips-004-411.el6.noarch.rpm If a "dracut-fips" package is installed, check to see if the kernel command line is configured to use FIPS mode with the following command: # grep fips /boot/grub/grub.conf kernel /boot/vmlinuz-4.1.12-124.18.5.el6uek.x86_64 ro root=/dev/mapper/VolGroup-lv_root rd_NO_LUKS KEYBOARDTYPE=pc KEYTABLE=uk LANG=en_US.UTF-8 rd_NO_MD rd_LVM_LV=VolGroup/lv_swap SYSFONT=latarcyrheb-sun16 rd_LVM_LV=VolGroup/lv_root rd_NO_DM rhgb quiet fips=1 boot=/dev/sda1 If the kernel command line is configured to use FIPS mode, check to see if the system is in FIPS mode with the following command: # cat /proc/sys/crypto/fips_enabled 1 If a "dracut-fips" package is not installed, the kernel command line does not have a fips entry, or the system has a value of "0" for "fips_enabled" in "/proc/sys/crypto", this is a finding.
Fix: F-9329r462526_fix
Configure the operating system to implement DoD-approved encryption by installing the dracut-fips package. To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel command line during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Configure the operating system to implement DoD-approved encryption by following the steps below: The fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users should also ensure that the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a non-unique key. Install the dracut-fips package with the following command: # yum install dracut-fips Existing prelinking, if any, should be undone on all system files using the following command: # prelink -u -a Recreate the "initramfs" file with the following command: Note: This command will overwrite the existing "initramfs" file. # dracut -f Modify the kernel command line of the current kernel in the "grub.conf" file by adding the following option to the "grub.conf" file: fips=1 If /boot or /boot/efi reside on separate partitions, the kernel parameter boot=<partition of /boot or /boot/efi> must be added to the kernel command line. You can identify a partition by running the df /boot or df /boot/efi command: # df /boot Filesystem 1K-blocks Used Available Use% Mounted on /dev/sda1 495844 53780 416464 12% /boot To ensure the "boot=" configuration option will work even if device naming changes occur between boots, identify the universally unique identifier (UUID) of the partition with the following command: # blkid /dev/sda1 /dev/sda1: UUID="05c000f1-a213-759e-c7a2-f11b7424c797" TYPE="ext4" For the example above, append the following string to the kernel command line: boot=UUID=05c000f1-a213-759e-c7a2-f11b7424c797 Reboot the system for the changes to take effect.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000004
- Vuln IDs
-
- V-219541
- V-50661
- Rule IDs
-
- SV-219541r603263_rule
- SV-64867
Checks: C-21266r358163_chk
Run the following command to determine if "/var/log/audit" is on its own partition or logical volume: $ mount | grep "on /var/log/audit " If "/var/log/audit" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding.
Fix: F-21265r358164_fix
Audit logs are stored in the "/var/log/audit" directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.
- RMF Control
- AU-5
- Severity
- M
- CCI
- CCI-001855
- Version
- OL6-00-000005
- Vuln IDs
-
- V-219542
- V-50671
- Rule IDs
-
- SV-219542r603263_rule
- SV-64877
Checks: C-21267r358166_chk
Inspect '/etc/audit/auditd.conf' and locate the following line to determine if the system is configured to email the administrator when disk space is starting to run low: # grep space_left_action /etc/audit/auditd.conf space_left_action = email If the system is not configured to send an email to the system administrator when disk space is starting to run low, this is a finding. The 'syslog' option is acceptable when it can be demonstrated that the local log management infrastructure notifies an appropriate administrator in a timely manner.
Fix: F-21266r358167_fix
The 'auditd' service can be configured to take an action when disk space starts to run low. Edit the file '/etc/audit/auditd.conf'. Modify the following line, substituting [ACTION] appropriately: space_left_action = [ACTION] Possible values for [ACTION] are described in the 'auditd.conf' man page. These include: 'ignore', 'syslog', 'email', 'exec', 'suspend', 'single', and 'halt'. Set this to 'email' (instead of the default, which is 'suspend') as it is more likely to get prompt attention. The 'syslog' option is acceptable, provided the local log management infrastructure notifies an appropriate administrator in a timely manner. OL6-00-000521 ensures that the email generated through the operation "space_left_action" will be sent to an administrator.
- RMF Control
- CM-5
- Severity
- H
- CCI
- CCI-001749
- Version
- OL6-00-000008
- Vuln IDs
-
- V-219543
- V-50689
- Rule IDs
-
- SV-219543r603263_rule
- SV-64895
Checks: C-21268r358169_chk
To ensure that the GPG key is installed, run: # rpm -qi gpg-pubkey-ec551f03 | gpg --keyid-format long | grep oracle.com | cut -f3 -d" " |cut -f2 -d"/" The command should return the string below: 72F97B74EC551F03 If the operating system vendor GPG Key is not installed, this is a finding.
Fix: F-21267r358170_fix
To ensure the system can cryptographically verify the software packages come from the operating system vendor (and connect to the vendor's network software repository to receive them if desired), the vendor GPG key must properly be installed. To ensure the GPG key is installed, run: # wget http://public-yum.oracle.com/RPM-GPG-KEY-oracle-ol6 # rpm --import RPM-GPG-KEY-oracle-ol6
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001749
- Version
- OL6-00-000013
- Vuln IDs
-
- V-219544
- V-50701
- Rule IDs
-
- SV-219544r603263_rule
- SV-64907
Checks: C-21269r358172_chk
To determine whether "yum" is configured to use "gpgcheck", inspect "/etc/yum.conf" and ensure the following appears in the "[main]" section: gpgcheck=1 A value of "1" indicates that "gpgcheck" is enabled. Absence of a "gpgcheck" line or a setting of "0" indicates that it is disabled. If GPG checking is not enabled, this is a finding. If the "yum" system package management tool is not used to update the system, verify with the SA that installed packages are cryptographically signed.
Fix: F-21268r358173_fix
The "gpgcheck" option should be used to ensure checking of an RPM package's signature always occurs prior to its installation. To configure yum to check package signatures before installing them, ensure the following line appears in "/etc/yum.conf" in the "[main]" section: gpgcheck=1
- RMF Control
- CM-5
- Severity
- L
- CCI
- CCI-001749
- Version
- OL6-00-000015
- Vuln IDs
-
- V-219545
- V-50709
- Rule IDs
-
- SV-219545r603263_rule
- SV-64915
Checks: C-21270r358175_chk
To determine whether "yum" has been configured to disable "gpgcheck" for any repos, inspect all files in "/etc/yum.repos.d" and ensure the following does not appear in any sections: gpgcheck=0 A value of "0" indicates that "gpgcheck" has been disabled for that repo. If GPG checking is disabled, this is a finding. If the "yum" system package management tool is not used to update the system, verify with the SA that installed packages are cryptographically signed.
Fix: F-21269r358176_fix
To ensure signature checking is not disabled for any repos, remove any lines from files in "/etc/yum.repos.d" of the form: gpgcheck=0
- RMF Control
- CM-3
- Severity
- M
- CCI
- CCI-001744
- Version
- OL6-00-000016
- Vuln IDs
-
- V-219546
- V-50715
- Rule IDs
-
- SV-219546r603263_rule
- SV-64921
Checks: C-21271r358178_chk
If another file integrity tool is installed, this is not a finding. Run the following command to determine if the "aide" package is installed: # rpm -q aide If the package is not installed, this is a finding.
Fix: F-21270r358179_fix
Install the AIDE package with the command: # yum install aide
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- OL6-00-000019
- Vuln IDs
-
- V-219547
- V-50719
- Rule IDs
-
- SV-219547r603263_rule
- SV-64925
Checks: C-21272r358181_chk
The existence of the file "/etc/hosts.equiv" or a file named ".rhosts" inside a user home directory indicates the presence of an Rsh trust relationship. If these files exist, this is a finding.
Fix: F-21271r358182_fix
The files "/etc/hosts.equiv" and "~/.rhosts" (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To remove these files, run the following command to delete them from any location. # rm /etc/hosts.equiv $ rm ~/.rhosts
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000103
- Vuln IDs
-
- V-219548
- V-50761
- Rule IDs
-
- SV-219548r603263_rule
- SV-64967
Checks: C-21273r358184_chk
If the system is a cross-domain system, this is not applicable. If IPv6 is disabled, this is not applicable. Run the following command to determine the current status of the "ip6tables" service: # service ip6tables status If the service is not running, it should return the following: ip6tables: Firewall is not running. If the service is not running, this is a finding.
Fix: F-21272r358185_fix
The "ip6tables" service can be enabled with the following commands: # chkconfig ip6tables on # service ip6tables start
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000106
- Vuln IDs
-
- V-219549
- V-50767
- Rule IDs
-
- SV-219549r603263_rule
- SV-64973
Checks: C-21274r358187_chk
If the system is a cross-domain system, this is not applicable. If IPv6 is disabled, this is not applicable. Run the following command to determine the current status of the "ip6tables" service: # service ip6tables status If the service is not running, it should return the following: ip6tables: Firewall is not running. If the service is not running, this is a finding.
Fix: F-21273r358188_fix
The "ip6tables" service can be enabled with the following commands: # chkconfig ip6tables on # service ip6tables start
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000107
- Vuln IDs
-
- V-219550
- V-50781
- Rule IDs
-
- SV-219550r603263_rule
- SV-64987
Checks: C-21275r358190_chk
If the system is a cross-domain system, this is not applicable. If IPv6 is disabled, this is not applicable. Run the following command to determine the current status of the "ip6tables" service: # service ip6tables status If the service is not running, it should return the following: ip6tables: Firewall is not running. If the service is not running, this is a finding.
Fix: F-21274r358191_fix
The "ip6tables" service can be enabled with the following commands: # chkconfig ip6tables on # service ip6tables start
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000113
- Vuln IDs
-
- V-219551
- V-50797
- Rule IDs
-
- SV-219551r603263_rule
- SV-65003
Checks: C-21276r358193_chk
If the system is a cross-domain system, this is not applicable. Run the following command to determine the current status of the "iptables" service: # service iptables status If the service is not running, it should return the following: iptables: Firewall is not running. If the service is not running, this is a finding.
Fix: F-21275r358194_fix
The "iptables" service can be enabled with the following commands: # chkconfig iptables on # service iptables start
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000116
- Vuln IDs
-
- V-219552
- V-50903
- Rule IDs
-
- SV-219552r603263_rule
- SV-65109
Checks: C-21277r358196_chk
If the system is a cross-domain system, this is not applicable. Run the following command to determine the current status of the "iptables" service: # service iptables status If the service is not running, it should return the following: iptables: Firewall is not running. If the service is not running, this is a finding.
Fix: F-21276r358197_fix
The "iptables" service can be enabled with the following commands: # chkconfig iptables on # service iptables start
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000117
- Vuln IDs
-
- V-219553
- V-50979
- Rule IDs
-
- SV-219553r603263_rule
- SV-65185
Checks: C-21278r358199_chk
If the system is a cross-domain system, this is not applicable. Run the following command to determine the current status of the "iptables" service: # service iptables status If the service is not running, it should return the following: iptables: Firewall is not running. If the service is not running, this is a finding.
Fix: F-21277r358200_fix
The "iptables" service can be enabled with the following commands: # chkconfig iptables on # service iptables start
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000120
- Vuln IDs
-
- V-219554
- V-50987
- Rule IDs
-
- SV-219554r603263_rule
- SV-65193
Checks: C-21279r462334_chk
Inspect the file "/etc/sysconfig/iptables" to determine the default policy for the INPUT chain. It should be set to DROP. # grep ":INPUT" /etc/sysconfig/iptables If the default policy for the INPUT chain is not set to DROP, this is a finding.
Fix: F-21278r462335_fix
To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in "/etc/sysconfig/iptables": :INPUT DROP [0:0]
- RMF Control
- AU-4
- Severity
- M
- CCI
- CCI-001851
- Version
- OL6-00-000137
- Vuln IDs
-
- V-219555
- V-51019
- Rule IDs
-
- SV-219555r603263_rule
- SV-65225
Checks: C-21280r462337_chk
To ensure logs are sent to a remote host, examine the file "/etc/rsyslog.conf". If using UDP, a line similar to the following should be present: *.* @[loghost.example.com] If using TCP, a line similar to the following should be present: *.* @@[loghost.example.com] If using RELP, a line similar to the following should be present: *.* :omrelp:[loghost.example.com] If none of these are present, this is a finding.
Fix: F-21279r462338_fix
To configure rsyslog to send logs to a remote log server, open "/etc/rsyslog.conf" and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting "[loghost.example.com]" appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments. To use UDP for log message delivery: *.* @[loghost.example.com] To use TCP for log message delivery: *.* @@[loghost.example.com] To use RELP for log message delivery: *.* :omrelp:[loghost.example.com]
- RMF Control
- AC-6
- Severity
- L
- CCI
- CCI-002234
- Version
- OL6-00-000198
- Vuln IDs
-
- V-219556
- V-51141
- Rule IDs
-
- SV-219556r603263_rule
- SV-65351
Checks: C-21281r358208_chk
To verify that auditing of privileged command use is configured, run the following command once for each local partition [PART] to find relevant setuid / setgid programs: $ sudo find [PART] -xdev -type f -perm /6000 2>/dev/null Run the following command to verify entries in the audit rules for all programs found with the previous command: $ sudo grep path /etc/audit/audit.rules It should be the case that all relevant setuid / setgid programs have a line in the audit rules. If that is not the case, this is a finding.
Fix: F-21280r358209_fix
At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition [PART]: $ sudo find [PART] -xdev -type f -perm /6000 2>/dev/null Then, for each setuid / setgid program on the system, add a line of the following form to "/etc/audit/audit.rules", where [SETUID_PROG_PATH] is the full path to each setuid / setgid program in the list: -a always,exit -F path=[SETUID_PROG_PATH] -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
- RMF Control
- CM-7
- Severity
- H
- CCI
- CCI-000381
- Version
- OL6-00-000211
- Vuln IDs
-
- V-219557
- V-50553
- Rule IDs
-
- SV-219557r603263_rule
- SV-64759
Checks: C-21282r462340_chk
To check that the "telnet" service is disabled in system boot configuration, run the following command: # chkconfig "telnet" --list Output should indicate the "telnet" service has either not been installed, or has been disabled, as shown in the example below: # chkconfig "telnet" --list telnet off OR error reading information on service telnet: No such file or directory If the service is running, this is a finding.
Fix: F-21281r462341_fix
The "telnet" service can be disabled with the following command: # chkconfig telnet off
- RMF Control
- CM-7
- Severity
- H
- CCI
- CCI-000381
- Version
- OL6-00-000218
- Vuln IDs
-
- V-219558
- V-50561
- Rule IDs
-
- SV-219558r603263_rule
- SV-64767
Checks: C-21283r358214_chk
To check that the "rlogin" service is disabled in system boot configuration, run the following command: # chkconfig "rlogin" --list Output should indicate the "rlogin" service has either not been installed, or has been disabled, as shown in the example below: # chkconfig "rlogin" --list rlogin off OR error reading information on service rlogin: No such file or directory If the service is running, this is a finding.
Fix: F-21282r358215_fix
The "rlogin" service, which is available with the "rsh-server" package and runs as a service through xinetd, should be disabled. The "rlogin" service can be disabled with the following command: # chkconfig rlogin off
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- OL6-00-000223
- Vuln IDs
-
- V-219559
- V-50569
- Rule IDs
-
- SV-219559r603263_rule
- SV-64775
Checks: C-21284r358217_chk
To check that the "tftp" service is disabled in system boot configuration, run the following command: # chkconfig "tftp" --list Output should indicate the "tftp" service has either not been installed, or has been disabled, as shown in the example below: # chkconfig "tftp" --list tftp off OR error reading information on service tftp: No such file or directory If the service is running, this is a finding.
Fix: F-21283r358218_fix
The "tftp" service should be disabled. The "tftp" service can be disabled with the following command: # chkconfig tftp off
- RMF Control
- IA-5
- Severity
- H
- CCI
- CCI-000197
- Version
- OL6-00-000227
- Vuln IDs
-
- V-219560
- V-50573
- Rule IDs
-
- SV-219560r603263_rule
- SV-64779
Checks: C-21285r358220_chk
To check which SSH protocol version is allowed, run the following command: # grep Protocol /etc/ssh/sshd_config If configured properly, output should be Protocol 2 If it is not, this is a finding.
Fix: F-21284r358221_fix
Only SSH protocol version 2 connections should be permitted. The default setting in "/etc/ssh/sshd_config" is correct, and can be verified by ensuring that the following line appears: Protocol 2
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-001453
- Version
- OL6-00-000243
- Vuln IDs
-
- V-219561
- V-50807
- Rule IDs
-
- SV-219561r603343_rule
- SV-65013
Checks: C-21286r622245_chk
Only FIPS-approved ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command: # grep -i Ciphers /etc/ssh/sshd_config Ciphers aes256-ctr,aes192-ctr,aes128-ctr If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, the "Ciphers" keyword is missing, or the returned line is commented out, this is a finding.
Fix: F-21285r622246_fix
Limit the ciphers to those algorithms which are FIPS-approved. The following line in "/etc/ssh/sshd_config" demonstrates use of FIPS-approved ciphers: Ciphers 256-ctr,aes192-ctr,aes128-ctr Note: The man page "sshd_config(5)" contains a list of supported ciphers.
- RMF Control
- AU-8
- Severity
- M
- CCI
- CCI-001891
- Version
- OL6-00-000247
- Vuln IDs
-
- V-219562
- V-50811
- Rule IDs
-
- SV-219562r603263_rule
- SV-65017
Checks: C-21287r462343_chk
Run the following command to determine the current status of the "ntpd" service: # service ntpd status If the service is enabled, it should return the following: ntpd is running... If the service is not running, this is a finding.
Fix: F-21286r462344_fix
The "ntpd" service can be enabled with the following command: # chkconfig ntpd on # service ntpd start
- RMF Control
- AU-8
- Severity
- M
- CCI
- CCI-001891
- Version
- OL6-00-000248
- Vuln IDs
-
- V-219563
- V-50813
- Rule IDs
-
- SV-219563r603263_rule
- SV-65019
Checks: C-21288r358229_chk
A remote NTP server should be configured for time synchronization. To verify one is configured, open the following file. /etc/ntp.conf In the file, there should be a section similar to the following: # --- OUR TIMESERVERS ----- server [ntpserver] If this is not the case, this is a finding.
Fix: F-21287r358230_fix
To specify a remote NTP server for time synchronization, edit the file "/etc/ntp.conf". Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver. server [ntpserver] This instructs the NTP software to contact that remote server to obtain time data.
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-001453
- Version
- OL6-00-000253
- Vuln IDs
-
- V-219564
- V-50819
- Rule IDs
-
- SV-219564r603263_rule
- SV-65025
Checks: C-21289r358232_chk
If the system does not use LDAP for authentication or account information, this is not applicable. To ensure TLS is configured with trust certificates, run the following command: # grep cert /etc/pam_ldap.conf If there is no output, or the lines are commented out, this is a finding.
Fix: F-21288r358233_fix
Ensure a copy of the site's CA certificate has been placed in the file "/etc/pki/tls/CA/cacert.pem". Configure LDAP to enforce TLS use and to trust certificates signed by the site's CA. First, edit the file "/etc/pam_ldap.conf", and add or correct either of the following lines: tls_cacertdir /etc/pki/tls/CA or tls_cacertfile /etc/pki/tls/CA/cacert.pem Then review the LDAP server and ensure TLS has been configured.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000271
- Vuln IDs
-
- V-219565
- V-50849
- Rule IDs
-
- SV-219565r603263_rule
- SV-65055
Checks: C-21290r358235_chk
Identify any removable media that is configured on the system: # cat /etc/fstab /dev/mapper/vg_rhel6-lv_root / ext4 defaults 1 1 UUID=0be9b205-f8e6-4bf4-b0ba-1f235fc55936 /boot ext4 defaults 1 2 UUID=5D49-30B2 /boot/efi vfat umask=0077,shortname=winnt 0 0 /dev/mapper/vg_rhel6-lv_home /home ext4 defaults 1 2 /dev/mapper/vg_rhel6-lv_tmp /tmp ext4 defaults 1 2 /dev/mapper/vg_rhel6-lv_var /var ext4 defaults 1 2 /dev/mapper/vg_rhel6-lv_swap swap swap defaults 0 0 tmpfs /dev/shm tmpfs defaults 0 0 devpts /dev/pts devpts gid=5,mode=620 0 0 sysfs /sys sysfs defaults 0 0 proc /proc proc defaults 0 0 /dev/sdc1 /media/usb vfat defaults,rw,noexec 0 0 If any of the identified removable media devices do not have "noexec" defined, this is a finding.
Fix: F-21289r358236_fix
The "noexec" mount option prevents the direct execution of binaries on the mounted filesystem. Users should not be allowed to execute binaries that exist on partitions mounted from removable media (such as a USB key). The "noexec" option prevents code from being executed directly from the media itself, and may therefore provide a line of defense against certain types of worms or malicious code. Add the "noexec" option to the fourth column of "/etc/fstab" for the line which controls mounting of any removable media partitions.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000275
- Vuln IDs
-
- V-219566
- V-50857
- Rule IDs
-
- SV-219566r603263_rule
- SV-65063
Checks: C-21291r358238_chk
Determine if encryption must be used to protect data on the system. If encryption must be used and is not employed, this is a finding.
Fix: F-21290r358239_fix
The operating system natively supports partition encryption through the Linux Unified Key Setup (LUKS) on-disk-format technology. The easiest way to encrypt a partition is during installation time. For manual installations, select the "Encrypt" checkbox during partition creation to encrypt the partition. When this option is selected, the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots. For automated/unattended installations, it is possible to use Kickstart by adding the "--encrypted" and "--passphrase=" options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition: part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=[PASSPHRASE] Any [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the "--passphrase=" option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation. Detailed information on encrypting partitions using LUKS can be found in the Oracle Linux documentation at: http://docs.oracle.com/cd/E37670_01/E36387/html/index.html Additional information is available from: http://linux.oracle.com/documentation/OL6/Red_Hat_Enterprise_Linux-6-Security_Guide-en-US.pdf
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000277
- Vuln IDs
-
- V-219567
- V-50861
- Rule IDs
-
- SV-219567r603263_rule
- SV-65067
Checks: C-21292r358241_chk
Determine if encryption must be used to protect data on the system. If encryption must be used and is not employed, this is a finding.
Fix: F-21291r358242_fix
The operating system natively supports partition encryption through the Linux Unified Key Setup (LUKS) on-disk-format technology. The easiest way to encrypt a partition is during installation time. For manual installations, select the "Encrypt" checkbox during partition creation to encrypt the partition. When this option is selected, the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots. For automated/unattended installations, it is possible to use Kickstart by adding the "--encrypted" and "--passphrase=" options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition: part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=[PASSPHRASE] Any [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the "--passphrase=" option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation. Detailed information on encrypting partitions using LUKS can be found in the Oracle Linux documentation at: http://docs.oracle.com/cd/E37670_01/E36387/html/index.html. Additional information is available from: http://linux.oracle.com/documentation/OL6/Red_Hat_Enterprise_Linux-6-Security_Guide-en-US.pdf"
- RMF Control
- SI-2
- Severity
- M
- CCI
- CCI-001233
- Version
- OL6-00-000285
- Vuln IDs
-
- V-219568
- V-50875
- Rule IDs
-
- SV-219568r603263_rule
- SV-65081
Checks: C-21293r462346_chk
Ask the SA or ISSO if a host-based intrusion detection application is loaded on the system. Per OPORD 16-0080 the preferred intrusion detection system is McAfee HBSS available through Cybercom. If another host-based intrusion detection application is in use, such as SELinux, this must be documented and approved by the local Authorizing Official. Procedure: Examine the system to see if the Host Intrusion Prevention System (HIPS) is installed: # rpm -qa | grep MFEhiplsm Verify that the McAfee HIPS module is active on the system: # ps -ef | grep -i “hipclient” If the MFEhiplsm package is not installed, check for another intrusion detection system: # find / -name <daemon name> Where <daemon name> is the name of the primary application daemon to determine if the application is loaded on the system. Determine if the application is active on the system: # ps -ef | grep -i <daemon name> If the MFEhiplsm package is not installed and an alternate host-based intrusion detection application has not been documented for use, this is a finding. If no host-based intrusion detection system is installed and running on the system, this is a finding.
Fix: F-21292r462347_fix
Install and enable the latest McAfee HIPS package, available from Cybercom. If the system does not support the McAfee HIPS package, install and enable a supported intrusion detection system application and document its use with the Authorizing Official.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- OL6-00-000290
- Vuln IDs
-
- V-219569
- V-50885
- Rule IDs
-
- SV-219569r603263_rule
- SV-65091
Checks: C-21294r358247_chk
To verify the default runlevel is 3, run the following command: # grep initdefault /etc/inittab The output should show the following: id:3:initdefault: If it does not, this is a finding.
Fix: F-21293r358248_fix
Setting the system's runlevel to 3 will prevent automatic startup of the X server. To do so, ensure the following line in "/etc/inittab" features a "3" as shown: id:3:initdefault:
- RMF Control
- SC-8
- Severity
- M
- CCI
- CCI-002421
- Version
- OL6-00-000293
- Vuln IDs
-
- V-219570
- V-72823
- Rule IDs
-
- SV-219570r603263_rule
- SV-87469
Checks: C-21295r462349_chk
This is N/A for systems that do not have wireless network adapters. Verify that there are no wireless interfaces configured on the system: # ifconfig -a eth0 Link encap:Ethernet HWaddr b8:ac:6f:65:31:e5 inet addr:192.168.2.100 Bcast:192.168.2.255 Mask:255.255.255.0 inet6 addr: fe80::baac:6fff:fe65:31e5/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:2697529 errors:0 dropped:0 overruns:0 frame:0 TX packets:2630541 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:2159382827 (2.0 GiB) TX bytes:1389552776 (1.2 GiB) Interrupt:17 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:2849 errors:0 dropped:0 overruns:0 frame:0 TX packets:2849 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:2778290 (2.6 MiB) TX bytes:2778290 (2.6 MiB) If a wireless interface is configured, it must be documented and approved by the local Authorizing Official. If a wireless interface is configured and has not been documented and approved, this is a finding.
Fix: F-21294r462350_fix
Configure the system to disable all wireless network interfaces.
- RMF Control
- CM-3
- Severity
- M
- CCI
- CCI-001744
- Version
- OL6-00-000302
- Vuln IDs
-
- V-219571
- V-51011
- Rule IDs
-
- SV-219571r603263_rule
- SV-65217
Checks: C-21296r358253_chk
To determine that periodic AIDE execution has been scheduled, run the following command: # grep aide /etc/crontab /etc/cron.*/* If there is no output, or if aide is not run at least weekly, this is a finding.
Fix: F-21295r358254_fix
AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.
- RMF Control
- CM-3
- Severity
- M
- CCI
- CCI-001744
- Version
- OL6-00-000303
- Vuln IDs
-
- V-219572
- V-51017
- Rule IDs
-
- SV-219572r603263_rule
- SV-65223
Checks: C-21297r358256_chk
To determine that periodic AIDE execution has been scheduled, run the following command: # grep aide /etc/crontab /etc/cron.*/* If there is no output, this is a finding.
Fix: F-21296r358257_fix
AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.
- RMF Control
- CM-3
- Severity
- M
- CCI
- CCI-001744
- Version
- OL6-00-000304
- Vuln IDs
-
- V-219573
- V-51023
- Rule IDs
-
- SV-219573r603263_rule
- SV-65229
Checks: C-21298r358259_chk
To determine that periodic AIDE execution has been scheduled, run the following command: # grep aide /etc/crontab /etc/cron.*/* If there is no output, this is a finding.
Fix: F-21297r358260_fix
AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.
- RMF Control
- CM-3
- Severity
- M
- CCI
- CCI-001744
- Version
- OL6-00-000305
- Vuln IDs
-
- V-219574
- V-51029
- Rule IDs
-
- SV-219574r603263_rule
- SV-65235
Checks: C-21299r358262_chk
To determine that periodic AIDE execution has been scheduled, run the following command: # grep aide /etc/crontab /etc/cron.*/* If there is no output, this is a finding.
Fix: F-21298r358263_fix
AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.
- RMF Control
- CM-3
- Severity
- M
- CCI
- CCI-001744
- Version
- OL6-00-000306
- Vuln IDs
-
- V-219575
- V-51035
- Rule IDs
-
- SV-219575r603263_rule
- SV-65241
Checks: C-21300r358265_chk
To determine that periodic AIDE execution has been scheduled, run the following command: # grep aide /etc/crontab /etc/cron.*/* If there is no output, this is a finding.
Fix: F-21299r358266_fix
AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.
- RMF Control
- CM-3
- Severity
- M
- CCI
- CCI-001744
- Version
- OL6-00-000307
- Vuln IDs
-
- V-219576
- V-51037
- Rule IDs
-
- SV-219576r603263_rule
- SV-65243
Checks: C-21301r358268_chk
To determine that periodic AIDE execution has been scheduled, run the following command: # grep aide /etc/crontab /etc/cron.*/* If there is no output, this is a finding.
Fix: F-21300r358269_fix
AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.
- RMF Control
- AU-5
- Severity
- M
- CCI
- CCI-001855
- Version
- OL6-00-000311
- Vuln IDs
-
- V-219577
- V-51051
- Rule IDs
-
- SV-219577r603263_rule
- SV-65257
Checks: C-21302r358271_chk
Inspect "/etc/audit/auditd.conf" and locate the following line to determine whether the system is configured to email the administrator when disk space is starting to run low: # grep space_left /etc/audit/auditd.conf space_left = [num_megabytes] If the "num_megabytes" value does not correspond to a documented value for remaining audit partition capacity or if there is no locally documented value for remaining audit partition capacity, this is a finding.
Fix: F-21301r358272_fix
The "auditd" service can be configured to take an action when disk space starts to run low. Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [num_megabytes] appropriately: space_left = [num_megabytes] The "num_megabytes" value should be set to a fraction of the total audit storage capacity available that will allow a system administrator to be notified with enough time to respond to the situation causing the capacity issues. This value must also be documented locally.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- OL6-00-000315
- Vuln IDs
-
- V-219578
- V-51111
- Rule IDs
-
- SV-219578r603263_rule
- SV-65321
Checks: C-21303r358274_chk
If the system is configured to prevent the loading of the "bluetooth" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": $ grep -r bluetooth /etc/modprobe.conf /etc/modprobe.d | grep -i “/bin/true” If no line is returned, this is a finding. If the system is configured to prevent the loading of the "net-pf-31" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": $ grep -r net-pf-31 /etc/modprobe.conf /etc/modprobe.d | grep -i “/bin/true” If no line is returned, this is a finding.
Fix: F-21302r358275_fix
The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate "/etc/modprobe.d" configuration file to prevent the loading of the Bluetooth module: install net-pf-31 /bin/true install bluetooth /bin/true
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000320
- Vuln IDs
-
- V-219579
- V-51117
- Rule IDs
-
- SV-219579r603263_rule
- SV-65327
Checks: C-21304r462352_chk
Run the following command to ensure the default "FORWARD" policy is "DROP": grep ":FORWARD" /etc/sysconfig/iptables The output must be the following: # grep ":FORWARD" /etc/sysconfig/iptables :FORWARD DROP [0:0] If it is not, this is a finding.
Fix: F-21303r462353_fix
To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interface to another, add or correct the following line in "/etc/sysconfig/iptables": :FORWARD DROP [0:0]
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- OL6-00-000321
- Vuln IDs
-
- V-219580
- V-51121
- Rule IDs
-
- SV-219580r603263_rule
- SV-65331
Checks: C-21305r358280_chk
If the system does not communicate over untrusted networks, this is not applicable. Run the following command to determine if the "libreswan" package is installed: # rpm -q libreswan If the package is not installed, this is a finding.
Fix: F-21304r358281_fix
The Libreswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. The "libreswan" package can be installed with the following command: # yum install libreswan
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- OL6-00-000331
- Vuln IDs
-
- V-219581
- V-51127
- Rule IDs
-
- SV-219581r603263_rule
- SV-65337
Checks: C-21306r462355_chk
To check that the "bluetooth" service is disabled in system boot configuration, run the following command: # chkconfig "bluetooth" --list Output should indicate the "bluetooth" service has either not been installed or has been disabled at all runlevels, as shown in the example below: # chkconfig "bluetooth" --list "bluetooth" 0:off 1:off 2:off 3:off 4:off 5:off 6:off If the service is configured to run, this is a finding.
Fix: F-21305r462356_fix
The "bluetooth" service can be disabled with the following command: # chkconfig bluetooth off # service bluetooth stop
- RMF Control
- AC-7
- Severity
- M
- CCI
- CCI-002238
- Version
- OL6-00-000356
- Vuln IDs
-
- V-219582
- V-50637
- Rule IDs
-
- SV-219582r603263_rule
- SV-64843
Checks: C-36262r602380_chk
To ensure the failed password attempt policy is configured correctly, run the following command: # grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth If the "unlock_time" parameter is set to a value other than "0", "never", or less than "900" on "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding. Note: The maximum configurable value for "unlock_time" is "604800".
Fix: F-36226r602381_fix
To configure the system to lock out accounts after a number of incorrect logon attempts and require an administrator to unlock the account using "pam_faillock.so", modify the content of both "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" as follows: Add the following line immediately before the "pam_unix.so" statement in the "AUTH" section: auth required pam_faillock.so preauth silent deny=3 unlock_time=900 fail_interval=900 Add the following line immediately after the "pam_unix.so" statement in the "AUTH" section: auth [default=die] pam_faillock.so authfail deny=3 unlock_time=900 fail_interval=900 Add the following line immediately before the "pam_unix.so" statement in the "ACCOUNT" section: account required pam_faillock.so Note that any updates made to "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" may be overwritten by the "authconfig" program. The "authconfig" program should not be used.
- RMF Control
- AC-7
- Severity
- M
- CCI
- CCI-002238
- Version
- OL6-00-000357
- Vuln IDs
-
- V-219583
- V-50635
- Rule IDs
-
- SV-219583r603263_rule
- SV-64841
Checks: C-36263r602383_chk
To ensure the failed password attempt policy is configured correctly, run the following command: $ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth For each file, the output should show "fail_interval=<interval-in-seconds>" where "interval-in-seconds" is 900 (15 minutes) or greater. If the "fail_interval" parameter is not set, the default setting of 900 seconds is acceptable. If that is not the case, this is a finding.
Fix: F-36227r602384_fix
Utilizing "pam_faillock.so", the "fail_interval" directive configures the system to lock out accounts after a number of incorrect logon attempts. Modify the content of both "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" as follows: Add the following line immediately before the "pam_unix.so" statement in the "AUTH" section: auth required pam_faillock.so preauth silent deny=3 unlock_time=900 fail_interval=900 Add the following line immediately after the "pam_unix.so" statement in the "AUTH" section: auth [default=die] pam_faillock.so authfail deny=3 unlock_time=900 fail_interval=900 Add the following line immediately before the "pam_unix.so" statement in the "ACCOUNT" section: account required pam_faillock.so Note that any updates made to "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" may be overwritten by the "authconfig" program. The "authconfig" program should not be used.
- RMF Control
- IA-3
- Severity
- M
- CCI
- CCI-000778
- Version
- OL6-00-000503
- Vuln IDs
-
- V-219584
- V-50617
- Rule IDs
-
- SV-219584r603263_rule
- SV-64823
Checks: C-21309r358292_chk
If the system is configured to prevent the loading of the "usb-storage" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": $ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d | grep -i “/bin/true” If no line is returned, this is a finding.
Fix: F-21308r358293_fix
To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the "usb-storage" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install usb-storage /bin/true This will prevent the "modprobe" program from loading the "usb-storage" module, but will not prevent an administrator (or another program) from using the "insmod" program to load the module manually.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000504
- Vuln IDs
-
- V-219585
- V-50615
- Rule IDs
-
- SV-219585r603263_rule
- SV-64821
Checks: C-21310r462698_chk
Ask an administrator if a process exists to back up user data from the system. If such a process does not exist, this is a finding.
Fix: F-21309r462699_fix
Procedures to back up user data from the system must be established and executed. The operating system provides utilities for automating such a process. Commercial and open-source products are also available. Implement a process whereby user data is backed up from the system in accordance with local policies.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000505
- Vuln IDs
-
- V-219586
- V-50613
- Rule IDs
-
- SV-219586r603263_rule
- SV-64819
Checks: C-21311r462358_chk
Ask an administrator if a process exists to back up OS data from the system, including configuration data. If such a process does not exist, this is a finding.
Fix: F-21310r462359_fix
Procedures to back up operating system data from the system must be established and executed. The operating system provides utilities for automating such a process. Commercial and open-source products are also available. Implement a process whereby OS data is backed up from the system in accordance with local policies.
- RMF Control
- AU-4
- Severity
- L
- CCI
- CCI-001851
- Version
- OL6-00-000509
- Vuln IDs
-
- V-219587
- V-50603
- Rule IDs
-
- SV-219587r603263_rule
- SV-64809
Checks: C-21312r358301_chk
Verify the audispd plugin is active: # grep active /etc/audisp/plugins.d/syslog.conf If the "active" setting is missing or set to "no", this is a finding.
Fix: F-21311r358302_fix
Set the "active" line in "/etc/audisp/plugins.d/syslog.conf" to "yes". Restart the auditd process. # service auditd restart
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000523
- Vuln IDs
-
- V-219588
- V-50521
- Rule IDs
-
- SV-219588r603263_rule
- SV-64727
Checks: C-21313r462361_chk
If IPv6 is disabled, this is not applicable. Inspect the file "/etc/sysconfig/ip6tables" to determine the default policy for the INPUT chain. It should be set to DROP: # grep ":INPUT" /etc/sysconfig/ip6tables If the default policy for the INPUT chain is not set to DROP, this is a finding.
Fix: F-21312r462362_fix
To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in "/etc/sysconfig/ip6tables": :INPUT DROP [0:0] Restart the IPv6 firewall: # service ip6tables restart
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000533
- Vuln IDs
-
- V-219589
- V-81453
- Rule IDs
-
- SV-219589r603263_rule
- SV-96167
Checks: C-21314r462364_chk
Verify an antivirus solution is installed on the system. The anti-virus solution may be bundled with an approved host-based security solution. If there is no antivirus solution installed on the system, this is a finding.
Fix: F-21313r466211_fix
Install an antivirus solution on the system.
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- OL6-00-000021
- Vuln IDs
-
- V-219957
- V-100007
- Rule IDs
-
- SV-219957r603263_rule
- SV-109111
Checks: C-19343r462695_chk
Verify there are no ".shosts" or "shosts.equiv" files on the system. # find / -name '*.shosts' # find / -name shosts.equiv If any ".shosts" or "shosts.equiv" files are found on the system, this is a finding.
Fix: F-19341r462696_fix
Remove any found ".shosts" or "shosts.equiv" files from the system. # rm /[path]/[to]/[file]/.shosts # rm /[path]/[to]/[file]/shosts.equiv
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-001453
- Version
- OL6-00-000228
- Vuln IDs
-
- V-219958
- V-100009
- Rule IDs
-
- SV-219958r603346_rule
- SV-109113
Checks: C-21668r622248_chk
Verify the SSH daemon is configured to only use MACs employing FIPS 140-2-approved hashes. Note: If OL6-00-000534 is a finding, this is automatically a finding as the system cannot implement FIPS 140-2-approved cryptographic algorithms and hashes. Check that the SSH daemon is configured to only use MACs employing FIPS 140-2-approved hashes with the following command: # grep -i macs /etc/ssh/sshd_config MACs hmac-sha2-512,hmac-sha2-256 If any hashes other than "hmac-sha2-512" or "hmac-sha2-256" are listed, the order differs from the example above, they are missing, or the returned line is commented out, this is a finding.
Fix: F-21667r622249_fix
Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "MACs" keyword and set its value to "hmac-sha2-512, hmac-sha2-256" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): MACs hmac-sha2-512,hmac-sha2-256 The SSH service must be restarted for changes to take effect. # sudo service sshd restart
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- OL6-00-000010
- Vuln IDs
-
- V-224675
- V-102347
- Rule IDs
-
- SV-224675r603263_rule
- SV-111303
Checks: C-26366r462519_chk
Verify the version of the operating system is vendor supported. Check the version of the operating system with the following command: # cat /etc/oracle-release Oracle Linux release 6.10 Current end of Support for Oracle Linux 6 is 31 March 2024. If the release is not supported by the vendor, this is a finding.
Fix: F-26354r462520_fix
Upgrade to a supported version of the operating system.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- OL6-00-000535
- Vuln IDs
-
- V-237624
- Rule IDs
-
- SV-237624r646943_rule
Checks: C-40843r646941_chk
Verify the "sudoers" file restricts sudo access to authorized personnel. $ sudo grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/* If the either of the following entries are returned, this is a finding: ALL ALL=(ALL) ALL ALL ALL=(ALL:ALL) ALL
Fix: F-40806r646942_fix
Remove the following entries from the sudoers file: ALL ALL=(ALL) ALL ALL ALL=(ALL:ALL) ALL
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002227
- Version
- OL6-00-000536
- Vuln IDs
-
- V-237625
- Rule IDs
-
- SV-237625r646946_rule
Checks: C-40844r646944_chk
Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation. $ sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' /etc/sudoers:Defaults !targetpw /etc/sudoers:Defaults !rootpw /etc/sudoers:Defaults !runaspw If no results are returned, this is a finding If "Defaults !targetpw" is not defined, this is a finding. If "Defaults !rootpw" is not defined, this is a finding. If "Defaults !runaspw" is not defined, this is a finding.
Fix: F-40807r646945_fix
Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory: Defaults !targetpw Defaults !rootpw Defaults !runaspw
- RMF Control
- IA-11
- Severity
- M
- CCI
- CCI-002038
- Version
- OL6-00-000537
- Vuln IDs
-
- V-237626
- Rule IDs
-
- SV-237626r646949_rule
Checks: C-40845r646947_chk
Verify the operating system requires re-authentication when using the "sudo" command to elevate privileges. $ sudo grep -i 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* /etc/sudoers:Defaults timestamp_timout=0 If "timestamp_timeout" is set to a negative number, is commented out, or no results are returned, this is a finding.
Fix: F-40808r646948_fix
Configure the "sudo" command to require re-authentication. Edit the /etc/sudoers file: $ sudo visudo Add or modify the following line: Defaults timestamp_timeout=[value] Note: The "[value]" must be a number that is greater than or equal to "0".