Oracle Linux 6 Security Technical Implementation Guide

V1R14 2018-11-28       U_Oracle_Linux_6_STIG_V1R14_Manual-xccdf.xml
V1R13 2018-09-19       U_Oracle_Linux_6_STIG_V1R13_Manual-xccdf.xml
The Oracle Linux 6 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]
Comparison
All 266
No Change 261
Updated 5
Added 0
Removed 0
V-50515 No Change
Findings ID: OL6-00-000526 Rule ID: SV-64721r1_rule Severity: low CCI: CCI-000366

Discussion

All filesystems that are required for the successful operation of the system should be explicitly listed in "/etc/fstab" by an administrator. New filesystems should not be arbitrarily introduced via the automounter.

The "autofs" daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as "/misc/cd". However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it is almost always possible to configure filesystem mounts statically by editing "/etc/fstab" rather than relying on the automounter.

Checks

To verify the "autofs" service is disabled, run the following command:

chkconfig --list autofs

If properly configured, the output should be the following:

autofs 0:off 1:off 2:off 3:off 4:off 5:off 6:off

Verify the "autofs" service is not running:

# service autofs status

If the autofs service is enabled or running, this is a finding.

Fix

If the "autofs" service is not needed to dynamically mount NFS filesystems or removable media, disable the service for all runlevels:

# chkconfig --level 0123456 autofs off

Stop the service if it is already running:

# service autofs stop
V-50517 No Change
Findings ID: OL6-00-000525 Rule ID: SV-64723r3_rule Severity: low CCI: CCI-000169

Discussion

Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although "auditd" takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.

Checks

Inspect the kernel boot arguments (which follow the word "kernel") in "/etc/grub.conf". If they include "audit=1", then auditing is enabled at boot time.
If auditing is not enabled at boot time, this is a finding.

Fix

To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument "audit=1" to the kernel line in "/boot/grub/grub.conf", in the manner below:

kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1

UEFI systems may prepend "/boot" to the "/vmlinuz-version" argument.
V-50519 No Change
Findings ID: OL6-00-000524 Rule ID: SV-64725r1_rule Severity: medium CCI: CCI-000015

Discussion

A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. Enterprise environments make user account management challenging and complex. A user management process requiring administrators to manually address account management functions adds risk of potential oversight.

Checks

Interview the SA to determine if there is an automated system for managing user accounts, preferably integrated with an existing enterprise user management system.

If there is not, this is a finding.

Fix

Implement an automated system for managing user accounts that minimizes the risk of errors, either intentional or deliberate. If possible, this system should integrate with an existing enterprise user management system, such as, one based Active Directory or Kerberos.
V-50521 No Change
Findings ID: OL6-00-000523 Rule ID: SV-64727r2_rule Severity: medium CCI: CCI-000066

Discussion

In "ip6tables" the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to "DROP" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted.

Checks

If IPv6 is disabled, this is not applicable.

Inspect the file "/etc/sysconfig/ip6tables" to determine the default policy for the INPUT chain. It should be set to DROP:

# grep ":INPUT" /etc/sysconfig/ip6tables

If the default policy for the INPUT chain is not set to DROP, this is a finding.

Fix

To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in "/etc/sysconfig/ip6tables":

:INPUT DROP [0:0]

Restart the IPv6 firewall:

# service ip6tables restart
V-50523 No Change
Findings ID: OL6-00-000522 Rule ID: SV-64729r1_rule Severity: medium CCI: CCI-000162

Discussion

If non-privileged users can write to audit logs, audit trails can be modified or destroyed.

Checks

Run the following command to check the group owner of the system audit logs:

grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//|xargs stat -c %G:%n

Audit logs must be group-owned by root.
If they are not, this is a finding.

Fix

Change the group owner of the audit log files with the following command:

# chgrp root [audit_file]
V-50525 No Change
Findings ID: OL6-00-000521 Rule ID: SV-64731r2_rule Severity: medium CCI: CCI-000366

Discussion

A number of system services utilize email messages sent to the root user to notify system administrators of active or impending issues. These messages must be forwarded to at least one monitored email address.

Checks

Find the list of alias maps used by the Postfix mail server:

# postconf alias_maps

Query the Postfix alias maps for an alias for "root":

# postmap -q root hash:/etc/aliases

If there are no aliases configured for root that forward to a monitored email address, this is a finding.

Fix

Set up an alias for root that forwards to a monitored email address:

# echo "root: <system.administrator>@mail.mil" >> /etc/aliases
# newaliases
V-50529 No Change
Findings ID: OL6-00-000003 Rule ID: SV-64735r1_rule Severity: low CCI: CCI-000366

Discussion

Placing "/var/log" in its own partition enables better separation between log files and other files in "/var/".

Checks

Run the following command to determine if "/var/log" is on its own partition or logical volume:

$ mount | grep "on /var/log "

If "/var/log" has its own partition or volume group, a line will be returned.
If no line is returned, this is a finding.

Fix

System logs are stored in the "/var/log" directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM.
V-50533 No Change
Findings ID: OL6-00-000001 Rule ID: SV-64739r1_rule Severity: low CCI: CCI-000366

Discussion

The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.

Checks

Run the following command to determine if "/tmp" is on its own partition or logical volume:

$ mount | grep "on /tmp "

If "/tmp" has its own partition or volume group, a line will be returned.
If no line is returned, this is a finding.

Fix

The "/tmp" directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.
V-50535 No Change
Findings ID: OL6-00-000519 Rule ID: SV-64741r2_rule Severity: low CCI: CCI-000366

Discussion

The hash on important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.

Checks

The following command will list which files on the system have file hashes different from what is expected by the RPM database.

# rpm -Va | awk '$1 ~ /..5/ && $2 != "c"'

If any output is produced, verify that the changes were due to STIG application and have been documented with the ISSO.

If any output has not been documented with the ISSO, this is a finding.

Fix

The RPM package management system can check the hashes of installed software packages, including many that are important to system security. Run the following command to list which files on the system have hashes that differ from what is expected by the RPM database:

# rpm -Va | grep '^..5'

A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file that has changed was not expected to then refresh from distribution media or online repositories.

rpm -Uvh [affected_package]

OR

yum reinstall [affected_package]
V-50537 No Change
Findings ID: OL6-00-000002 Rule ID: SV-64743r1_rule Severity: low CCI: CCI-000366

Discussion

Ensuring that "/var" is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the "/var" directory to contain world-writable directories, installed by other software packages.

Checks

Run the following command to determine if "/var" is on its own partition or logical volume:

$ mount | grep "on /var "

If "/var" has its own partition or volume group, a line will be returned.
If no line is returned, this is a finding.

Fix

The "/var" directory is used by daemons and other system services to store frequently-changing data. Ensure that "/var" has its own partition or logical volume at installation time, or migrate it using LVM.
V-50539 No Change
Findings ID: OL6-00-000518 Rule ID: SV-64745r2_rule Severity: low CCI: CCI-000366

Discussion

Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.

Checks

The following command will list which files and directories on the system have permissions different from what is expected by the RPM database:

# rpm -Va | grep '^.M'

If there is any output, for each file or directory found, find the associated RPM package and compare the RPM-expected permissions with the actual permissions on the file or directory:

# rpm -qf [file or directory name]
# rpm -q --queryformat "[%{FILENAMES} %{FILEMODES:perms}\n]" [package] | grep [filename]
# ls -dlL [filename]

If the existing permissions are more permissive than those expected by RPM, this is a finding.

Fix

The RPM package management system can restore file access permissions of package files and directories. The following command will update permissions on files and directories with permissions different from what is expected by the RPM database:

# rpm --setperms [package]
V-50545 No Change
Findings ID: OL6-00-000202 Rule ID: SV-64751r2_rule Severity: medium CCI: CCI-000172

Discussion

The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

Checks

To determine if the system is configured to audit execution of module management programs, run the following commands:

$ sudo egrep -e "(-w |-F path=)/sbin/insmod" /etc/audit/audit.rules
$ sudo egrep -e "(-w |-F path=)/sbin/rmmod" /etc/audit/audit.rules
$ sudo egrep -e "(-w |-F path=)/sbin/modprobe" /etc/audit/audit.rules

If the system is configured to audit this activity, it will return a line.

To determine if the system is configured to audit calls to the "init_module" system call, run the following command:

$ sudo grep -w "init_module" /etc/audit/audit.rules

If the system is configured to audit this activity, it will return a line.

To determine if the system is configured to audit calls to the "delete_module" system call, run the following command:

$ sudo grep -w "delete_module" /etc/audit/audit.rules

If the system is configured to audit this activity, it will return a line.

If no line is returned for any of these commands, this is a finding.

Fix

Add the following to "/etc/audit/audit.rules" in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:

-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=[ARCH] -S init_module -S delete_module -k modules
V-50547 No Change
Findings ID: OL6-00-000203 Rule ID: SV-64753r1_rule Severity: medium CCI: CCI-000382

Discussion

The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself.

Checks

If network services are using the xinetd service, this is not applicable.

To check that the "xinetd" service is disabled in system boot configuration, run the following command:

# chkconfig "xinetd" --list

Output should indicate the "xinetd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below:

# chkconfig "xinetd" --list
"xinetd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off

Run the following command to verify "xinetd" is disabled through current runtime configuration:

# service xinetd status

If the service is disabled the command will return the following output:

xinetd is stopped

If the service is running, this is a finding.

Fix

The "xinetd" service can be disabled with the following commands:

# chkconfig xinetd off
# service xinetd stop
V-50549 No Change
Findings ID: OL6-00-000204 Rule ID: SV-64755r1_rule Severity: low CCI: CCI-000382

Discussion

Removing the "xinetd" package decreases the risk of the xinetd service's accidental (or intentional) activation.

Checks

If network services are using the xinetd service, this is not applicable.

Run the following command to determine if the "xinetd" package is installed:

# rpm -q xinetd

If the package is installed, this is a finding.

Fix

The "xinetd" package can be uninstalled with the following command:

# yum erase xinetd
V-50551 No Change
Findings ID: OL6-00-000206 Rule ID: SV-64757r1_rule Severity: high CCI: CCI-000381

Discussion

Removing the "telnet-server" package decreases the risk of the unencrypted telnet service's accidental (or intentional) activation.

Mitigation: If the telnet-server package is configured to only allow encrypted sessions, such as with Kerberos or the use of encrypted network tunnels, the risk of exposing sensitive information is mitigated.

Checks

Run the following command to determine if the "telnet-server" package is installed:

# rpm -q telnet-server

If the package is installed, this is a finding.

Fix

The "telnet-server" package can be uninstalled with the following command:

# yum erase telnet-server
V-50553 No Change
Findings ID: OL6-00-000211 Rule ID: SV-64759r1_rule Severity: high CCI: CCI-000888

Discussion

The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks.

Mitigation: If an enabled telnet daemon is configured to only allow encrypted sessions, such as with Kerberos or the use of encrypted network tunnels, the risk of exposing sensitive information is mitigated.

Checks

To check that the "telnet" service is disabled in system boot configuration, run the following command:

# chkconfig "telnet" --list

Output should indicate the "telnet" service has either not been installed, or has been disabled, as shown in the example below:

# chkconfig "telnet" --list
telnet off
OR
error reading information on service telnet: No such file or directory

If the service is running, this is a finding.

Fix

The "telnet" service can be disabled with the following command:

# chkconfig telnet off
V-50555 No Change
Findings ID: OL6-00-000213 Rule ID: SV-64761r1_rule Severity: high CCI: CCI-000381

Discussion

The "rsh-server" package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation.

Checks

Run the following command to determine if the "rsh-server" package is installed:

# rpm -q rsh-server

If the package is installed, this is a finding.

Fix

The "rsh-server" package can be uninstalled with the following command:

# yum erase rsh-server
V-50557 No Change
Findings ID: OL6-00-000214 Rule ID: SV-64763r1_rule Severity: high CCI: CCI-000068

Discussion

The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.

Checks

To check that the "rsh" service is disabled in system boot configuration, run the following command:

# chkconfig "rsh" --list

Output should indicate the "rsh" service has either not been installed, or has been disabled, as shown in the example below:

# chkconfig "rsh" --list
rsh off
OR
error reading information on service rsh: No such file or directory

If the service is running, this is a finding.

Fix

The "rsh" service, which is available with the "rsh-server" package and runs as a service through xinetd, should be disabled. The "rsh" service can be disabled with the following command:

# chkconfig rsh off
V-50559 No Change
Findings ID: OL6-00-000216 Rule ID: SV-64765r1_rule Severity: high CCI: CCI-000068

Discussion

The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.

Checks

To check that the "rexec" service is disabled in system boot configuration, run the following command:

# chkconfig "rexec" --list

Output should indicate the "rexec" service has either not been installed, or has been disabled, as shown in the example below:

# chkconfig "rexec" --list
rexec off
OR
error reading information on service rexec: No such file or directory

If the service is running, this is a finding.

Fix

The "rexec" service, which is available with the "rsh-server" package and runs as a service through xinetd, should be disabled. The "rexec" service can be disabled with the following command:

# chkconfig rexec off
V-50561 No Change
Findings ID: OL6-00-000218 Rule ID: SV-64767r1_rule Severity: high CCI: CCI-001436

Discussion

The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.

Checks

To check that the "rlogin" service is disabled in system boot configuration, run the following command:

# chkconfig "rlogin" --list

Output should indicate the "rlogin" service has either not been installed, or has been disabled, as shown in the example below:

# chkconfig "rlogin" --list
rlogin off
OR
error reading information on service rlogin: No such file or directory

If the service is running, this is a finding.

Fix

The "rlogin" service, which is available with the "rsh-server" package and runs as a service through xinetd, should be disabled. The "rlogin" service can be disabled with the following command:

# chkconfig rlogin off
V-50563 No Change
Findings ID: OL6-00-000220 Rule ID: SV-64769r1_rule Severity: medium CCI: CCI-000381

Discussion

Removing the "ypserv" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.

Checks

Run the following command to determine if the "ypserv" package is installed:

# rpm -q ypserv

If the package is installed, this is a finding.

Fix

The "ypserv" package can be uninstalled with the following command:

# yum erase ypserv
V-50565 No Change
Findings ID: OL6-00-000221 Rule ID: SV-64771r1_rule Severity: medium CCI: CCI-000382

Discussion

Disabling the "ypbind" service ensures the system is not acting as a client in a NIS or NIS+ domain.

Checks

To check that the "ypbind" service is disabled in system boot configuration, run the following command:

# chkconfig "ypbind" --list

Output should indicate the "ypbind" service has either not been installed, or has been disabled at all runlevels, as shown in the example below:

# chkconfig "ypbind" --list
"ypbind" 0:off 1:off 2:off 3:off 4:off 5:off 6:off

Run the following command to verify "ypbind" is disabled through current runtime configuration:

# service ypbind status

If the service is disabled the command will return the following output:

ypbind is stopped

If the service is running, this is a finding.

Fix

The "ypbind" service, which allows the system to act as a client in a NIS or NIS+ domain, should be disabled. The "ypbind" service can be disabled with the following commands:

# chkconfig ypbind off
# service ypbind stop
V-50567 Updated
Findings ID: OL6-00-000222 Rule ID: SV-64773r23_rule Severity: medium CCI: CCI-000381

Discussion

Removing the "tftp-server" package decreases the risk of the accidental (or intentional) activation of tftp services.

Checks

Run the following command to determine if the "tftp-server" package is installed:

# rpm -q tftp-server

If the package is installed
and not documented and approved by the ISSO, this is a finding.

Fix

The "tftp-server" package can be removed with the following command:

# yum erase tftp-server
V-50569 No Change
Findings ID: OL6-00-000223 Rule ID: SV-64775r1_rule Severity: medium CCI: CCI-001436

Discussion

Disabling the "tftp" service ensures the system is not acting as a tftp server, which does not provide encryption or authentication.

Checks

To check that the "tftp" service is disabled in system boot configuration, run the following command:

# chkconfig "tftp" --list

Output should indicate the "tftp" service has either not been installed, or has been disabled, as shown in the example below:

# chkconfig "tftp" --list
tftp off
OR
error reading information on service tftp: No such file or directory

If the service is running, this is a finding.

Fix

The "tftp" service should be disabled. The "tftp" service can be disabled with the following command:

# chkconfig tftp off
V-50571 No Change
Findings ID: OL6-00-000224 Rule ID: SV-64777r1_rule Severity: medium CCI: CCI-000366

Discussion

Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.

Checks

Run the following command to determine the current status of the "crond" service:

# service crond status

If the service is enabled, it should return the following:

crond is running...

If the service is not running, this is a finding.

Fix

The "crond" service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The "crond" service can be enabled with the following commands:

# chkconfig crond on
# service crond start
V-50573 No Change
Findings ID: OL6-00-000227 Rule ID: SV-64779r1_rule Severity: high CCI: CCI-000774

Discussion

SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used.

Checks

To check which SSH protocol version is allowed, run the following command:

# grep Protocol /etc/ssh/sshd_config

If configured properly, output should be

Protocol 2

If it is not, this is a finding.

Fix

Only SSH protocol version 2 connections should be permitted. The default setting in "/etc/ssh/sshd_config" is correct, and can be verified by ensuring that the following line appears:

Protocol 2
V-50575 No Change
Findings ID: OL6-00-000230 Rule ID: SV-64781r1_rule Severity: low CCI: CCI-001133

Discussion

Causing idle users to be automatically logged out guards against compromises one system leading trivially to compromises on another.

Checks

Run the following command to see what the timeout interval is:

# grep ClientAliveInterval /etc/ssh/sshd_config

If properly configured, the output should be:

ClientAliveInterval 900

If it is not, this is a finding.

Fix

SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out.

To set an idle timeout interval, edit the following line in "/etc/ssh/sshd_config" as follows:

ClientAliveInterval [interval]

The timeout [interval] is given in seconds. To have a timeout of 15 minutes, set [interval] to 900.

If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.
V-50577 No Change
Findings ID: OL6-00-000231 Rule ID: SV-64783r1_rule Severity: low CCI: CCI-000879

Discussion

This ensures a user login will be terminated as soon as the "ClientAliveCountMax" is reached.

Checks

To ensure the SSH idle timeout will occur when the "ClientAliveCountMax" is set, run the following command:

# grep ClientAliveCountMax /etc/ssh/sshd_config

If properly configured, output should be:

ClientAliveCountMax 0

If it is not, this is a finding.

Fix

To ensure the SSH idle timeout occurs precisely when the "ClientAliveCountMax" is set, edit "/etc/ssh/sshd_config" as follows:

ClientAliveCountMax 0
V-50579 No Change
Findings ID: OL6-00-000234 Rule ID: SV-64785r1_rule Severity: medium CCI: CCI-000766

Discussion

SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.

Checks

To determine how the SSH daemon's "IgnoreRhosts" option is set, run the following command:

# grep -i IgnoreRhosts /etc/ssh/sshd_config

If no line, a commented line, or a line indicating the value "yes" is returned, then the required value is set.
If the required value is not set, this is a finding.

Fix

SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via ".rhosts" files.

To ensure this behavior is disabled, add or correct the following line in "/etc/ssh/sshd_config":

IgnoreRhosts yes
V-50581 No Change
Findings ID: OL6-00-000236 Rule ID: SV-64787r1_rule Severity: medium CCI: CCI-000766

Discussion

SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.

Checks

To determine how the SSH daemon's "HostbasedAuthentication" option is set, run the following command:

# grep -i HostbasedAuthentication /etc/ssh/sshd_config

If no line, a commented line, or a line indicating the value "no" is returned, then the required value is set.
If the required value is not set, this is a finding.

Fix

SSH's cryptographic host-based authentication is more secure than ".rhosts" authentication, since hosts are cryptographically authenticated. However, it is not recommended that hosts unilaterally trust one another, even within an organization.

To disable host-based authentication, add or correct the following line in "/etc/ssh/sshd_config":

HostbasedAuthentication no
V-50591 No Change
Findings ID: OL6-00-000517 Rule ID: SV-64797r2_rule Severity: low CCI: CCI-000366

Discussion

Group-ownership of system binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The group-ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.

Checks

The following command will list which files on the system have group-ownership different from what is expected by the RPM database:

# rpm -Va | grep '^......G'

If any output is produced, verify that the changes were due to STIG application and have been documented with the ISSO.

If any output has not been documented with the ISSO, this is a finding.

Fix

The RPM package management system can restore group-ownership of the package files and directories. The following command will update files and directories with group-ownership different from what is expected by the RPM database:

# rpm -qf [file or directory name]
# rpm --setugids [package]
V-50593 No Change
Findings ID: OL6-00-000516 Rule ID: SV-64799r2_rule Severity: low CCI: CCI-000366

Discussion

Ownership of system binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.

Checks

The following command will list which files on the system have ownership different from what is expected by the RPM database:

# rpm -Va | grep '^.....U'

If any output is produced, verify that the changes were due to STIG application and have been documented with the ISSO.

If any output has not been documented with the ISSO, this is a finding.

Fix

The RPM package management system can restore ownership of package files and directories. The following command will update files and directories with ownership different from what is expected by the RPM database:

# rpm -qf [file or directory name]
# rpm --setugids [package]
V-50595 No Change
Findings ID: OL6-00-000515 Rule ID: SV-64801r1_rule Severity: low CCI: CCI-000764

Discussion

The "all_squash" option maps all client requests to a single anonymous uid/gid on the NFS server, negating the ability to track file access by user ID.

Checks

If the NFS server is read-only, in support of unrestricted access to organizational content, this is not applicable.

The related "root_squash" option provides protection against remote administrator-level access to NFS server content. Its use is not a finding.

To verify the "all_squash" option has been disabled, run the following command:

# grep all_squash /etc/exports

If there is output, this is a finding.

Fix

Remove any instances of the "all_squash" option from the file "/etc/exports". Restart the NFS daemon for the changes to take effect.

# service nfs restart
V-50599 No Change
Findings ID: OL6-00-000511 Rule ID: SV-64805r1_rule Severity: medium CCI: CCI-000140

Discussion

Taking appropriate action in case of disk errors will minimize the possibility of losing audit records.

Checks

Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to take appropriate action when disk errors occur:

# grep disk_error_action /etc/audit/auditd.conf
disk_error_action = [ACTION]

If the system is configured to "suspend" when disk errors occur or "ignore" them, this is a finding.

Fix

Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [ACTION] appropriately:

disk_error_action = [ACTION]

Possible values for [ACTION] are described in the "auditd.conf" man page. These include:

"ignore"
"syslog"
"exec"
"suspend"
"single"
"halt"

Set this to "syslog", "exec", "single", or "halt".
V-50601 No Change
Findings ID: OL6-00-000510 Rule ID: SV-64807r1_rule Severity: medium CCI: CCI-000140

Discussion

Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.

Checks

Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to take appropriate action when the audit storage volume is full:

# grep disk_full_action /etc/audit/auditd.conf
disk_full_action = [ACTION]

If the system is configured to "suspend" when the volume is full or "ignore" that it is full, this is a finding.

Fix

The "auditd" service can be configured to take an action when disk space starts to run low. Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [ACTION] appropriately:

disk_full_action = [ACTION]

Possible values for [ACTION] are described in the "auditd.conf" man page. These include:

"ignore"
"syslog"
"exec"
"suspend"
"single"
"halt"

Set this to "syslog", "exec", "single", or "halt".
V-50603 No Change
Findings ID: OL6-00-000509 Rule ID: SV-64809r1_rule Severity: low CCI: CCI-000136

Discussion

The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include an audit event multiplexor plugin (audispd) to pass audit records to the local syslog server.

Checks

Verify the audispd plugin is active:

# grep active /etc/audisp/plugins.d/syslog.conf

If the "active" setting is missing or set to "no", this is a finding.

Fix

Set the "active" line in "/etc/audisp/plugins.d/syslog.conf" to "yes". Restart the auditd process.

# service auditd restart
V-50607 No Change
Findings ID: OL6-00-000508 Rule ID: SV-64813r2_rule Severity: low CCI: CCI-000058

Discussion

The ability to lock graphical desktop sessions manually allows users to easily secure their accounts should they need to depart from their workstations temporarily.

Checks

If the GConf2 package is not installed, this is not applicable.

Verify the keybindings for the Gnome screensaver:

# gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome_settings_daemon/keybindings/screensaver

If no output is visible, this is a finding.

Fix

Run the following command to set the Gnome desktop keybinding for locking the screen:

# gconftool-2
--direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type string \
--set /apps/gnome_settings_daemon/keybindings/screensaver "<Control><Alt>l"

Another keyboard sequence may be substituted for "<Control><Alt>l", which is the default for the Gnome desktop.
V-50609 No Change
Findings ID: OL6-00-000507 Rule ID: SV-64815r2_rule Severity: medium CCI: CCI-000052

Discussion

Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.

At ssh login, a user must be presented with the last successful login date and time.

Checks

Verify the value associated with the "PrintLastLog" keyword in /etc/ssh/sshd_config:

# grep -i "^PrintLastLog" /etc/ssh/sshd_config

If the "PrintLastLog" keyword is not present, this is not a finding. If the value is not set to "yes", this is a finding.

Fix

Update the "PrintLastLog" keyword to "yes" in /etc/ssh/sshd_config:

PrintLastLog yes

While it is acceptable to remove the keyword entirely since the default action for the SSH daemon is to print the last login date and time, it is preferred to have the value explicitly documented.
V-50613 No Change
Findings ID: OL6-00-000505 Rule ID: SV-64819r1_rule Severity: medium CCI: CCI-000537

Discussion

Operating system backup is a critical step in maintaining data assurance and availability. System-level information includes system-state information, operating system and application software, and licenses. Backups must be consistent with organizational recovery time and recovery point objectives.

Checks

Ask an administrator if a process exists to back up OS data from the system, including configuration data.

If such a process does not exist, this is a finding.

Fix

Procedures to back up operating system data from the system must be established and executed. The operating system provides utilities for automating such a process. Commercial and open-source products are also available.

Implement a process whereby OS data is backed up from the system in accordance with local policies.
V-50615 No Change
Findings ID: OL6-00-000504 Rule ID: SV-64821r1_rule Severity: medium CCI: CCI-000535

Discussion

Operating system backup is a critical step in maintaining data assurance and availability. User-level information is data generated by information system and/or application users. Backups shall be consistent with organizational recovery time and recovery point objectives.

Checks

Ask an administrator if a process exists to back up user data from the system.

If such a process does not exist, this is a finding.

Fix

Procedures to back up user data from the system must be established and executed. The operating system provides utilities for automating such a process. Commercial and open-source products are also available.

Implement a process whereby user data is backed up from the system in accordance with local policies.
V-50617 No Change
Findings ID: OL6-00-000503 Rule ID: SV-64823r2_rule Severity: medium CCI: CCI-000086

Discussion

USB storage devices such as thumb drives can be used to introduce unauthorized software and other vulnerabilities. Support for these devices should be disabled and the devices themselves should be tightly controlled.

Checks

If the system is configured to prevent the loading of the "usb-storage" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf":

$ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d | grep -i “/bin/true”

If no line is returned, this is a finding.

Fix

To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the "usb-storage" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d":

install usb-storage /bin/true

This will prevent the "modprobe" program from loading the "usb-storage" module, but will not prevent an administrator (or another program) from using the "insmod" program to load the module manually.
V-50621 No Change
Findings ID: OL6-00-000086 Rule ID: SV-64827r2_rule Severity: medium CCI: CCI-000366

Discussion

Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

Checks

The status of the "net.ipv4.conf.all.secure_redirects" kernel parameter can be queried by running the following command:

$ sysctl net.ipv4.conf.all.secure_redirects

The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".

$ grep net.ipv4.conf.all.secure_redirects /etc/sysctl.conf

If the correct value is not returned, this is a finding.

Fix

To set the runtime status of the "net.ipv4.conf.all.secure_redirects" kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.all.secure_redirects=0

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

net.ipv4.conf.all.secure_redirects = 0
V-50625 No Change
Findings ID: OL6-00-000088 Rule ID: SV-64831r2_rule Severity: low CCI: CCI-000366

Discussion

The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.

Checks

The status of the "net.ipv4.conf.all.log_martians" kernel parameter can be queried by running the following command:

$ sysctl net.ipv4.conf.all.log_martians

The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".

$ grep net.ipv4.conf.all.log_martians /etc/sysctl.conf

If the correct value is not returned, this is a finding.

Fix

To set the runtime status of the "net.ipv4.conf.all.log_martians" kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.all.log_martians=1

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

net.ipv4.conf.all.log_martians = 1
V-50627 No Change
Findings ID: OL6-00-000385 Rule ID: SV-64833r1_rule Severity: medium CCI: CCI-000164

Discussion

If users can delete audit logs, audit trails can be modified or destroyed.

Checks

Run the following command to check the mode of the system audit directories:

grep "^log_file" /etc/audit/auditd.conf|sed 's/^[^/]*//; s/[^/]*$//'|xargs stat -c %a:%n

Audit directories must be mode 0755 or less permissive.
If any are more permissive, this is a finding.

Fix

Change the mode of the audit log directories with the following command:

# chmod go-w [audit_directory]
V-50629 No Change
Findings ID: OL6-00-000384 Rule ID: SV-64835r1_rule Severity: medium CCI: CCI-000162

Discussion

If non-privileged users can write to audit logs, audit trails can be modified or destroyed.

Checks

Run the following command to check the owner of the system audit logs:

grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//|xargs stat -c %U:%n

Audit logs must be owned by root.
If they are not, this is a finding.

Fix

Change the owner of the audit log files with the following command:

# chown root [audit_file]
V-50631 No Change
Findings ID: OL6-00-000383 Rule ID: SV-64837r1_rule Severity: medium CCI: CCI-000163

Discussion

If users can write to audit logs, audit trails can be modified or destroyed.

Checks

Run the following command to check the mode of the system audit logs:

grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//|xargs stat -c %a:%n

Audit logs must be mode 0640 or less permissive.
If any are more permissive, this is a finding.

Fix

Change the mode of the audit log files with the following command:

# chmod 0640 [audit_file]
V-50635 No Change
Findings ID: OL6-00-000357 Rule ID: SV-64841r3_rule Severity: medium CCI: CCI-001452

Discussion

Locking out user accounts after a number of incorrect attempts within a specific period of time prevents direct password guessing attacks.

Checks

To ensure the failed password attempt policy is configured correctly, run the following command:

$ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth

For each file, the output should show "fail_interval=<interval-in-seconds>" where "interval-in-seconds" is 900 (15 minutes) or greater. If the "fail_interval" parameter is not set, the default setting of 900 seconds is acceptable. If that is not the case, this is a finding.

Fix

Utilizing "pam_faillock.so", the "fail_interval" directive configures the system to lock out accounts after a number of incorrect logon attempts. Modify the content of both "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" as follows:

Add the following line immediately before the "pam_unix.so" statement in the "AUTH" section:

auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900

Add the following line immediately after the "pam_unix.so" statement in the "AUTH" section:

auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900

Add the following line immediately before the "pam_unix.so" statement in the "ACCOUNT" section:

account required pam_faillock.so

Note that any updates made to "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" may be overwritten by the "authconfig" program. The "authconfig" program should not be used.
V-50637 No Change
Findings ID: OL6-00-000356 Rule ID: SV-64843r3_rule Severity: medium CCI: CCI-000047

Discussion

Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations.

Checks

To ensure the failed password attempt policy is configured correctly, run the following command:

# grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth

The output should show "unlock_time=<some-large-number>"; the largest acceptable value is 604800 seconds (one week).
If that is not the case, this is a finding.

Fix

To configure the system to lock out accounts after a number of incorrect logon attempts and require an administrator to unlock the account using "pam_faillock.so", modify the content of both "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" as follows:

Add the following line immediately before the "pam_unix.so" statement in the "AUTH" section:

auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900

Add the following line immediately after the "pam_unix.so" statement in the "AUTH" section:

auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900

Add the following line immediately before the "pam_unix.so" statement in the "ACCOUNT" section:

account required pam_faillock.so

Note that any updates made to "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" may be overwritten by the "authconfig" program. The "authconfig" program should not be used.
V-50639 No Change
Findings ID: OL6-00-000349 Rule ID: SV-64845r3_rule Severity: medium CCI: CCI-000765

Discussion

Smart card login provides two-factor authentication stronger than that provided by a username/password combination. Smart cards leverage a PKI (public key infrastructure) in order to provide and verify credentials.

Checks

Interview the SA to determine if all accounts not exempted by policy are using CAC authentication. For DoD systems, the following systems and accounts are exempt from using smart card (CAC) authentication:

Standalone systems
Application accounts
Temporary employee accounts, such as students or interns, who cannot easily receive a CAC or PIV
Operational tactical locations that are not collocated with RAPIDS workstations to issue CAC or ALT
Test systems, such as those with an Interim Approval to Test (IATT) and use a separate VPN, firewall, or security measure preventing access to network and system components from outside the protection boundary documented in the IATT.

If non-exempt accounts are not using CAC authentication, this is a finding.

Fix

To enable smart card authentication, consult the documentation at:

https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/enabling-smart-card-login.html

For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at:

https://access.redhat.com/solutions/82273
V-50641 Updated
Findings ID: OL6-00-000348 Rule ID: SV-64847r23_rule Severity: medium CCI: CCI-000048

Discussion

This setting will cause the system greeting banner to be used for FTP connections as well.

Checks

Verify the "vsftpd" package is installed:

# rpm -qa | grep -i vsftpd
vsftpd-3.0.2-22.e16.x86_64

If the "vsftpd" package is not installed, this is Not Applicable.

To verify this configuration, run the following command:

grep "banner_file" /etc/vsftpd/vsftpd.conf

The output should show the value of "banner_file" is set to "/etc/issue", an example of which is shown below.

# grep "banner_file" /etc/vsftpd/vsftpd.conf
banner_file=/etc/issue

If it does not, this is a finding.

Fix

Edit the vsftpd configuration file, which resides at "/etc/vsftpd/vsftpd.conf" by default.

Add or correct the following configuration options.

banner_file=/etc/issue

Restart the vsftpd daemon.

# service vsftpd restart
V-50643 No Change
Findings ID: OL6-00-000347 Rule ID: SV-64849r2_rule Severity: medium CCI: CCI-000196

Discussion

Unencrypted passwords for remote FTP servers may be stored in ".netrc" files. DoD policy requires passwords be encrypted in storage and not used in access scripts.

Checks

To check the system for the existence of any ".netrc" files, run the following command:

$ sudo find /root /home -xdev -name .netrc

If any .netrc files exist, this is a finding.

Fix

The ".netrc" files contain login information used to auto-login into FTP servers and reside in the user's home directory. These files may contain unencrypted passwords to remote FTP servers making them susceptible to access by unauthorized users and should not be used. Any ".netrc" files should be removed.
V-50647 No Change
Findings ID: OL6-00-000089 Rule ID: SV-64853r2_rule Severity: medium CCI: CCI-000366

Discussion

Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Checks

The status of the "net.ipv4.conf.default.accept_source_route" kernel parameter can be queried by running the following command:

$ sysctl net.ipv4.conf.default.accept_source_route

The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".

$ grep net.ipv4.conf.default.accept_source_route /etc/sysctl.conf

If the correct value is not returned, this is a finding.

Fix

To set the runtime status of the "net.ipv4.conf.default.accept_source_route" kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.default.accept_source_route=0

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

net.ipv4.conf.default.accept_source_route = 0
V-50651 No Change
Findings ID: OL6-00-000090 Rule ID: SV-64857r2_rule Severity: medium CCI: CCI-000366

Discussion

Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

Checks

The status of the "net.ipv4.conf.default.secure_redirects" kernel parameter can be queried by running the following command:

$ sysctl net.ipv4.conf.default.secure_redirects

The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".

$ grep net.ipv4.conf.default.secure_redirects /etc/sysctl.conf

If the correct value is not returned, this is a finding.

Fix

To set the runtime status of the "net.ipv4.conf.default.secure_redirects" kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.default.secure_redirects=0

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

net.ipv4.conf.default.secure_redirects = 0
V-50655 No Change
Findings ID: OL6-00-000091 Rule ID: SV-64861r2_rule Severity: low CCI: CCI-000366

Discussion

This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Checks

The status of the "net.ipv4.conf.default.accept_redirects" kernel parameter can be queried by running the following command:

$ sysctl net.ipv4.conf.default.accept_redirects

The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".

$ grep net.ipv4.conf.default.accept_redirects /etc/sysctl.conf

If the correct value is not returned, this is a finding.

Fix

To set the runtime status of the "net.ipv4.conf.default.accept_redirects" kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.default.accept_redirects=0

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

net.ipv4.conf.default.accept_redirects = 0
V-50657 No Change
Findings ID: OL6-00-000092 Rule ID: SV-64863r2_rule Severity: low CCI: CCI-000366

Discussion

Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.

Checks

The status of the "net.ipv4.icmp_echo_ignore_broadcasts" kernel parameter can be queried by running the following command:

$ sysctl net.ipv4.icmp_echo_ignore_broadcasts

The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".

$ grep net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf

If the correct value is not returned, this is a finding.

Fix

To set the runtime status of the "net.ipv4.icmp_echo_ignore_broadcasts" kernel parameter, run the following command:

# sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

net.ipv4.icmp_echo_ignore_broadcasts = 1
V-50661 No Change
Findings ID: OL6-00-000004 Rule ID: SV-64867r1_rule Severity: low CCI: CCI-000137

Discussion

Placing "/var/log/audit" in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.

Checks

Run the following command to determine if "/var/log/audit" is on its own partition or logical volume:

$ mount | grep "on /var/log/audit "

If "/var/log/audit" has its own partition or volume group, a line will be returned.
If no line is returned, this is a finding.

Fix

Audit logs are stored in the "/var/log/audit" directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.
V-50663 No Change
Findings ID: OL6-00-000093 Rule ID: SV-64869r2_rule Severity: low CCI: CCI-000366

Discussion

Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.

Checks

The status of the "net.ipv4.icmp_ignore_bogus_error_responses" kernel parameter can be queried by running the following command:

$ sysctl net.ipv4.icmp_ignore_bogus_error_responses

The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".

$ grep net.ipv4.icmp_ignore_bogus_error_responses /etc/sysctl.conf

If the correct value is not returned, this is a finding.

Fix

To set the runtime status of the "net.ipv4.icmp_ignore_bogus_error_responses" kernel parameter, run the following command:

# sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

net.ipv4.icmp_ignore_bogus_error_responses = 1
V-50665 No Change
Findings ID: OL6-00-000346 Rule ID: SV-64871r1_rule Severity: low CCI: CCI-000366

Discussion

The umask influences the permissions assigned to files created by a process at run time. An unnecessarily permissive umask could result in files being created with insecure permissions.

Checks

To check the value of the "umask", run the following command:

$ grep umask /etc/init.d/functions

The output should show either "022" or "027".
If it does not, this is a finding.

Fix

The file "/etc/init.d/functions" includes initialization parameters for most or all daemons started at boot time. The default umask of 022 prevents creation of group- or world-writable files. To set the default umask for daemons, edit the following line, inserting 022 or 027 for [UMASK] appropriately:

umask [UMASK]

Setting the umask to too restrictive a setting can cause serious errors at runtime. Many daemons on the system already individually restrict themselves to a umask of 077 in their own init scripts.
V-50667 No Change
Findings ID: OL6-00-000345 Rule ID: SV-64873r1_rule Severity: low CCI: CCI-000366

Discussion

The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.

Checks

Verify the "umask" setting is configured correctly in the "/etc/login.defs" file by running the following command:

# grep -i "umask" /etc/login.defs

All output must show the value of "umask" set to 077, as shown in the below:

# grep -i "umask" /etc/login.defs
UMASK 077

If the above command returns no output, or if the umask is configured incorrectly, this is a finding.

Fix

To ensure the default umask controlled by "/etc/login.defs" is set properly, add or correct the "umask" setting in "/etc/login.defs" to read as follows:

UMASK 077
V-50669 No Change
Findings ID: OL6-00-000344 Rule ID: SV-64875r1_rule Severity: low CCI: CCI-000366

Discussion

The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.

Checks

Verify the "umask" setting is configured correctly in the "/etc/profile" file by running the following command:

# grep "umask" /etc/profile

All output must show the value of "umask" set to 077, as shown in the below:

# grep "umask" /etc/profile
umask 077

If the above command returns no output, or if the umask is configured incorrectly, this is a finding.

Fix

To ensure the default umask controlled by "/etc/profile" is set properly, add or correct the "umask" setting in "/etc/profile" to read as follows:

umask 077
V-50671 No Change
Findings ID: OL6-00-000005 Rule ID: SV-64877r3_rule Severity: medium CCI: CCI-000138

Discussion

Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.

Checks

Inspect '/etc/audit/auditd.conf' and locate the following line to determine if the system is configured to email the administrator when disk space is starting to run low:

# grep space_left_action /etc/audit/auditd.conf
space_left_action = email

If the system is not configured to send an email to the system administrator when disk space is starting to run low, this is a finding. The 'syslog' option is acceptable when it can be demonstrated that the local log management infrastructure notifies an appropriate administrator in a timely manner.

Fix

The 'auditd' service can be configured to take an action when disk space starts to run low. Edit the file '/etc/audit/auditd.conf'. Modify the following line, substituting [ACTION] appropriately:

space_left_action = [ACTION]

Possible values for [ACTION] are described in the 'auditd.conf' man page. These include: 'ignore',
'syslog', 'email', 'exec', 'suspend', 'single', and 'halt'. Set this to 'email' (instead of the default, which is 'suspend') as it is more likely to get prompt attention. The 'syslog' option is acceptable, provided the local log management infrastructure notifies an appropriate administrator in a timely manner.

OL6-00-000521 ensures that the email generated through the operation "space_left_action" will be sent to an administrator.
V-50673 No Change
Findings ID: OL6-00-000343 Rule ID: SV-64879r1_rule Severity: low CCI: CCI-000366

Discussion

The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.

Checks

Verify the "umask" setting is configured correctly in the "/etc/csh.cshrc" file by running the following command:

# grep "umask" /etc/csh.cshrc

All output must show the value of "umask" set to 077, as shown in the below:

# grep "umask" /etc/csh.cshrc
umask 077

If the above command returns no output, or if the umask is configured incorrectly, this is a finding.

Fix

To ensure the default umask for users of the C shell is set properly, add or correct the "umask" setting in "/etc/csh.cshrc" to read as follows:

umask 077
V-50677 No Change
Findings ID: OL6-00-000007 Rule ID: SV-64883r1_rule Severity: low CCI: CCI-000366

Discussion

Ensuring that "/home" is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.

Checks

Run the following command to determine if "/home" is on its own partition or logical volume:

$ mount | grep "on /home "

If "/home" has its own partition or volume group, a line will be returned.
If no line is returned, this is a finding.

Fix

If user home directories will be stored locally, create a separate partition for "/home" at installation time (or migrate it later using LVM). If "/home" will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.
V-50683 No Change
Findings ID: OL6-00-000095 Rule ID: SV-64889r2_rule Severity: medium CCI: CCI-001095

Discussion

A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.

Checks

The status of the "net.ipv4.tcp_syncookies" kernel parameter can be queried by running the following command:

$ sysctl net.ipv4.tcp_syncookies

The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".

$ grep net.ipv4.tcp_syncookies /etc/sysctl.conf

If the correct value is not returned, this is a finding.

Fix

To set the runtime status of the "net.ipv4.tcp_syncookies" kernel parameter, run the following command:

# sysctl -w net.ipv4.tcp_syncookies=1

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

net.ipv4.tcp_syncookies = 1
V-50685 No Change
Findings ID: OL6-00-000096 Rule ID: SV-64891r2_rule Severity: medium CCI: CCI-000366

Discussion

Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.

Checks

The status of the "net.ipv4.conf.all.rp_filter" kernel parameter can be queried by running the following command:

$ sysctl net.ipv4.conf.all.rp_filter

The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".

$ grep net.ipv4.conf.all.rp_filter /etc/sysctl.conf

If the correct value is not returned, this is a finding.

Fix

To set the runtime status of the "net.ipv4.conf.all.rp_filter" kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.all.rp_filter=1

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

net.ipv4.conf.all.rp_filter = 1
V-50689 No Change
Findings ID: OL6-00-000008 Rule ID: SV-64895r3_rule Severity: high CCI: CCI-000352

Discussion

This key is necessary to cryptographically verify packages that packages are from the operating system vendor.

Checks

To ensure that the GPG key is installed, run:

# rpm -qi gpg-pubkey-ec551f03 | gpg --keyid-format long | grep oracle.com | cut -f3 -d" " |cut -f2 -d"/"

The command should return the string below:

72F97B74EC551F03

If the operating system vendor GPG Key is not installed, this is a finding.

Fix

To ensure the system can cryptographically verify the software packages come from the operating system vendor (and connect to the vendor's network software repository to receive them if desired), the vendor GPG key must properly be installed. To ensure the GPG key is installed, run:

# wget http://public-yum.oracle.com/RPM-GPG-KEY-oracle-ol6
# rpm --import RPM-GPG-KEY-oracle-ol6
V-50693 No Change
Findings ID: OL6-00-000009 Rule ID: SV-64899r1_rule Severity: low CCI: CCI-000382

Discussion

Although systems management and patching is extremely important to system security, management by a system outside the enterprise enclave is not desirable for some environments. However, if the system needs to communicate with the Oracle Unbreakable Linux Network for updates or information, then the "rhnsd" daemon can remain on.

Checks

If the system needs to automatically communicate with the Oracle Unbreakable Linux Network for updates or information, then this is not applicable.

To check that the "rhnsd" service is disabled in system boot configuration, run the following command:

# chkconfig "rhnsd" --list

Output should indicate the "rhnsd" service has either not been installed or has been disabled at all runlevels, as shown in the example below:

# chkconfig "rhnsd" --list
"rhnsd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off

Run the following command to verify "rhnsd" is disabled through current runtime configuration:

# service rhnsd status

If the service is disabled, the command will return the following output:

rhnsd is stopped

If the service is running, this is a finding.

Fix

This service automatically queries the Oracle Unbreakable Linux Network service to determine whether there are any software updates or related information. The "rhnsd" service can be disabled with the following commands:

# chkconfig rhnsd off
# service rhnsd stop
V-50695 No Change
Findings ID: OL6-00-000011 Rule ID: SV-64901r1_rule Severity: medium CCI: CCI-001233

Discussion

Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities.

Checks

If the system is joined to Oracle's Unbreakable Linux Network or an internal YUM server that provides updates, invoking the following command will indicate if updates are available.:

# yum check-update

If the system is not configured to update from one of these sources, run the following command to list when each package was last updated:

$ rpm -qa -last

Compare this to (1) http://linux.oracle.com/errata/ and (2) http://linux.oracle.com/cve/ to determine if the system is missing applicable security and bugfix updates. If updates are not installed, this is a finding. A ULN account is not required to obtain security updates Oracle also makes this content freely available on its Public YUM server at: http://public-yum.oracle.com/.

Fix

If the system is joined to Oracle's Unbreakable Linux Network or an internal YUM server, run the following command to install updates

# yum update

If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from Oracle's Unbreakable Linux Network and installed using the "rpm" command.
V-50699 No Change
Findings ID: OL6-00-000097 Rule ID: SV-64905r2_rule Severity: medium CCI: CCI-000366

Discussion

Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.

Checks

The status of the "net.ipv4.conf.default.rp_filter" kernel parameter can be queried by running the following command:

$ sysctl net.ipv4.conf.default.rp_filter

The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".

$ grep net.ipv4.conf.default.rp_filter /etc/sysctl.conf

If the correct value is not returned, this is a finding.

Fix

To set the runtime status of the "net.ipv4.conf.default.rp_filter" kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.default.rp_filter=1

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

net.ipv4.conf.default.rp_filter = 1
V-50701 No Change
Findings ID: OL6-00-000013 Rule ID: SV-64907r1_rule Severity: medium CCI: CCI-000663

Discussion

Ensuring the validity of packages' cryptographic signatures prior to installation ensures the provenance of the software and protects against malicious tampering.

Checks

To determine whether "yum" is configured to use "gpgcheck", inspect "/etc/yum.conf" and ensure the following appears in the "[main]" section:

gpgcheck=1

A value of "1" indicates that "gpgcheck" is enabled. Absence of a "gpgcheck" line or a setting of "0" indicates that it is disabled. If GPG checking is not enabled, this is a finding.

If the "yum" system package management tool is not used to update the system, verify with the SA that installed packages are cryptographically signed.

Fix

The "gpgcheck" option should be used to ensure checking of an RPM package's signature always occurs prior to its installation. To configure yum to check package signatures before installing them, ensure the following line appears in "/etc/yum.conf" in the "[main]" section:

gpgcheck=1
V-50707 No Change
Findings ID: OL6-00-000342 Rule ID: SV-64913r1_rule Severity: low CCI: CCI-000366

Discussion

The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.

Checks

Verify the "umask" setting is configured correctly in the "/etc/bashrc" file by running the following command:

# grep "umask" /etc/bashrc

All output must show the value of "umask" set to 077, as shown below:

# grep "umask" /etc/bashrc
umask 077
umask 077

If the above command returns no output, or if the umask is configured incorrectly, this is a finding.

Fix

To ensure the default umask for users of the Bash shell is set properly, add or correct the "umask" setting in "/etc/bashrc" to read as follows:

umask 077
V-50709 No Change
Findings ID: OL6-00-000015 Rule ID: SV-64915r1_rule Severity: low CCI: CCI-000663

Discussion

Ensuring all packages' cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering.

Checks

To determine whether "yum" has been configured to disable "gpgcheck" for any repos, inspect all files in "/etc/yum.repos.d" and ensure the following does not appear in any sections:

gpgcheck=0

A value of "0" indicates that "gpgcheck" has been disabled for that repo.
If GPG checking is disabled, this is a finding.

If the "yum" system package management tool is not used to update the system, verify with the SA that installed packages are cryptographically signed.

Fix

To ensure signature checking is not disabled for any repos, remove any lines from files in "/etc/yum.repos.d" of the form:

gpgcheck=0
V-50711 No Change
Findings ID: OL6-00-000099 Rule ID: SV-64917r2_rule Severity: medium CCI: CCI-000366

Discussion

An illicit ICMP redirect message could result in a man-in-the-middle attack.

Checks

If IPv6 is disabled, this is not applicable.

The status of the "net.ipv6.conf.default.accept_redirects" kernel parameter can be queried by running the following command:

$ sysctl net.ipv6.conf.default.accept_redirects

The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".

$ grep net.ipv6.conf.default.accept_redirects /etc/sysctl.conf

If the correct value is not returned, this is a finding.

Fix

To set the runtime status of the "net.ipv6.conf.default.accept_redirects" kernel parameter, run the following command:

# sysctl -w net.ipv6.conf.default.accept_redirects=0

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

net.ipv6.conf.default.accept_redirects = 0
V-50713 No Change
Findings ID: OL6-00-000341 Rule ID: SV-64919r1_rule Severity: high CCI: CCI-000366

Discussion

Presence of the default SNMP password enables querying of different system aspects and could result in unauthorized knowledge of the system.

Checks

To ensure the default password is not set, run the following command:

# grep -v "^#" /etc/snmp/snmpd.conf| grep public

There should be no output.
If there is output, this is a finding.

Fix

Edit "/etc/snmp/snmpd.conf", remove default community string "public". Upon doing that, restart the SNMP service:

# service snmpd restart
V-50715 No Change
Findings ID: OL6-00-000016 Rule ID: SV-64921r1_rule Severity: medium CCI: CCI-001069

Discussion

The AIDE package must be installed if it is to be available for integrity checking.

Checks

If another file integrity tool is installed, this is not a finding.

Run the following command to determine if the "aide" package is installed:

# rpm -q aide

If the package is not installed, this is a finding.

Fix

Install the AIDE package with the command:

# yum install aide
V-50717 No Change
Findings ID: OL6-00-000340 Rule ID: SV-64923r1_rule Severity: medium CCI: CCI-000366

Discussion

Earlier versions of SNMP are considered insecure, as they potentially allow unauthorized access to detailed system management information.

Checks

To ensure only SNMPv3 or newer is used, run the following command:

# grep 'v1\|v2c\|com2sec' /etc/snmp/snmpd.conf | grep -v '^#'

There should be no output.
If there is output, this is a finding.

Fix

Edit "/etc/snmp/snmpd.conf", removing any references to "v1", "v2c", or "com2sec". Upon doing that, restart the SNMP service:

# service snmpd restart
V-50719 No Change
Findings ID: OL6-00-000019 Rule ID: SV-64925r1_rule Severity: high CCI: CCI-001436

Discussion

Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system.

Checks

The existence of the file "/etc/hosts.equiv" or a file named ".rhosts" inside a user home directory indicates the presence of an Rsh trust relationship.
If these files exist, this is a finding.

Fix

The files "/etc/hosts.equiv" and "~/.rhosts" (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To remove these files, run the following command to delete them from any location.

# rm /etc/hosts.equiv

$ rm ~/.rhosts
V-50721 No Change
Findings ID: OL6-00-000027 Rule ID: SV-64927r1_rule Severity: medium CCI: CCI-000770

Discussion

Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account.

Checks

To check for virtual console entries which permit root login, run the following command:

# grep '^vc/[0-9]' /etc/securetty

If any output is returned, then root logins over virtual console devices is permitted.
If root login over virtual console devices is permitted, this is a finding.

Fix

To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in "/etc/securetty":

vc/1
vc/2
vc/3
vc/4

Note: Virtual console entries are not limited to those listed above. Any lines starting with "vc/" followed by numerals should be removed.
V-50725 No Change
Findings ID: OL6-00-000028 Rule ID: SV-64931r1_rule Severity: low CCI: CCI-000770

Discussion

Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account.

Checks

To check for serial port entries which permit root login, run the following command:

# grep '^ttyS[0-9]' /etc/securetty

If any output is returned, then root login over serial ports is permitted.
If root login over serial ports is permitted, this is a finding.

Fix

To restrict root logins on serial ports, ensure lines of this form do not appear in "/etc/securetty":

ttyS0
ttyS1

Note: Serial port entries are not limited to those listed above. Any lines starting with "ttyS" followed by numerals should be removed.
V-50731 No Change
Findings ID: OL6-00-000029 Rule ID: SV-64937r3_rule Severity: medium CCI: CCI-000366

Discussion

Disabling authentication for default system accounts makes it more difficult for attackers to make use of them to compromise a system.

Checks

To obtain a listing of all users and the contents of their shadow password field, run the command:

$ awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1 ":" $2}' /etc/shadow

Identify the operating system accounts from this listing. These will primarily be the accounts with UID numbers less than 500, other than root. If any default operating system account (other than root) has a valid password hash, this is a finding.

Fix

Some accounts are not associated with a human user of the system, and exist to perform some administrative function. An attacker should not be able to log into these accounts.

Disable logon access to these accounts with the command:

# passwd -l [SYSACCT]
V-50737 No Change
Findings ID: OL6-00-000030 Rule ID: SV-64943r3_rule Severity: high CCI: CCI-000366

Discussion

If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.

Checks

To verify that null passwords cannot be used, run the following command:

# grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth

If this produces any output, it may be possible to log on to accounts with empty passwords.

If null passwords can be used, this is a finding.

Fix

If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authentication.

Remove any instances of the "nullok" option in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" to prevent logons with empty passwords.
V-50739 Updated
Findings ID: OL6-00-000339 Rule ID: SV-64945r12_rule Severity: low CCI: CCI-000130

Discussion

To trace malicious activity facilitated by the FTP service, it must be configured to ensure that all commands sent to the ftp server are logged using the verbose vsftpd log format. The default vsftpd log file is /var/log/vsftpd.log.

Checks

Verify the "vsftpd" package is installed:

# rpm -qa | grep -i vsftpd
vsftpd-3.0.2-22.e16.x86_64

If the "vsftpd" package is not installed, this is Not Applicable.

Find if logging is applied to the ftp daemon.

Procedures:

If vsftpd is started by xinetd the following command will indicate the xinetd.d startup file.

# grep vsftpd /etc/xinetd.d/*

# grep server_args [vsftpd xinetd.d startup file]

This will indicate the vsftpd config file used when starting through xinetd. If the [server_args]line is missing or does not include the vsftpd configuration file, then the default config file (/etc/vsftpd/vsftpd.conf) is used.

# grep xferlog_enable [vsftpd config file]

If xferlog_enable is missing, or is not set to yes, this is a finding.

Fix

Add or correct the following configuration options within the "vsftpd" configuration file, located at "/etc/vsftpd/vsftpd.conf".

xferlog_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YES
V-50741 No Change
Findings ID: OL6-00-000031 Rule ID: SV-64947r1_rule Severity: medium CCI: CCI-000366

Discussion

The hashes for all user account passwords should be stored in the file "/etc/shadow" and never in "/etc/passwd", which is readable by all users.

Checks

To check that no password hashes are stored in "/etc/passwd", run the following command:

# awk -F: '($2 != "x") {print}' /etc/passwd

If it produces any output, then a password hash is stored in "/etc/passwd".
If any stored hashes are found in /etc/passwd, this is a finding.

Fix

If any password hashes are stored in "/etc/passwd" (in the second field, instead of an "x"), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely.
V-50747 No Change
Findings ID: OL6-00-000032 Rule ID: SV-64953r2_rule Severity: medium CCI: CCI-000366

Discussion

An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.

Checks

To list all password file entries for accounts with UID 0, run the following command:

# awk -F: '($3 == 0) {print}' /etc/passwd

This should print only one line, for the user root.
If any account other than root has a UID of 0, this is a finding.

Fix

If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.
V-50751 Updated
Findings ID: OL6-00-000338 Rule ID: SV-64957r12_rule Severity: high CCI: CCI-000366

Discussion

Using the "-s" option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally specified directory reduces the risk of sharing files which should remain private.

Checks

Verify the "tftp" package is installed:

# rpm -qa | grep -i tftp
tftp-5.2-22.e16.x86_64

If the "tftp" package is not installed, this is Not Applicable.

Verify "tftp" is configured by with the "-s" option by running the following command:

grep "server_args" /etc/xinetd.d/tftp

The output should indicate the "server_args" variable is configured with the "-s" flag, matching the example below:

# grep "server_args" /etc/xinetd.d/tftp
server_args = -s /var/lib/tftpboot

If it does not, this is a finding.

Fix

If running the "tftp" service is necessary, it should be configured to change its root directory at startup. To do so, ensure "/etc/xinetd.d/tftp" includes "-s" as a command line argument, as shown in the following example (which is also the default):

server_args = -s /var/lib/tftpboot
V-50753 No Change
Findings ID: OL6-00-000033 Rule ID: SV-64959r1_rule Severity: medium CCI: CCI-000366

Discussion

The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.

Checks

To check the ownership of "/etc/shadow", run the command:

$ ls -l /etc/shadow

If properly configured, the output should indicate the following owner: "root"
If it does not, this is a finding.

Fix

To properly set the owner of "/etc/shadow", run the command:

# chown root /etc/shadow
V-50755 No Change
Findings ID: OL6-00-000034 Rule ID: SV-64961r1_rule Severity: medium CCI: CCI-000366

Discussion

The "/etc/shadow" file stores password hashes. Protection of this file is critical for system security.

Checks

To check the group ownership of "/etc/shadow", run the command:

$ ls -l /etc/shadow

If properly configured, the output should indicate the following group-owner. "root"
If it does not, this is a finding.

Fix

To properly set the group owner of "/etc/shadow", run the command:

# chgrp root /etc/shadow
V-50757 No Change
Findings ID: OL6-00-000035 Rule ID: SV-64963r1_rule Severity: medium CCI: CCI-000366

Discussion

The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.

Checks

To check the permissions of "/etc/shadow", run the command:

$ ls -l /etc/shadow

If properly configured, the output should indicate the following permissions: "----------"
If it does not, this is a finding.

Fix

To properly set the permissions of "/etc/shadow", run the command:

# chmod 0000 /etc/shadow
V-50759 No Change
Findings ID: OL6-00-000036 Rule ID: SV-64965r1_rule Severity: medium CCI: CCI-000366

Discussion

The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.

Checks

To check the ownership of "/etc/gshadow", run the command:

$ ls -l /etc/gshadow

If properly configured, the output should indicate the following owner: "root"
If it does not, this is a finding.

Fix

To properly set the owner of "/etc/gshadow", run the command:

# chown root /etc/gshadow
V-50761 No Change
Findings ID: OL6-00-000103 Rule ID: SV-64967r2_rule Severity: medium CCI: CCI-001118

Discussion

The "ip6tables" service provides the system's host-based firewalling capability for IPv6 and ICMPv6.

Checks

If the system is a cross-domain system, this is not applicable.

If IPv6 is disabled, this is not applicable.

Run the following command to determine the current status of the "ip6tables" service:

# service ip6tables status

If the service is not running, it should return the following:

ip6tables: Firewall is not running.

If the service is not running, this is a finding.

Fix

The "ip6tables" service can be enabled with the following commands:

# chkconfig ip6tables on
# service ip6tables start
V-50763 No Change
Findings ID: OL6-00-000037 Rule ID: SV-64969r1_rule Severity: medium CCI: CCI-000366

Discussion

The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.

Checks

To check the group ownership of "/etc/gshadow", run the command:

$ ls -l /etc/gshadow

If properly configured, the output should indicate the following group-owner. "root"
If it does not, this is a finding.

Fix

To properly set the group owner of "/etc/gshadow", run the command:

# chgrp root /etc/gshadow
V-50765 No Change
Findings ID: OL6-00-000038 Rule ID: SV-64971r1_rule Severity: medium CCI: CCI-000366

Discussion

The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.

Checks

To check the permissions of "/etc/gshadow", run the command:

$ ls -l /etc/gshadow

If properly configured, the output should indicate the following permissions: "----------"
If it does not, this is a finding.

Fix

To properly set the permissions of "/etc/gshadow", run the command:

# chmod 0000 /etc/gshadow
V-50767 No Change
Findings ID: OL6-00-000106 Rule ID: SV-64973r2_rule Severity: medium CCI: CCI-001098

Discussion

The "ip6tables" service provides the system's host-based firewalling capability for IPv6 and ICMPv6.

Checks

If the system is a cross-domain system, this is not applicable.

If IPv6 is disabled, this is not applicable.

Run the following command to determine the current status of the "ip6tables" service:

# service ip6tables status

If the service is not running, it should return the following:

ip6tables: Firewall is not running.

If the service is not running, this is a finding.

Fix

The "ip6tables" service can be enabled with the following commands:

# chkconfig ip6tables on
# service ip6tables start
V-50769 No Change
Findings ID: OL6-00-000039 Rule ID: SV-64975r1_rule Severity: medium CCI: CCI-000366

Discussion

The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security.

Checks

To check the ownership of "/etc/passwd", run the command:

$ ls -l /etc/passwd

If properly configured, the output should indicate the following owner: "root"
If it does not, this is a finding.

Fix

To properly set the owner of "/etc/passwd", run the command:

# chown root /etc/passwd
V-50771 No Change
Findings ID: OL6-00-000040 Rule ID: SV-64977r1_rule Severity: medium CCI: CCI-000366

Discussion

The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security.

Checks

To check the group ownership of "/etc/passwd", run the command:

$ ls -l /etc/passwd

If properly configured, the output should indicate the following group-owner. "root"
If it does not, this is a finding.

Fix

To properly set the group owner of "/etc/passwd", run the command:

# chgrp root /etc/passwd
V-50773 No Change
Findings ID: OL6-00-000041 Rule ID: SV-64979r1_rule Severity: medium CCI: CCI-000366

Discussion

If the "/etc/passwd" file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.

Checks

To check the permissions of "/etc/passwd", run the command:

$ ls -l /etc/passwd

If properly configured, the output should indicate the following permissions: "-rw-r--r--"
If it does not, this is a finding.

Fix

To properly set the permissions of "/etc/passwd", run the command:

# chmod 0644 /etc/passwd
V-50775 No Change
Findings ID: OL6-00-000042 Rule ID: SV-64981r1_rule Severity: medium CCI: CCI-000366

Discussion

The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

Checks

To check the ownership of "/etc/group", run the command:

$ ls -l /etc/group

If properly configured, the output should indicate the following owner: "root"
If it does not, this is a finding.

Fix

To properly set the owner of "/etc/group", run the command:

# chown root /etc/group
V-50777 No Change
Findings ID: OL6-00-000043 Rule ID: SV-64983r1_rule Severity: medium CCI: CCI-000366

Discussion

The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

Checks

To check the group ownership of "/etc/group", run the command:

$ ls -l /etc/group

If properly configured, the output should indicate the following group-owner. "root"
If it does not, this is a finding.

Fix

To properly set the group owner of "/etc/group", run the command:

# chgrp root /etc/group
V-50779 No Change
Findings ID: OL6-00-000044 Rule ID: SV-64985r1_rule Severity: medium CCI: CCI-000366

Discussion

The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

Checks

To check the permissions of "/etc/group", run the command:

$ ls -l /etc/group

If properly configured, the output should indicate the following permissions: "-rw-r--r--"
If it does not, this is a finding.

Fix

To properly set the permissions of "/etc/group", run the command:

# chmod 644 /etc/group
V-50781 No Change
Findings ID: OL6-00-000107 Rule ID: SV-64987r2_rule Severity: medium CCI: CCI-001100

Discussion

The "ip6tables" service provides the system's host-based firewalling capability for IPv6 and ICMPv6.

Checks

If the system is a cross-domain system, this is not applicable.

If IPv6 is disabled, this is not applicable.

Run the following command to determine the current status of the "ip6tables" service:

# service ip6tables status

If the service is not running, it should return the following:

ip6tables: Firewall is not running.

If the service is not running, this is a finding.

Fix

The "ip6tables" service can be enabled with the following commands:

# chkconfig ip6tables on
# service ip6tables start
V-50783 No Change
Findings ID: OL6-00-000045 Rule ID: SV-64989r2_rule Severity: medium CCI: CCI-001499

Discussion

Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system.

Checks

System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:

/lib
/lib64
/usr/lib
/usr/lib64

Kernel modules, which can be added to the kernel during runtime, are stored in "/lib/modules". All files in these directories should not be group-writable or world-writable. To find shared libraries that are group-writable or world-writable, run the following command for each directory [DIR] which contains shared libraries:

$ find -L [DIR] -perm /022 -type f

If any of these files (excluding broken symlinks) are group-writable or world-writable, this is a finding.

Fix

System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:

/lib
/lib64
/usr/lib
/usr/lib64

If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command:

# chmod go-w [FILE]
V-50785 No Change
Findings ID: OL6-00-000046 Rule ID: SV-64991r4_rule Severity: medium CCI: CCI-001499

Discussion

Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system.

Checks

System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:

/lib
/lib64
/usr/lib
/usr/lib64
/usr/local/lib
/usr/local/lib64

Kernel modules, which can be added to the kernel during runtime, are stored in "/lib/modules". All files in these directories should not be group-writable or world-writable. To find shared libraries that are not owned by "root" and do not match what is expected by the RPM, run the following command:

for i in /lib /lib64 /usr/lib /usr/lib64 /usr/local/lib /usr/local/lib64
do
for j in `find -L $i \! -user root`
do
rpm -V -f $j | grep '^.....U'
done
done


If the command returns any results, this is a finding.

Fix

System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:

/lib
/lib64
/usr/lib
/usr/lib64
/usr/local/lib
/usr/local/lib64

If any file in these directories is found to be owned by a user other than “root” and does not match what is expected by the RPM, correct its ownership by running one of the following commands:


# rpm --setugids [PACKAGE_NAME]

Or

# chown root [FILE]
V-50787 No Change
Findings ID: OL6-00-000047 Rule ID: SV-64993r2_rule Severity: medium CCI: CCI-001499

Discussion

System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.

Checks

System executables are stored in the following directories by default:

/bin
/usr/bin
/usr/local/bin
/sbin
/usr/sbin
/usr/local/sbin

All files in these directories should not be group-writable or world-writable. To find system executables that are group-writable or world-writable, run the following command for each directory [DIR] which contains system executables:

$ find -L [DIR] -perm /022 -type f

If any system executables are found to be group-writable or world-writable, this is a finding.

Fix

System executables are stored in the following directories by default:

/bin
/usr/bin
/usr/local/bin
/sbin
/usr/sbin
/usr/local/sbin

If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command:

# chmod go-w [FILE]
V-50789 No Change
Findings ID: OL6-00-000048 Rule ID: SV-64995r2_rule Severity: medium CCI: CCI-001499

Discussion

System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted.

Checks

System executables are stored in the following directories by default:

/bin
/usr/bin
/usr/local/bin
/sbin
/usr/sbin
/usr/local/sbin

To find system executables that are not owned by "root", run the following command for each directory [DIR] which contains system executables:

$ find -L [DIR] \! -user root

If any system executables are found to not be owned by root, this is a finding.

Fix

System executables are stored in the following directories by default:

/bin
/usr/bin
/usr/local/bin
/sbin
/usr/sbin
/usr/local/sbin

If any file [FILE] in these directories is found to be owned by a user other than root, correct its ownership with the following command:

# chown root [FILE]
V-50791 No Change
Findings ID: OL6-00-000050 Rule ID: SV-64997r3_rule Severity: medium CCI: CCI-000205

Discussion

Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result.

While it does not negate the password length requirement, it is preferable to migrate from a password-based authentication scheme to a stronger one based on PKI (public key infrastructure).

Checks

To check the minimum password length, run the command:

$ grep PASS_MIN_LEN /etc/login.defs

The DoD requirement is "15".

If it is not set to the required value, this is a finding.

$ grep –E ‘pam_cracklib.so.*minlen’ /etc/pam.d/*

If no results are returned, this is not a finding.

If any results are returned and are not set to “15” or greater, this is a finding.

Fix

To specify password length requirements for new accounts, edit the file "/etc/login.defs" and add or correct the following lines:

PASS_MIN_LEN 15

The DoD requirement is "15". If a program consults "/etc/login.defs" and also another PAM module (such as "pam_cracklib") during a password change operation, then the most restrictive must be satisfied.
V-50793 No Change
Findings ID: OL6-00-000051 Rule ID: SV-64999r1_rule Severity: medium CCI: CCI-000198

Discussion

Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.

Checks

To check the minimum password age, run the command:

$ grep PASS_MIN_DAYS /etc/login.defs

The DoD requirement is 1.
If it is not set to the required value, this is a finding.

Fix

To specify password minimum age for new accounts, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately:

PASS_MIN_DAYS [DAYS]

A value of 1 day is considered sufficient for many environments. The DoD requirement is 1.
V-50795 No Change
Findings ID: OL6-00-000053 Rule ID: SV-65001r1_rule Severity: medium CCI: CCI-000199

Discussion

Setting the password maximum age ensures users are required to periodically change their passwords. This could possibly decrease the utility of a stolen password. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.

Checks

To check the maximum password age, run the command:

$ grep PASS_MAX_DAYS /etc/login.defs

The DoD requirement is 60.
If it is not set to the required value, this is a finding.

Fix

To specify password maximum age for new accounts, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately:

PASS_MAX_DAYS [DAYS]

The DoD requirement is 60.
V-50797 No Change
Findings ID: OL6-00-000113 Rule ID: SV-65003r2_rule Severity: medium CCI: CCI-001118

Discussion

The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP.

Checks

If the system is a cross-domain system, this is not applicable.

Run the following command to determine the current status of the "iptables" service:

# service iptables status

If the service is not running, it should return the following:

iptables: Firewall is not running.

If the service is not running, this is a finding.

Fix

The "iptables" service can be enabled with the following commands:

# chkconfig iptables on
# service iptables start
V-50799 No Change
Findings ID: OL6-00-000237 Rule ID: SV-65005r1_rule Severity: medium CCI: CCI-000770

Discussion

Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on root's password.

Checks

To determine how the SSH daemon's "PermitRootLogin" option is set, run the following command:

# grep -i PermitRootLogin /etc/ssh/sshd_config

If a line indicating "no" is returned, then the required value is set.
If the required value is not set, this is a finding.

Fix

The root user should never be allowed to log in to a system directly over a network. To disable root login via SSH, add or correct the following line in "/etc/ssh/sshd_config":

PermitRootLogin no
V-50801 No Change
Findings ID: OL6-00-000239 Rule ID: SV-65007r1_rule Severity: high CCI: CCI-000766

Discussion

Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.

Checks

To determine how the SSH daemon's "PermitEmptyPasswords" option is set, run the following command:

# grep -i PermitEmptyPasswords /etc/ssh/sshd_config

If no line, a commented line, or a line indicating the value "no" is returned, then the required value is set.
If the required value is not set, this is a finding.

Fix

To explicitly disallow remote login from accounts with empty passwords, add or correct the following line in "/etc/ssh/sshd_config":

PermitEmptyPasswords no

Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.
V-50803 No Change
Findings ID: OL6-00-000240 Rule ID: SV-65009r1_rule Severity: medium CCI: CCI-000048

Discussion

The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.

Checks

To determine how the SSH daemon's "Banner" option is set, run the following command:

# grep -i Banner /etc/ssh/sshd_config

If a line indicating /etc/issue is returned, then the required value is set.
If the required value is not set, this is a finding.

Fix

To enable the warning banner and ensure it is consistent across the system, add or correct the following line in "/etc/ssh/sshd_config":

Banner /etc/issue

Another section contains information on how to create an appropriate system-wide warning banner.
V-50805 No Change
Findings ID: OL6-00-000241 Rule ID: SV-65011r1_rule Severity: low CCI: CCI-001414

Discussion

SSH environment options potentially allow users to bypass access restriction in some configurations.

Checks

To ensure users are not able to present environment daemons, run the following command:

# grep PermitUserEnvironment /etc/ssh/sshd_config

If properly configured, output should be:

PermitUserEnvironment no

If it is not, this is a finding.

Fix

To ensure users are not able to present environment options to the SSH daemon, add or correct the following line in "/etc/ssh/sshd_config":

PermitUserEnvironment no
V-50807 No Change
Findings ID: OL6-00-000243 Rule ID: SV-65013r1_rule Severity: medium CCI: CCI-001144

Discussion

Approved algorithms should impart some level of confidence in their implementation. These are also required for compliance.

Checks

Only FIPS-approved ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command:

# grep Ciphers /etc/ssh/sshd_config

The output should contain only those ciphers which are FIPS-approved, namely, the AES and 3DES ciphers.
If that is not the case, this is a finding.

Fix

Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in "/etc/ssh/sshd_config" demonstrates use of FIPS-approved ciphers:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

The man page "sshd_config(5)" contains a list of supported ciphers.
V-50809 No Change
Findings ID: OL6-00-000246 Rule ID: SV-65015r1_rule Severity: low CCI: CCI-000366

Discussion

Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted.

Checks

To check that the "avahi-daemon" service is disabled in system boot configuration, run the following command:

# chkconfig "avahi-daemon" --list

Output should indicate the "avahi-daemon" service has either not been installed, or has been disabled at all runlevels, as shown in the example below:

# chkconfig "avahi-daemon" --list
"avahi-daemon" 0:off 1:off 2:off 3:off 4:off 5:off 6:off

Run the following command to verify "avahi-daemon" is disabled through current runtime configuration:

# service avahi-daemon status

If the service is disabled the command will return the following output:

avahi-daemon is stopped

If the service is running, this is a finding.

Fix

The "avahi-daemon" service can be disabled with the following commands:

# chkconfig avahi-daemon off
# service avahi-daemon stop
V-50811 No Change
Findings ID: OL6-00-000247 Rule ID: SV-65017r1_rule Severity: medium CCI: CCI-000160

Discussion

Enabling the "ntpd" service ensures that the "ntpd" service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches.

Checks

Run the following command to determine the current status of the "ntpd" service:

# service ntpd status

If the service is enabled, it should return the following:

ntpd is running...

If the service is not running, this is a finding.

Fix

The "ntpd" service can be enabled with the following command:

# chkconfig ntpd on
# service ntpd start
V-50813 No Change
Findings ID: OL6-00-000248 Rule ID: SV-65019r1_rule Severity: medium CCI: CCI-000160

Discussion

Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events. Using a trusted NTP server provided by your organization is recommended.

Checks

A remote NTP server should be configured for time synchronization. To verify one is configured, open the following file.

/etc/ntp.conf

In the file, there should be a section similar to the following:

# --- OUR TIMESERVERS -----
server [ntpserver]

If this is not the case, this is a finding.

Fix

To specify a remote NTP server for time synchronization, edit the file "/etc/ntp.conf". Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver.

server [ntpserver]

This instructs the NTP software to contact that remote server to obtain time data.
V-50815 No Change
Findings ID: OL6-00-000249 Rule ID: SV-65021r2_rule Severity: medium CCI: CCI-000382

Discussion

This ensures "postfix" accepts mail messages (such as cron job reports) from the local system only, and not from the network, which protects it from network attack.

Checks

If the system is an authorized mail relay host, this is not applicable.

Run the following command to ensure postfix accepts mail messages from only the local system:

$ grep inet_interfaces /etc/postfix/main.cf

If properly configured, the output should show only "localhost".
If it does not, this is a finding.

Fix

Edit the file "/etc/postfix/main.cf" to ensure that only the following "inet_interfaces" line appears:

inet_interfaces = localhost
V-50817 No Change
Findings ID: OL6-00-000252 Rule ID: SV-65023r1_rule Severity: medium CCI: CCI-001453

Discussion

The ssl directive specifies whether to use ssl or not. If not specified it will default to "no". It should be set to "start_tls" rather than doing LDAP over SSL.

Checks

If the system does not use LDAP for authentication or account information, this is not applicable.

To ensure LDAP is configured to use TLS for all transactions, run the following command:

$ grep start_tls /etc/pam_ldap.conf

If no lines are returned, this is a finding.

Fix

Configure LDAP to enforce TLS use. First, edit the file "/etc/pam_ldap.conf", and add or correct the following lines:

ssl start_tls

Then review the LDAP server and ensure TLS has been configured.
V-50819 No Change
Findings ID: OL6-00-000253 Rule ID: SV-65025r1_rule Severity: medium CCI: CCI-000776

Discussion

The tls_cacertdir or tls_cacertfile directives are required when tls_checkpeer is configured (which is the default for openldap versions 2.1 and up). These directives define the path to the trust certificates signed by the site CA.

Checks

If the system does not use LDAP for authentication or account information, this is not applicable.

To ensure TLS is configured with trust certificates, run the following command:

# grep cert /etc/pam_ldap.conf

If there is no output, or the lines are commented out, this is a finding.

Fix

Ensure a copy of the site's CA certificate has been placed in the file "/etc/pki/tls/CA/cacert.pem". Configure LDAP to enforce TLS use and to trust certificates signed by the site's CA. First, edit the file "/etc/pam_ldap.conf", and add or correct either of the following lines:

tls_cacertdir /etc/pki/tls/CA

or

tls_cacertfile /etc/pki/tls/CA/cacert.pem

Then review the LDAP server and ensure TLS has been configured.
V-50821 No Change
Findings ID: OL6-00-000256 Rule ID: SV-65027r1_rule Severity: low CCI: CCI-000366

Discussion

Unnecessary packages should not be installed to decrease the attack surface of the system.

Checks

To verify the "openldap-servers" package is not installed, run the following command:

$ rpm -q openldap-servers

The output should show the following.

package openldap-servers is not installed

If it does not, this is a finding.

Fix

The "openldap-servers" package should be removed if not in use. Is this machine the OpenLDAP server? If not, remove the package.

# yum erase openldap-servers

The openldap-servers RPM may be installed. It is needed only by the OpenLDAP server, not by clients which use LDAP for authentication. If the system is not intended for use as an LDAP server, it should be removed.
V-50823 No Change
Findings ID: OL6-00-000257 Rule ID: SV-65029r2_rule Severity: medium CCI: CCI-000057

Discussion

Setting the idle delay controls when the screensaver will start, and can be combined with screen locking to prevent access from passersby.

Checks

If the GConf2 package is not installed, this is not applicable.

To check the current idle time-out value, run the following command:

$ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/idle_delay

If properly configured, the output should be "15".

If it is not, this is a finding.

Fix

Run the following command to set the idle time-out value for inactivity in the GNOME desktop to 15 minutes:

# gconftool-2 \
--direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type int \
--set /apps/gnome-screensaver/idle_delay 15
V-50825 No Change
Findings ID: OL6-00-000258 Rule ID: SV-65031r3_rule Severity: medium CCI: CCI-000057

Discussion

Enabling idle activation of the screen saver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require the login session does not have administrator rights and the display station is located in a controlled-access area.

Checks

If the GConf2 package is not installed, this is not applicable.

To check the screensaver mandatory use status, run the following command:

$ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/idle_activation_enabled

If properly configured, the output should be "true".

If it is not, this is a finding.

Fix

Run the following command to activate the screensaver in the GNOME desktop after a period of inactivity:

# gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type bool \
--set /apps/gnome-screensaver/idle_activation_enabled true
V-50827 No Change
Findings ID: OL6-00-000259 Rule ID: SV-65033r2_rule Severity: medium CCI: CCI-000057

Discussion

Enabling the activation of the screen lock after an idle period ensures password entry will be required in order to access the system, preventing access by passersby.

Checks

If the GConf2 package is not installed, this is not applicable.

To check the status of the idle screen lock activation, run the following command:

$ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/lock_enabled

If properly configured, the output should be "true".
If it is not, this is a finding.

Fix

Run the following command to activate locking of the screensaver in the GNOME desktop when it is activated:

# gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type bool \
--set /apps/gnome-screensaver/lock_enabled true
V-50829 No Change
Findings ID: OL6-00-000260 Rule ID: SV-65035r2_rule Severity: low CCI: CCI-000060

Discussion

Setting the screensaver mode to blank-only conceals the contents of the display from passersby.

Checks

If the GConf2 package is not installed, this is not applicable.

To ensure the screensaver is configured to be blank, run the following command:

$ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/mode

If properly configured, the output should be "blank-only".
If it is not, this is a finding.

Fix

Run the following command to set the screensaver mode in the GNOME desktop to a blank screen:

# gconftool-2 \
--direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type string \
--set /apps/gnome-screensaver/mode blank-only
V-50831 No Change
Findings ID: OL6-00-000261 Rule ID: SV-65037r1_rule Severity: low CCI: CCI-000382

Discussion

Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the local machine, as well as sensitive information from within a process's address space or registers.

Checks

To check that the "abrtd" service is disabled in system boot configuration, run the following command:

# chkconfig "abrtd" --list

Output should indicate the "abrtd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below:

# chkconfig "abrtd" --list
"abrtd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off

Run the following command to verify "abrtd" is disabled through current runtime configuration:

# service abrtd status

If the service is disabled the command will return the following output:

abrtd is stopped

If the service is running, this is a finding.

Fix

The Automatic Bug Reporting Tool ("abrtd") daemon collects and reports crash data when an application crash is detected. Using a variety of plugins, abrtd can email crash reports to system administrators, log crash reports to files, or forward crash reports to a centralized issue-tracking system such as the operating system vendor's centralized issue-tracking system. The "abrtd" service can be disabled with the following commands:

# chkconfig abrtd off
# service abrtd stop
V-50835 No Change
Findings ID: OL6-00-000262 Rule ID: SV-65041r2_rule Severity: low CCI: CCI-000382

Discussion

The "atd" service could be used by an unsophisticated insider to carry out activities outside of a normal login session, which could complicate accountability. Furthermore, the need to schedule tasks with "at" or "batch" is not common.

Checks

If the system requires the use of the "atd" service to support an organizational requirement, this is not applicable.

To check that the "atd" service is disabled in system boot configuration, run the following command:

# chkconfig "atd" --list

Output should indicate the "atd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below:

# chkconfig "atd" --list
"atd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off

Run the following command to verify "atd" is disabled through current runtime configuration:

# service atd status

If the service is disabled the command will return the following output:

atd is stopped

If the service is running, this is a finding.

Fix

The "at" and "batch" commands can be used to schedule tasks that are meant to be executed only once. This allows delayed execution in a manner similar to cron, except that it is not recurring. The daemon "atd" keeps track of tasks scheduled via "at" and "batch", and executes them at the specified time. The "atd" service can be disabled with the following commands:

# chkconfig atd off
# service atd stop
V-50837 No Change
Findings ID: OL6-00-000265 Rule ID: SV-65043r1_rule Severity: low CCI: CCI-000382

Discussion

The "ntpdate" service may only be suitable for systems which are rebooted frequently enough that clock drift does not cause problems between reboots. In any event, the functionality of the ntpdate service is now available in the ntpd program and should be considered deprecated.

Checks

To check that the "ntpdate" service is disabled in system boot configuration, run the following command:

# chkconfig "ntpdate" --list

Output should indicate the "ntpdate" service has either not been installed, or has been disabled at all runlevels, as shown in the example below:

# chkconfig "ntpdate" --list
"ntpdate" 0:off 1:off 2:off 3:off 4:off 5:off 6:off

Run the following command to verify "ntpdate" is disabled through current runtime configuration:

# service ntpdate status

If the service is disabled the command will return the following output:

ntpdate is stopped

If the service is running, this is a finding.

Fix

The ntpdate service sets the local hardware clock by polling NTP servers when the system boots. It synchronizes to the NTP servers listed in "/etc/ntp/step-tickers" or "/etc/ntp.conf" and then sets the local hardware clock to the newly synchronized system time. The "ntpdate" service can be disabled with the following commands:

# chkconfig ntpdate off
# service ntpdate stop
V-50839 No Change
Findings ID: OL6-00-000266 Rule ID: SV-65045r1_rule Severity: low CCI: CCI-000382

Discussion

The "oddjobd" service may provide necessary functionality in some environments but it can be disabled if it is not needed. Execution of tasks by privileged programs, on behalf of unprivileged ones, has traditionally been a source of privilege escalation security issues.

Checks

To check that the "oddjobd" service is disabled in system boot configuration, run the following command:

# chkconfig "oddjobd" --list

Output should indicate the "oddjobd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below:

# chkconfig "oddjobd" --list
"oddjobd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off

Run the following command to verify "oddjobd" is disabled through current runtime configuration:

# service oddjobd status

If the service is disabled the command will return the following output:

oddjobd is stopped

If the service is running, this is a finding.

Fix

The "oddjobd" service exists to provide an interface and access control mechanism through which specified privileged tasks can run tasks for unprivileged client applications. Communication with "oddjobd" is through the system message bus. The "oddjobd" service can be disabled with the following commands:

# chkconfig oddjobd off
# service oddjobd stop
V-50841 No Change
Findings ID: OL6-00-000267 Rule ID: SV-65047r2_rule Severity: low CCI: CCI-000382

Discussion

The qpidd service is automatically installed when the "base" package selection is selected during installation. The qpidd service listens for network connections, which increases the attack surface of the system. If the system is not intended to receive AMQP, traffic then the "qpidd" service is not needed and should be disabled or removed.

Checks

To check that the "qpidd" service is disabled in system boot configuration, run the following command:

# chkconfig "qpidd" --list

Output should indicate the "qpidd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below:

# chkconfig "qpidd" --list
"qpidd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off

Run the following command to verify "qpidd" is disabled through current runtime configuration:

# service qpidd status

If the service is disabled the command will return the following output:

qpidd is stopped

If the service is running, this is a finding.

Fix

The "qpidd" service provides high speed, secure, guaranteed delivery services. It is an implementation of the Advanced Message Queuing Protocol. By default the qpidd service will bind to port 5672 and listen for connection attempts. The "qpidd" service can be disabled with the following commands:

# chkconfig qpidd off
# service qpidd stop
V-50843 No Change
Findings ID: OL6-00-000268 Rule ID: SV-65049r1_rule Severity: low CCI: CCI-000382

Discussion

General-purpose systems typically have their network and routing information configured statically by a system administrator. Workstations or some special-purpose systems often use DHCP (instead of IRDP) to retrieve dynamic network configuration information.

Checks

To check that the "rdisc" service is disabled in system boot configuration, run the following command:

# chkconfig "rdisc" --list

Output should indicate the "rdisc" service has either not been installed, or has been disabled at all runlevels, as shown in the example below:

# chkconfig "rdisc" --list
"rdisc" 0:off 1:off 2:off 3:off 4:off 5:off 6:off

Run the following command to verify "rdisc" is disabled through current runtime configuration:

# service rdisc status

If the service is disabled the command will return the following output:

rdisc is stopped

If the service is running, this is a finding.

Fix

The "rdisc" service implements the client side of the ICMP Internet Router Discovery Protocol (IRDP), which allows discovery of routers on the local subnet. If a router is discovered then the local routing table is updated with a corresponding default route. By default this daemon is disabled. The "rdisc" service can be disabled with the following commands:

# chkconfig rdisc off
# service rdisc stop
V-50845 No Change
Findings ID: OL6-00-000269 Rule ID: SV-65051r2_rule Severity: medium CCI: CCI-000366

Discussion

Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users.

Checks

To verify the "nodev" option is configured for all NFS mounts, run the following command:

$ mount | grep nfs

All NFS mounts should show the "nodev" setting in parentheses, along with other mount options.
If the setting does not show, this is a finding.

Fix

Add the "nodev" option to the fourth column of "/etc/fstab" for the line which controls mounting of any NFS mounts.
V-50847 No Change
Findings ID: OL6-00-000270 Rule ID: SV-65053r2_rule Severity: medium CCI: CCI-000366

Discussion

NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem.

Checks

To verify the "nosuid" option is configured for all NFS mounts, run the following command:

$ mount | grep nfs

All NFS mounts should show the "nosuid" setting in parentheses, along with other mount options.
If the setting does not show, this is a finding.

Fix

Add the "nosuid" option to the fourth column of "/etc/fstab" for the line which controls mounting of any NFS mounts.
V-50849 No Change
Findings ID: OL6-00-000271 Rule ID: SV-65055r1_rule Severity: low CCI: CCI-000087

Discussion

Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise.

Checks

To verify that binaries cannot be directly executed from removable media, run the following command:

# grep noexec /etc/fstab

The output should show "noexec" in use.
If it does not, this is a finding.

Fix

The "noexec" mount option prevents the direct execution of binaries on the mounted filesystem. Users should not be allowed to execute binaries that exist on partitions mounted from removable media (such as a USB key). The "noexec" option prevents code from being executed directly from the media itself, and may therefore provide a line of defense against certain types of worms or malicious code. Add the "noexec" option to the fourth column of "/etc/fstab" for the line which controls mounting of any removable media partitions.
V-50851 No Change
Findings ID: OL6-00-000272 Rule ID: SV-65057r1_rule Severity: low CCI: CCI-000366

Discussion

Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.

Checks

To verify that Samba clients running smbclient must use packet signing, run the following command:

# grep signing /etc/samba/smb.conf

The output should show:

client signing = mandatory

If it is not, this is a finding.

Fix

To require samba clients running "smbclient" to use packet signing, add the following to the "[global]" section of the Samba configuration file in "/etc/samba/smb.conf":

client signing = mandatory

Requiring samba clients such as "smbclient" to use packet signing ensures they can only communicate with servers that support packet signing.
V-50853 No Change
Findings ID: OL6-00-000273 Rule ID: SV-65059r2_rule Severity: low CCI: CCI-000366

Discussion

Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.

Checks

If Samba is not in use, this is not applicable.

To verify that Samba clients using mount.cifs must use packet signing, run the following command:

# grep sec /etc/fstab /etc/mtab

The output should show either "krb5i" or "ntlmv2i" in use.
If it does not, this is a finding.

Fix

Require packet signing of clients who mount Samba shares using the "mount.cifs" program (e.g., those who specify shares in "/etc/fstab"). To do so, ensure signing options (either "sec=krb5i" or "sec=ntlmv2i") are used.

See the "mount.cifs(8)" man page for more information. A Samba client should only communicate with servers who can support SMB packet signing.
V-50855 No Change
Findings ID: OL6-00-000274 Rule ID: SV-65061r5_rule Severity: medium CCI: CCI-000200

Discussion

Preventing reuse of previous passwords helps ensure that a compromised password is not reused by a user.

Checks

To verify the password reuse setting is compliant, run the following command:

# grep remember /etc/pam.d/system-auth /etc/pam.d/password-auth

The output must be a line beginning with "password required pam_pwhistory.so" and ending with "remember=5".

If the line is commented out, the line does not contain the specified elements, or the value for "remember" is less than “5”, this is a finding.

Fix

Do not allow users to reuse recent passwords. This can be accomplished by using the "remember" option for the "pam_pwhistory" PAM module. In the file "/etc/pam.d/system-auth", append "remember=5" to the line which refers to the "pam_pwhistory.so" module, as shown:

password required pam_pwhistory.so [existing_options] remember=5

The DoD requirement is five passwords.
V-50857 No Change
Findings ID: OL6-00-000275 Rule ID: SV-65063r1_rule Severity: low CCI: CCI-001019

Discussion

The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost.

Checks

Determine if encryption must be used to protect data on the system.
If encryption must be used and is not employed, this is a finding.

Fix

The operating system natively supports partition encryption through the Linux Unified Key Setup (LUKS) on-disk-format technology. The easiest way to encrypt a partition is during installation time.

For manual installations, select the "Encrypt" checkbox during partition creation to encrypt the partition. When this option is selected, the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots.

For automated/unattended installations, it is possible to use Kickstart by adding the "--encrypted" and "--passphrase=" options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition:

part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=[PASSPHRASE]

Any [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the "--passphrase=" option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation.

Detailed information on encrypting partitions using LUKS can be found in the Oracle Linux documentation at:

http://docs.oracle.com/cd/E37670_01/E36387/html/index.html

Additional information is available from:

http://linux.oracle.com/documentation/OL6/Red_Hat_Enterprise_Linux-6-Security_Guide-en-US.pdf
V-50859 No Change
Findings ID: OL6-00-000276 Rule ID: SV-65065r1_rule Severity: low CCI: CCI-001199

Discussion

The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost.

Checks

Determine if encryption must be used to protect data on the system.
If encryption must be used and is not employed, this is a finding.

Fix

The operating system natively supports partition encryption through the Linux Unified Key Setup (LUKS) on-disk-format technology. The easiest way to encrypt a partition is during installation time.

For manual installations, select the "Encrypt" checkbox during partition creation to encrypt the partition. When this option is selected, the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots.

For automated/unattended installations, it is possible to use Kickstart by adding the "--encrypted" and "--passphrase=" options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition:

part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=[PASSPHRASE]

Any [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the "--passphrase=" option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation.

Detailed information on encrypting partitions using LUKS can be found in the Oracle Linux documentation at:

http://docs.oracle.com/cd/E37670_01/E36387/html/index.html

Additional information is available from:

http://linux.oracle.com/documentation/OL6/Red_Hat_Enterprise_Linux-6-Security_Guide-en-US.pdf
V-50861 No Change
Findings ID: OL6-00-000277 Rule ID: SV-65067r1_rule Severity: low CCI: CCI-001200

Discussion

The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost.

Checks

Determine if encryption must be used to protect data on the system.
If encryption must be used and is not employed, this is a finding.

Fix

The operating system natively supports partition encryption through the Linux Unified Key Setup (LUKS) on-disk-format technology. The easiest way to encrypt a partition is during installation time.

For manual installations, select the "Encrypt" checkbox during partition creation to encrypt the partition. When this option is selected, the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots.

For automated/unattended installations, it is possible to use Kickstart by adding the "--encrypted" and "--passphrase=" options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition:

part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=[PASSPHRASE]

Any [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the "--passphrase=" option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation.

Detailed information on encrypting partitions using LUKS can be found in the Oracle Linux documentation at:

http://docs.oracle.com/cd/E37670_01/E36387/html/index.html.

Additional information is available from:

http://linux.oracle.com/documentation/OL6/Red_Hat_Enterprise_Linux-6-Security_Guide-en-US.pdf"
V-50863 No Change
Findings ID: OL6-00-000278 Rule ID: SV-65069r1_rule Severity: medium CCI: CCI-001493

Discussion

Permissions on audit binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.

Checks

The following command will list which audit files on the system have permissions different from what is expected by the RPM database:

# rpm -V audit | grep '^.M'

If there is any output, for each file or directory found, compare the RPM-expected permissions with the permissions on the file or directory:

# rpm -q --queryformat "[%{FILENAMES} %{FILEMODES:perms}\n]" audit | grep [filename]
# ls -lL [filename]

If the existing permissions are more permissive than those expected by RPM, this is a finding.

Fix

The RPM package management system can restore file access permissions of the audit package files and directories. The following command will update audit files with permissions different from what is expected by the RPM database:

# rpm --setperms audit
V-50865 No Change
Findings ID: OL6-00-000279 Rule ID: SV-65071r1_rule Severity: medium CCI: CCI-001494

Discussion

Ownership of audit binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.

Checks

The following command will list which audit files on the system have ownership different from what is expected by the RPM database:

# rpm -V audit | grep '^.....U'

If there is output, this is a finding.

Fix

The RPM package management system can restore file ownership of the audit package files and directories. The following command will update audit files with ownership different from what is expected by the RPM database:

# rpm --setugids audit
V-50867 No Change
Findings ID: OL6-00-000280 Rule ID: SV-65073r1_rule Severity: medium CCI: CCI-001495

Discussion

Group-ownership of audit binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The group-ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.

Checks

The following command will list which audit files on the system have group-ownership different from what is expected by the RPM database:

# rpm -V audit | grep '^......G'

If there is output, this is a finding.

Fix

The RPM package management system can restore file group-ownership of the audit package files and directories. The following command will update audit files with group-ownership different from what is expected by the RPM database:

# rpm --setugids audit
V-50869 No Change
Findings ID: OL6-00-000281 Rule ID: SV-65075r1_rule Severity: medium CCI: CCI-001496

Discussion

The hash on important files like audit system executables should match the information given by the RPM database. Audit executables with erroneous hashes could be a sign of nefarious activity on the system.

Checks

The following command will list which audit files on the system have file hashes different from what is expected by the RPM database.

# rpm -V audit | awk '$1 ~ /..5/ && $2 != "c"'

If there is output, this is a finding.

Fix

The RPM package management system can check the hashes of audit system package files. Run the following command to list which audit files on the system have hashes that differ from what is expected by the RPM database:

# rpm -V audit | grep '^..5'

A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file that has changed was not expected to then refresh from distribution media or online repositories.

rpm -Uvh [affected_package]

OR

yum reinstall [affected_package]
V-50871 No Change
Findings ID: OL6-00-000282 Rule ID: SV-65077r2_rule Severity: medium CCI: CCI-000366

Discussion

Data in world-writable files can be modified by any user on the system. In almost all circumstances, files can be configured using a combination of user and group permissions to support whatever legitimate access is needed without the risk caused by world-writable files.

Checks

To find world-writable files, run the following command for each local partition [PART], excluding special filesystems such as /selinux, /proc, or /sys:

# find [PART] -xdev -type f -perm -002

If there is output, this is a finding.

Fix

It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account.
V-50875 No Change
Findings ID: OL6-00-000285 Rule ID: SV-65081r3_rule Severity: medium CCI: CCI-001259

Discussion

Adding host-based intrusion detection tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of system, which may not otherwise exist in an organization's systems management regime.

Checks

Ask the SA or ISSO if a host-based intrusion detection application is loaded on the system. Per OPORD 16-0080 the preferred intrusion detection system is McAfee HBSS available through Cybercom.
If another host-based intrusion detection application is in use, such as SELinux, this must be documented and approved by the local Authorizing Official.

Procedure:
Examine the system to see if the Host Intrusion Prevention System (HIPS) is installed:

# rpm -qa | grep MFEhiplsm

Verify that the McAfee HIPS module is active on the system:

# ps -ef | grep -i “hipclient”

If the MFEhiplsm package is not installed, check for another intrusion detection system:

# find / -name <daemon name>

Where <daemon name> is the name of the primary application daemon to determine if the application is loaded on the system.

Determine if the application is active on the system:

# ps -ef | grep -i <daemon name>

If the MFEhiplsm package is not installed and an alternate host-based intrusion detection application has not been documented for use, this is a finding.

If no host-based intrusion detection system is installed and running on the system, this is a finding.

Fix

Install and enable the latest McAfee HIPS package, available from Cybercom.

If the system does not support the McAfee HIPS package, install and enable a supported intrusion detection system application and document its use with the Authorizing Official.

V-50877 No Change
Findings ID: OL6-00-000286 Rule ID: SV-65083r4_rule Severity: high CCI: CCI-000366

Discussion

A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.

Checks

To ensure the system is configured to log a message instead of rebooting the system when “Ctrl-Alt-Delete” is pressed, ensure the following line is in "/etc/init/control-alt-delete.override":

exec /usr/bin/logger -p authpriv.notice "Ctrl-Alt-Delete pressed"

If the system is not configured to block the shutdown command when “Ctrl-Alt-Delete” is pressed, this is a finding.

Fix

By default, the system includes the following line in "/etc/init/control-alt-delete.conf" to reboot the system when the “Ctrl-Alt-Delete” key sequence is pressed:

exec /sbin/shutdown -r now "Ctrl-Alt-Delete pressed"

To configure the system to log a message instead of rebooting the system, add the following line to "/etc/init/control-alt-delete.override" to read as follows:

exec /usr/bin/logger -p authpriv.notice "Ctrl-Alt-Delete pressed"
V-50879 No Change
Findings ID: OL6-00-000287 Rule ID: SV-65085r1_rule Severity: low CCI: CCI-000366

Discussion

Local mail delivery is essential to some system maintenance and notification tasks.

Checks

Run the following command to determine the current status of the "postfix" service:

# service postfix status

If the service is enabled, it should return the following:

postfix is running...

If the service is not enabled, this is a finding.

Fix

The Postfix mail transfer agent is used for local mail delivery within the system. The default configuration only listens for connections to the default SMTP port (port 25) on the loopback interface (127.0.0.1). It is recommended to leave this service enabled for local mail delivery. The "postfix" service can be enabled with the following command:

# chkconfig postfix on
# service postfix start
V-50881 No Change
Findings ID: OL6-00-000288 Rule ID: SV-65087r1_rule Severity: medium CCI: CCI-000366

Discussion

The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead.

Checks

Run the following command to determine if the "sendmail" package is installed:

# rpm -q sendmail

If the package is installed, this is a finding.

Fix

Sendmail is not the default mail transfer agent and is not installed by default. The "sendmail" package can be removed with the following command:

# yum erase sendmail
V-50883 No Change
Findings ID: OL6-00-000289 Rule ID: SV-65089r1_rule Severity: low CCI: CCI-000382

Discussion

The "netconsole" service is not necessary unless there is a need to debug kernel panics, which is not common.

Checks

To check that the "netconsole" service is disabled in system boot configuration, run the following command:

# chkconfig "netconsole" --list

Output should indicate the "netconsole" service has either not been installed, or has been disabled at all runlevels, as shown in the example below:

# chkconfig "netconsole" --list
"netconsole" 0:off 1:off 2:off 3:off 4:off 5:off 6:off

Run the following command to verify "netconsole" is disabled through current runtime configuration:

# service netconsole status

If the service is disabled the command will return the following output:

netconsole is stopped

If the service is running, this is a finding.

Fix

The "netconsole" service is responsible for loading the netconsole kernel module, which logs kernel printk messages over UDP to a syslog server. This allows debugging of problems where disk logging fails and serial consoles are impractical. The "netconsole" service can be disabled with the following commands:

# chkconfig netconsole off
# service netconsole stop
V-50885 No Change
Findings ID: OL6-00-000290 Rule ID: SV-65091r1_rule Severity: medium CCI: CCI-001436

Discussion

Unnecessary services should be disabled to decrease the attack surface of the system.

Checks

To verify the default runlevel is 3, run the following command:

# grep initdefault /etc/inittab

The output should show the following:

id:3:initdefault:

If it does not, this is a finding.

Fix

Setting the system's runlevel to 3 will prevent automatic startup of the X server. To do so, ensure the following line in "/etc/inittab" features a "3" as shown:

id:3:initdefault:
V-50887 No Change
Findings ID: OL6-00-000291 Rule ID: SV-65093r1_rule Severity: low CCI: CCI-000366

Discussion

Unnecessary packages should not be installed to decrease the attack surface of the system.

Checks

To ensure the X Windows package group is removed, run the following command:

$ rpm -qi xorg-x11-server-common

The output should be:

package xorg-x11-server-common is not installed

If it is not, this is a finding.

Fix

Removing all packages which constitute the X Window System ensures users or malicious software cannot start X. To do so, run the following command:

# yum groupremove "X Window System"
V-50889 No Change
Findings ID: OL6-00-000292 Rule ID: SV-65095r1_rule Severity: medium CCI: CCI-000366

Discussion

DHCP relies on trusting the local network. If the local network is not trusted, then it should not be used. However, the automatic configuration provided by DHCP is commonly used and the alternative, manual configuration, presents an unacceptable burden in many circumstances.

Checks

To verify that DHCP is not being used, examine the following file for each interface.

# /etc/sysconfig/network-scripts/ifcfg-[IFACE]

If there is any network interface without a associated "ifcfg" file, this is a finding.

Look for the following:

BOOTPROTO=none

Also verify the following, substituting the appropriate values based on your site's addressing scheme:

NETMASK=[local LAN netmask]
IPADDR=[assigned IP address]
GATEWAY=[local LAN default gateway]

If it does not, this is a finding.

Fix

For each interface [IFACE] on the system (e.g. eth0), edit "/etc/sysconfig/network-scripts/ifcfg-[IFACE]" and make the following changes.

Correct the BOOTPROTO line to read:

BOOTPROTO=none

Add or correct the following lines, substituting the appropriate values based on your site's addressing scheme:

NETMASK=[local LAN netmask]
IPADDR=[assigned IP address]
GATEWAY=[local LAN default gateway]
V-50903 No Change
Findings ID: OL6-00-000116 Rule ID: SV-65109r2_rule Severity: medium CCI: CCI-001098

Discussion

The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP.

Checks

If the system is a cross-domain system, this is not applicable.

Run the following command to determine the current status of the "iptables" service:

# service iptables status

If the service is not running, it should return the following:

iptables: Firewall is not running.

If the service is not running, this is a finding.

Fix

The "iptables" service can be enabled with the following commands:

# chkconfig iptables on
# service iptables start
V-50907 No Change
Findings ID: OL6-00-000054 Rule ID: SV-65113r1_rule Severity: low CCI: CCI-000366

Discussion

Setting the password warning age enables users to make the change at a practical time.

Checks

To check the password warning age, run the command:

$ grep PASS_WARN_AGE /etc/login.defs

The DoD requirement is 7.
If it is not set to the required value, this is a finding.

Fix

To specify how many days prior to password expiration that a warning will be issued to users, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately:

PASS_WARN_AGE [DAYS]

The DoD requirement is 7.
V-50911 No Change
Findings ID: OL6-00-000056 Rule ID: SV-65117r2_rule Severity: low CCI: CCI-000194

Discussion

Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.

Checks

To check how many digits are required in a password, run the following command:

$ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth

The "dcredit" parameter (as a negative number) will indicate how many digits are required. The DoD requires at least one digit in a password. This would appear as "dcredit=-1".

If the “dcredit” parameter is not found or not set to the required value, this is a finding.

Fix

The pam_cracklib module's "dcredit" parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional length credit for each digit.

Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "dcredit=-1" after pam_cracklib.so to require use of a digit in passwords.
V-50913 No Change
Findings ID: OL6-00-000057 Rule ID: SV-65119r2_rule Severity: low CCI: CCI-000192

Discussion

Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space.

Checks

To check how many uppercase characters are required in a password, run the following command:

$ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth

The "ucredit" parameter (as a negative number) will indicate how many uppercase characters are required. The DoD requires at least one uppercase character in a password. This would appear as "ucredit=-1".

If the “ucredit” parameter is not found or not set to the required value, this is a finding.

Fix

The pam_cracklib module's "ucredit=" parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each uppercase character.

Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "ucredit=-1" after pam_cracklib.so to require use of an uppercase character in passwords.
V-50915 No Change
Findings ID: OL6-00-000058 Rule ID: SV-65121r2_rule Severity: low CCI: CCI-001619

Discussion

Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.

Checks

To check how many special characters are required in a password, run the following command:

$ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth

The "ocredit" parameter (as a negative number) will indicate how many special characters are required. The DoD requires at least one special character in a password. This would appear as "ocredit=-1".

If the “ocredit” parameter is not found or not set to the required value, this is a finding.

Fix

The pam_cracklib module's "ocredit=" parameter controls requirements for usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each special character.

Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "ocredit=-1" after pam_cracklib.so to require use of a special character in passwords.
V-50917 No Change
Findings ID: OL6-00-000059 Rule ID: SV-65123r3_rule Severity: low CCI: CCI-000193

Discussion

Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.

Checks

To check how many lower-case characters are required in a password, run the following command:

$ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth

The "lcredit" parameter (as a negative number) will indicate how many lower-case characters are required. The DoD requires at least one lower-case character in a password. This would appear as "lcredit=-1".

If the “lcredit” parameter is not found or not set to the required value, this is a finding.

Fix

The pam_cracklib module's "lcredit=" parameter controls requirements for usage of lower-case letters in a password. When set to a negative number, any password will be required to contain that many lower-case characters.

Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "lcredit=-1" after pam_cracklib.so to require use of a lower-case character in passwords.
V-50919 No Change
Findings ID: OL6-00-000060 Rule ID: SV-65125r3_rule Severity: low CCI: CCI-000195

Discussion

Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note: Passwords which are changed on compromised systems will still be compromised.

Checks

To check how many characters must differ during a password change, run the following command:

$ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth

The "difok" parameter will indicate how many characters must differ. The DoD requires eight characters differ during a password change. This would appear as "difok=8".

If the “difok” parameter is not found or not set to the required value, this is a finding.

Fix

The pam_cracklib module's "difok" parameter controls requirements for usage of different characters during a password change.

Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "difok=[NUM]" after pam_cracklib.so to require differing characters when changing passwords, substituting [NUM] appropriately. The DoD requirement is “8”.
V-50921 No Change
Findings ID: OL6-00-000061 Rule ID: SV-65127r3_rule Severity: medium CCI: CCI-000044

Discussion

Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks.

Checks

To ensure the failed password attempt policy is configured correctly, run the following command:

# grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth

The output should show "deny=3" for both files.
If that is not the case, this is a finding.

Fix

To configure the system to lock out accounts after a number of incorrect logon attempts using "pam_faillock.so", modify the content of both "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" as follows:

Add the following line immediately before the "pam_unix.so" statement in the "AUTH" section:

auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900

Add the following line immediately after the "pam_unix.so" statement in the "AUTH" section:

auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900

Add the following line immediately before the "pam_unix.so" statement in the "ACCOUNT" section:

account required pam_faillock.so

Note that any updates made to "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" may be overwritten by the "authconfig" program. The "authconfig" program should not be used.
V-50923 No Change
Findings ID: OL6-00-000062 Rule ID: SV-65129r4_rule Severity: medium CCI: CCI-000803

Discussion

Using a stronger hashing algorithm makes password-cracking attacks more difficult.

Checks

Inspect the "password" section of "/etc/pam.d/system-auth", "/etc/pam.d/system-auth-ac", "/etc/pam.d/password-auth", "/etc/pam.d/password-auth-ac", and other files in "/etc/pam.d" to identify the number of occurrences where the “pam_unix.so” module is used in the “password” section.

$ grep -E -c 'password.*pam_unix.so' /etc/pam.d/*

/etc/pam.d/atd:0
/etc/pam.d/config-util:0
/etc/pam.d/crond:0
/etc/pam.d/login:0
/etc/pam.d/other:0
/etc/pam.d/passwd:0
/etc/pam.d/password-auth:1
/etc/pam.d/password-auth-ac:1
/etc/pam.d/sshd:0
/etc/pam.d/su:0
/etc/pam.d/sudo:0
/etc/pam.d/system-auth:1
/etc/pam.d/system-auth-ac:1
/etc/pam.d/vlock:0

Note: The number adjacent to the file name indicates how many occurrences of the “pam_unix.so” module are found in the password section.

If the “pam_unix.so” module is not defined in the “password” section of “/etc/pam.d/system-auth”, “/etc/pam.d/system-auth-ac”, “/etc/pam.d/password-auth”, and “/etc/pam.d/password-auth-ac” at a minimum, this is a finding.

Verify that the “sha512” variable is used with each instance of the “pam_unix.so” module in the “password” section:

$ grep password /etc/pam.d/* | grep pam_unix.so | grep sha512

/etc/pam.d/password-auth:password sufficient pam_unix.so sha512 [other arguments…]
/etc/pam.d/password-auth-ac:password sufficient pam_unix.so sha512 [other arguments…]
/etc/pam.d/system-auth:password sufficient pam_unix.so sha512 [other arguments…]
/etc/pam.d/system-auth-ac:password sufficient pam_unix.so sha512 [other arguments…]

If this list of files does not coincide with the previous command, this is a finding.

If any of the identified “pam_unix.so” modules do not use the “sha512” variable, this is a finding.

Fix

In "/etc/pam.d/system-auth”, "/etc/pam.d/system-auth-ac", “/etc/pam.d/password-auth”, and “/etc/pam.d/password-auth-ac”, among potentially other files, the "password" section of the files control which PAM modules execute during a password change.

Set the "pam_unix.so" module in the "password" section to include the argument "sha512", as shown below:

password sufficient pam_unix.so sha512 [other arguments...]

This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.

Note: Any updates made to "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" will be overwritten by the "authconfig" program. The "authconfig" program should not be used.
V-50927 No Change
Findings ID: OL6-00-000063 Rule ID: SV-65133r1_rule Severity: medium CCI: CCI-000803

Discussion

Using a stronger hashing algorithm makes password cracking attacks more difficult.

Checks

Inspect "/etc/login.defs" and ensure the following line appears:

ENCRYPT_METHOD SHA512

If it does not, this is a finding.

Fix

In "/etc/login.defs", add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm:

ENCRYPT_METHOD SHA512
V-50933 No Change
Findings ID: OL6-00-000065 Rule ID: SV-65139r2_rule Severity: medium CCI: CCI-000366

Discussion

Only root should be able to modify important boot parameters.

Checks

To check the ownership of "/boot/grub/grub.conf", run the command:

$ ls -lL /boot/grub/grub.conf

If properly configured, the output should indicate that the owner is "root".
If it does not, this is a finding.

Fix

The file "/boot/grub/grub.conf" should be owned by the "root" user to prevent destruction or modification of the file. To properly set the owner of "/boot/grub/grub.conf", run the command:

# chown root /boot/grub/grub.conf
V-50937 No Change
Findings ID: OL6-00-000064 Rule ID: SV-65143r1_rule Severity: medium CCI: CCI-000803

Discussion

Using a stronger hashing algorithm makes password cracking attacks more difficult.

Checks

Inspect "/etc/libuser.conf" and ensure the following line appears in the "[default]" section:

crypt_style = sha512

If it does not, this is a finding.

Fix

In "/etc/libuser.conf", add or correct the following line in its "[defaults]" section to ensure the system will use the SHA-512 algorithm for password hashing:

crypt_style = sha512
V-50939 No Change
Findings ID: OL6-00-000066 Rule ID: SV-65145r2_rule Severity: medium CCI: CCI-000366

Discussion

The "root" group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.

Checks

To check the group ownership of "/boot/grub/grub.conf", run the command:

$ ls -lL /boot/etc/grub.conf

If properly configured, the output should indicate the group-owner is "root".
If it does not, this is a finding.

Fix

The file "/boot/grub/grub.conf" should be group-owned by the "root" group to prevent destruction or modification of the file. To properly set the group owner of "/boot/grub/grub.conf", run the command:

# chgrp root /boot/grub/grub.conf
V-50943 No Change
Findings ID: OL6-00-000067 Rule ID: SV-65149r3_rule Severity: medium CCI: CCI-000366

Discussion

Proper permissions ensure that only the root user can modify important boot parameters.

Checks

To check the permissions of "/boot/grub/grub.conf", run the command:

$ sudo ls -lL /boot/grub/grub.conf

If properly configured, the output should indicate the following permissions: "-rw-------"
If it does not, this is a finding.

Fix

File permissions for "/boot/grub/grub.conf" should be set to 600, which is the default. To properly set the permissions of "/boot/grub/grub.conf", run the command:

# chmod 600 /boot/grub/grub.conf

Boot partitions based on VFAT, NTFS, or other non-standard configurations may require alternative measures.
V-50945 No Change
Findings ID: OL6-00-000068 Rule ID: SV-65151r3_rule Severity: medium CCI: CCI-000213

Discussion

Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.

Checks

To verify the boot loader password has been set and encrypted, run the following command:

# grep password /boot/grub/grub.conf

The output should show the following:

password --encrypted $6$[rest-of-the-password-hash]

If it does not, this is a finding.

Fix

The grub boot loader should have password protection enabled to protect boot-time settings. To do so, select a password and then generate a hash from it by running the following command:

# grub-crypt --sha-512

When prompted to enter a password, insert the following line into "/boot/grub/grub.conf" immediately after the header comments. (Use the output from "grub-crypt" as the value of [password-hash]):

password --encrypted [password-hash]
V-50947 No Change
Findings ID: OL6-00-000069 Rule ID: SV-65153r1_rule Severity: medium CCI: CCI-000213

Discussion

This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.

Checks

To check if authentication is required for single-user mode, run the following command:

$ grep SINGLE /etc/sysconfig/init

The output should be the following:

SINGLE=/sbin/sulogin

If the output is different, this is a finding.

Fix

Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected.

To require entry of the root password even if the system is started in single-user mode, add or correct the following line in the file "/etc/sysconfig/init":

SINGLE=/sbin/sulogin
V-50951 No Change
Findings ID: OL6-00-000070 Rule ID: SV-65157r1_rule Severity: medium CCI: CCI-000213

Discussion

Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security.

Checks

To check whether interactive boot is disabled, run the following command:

$ grep PROMPT /etc/sysconfig/init

If interactive boot is disabled, the output will show:

PROMPT=no

If it does not, this is a finding.

Fix

To disable the ability for users to perform interactive startups, edit the file "/etc/sysconfig/init". Add or correct the line:

PROMPT=no

The "PROMPT" option allows the console user to perform an interactive system startup, in which it is possible to select the set of services which are started on boot.
V-50953 No Change
Findings ID: OL6-00-000071 Rule ID: SV-65159r1_rule Severity: low CCI: CCI-000058

Discussion

Installing "screen" ensures a console locking capability is available for users who may need to suspend console logins.

Checks

Run the following command to determine if the "screen" package is installed:

# rpm -q screen

If the package is not installed, this is a finding.

Fix

To enable console screen locking when in text mode, install the "screen" package:

# yum install screen

Instruct users to begin new terminal sessions with the following command:

$ screen

The console can now be locked with the following key combination:

ctrl+a x
V-50955 No Change
Findings ID: OL6-00-000073 Rule ID: SV-65161r4_rule Severity: medium CCI: CCI-001384

Discussion

An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.

Checks

To check if the system login banner is compliant, run the following command:

$ cat /etc/issue

Note: The full text banner must be implemented unless there are character limitations that prevent the display of the full DoD logon banner.

If the required DoD logon banner is not displayed, this is a finding.

Fix

To configure the system login banner:

Edit "/etc/issue". Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

If the device cannot support the full DoD logon banner due to character limitations, the following text can be used:

"I've read & consent to terms in IS user agreem't."
V-50957 No Change
Findings ID: OL6-00-000078 Rule ID: SV-65163r2_rule Severity: medium CCI: CCI-000366

Discussion

Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt at exploitation. Additionally, ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return oriented programming (ROP) techniques.

Checks

The status of the "kernel.randomize_va_space" kernel parameter can be queried by running the following commands:

$ sysctl kernel.randomize_va_space
$ grep kernel.randomize_va_space /etc/sysctl.conf

The output of the command should indicate a value of at least "1" (preferably "2"). If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".
If the correct value is not returned, this is a finding.

Fix

To set the runtime status of the "kernel.randomize_va_space" kernel parameter, run the following command:

# sysctl -w kernel.randomize_va_space=2

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

kernel.randomize_va_space = 2
V-50959 No Change
Findings ID: OL6-00-000079 Rule ID: SV-65165r3_rule Severity: medium CCI: CCI-000366

Discussion

A common type of exploit is the stack buffer overflow. An application receives from an attacker more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack.

Checks

If the system being evaluated is running a Red Hat-compatible operating system kernel, check that the "kernel.exec-shield" kernel parameter is set to "1" in /etc/sysctl.conf. If the system is running an Oracle Unbreakable Enterprise kernel, verify that Oracle's Data Execution Prevention is enabled.

First, determine if the system is operating an Oracle Unbreakable Enterprise Kernel (UEK):

# uname -r | grep uek

If no value is returned, the system is running a Red Hat-compatible kernel. Verify that the "kernel.exec-shield" kernel parameter is set to "1" in the running kernel and /etc/sysctl.conf:

# sysctl kernel.exec-shield
# grep ^kernel\.exec-shield /etc/sysctl.conf | awk -F= '{ print $2 }'
kernel.exec-shield = 1

If there is no value returned, or if a value is returned that is not "1", this is a finding.

If the system was found to be running an Unbreakable Enterprise Kernel, verify that DEP is enabled:

# dmesg | grep 'NX.*protection:'

If there is no value returned, or if a value is returned that is not "NX (Execute Disable) protection: active", this is a finding.

Note that this is not a finding when the underlying processor architecture does not support the "Execute Disable" (NX) capability. To determine if the processor supports the NX capability, run the following:

# grep nx /proc/cpuinfo

If there is no value returned, this is not applicable.

Fix

If the system being evaluated is running a Red Hat-compatible operating system kernel, then ensure that the "kernel.exec-shield" kernel parameter is set to "1". If the system is running an Oracle Unbreakable Enterprise Kernel, this parameter does not exist. When an Unbreakable Enterprise Kernel is booted, Oracle's Data Execution Prevention (DEP) feature will leverage the hardware-enforced NX (never execute) bit of compatible CPUs to protect against code being executed from the stack. By default, DEP is enabled. If DEP is not enabled, ensure that the string "noexec=off" does not appear in /boot/grub/grub.conf.

First, determine if the system is operating an Oracle Unbreakable Enterprise Kernel (UEK):

# uname -r | grep uek

If no value is returned, the system is running a Red Hat-compatible kernel. Edit (or add if necessary) the entry in /etc/sysctl.conf for the "kernel.exec-shield" kernel parameter. Ensure that this parameter is set to "1" as in:

kernel.exec-shield = 1

If this was not already the default, reboot the system for the change to take effect.

If the system was found to be running an Unbreakable Enterprise Kernel, then ensure that the string "noexec=off" is not found in /boot/grub/grub.conf:

# grep noexec=off /boot/grub/grub.conf

If found, remove the offending kernels from /boot/grub/grub.conf.
V-50961 No Change
Findings ID: OL6-00-000080 Rule ID: SV-65167r2_rule Severity: medium CCI: CCI-000366

Discussion

Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers.

Checks

The status of the "net.ipv4.conf.default.send_redirects" kernel parameter can be queried by running the following command:

$ sysctl net.ipv4.conf.default.send_redirects

The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".

$ grep net.ipv4.conf.default.send_redirects /etc/sysctl.conf

If the correct value is not returned, this is a finding.

Fix

To set the runtime status of the "net.ipv4.conf.default.send_redirects" kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.default.send_redirects=0

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

net.ipv4.conf.default.send_redirects = 0
V-50963 No Change
Findings ID: OL6-00-000081 Rule ID: SV-65169r2_rule Severity: medium CCI: CCI-000366

Discussion

Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers.

Checks

The status of the "net.ipv4.conf.all.send_redirects" kernel parameter can be queried by running the following command:

$ sysctl net.ipv4.conf.all.send_redirects

The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".

$ grep net.ipv4.conf.all.send_redirects /etc/sysctl.conf

If the correct value is not returned, this is a finding.

Fix

To set the runtime status of the "net.ipv4.conf.all.send_redirects" kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.all.send_redirects=0

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

net.ipv4.conf.all.send_redirects = 0
V-50967 No Change
Findings ID: OL6-00-000082 Rule ID: SV-65173r2_rule Severity: medium CCI: CCI-000366

Discussion

IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.

Checks

The status of the "net.ipv4.ip_forward" kernel parameter can be queried by running the following command:

$ sysctl net.ipv4.ip_forward

The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".

$ grep net.ipv4.ip_forward /etc/sysctl.conf

The ability to forward packets is only appropriate for routers. If the correct value is not returned, this is a finding.

Fix

To set the runtime status of the "net.ipv4.ip_forward" kernel parameter, run the following command:

# sysctl -w net.ipv4.ip_forward=0

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

net.ipv4.ip_forward = 0
V-50969 No Change
Findings ID: OL6-00-000083 Rule ID: SV-65175r2_rule Severity: medium CCI: CCI-000366

Discussion

Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Checks

The status of the "net.ipv4.conf.all.accept_source_route" kernel parameter can be queried by running the following command:

$ sysctl net.ipv4.conf.all.accept_source_route

The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".

$ grep net.ipv4.conf.all.accept_source_route /etc/sysctl.conf

If the correct value is not returned, this is a finding.

Fix

To set the runtime status of the "net.ipv4.conf.all.accept_source_route" kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.all.accept_source_route=0

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

net.ipv4.conf.all.accept_source_route = 0
V-50971 No Change
Findings ID: OL6-00-000084 Rule ID: SV-65177r2_rule Severity: medium CCI: CCI-000366

Discussion

Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required.

Checks

The status of the "net.ipv4.conf.all.accept_redirects" kernel parameter can be queried by running the following command:

$ sysctl net.ipv4.conf.all.accept_redirects

The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".

$ grep net.ipv4.conf.all.accept_redirects /etc/sysctl.conf

If the correct value is not returned, this is a finding.

Fix

To set the runtime status of the "net.ipv4.conf.all.accept_redirects" kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.all.accept_redirects=0

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

net.ipv4.conf.all.accept_redirects = 0
V-50973 No Change
Findings ID: OL6-00-000294 Rule ID: SV-65179r2_rule Severity: low CCI: CCI-000366

Discussion

Inconsistency in GIDs between /etc/passwd and /etc/group could lead to a user having unintended rights.

Checks

To ensure all GIDs referenced in /etc/passwd are defined in /etc/group, run the following command:

# pwck -r | grep 'no group'

There should be no output.
If there is output, this is a finding.

Fix

Add a group to the system for each GID referenced without a corresponding group.
V-50979 No Change
Findings ID: OL6-00-000117 Rule ID: SV-65185r2_rule Severity: medium CCI: CCI-001100

Discussion

The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP.

Checks

If the system is a cross-domain system, this is not applicable.

Run the following command to determine the current status of the "iptables" service:

# service iptables status

If the service is not running, it should return the following:

iptables: Firewall is not running.

If the service is not running, this is a finding.

Fix

The "iptables" service can be enabled with the following commands:

# chkconfig iptables on
# service iptables start
V-50985 No Change
Findings ID: OL6-00-000296 Rule ID: SV-65191r1_rule Severity: low CCI: CCI-000804

Discussion

Unique usernames allow for accountability on the system.

Checks

Run the following command to check for duplicate account names:

# pwck -rq

If there are no duplicate names, no line will be returned.
If a line is returned, this is a finding.

Fix

Change usernames, or delete accounts, so each has a unique name.
V-50987 No Change
Findings ID: OL6-00-000120 Rule ID: SV-65193r1_rule Severity: medium CCI: CCI-000066

Discussion

In "iptables" the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to "DROP" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted.

Checks

Inspect the file "/etc/sysconfig/iptables" to determine the default policy for the INPUT chain. It should be set to DROP.

# grep ":INPUT" /etc/sysconfig/iptables

If the default policy for the INPUT chain is not set to DROP, this is a finding.

Fix

To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in "/etc/sysconfig/iptables":

:INPUT DROP [0:0]
V-50989 No Change
Findings ID: OL6-00-000124 Rule ID: SV-65195r2_rule Severity: medium CCI: CCI-000382

Discussion

Disabling DCCP protects the system against exploitation of any flaws in its implementation.

Checks

If the system is configured to prevent the loading of the "dccp" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf":

grep -r dccp /etc/modprobe.conf /etc/modprobe.d | grep -i “/bin/true”

If no line is returned, this is a finding.

Fix

The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the "dccp" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d":

install dccp /bin/true
V-50991 No Change
Findings ID: OL6-00-000297 Rule ID: SV-65197r1_rule Severity: low CCI: CCI-000016

Discussion

When temporary accounts are created, there is a risk they may remain in place and active after the need for them no longer exists. Account expiration greatly reduces the risk of accounts being misused or hijacked.

Checks

For every temporary account, run the following command to obtain its account aging and expiration information:

# chage -l [USER]

Verify each of these accounts has an expiration date set as documented.

If any temporary accounts have no expiration date set or do not expire within a documented time frame, this is a finding.

Fix

In the event temporary accounts are required, configure the system to terminate them after a documented time period.

For every temporary account, run the following command to set an expiration date on it, substituting "[USER]" and "[YYYY-MM-DD]" appropriately:

# chage -E [YYYY-MM-DD] [USER]

"[YYYY-MM-DD]" indicates the documented expiration date for the account.
V-50993 No Change
Findings ID: OL6-00-000298 Rule ID: SV-65199r1_rule Severity: low CCI: CCI-001682

Discussion

When emergency accounts are created, there is a risk they may remain in place and active after the need for them no longer exists. Account expiration greatly reduces the risk of accounts being misused or hijacked.

Checks

For every emergency account, run the following command to obtain its account aging and expiration information:

# chage -l [USER]

Verify each of these accounts has an expiration date set as documented.

If any emergency accounts have no expiration date set or do not expire within a documented time frame, this is a finding.

Fix

In the event emergency accounts are required, configure the system to terminate them after a documented time period.

For every emergency account, run the following command to set an expiration date on it, substituting "[USER]" and "[YYYY-MM-DD]" appropriately:

# chage -E [YYYY-MM-DD] [USER]

"[YYYY-MM-DD]" indicates the documented expiration date for the account.
V-50995 Updated
Findings ID: OL6-00-000299 Rule ID: SV-65201r34_rule Severity: low CCI: CCI-000366

Discussion

Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.

Checks

To check the maximum value for consecutive repeating characters, run the following command:

$ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth

Look for the value of the "maxrepeat" parameter. The DoD requirement is “3”.

If
the “"maxrepeat” parameter" is not found or not set to the required value, is set to zero, or is set to a value greater than “, this is a finding.

Fix

The pam_cracklib module's ”maxrepeat” parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords that contain more than the number of consecutive characters.

Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "maxrepeat=3" after pam_cracklib.so to prevent a run of (3 + 1) or more identical characters.
password required pam_cracklib.so maxrepeat=3
V-50997 No Change
Findings ID: OL6-00-000125 Rule ID: SV-65203r2_rule Severity: medium CCI: CCI-000382

Discussion

Disabling SCTP protects the system against exploitation of any flaws in its implementation.

Checks

If the system is configured to prevent the loading of the "sctp" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf":

$ grep -r sctp /etc/modprobe.conf /etc/modprobe.d | grep -i “/bin/true”

If no line is returned, this is a finding.

Fix

The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the "sctp" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d":

install sctp /bin/true
V-51001 No Change
Findings ID: OL6-00-000126 Rule ID: SV-65207r1_rule Severity: low CCI: CCI-000382

Discussion

Disabling RDS protects the system against exploitation of any flaws in its implementation.

Checks

If the system is configured to prevent the loading of the "rds" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module-loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf":

$ grep -r rds /etc/modprobe.conf /etc/modprobe.d

If no line is returned, this is a finding.

This is not a finding if the RDS service is required for proper system or application operation. Oracle Engineered Systems such as Exadata use the RDS service for InfiniBand-based communication with storage services.

Fix

The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high- bandwidth, low-latency communications between nodes in a cluster. To configure the system to prevent the "rds" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d":

install rds /bin/true
V-51005 No Change
Findings ID: OL6-00-000127 Rule ID: SV-65211r2_rule Severity: medium CCI: CCI-000382

Discussion

Disabling TIPC protects the system against exploitation of any flaws in its implementation.

Checks

If the system is configured to prevent the loading of the "tipc" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf":

$ grep -r tipc /etc/modprobe.conf /etc/modprobe.d | grep -i “/bin/true”

If no line is returned, this is a finding.

Fix

The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the "tipc" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d":

install tipc /bin/true
V-51007 No Change
Findings ID: OL6-00-000133 Rule ID: SV-65213r2_rule Severity: medium CCI: CCI-001314

Discussion

The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.

Checks

The owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". To see the owner of a given log file, run the following command:

$ ls -l [LOGFILE]

Some log files referenced in /etc/rsyslog.conf may be created by other programs and may require exclusion from consideration.

If the owner is not root, this is a finding.

Fix

The owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's owner:

$ ls -l [LOGFILE]

If the owner is not "root", run the following command to correct this:

# chown root [LOGFILE]
V-51009 No Change
Findings ID: OL6-00-000134 Rule ID: SV-65215r2_rule Severity: medium CCI: CCI-001314

Discussion

The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.

Checks

The group-owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". To see the group-owner of a given log file, run the following command:

$ ls -l [LOGFILE]

Some log files referenced in /etc/rsyslog.conf may be created by other programs and may require exclusion from consideration.

If the group-owner is not root, this is a finding.

Fix

The group-owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's group owner:

$ ls -l [LOGFILE]

If the owner is not "root", run the following command to correct this:

# chgrp root [LOGFILE]
V-51011 No Change
Findings ID: OL6-00-000302 Rule ID: SV-65217r2_rule Severity: medium CCI: CCI-000374

Discussion

By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.

Checks

To determine that periodic AIDE execution has been scheduled, run the following command:

# grep aide /etc/crontab /etc/cron.*/*

If there is no output, or if aide is not run at least weekly, this is a finding.

Fix

AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:

05 4 * * * root /usr/sbin/aide --check

AIDE can be executed periodically through other means; this is merely one example.
V-51013 No Change
Findings ID: OL6-00-000135 Rule ID: SV-65219r2_rule Severity: medium CCI: CCI-001314

Discussion

Log files can contain valuable information regarding system configuration. If the system log files are not protected, unauthorized users could change the logged data, eliminating their forensic value.

Checks

The file permissions for all log files written by rsyslog should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's permissions:

$ ls -l [LOGFILE]

The permissions should be 600, or more restrictive. Some log files referenced in /etc/rsyslog.conf may be created by other programs and may require exclusion from consideration.

If the permissions are not correct, this is a finding.

Fix

The file permissions for all log files written by rsyslog should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's permissions:

$ ls -l [LOGFILE]

If the permissions are not 600 or more restrictive, run the following command to correct this:

# chmod 0600 [LOGFILE]
V-51015 No Change
Findings ID: OL6-00-000136 Rule ID: SV-65221r1_rule Severity: medium CCI: CCI-001348

Discussion

A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.

Checks

To ensure logs are sent to a remote host, examine the file "/etc/rsyslog.conf". If using UDP, a line similar to the following should be present:

*.* @[loghost.example.com]

If using TCP, a line similar to the following should be present:

*.* @@[loghost.example.com]

If using RELP, a line similar to the following should be present:

*.* :omrelp:[loghost.example.com]

If none of these are present, this is a finding.

Fix

To configure rsyslog to send logs to a remote log server, open "/etc/rsyslog.conf" and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting "[loghost.example.com]" appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.
To use UDP for log message delivery:

*.* @[loghost.example.com]

To use TCP for log message delivery:

*.* @@[loghost.example.com]

To use RELP for log message delivery:

*.* :omrelp:[loghost.example.com]
V-51017 No Change
Findings ID: OL6-00-000303 Rule ID: SV-65223r2_rule Severity: medium CCI: CCI-000416

Discussion

By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.

Checks

To determine that periodic AIDE execution has been scheduled, run the following command:

# grep aide /etc/crontab /etc/cron.*/*

If there is no output, this is a finding.

Fix

AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:

05 4 * * * root /usr/sbin/aide --check

AIDE can be executed periodically through other means; this is merely one example.
V-51019 No Change
Findings ID: OL6-00-000137 Rule ID: SV-65225r1_rule Severity: medium CCI: CCI-000169

Discussion

A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.

Checks

To ensure logs are sent to a remote host, examine the file "/etc/rsyslog.conf". If using UDP, a line similar to the following should be present:

*.* @[loghost.example.com]

If using TCP, a line similar to the following should be present:

*.* @@[loghost.example.com]

If using RELP, a line similar to the following should be present:

*.* :omrelp:[loghost.example.com]

If none of these are present, this is a finding.

Fix

To configure rsyslog to send logs to a remote log server, open "/etc/rsyslog.conf" and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting "[loghost.example.com]" appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.
To use UDP for log message delivery:

*.* @[loghost.example.com]

To use TCP for log message delivery:

*.* @@[loghost.example.com]

To use RELP for log message delivery:

*.* :omrelp:[loghost.example.com]
V-51021 No Change
Findings ID: OL6-00-000138 Rule ID: SV-65227r1_rule Severity: low CCI: CCI-000366

Discussion

Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.

Checks

Run the following commands to determine the current status of the "logrotate" service:

# grep logrotate /var/log/cron*

If the logrotate service is not run on a daily basis by cron, this is a finding.

Fix

The "logrotate" service should be installed or reinstalled if it is not installed and operating properly, by running the following command:

# yum reinstall logrotate
V-51023 No Change
Findings ID: OL6-00-000304 Rule ID: SV-65229r2_rule Severity: medium CCI: CCI-001069

Discussion

By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.

Checks

To determine that periodic AIDE execution has been scheduled, run the following command:

# grep aide /etc/crontab /etc/cron.*/*

If there is no output, this is a finding.

Fix

AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:

05 4 * * * root /usr/sbin/aide --check

AIDE can be executed periodically through other means; this is merely one example.
V-51027 No Change
Findings ID: OL6-00-000145 Rule ID: SV-65233r1_rule Severity: medium CCI: CCI-001487

Discussion

Ensuring the "auditd" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.

Checks

Run the following command to determine the current status of the "auditd" service:

# service auditd status

If the service is enabled, it should return the following:

auditd is running...

If the service is not running, this is a finding.

Fix

The "auditd" service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The "auditd" service can be enabled with the following commands:

# chkconfig auditd on
# service auditd start
V-51029 No Change
Findings ID: OL6-00-000305 Rule ID: SV-65235r2_rule Severity: medium CCI: CCI-001263

Discussion

By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.

Checks

To determine that periodic AIDE execution has been scheduled, run the following command:

# grep aide /etc/crontab /etc/cron.*/*

If there is no output, this is a finding.

Fix

AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:

05 4 * * * root /usr/sbin/aide --check

AIDE can be executed periodically through other means; this is merely one example.
V-51033 No Change
Findings ID: OL6-00-000148 Rule ID: SV-65239r1_rule Severity: medium CCI: CCI-000067

Discussion

Ensuring the "auditd" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.

Checks

Run the following command to determine the current status of the "auditd" service:

# service auditd status

If the service is enabled, it should return the following:

auditd is running...

If the service is not running, this is a finding.

Fix

The "auditd" service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The "auditd" service can be enabled with the following commands:

# chkconfig auditd on
# service auditd start
V-51035 No Change
Findings ID: OL6-00-000306 Rule ID: SV-65241r2_rule Severity: medium CCI: CCI-001297

Discussion

By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.

Checks

To determine that periodic AIDE execution has been scheduled, run the following command:

# grep aide /etc/crontab /etc/cron.*/*

If there is no output, this is a finding.

Fix

AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:

05 4 * * * root /usr/sbin/aide --check

AIDE can be executed periodically through other means; this is merely one example.
V-51037 No Change
Findings ID: OL6-00-000307 Rule ID: SV-65243r2_rule Severity: medium CCI: CCI-001589

Discussion

By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.

Checks

To determine that periodic AIDE execution has been scheduled, run the following command:

# grep aide /etc/crontab /etc/cron.*/*

If there is no output, this is a finding.

Fix

AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:

05 4 * * * root /usr/sbin/aide --check

AIDE can be executed periodically through other means; this is merely one example.
V-51039 No Change
Findings ID: OL6-00-000154 Rule ID: SV-65245r1_rule Severity: medium CCI: CCI-000130

Discussion

Ensuring the "auditd" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.

Checks

Run the following command to determine the current status of the "auditd" service:

# service auditd status

If the service is enabled, it should return the following:

auditd is running...

If the service is not running, this is a finding.

Fix

The "auditd" service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The "auditd" service can be enabled with the following commands:

# chkconfig auditd on
# service auditd start
V-51041 No Change
Findings ID: OL6-00-000308 Rule ID: SV-65247r2_rule Severity: low CCI: CCI-000366

Discussion

A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.

Checks

To verify that core dumps are disabled for all users, run the following command:

$ grep core /etc/security/limits.conf /etc/security/limits.d/*.conf

The output should be:

* hard core 0

If it is not, this is a finding.

Fix

To disable core dumps for all users, add the following line to "/etc/security/limits.conf":

* hard core 0
V-51043 No Change
Findings ID: OL6-00-000159 Rule ID: SV-65249r1_rule Severity: medium CCI: CCI-000366

Discussion

The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.

Checks

Inspect "/etc/audit/auditd.conf" and locate the following line to determine how many logs the system is configured to retain after rotation: "# grep num_logs /etc/audit/auditd.conf"

num_logs = 5

If the overall system log file(s) retention hasn't been properly set up, this is a finding.

Fix

Determine how many log files "auditd" should retain when it rotates logs. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting [NUMLOGS] with the correct value:

num_logs = [NUMLOGS]

Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation.
V-51047 No Change
Findings ID: OL6-00-000309 Rule ID: SV-65253r1_rule Severity: high CCI: CCI-000764

Discussion

Allowing insecure file locking could allow for sensitive data to be viewed or edited by an unauthorized user.

Checks

To verify insecure file locking has been disabled, run the following command:

# grep insecure_locks /etc/exports

If there is output, this is a finding.

Fix

By default the NFS server requires secure file-lock requests, which require credentials from the client in order to lock a file. Most NFS clients send credentials with file lock requests, however, there are a few clients that do not send credentials when requesting a file-lock, allowing the client to only be able to lock world-readable files.

To get around this, the "insecure_locks" option can be used so these clients can access the desired export.

This poses a security risk by potentially allowing the client access to data for which it does not have authorization.

Remove any instances of the "insecure_locks" option from the file "/etc/exports".
V-51049 No Change
Findings ID: OL6-00-000160 Rule ID: SV-65255r1_rule Severity: medium CCI: CCI-000366

Discussion

The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.

Checks

Inspect "/etc/audit/auditd.conf" and locate the following line to determine how much data the system will retain in each audit log file: "# grep max_log_file /etc/audit/auditd.conf"

max_log_file = 6

If the system audit data threshold hasn't been properly set up, this is a finding.

Fix

Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting the correct value for [STOREMB]:

max_log_file = [STOREMB]

Set the value to "6" (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data.
V-51051 No Change
Findings ID: OL6-00-000311 Rule ID: SV-65257r2_rule Severity: medium CCI: CCI-000143

Discussion

Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.

Checks

Inspect "/etc/audit/auditd.conf" and locate the following line to determine whether the system is configured to email the administrator when disk space is starting to run low:

# grep space_left /etc/audit/auditd.conf

space_left = [num_megabytes]

If the "num_megabytes" value does not correspond to a documented value for remaining audit partition capacity or if there is no locally documented value for remaining audit partition capacity, this is a finding.

Fix

The "auditd" service can be configured to take an action when disk space starts to run low. Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [num_megabytes] appropriately:

space_left = [num_megabytes]

The "num_megabytes" value should be set to a fraction of the total audit storage capacity available that will allow a system administrator to be notified with enough time to respond to the situation causing the capacity issues. This value must also be documented locally.
V-51053 No Change
Findings ID: OL6-00-000161 Rule ID: SV-65259r2_rule Severity: medium CCI: CCI-000366

Discussion

Automatically rotating logs (by setting this to "rotate") minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, "keep_logs" can be employed.

Checks

Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to rotate logs when they reach their maximum size:

# grep max_log_file_action /etc/audit/auditd.conf
max_log_file_action = rotate

If the "keep_logs" option is configured for the "max_log_file_action" line in "/etc/audit/auditd.conf" and an alternate process is in place to ensure audit data does not overwhelm local audit storage, this is not a finding.

If the system has not been properly set up to rotate audit logs, this is a finding.

Fix

The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by "auditd", add or correct the line in "/etc/audit/auditd.conf":

max_log_file_action = [ACTION]

Possible values for [ACTION] are described in the "auditd.conf" man page. These include:

"ignore"
"syslog"
"suspend"
"rotate"
"keep_logs"

Set the "[ACTION]" to "rotate" to ensure log rotation occurs. This is the default. The setting is case-insensitive.
V-51057 No Change
Findings ID: OL6-00-000313 Rule ID: SV-65263r1_rule Severity: medium CCI: CCI-000139

Discussion

Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.

Checks

Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to send email to an account when it needs to notify an administrator:

action_mail_acct = root

If auditd is not configured to send emails per identified actions, this is a finding.

Fix

The "auditd" service can be configured to send email to a designated account in certain situations. Add or correct the following line in "/etc/audit/auditd.conf" to ensure that administrators are notified via email for those situations:

action_mail_acct = root
V-51061 No Change
Findings ID: OL6-00-000165 Rule ID: SV-65267r2_rule Severity: low CCI: CCI-000169

Discussion

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Checks

To determine if the system is configured to audit calls to the "adjtimex" system call, run the following command:

$ sudo grep -w "adjtimex" /etc/audit/audit.rules

If the system is configured to audit this activity, it will return a line.
If the system is not configured to audit time changes, this is a finding.

Fix

On a 32-bit system, add the following to "/etc/audit/audit.rules":

# audit_time_rules
-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules

On a 64-bit system, add the following to "/etc/audit/audit.rules":

# audit_time_rules
-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules

The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls:

-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules
V-51063 No Change
Findings ID: OL6-00-000167 Rule ID: SV-65269r2_rule Severity: low CCI: CCI-000169

Discussion

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Checks

To determine if the system is configured to audit calls to the "settimeofday" system call, run the following command:

$ sudo grep -w "settimeofday" /etc/audit/audit.rules

If the system is configured to audit this activity, it will return a line.
If the system is not configured to audit time changes, this is a finding.

Fix

On a 32-bit system, add the following to "/etc/audit/audit.rules":

# audit_time_rules
-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules

On a 64-bit system, add the following to "/etc/audit/audit.rules":

# audit_time_rules
-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules

The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined syscalls:

-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules
V-51067 No Change
Findings ID: OL6-00-000169 Rule ID: SV-65273r2_rule Severity: low CCI: CCI-000169

Discussion

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Checks

If the system is 64-bit only, this is not applicable.

To determine if the system is configured to audit calls to the "stime" system call, run the following command:

$ sudo grep -w "stime" /etc/audit/audit.rules

If the system is configured to audit this activity, it will return a line.

If the system is not configured to audit time changes, this is a finding.

Fix

On a 32-bit system, add the following to "/etc/audit/audit.rules":

# audit_time_rules
-a always,exit -F arch=b32 -S stime -k audit_time_rules

On a 64-bit system, the "-S time" is not necessary. The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls:

-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime
-k audit_time_rules
V-51069 No Change
Findings ID: OL6-00-000171 Rule ID: SV-65275r2_rule Severity: low CCI: CCI-000169

Discussion

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Checks

To determine if the system is configured to audit calls to the "clock_settime" system call, run the following command:

$ sudo grep -w "clock_settime" /etc/audit/audit.rules

If the system is configured to audit this activity, it will return a line.
If the system is not configured to audit time changes, this is a finding.

Fix

On a 32-bit system, add the following to "/etc/audit/audit.rules":

# audit_time_rules
-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules

On a 64-bit system, add the following to "/etc/audit/audit.rules":

# audit_time_rules
-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules

The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined syscalls:

-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules
V-51071 No Change
Findings ID: OL6-00-000173 Rule ID: SV-65277r2_rule Severity: low CCI: CCI-000169

Discussion

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Checks

To determine if the system is configured to audit attempts to alter time via the /etc/localtime file, run the following command:

$ sudo grep -w "/etc/localtime" /etc/audit/audit.rules

If the system is configured to audit this activity, it will return a line.

If the system is not configured to audit time changes, this is a finding.

Fix

Add the following to "/etc/audit/audit.rules":

-w /etc/localtime -p wa -k audit_time_rules

The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.
V-51073 No Change
Findings ID: OL6-00-000174 Rule ID: SV-65279r2_rule Severity: low CCI: CCI-000018

Discussion

In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

Checks

To determine if the system is configured to audit account changes, run the following command:

$ sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules

If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each).

If the system is not configured to audit account changes, this is a finding.

Fix

Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes:

# audit_account_changes
-w /etc/group -p wa -k audit_account_changes
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/shadow -p wa -k audit_account_changes
-w /etc/security/opasswd -p wa -k audit_account_changes
V-51077 No Change
Findings ID: OL6-00-000175 Rule ID: SV-65283r2_rule Severity: low CCI: CCI-001403

Discussion

In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

Checks

To determine if the system is configured to audit account changes, run the following command:

$sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules

If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each).

If the system is not configured to audit account changes, this is a finding.

Fix

Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes:

# audit_account_changes
-w /etc/group -p wa -k audit_account_changes
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/shadow -p wa -k audit_account_changes
-w /etc/security/opasswd -p wa -k audit_account_changes
V-51083 No Change
Findings ID: OL6-00-000176 Rule ID: SV-65291r2_rule Severity: low CCI: CCI-001404

Discussion

In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

Checks

To determine if the system is configured to audit account changes, run the following command:

$sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules

If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each).

If the system is not configured to audit account changes, this is a finding.

Fix

Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes:

# audit_account_changes
-w /etc/group -p wa -k audit_account_changes
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/shadow -p wa -k audit_account_changes
-w /etc/security/opasswd -p wa -k audit_account_changes
V-51087 No Change
Findings ID: OL6-00-000177 Rule ID: SV-65295r2_rule Severity: low CCI: CCI-001405

Discussion

In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

Checks

To determine if the system is configured to audit account changes, run the following command:

$sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules

If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each).

If the system is not configured to audit account changes, this is a finding.

Fix

Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes:

# audit_account_changes
-w /etc/group -p wa -k audit_account_changes
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/shadow -p wa -k audit_account_changes
-w /etc/security/opasswd -p wa -k audit_account_changes
V-51093 No Change
Findings ID: OL6-00-000182 Rule ID: SV-65301r4_rule Severity: low CCI: CCI-000366

Discussion

The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.

Checks

If you are running x86_64 architecture, determine the values for sethostname:
$ uname -m; ausyscall i386 sethostname; ausyscall x86_64 sethostname

If the values returned are not identical verify that the system is configured to monitor network configuration changes for the i386 and x86_64 architectures:

$ sudo egrep -w '(sethostname|setdomainname|/etc/issue|/etc/issue.net|/etc/hosts|/etc/sysconfig/network)' /etc/audit/audit.rules

-a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications
-w /etc/issue -p wa -k audit_network_modifications
-w /etc/issue.net -p wa -k audit_network_modifications
-w /etc/hosts -p wa -k audit_network_modifications
-w /etc/sysconfig/network -p wa -k audit_network_modifications

-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_network_modifications
-w /etc/issue -p wa -k audit_network_modifications
-w /etc/issue.net -p wa -k audit_network_modifications
-w /etc/hosts -p wa -k audit_network_modifications
-w /etc/sysconfig/network -p wa -k audit_network_modifications

If the system is not configured to audit changes of the network configuration, this is a finding.

Fix

Add the following to "/etc/audit/audit.rules", setting ARCH to either b32 or b64 as appropriate for your system:

# audit_network_modifications
-a always,exit -F arch=ARCH -S sethostname -S setdomainname -k audit_network_modifications
-w /etc/issue -p wa -k audit_network_modifications
-w /etc/issue.net -p wa -k audit_network_modifications
-w /etc/hosts -p wa -k audit_network_modifications
-w /etc/sysconfig/network -p wa -k audit_network_modifications
V-51111 No Change
Findings ID: OL6-00-000315 Rule ID: SV-65321r3_rule Severity: medium CCI: CCI-000085

Discussion

If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.

Checks

If the system is configured to prevent the loading of the "bluetooth" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf":

$ grep -r bluetooth /etc/modprobe.conf /etc/modprobe.d | grep -i “/bin/true”

If no line is returned, this is a finding.


If the system is configured to prevent the loading of the "net-pf-31" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf":

$ grep -r net-pf-31 /etc/modprobe.conf /etc/modprobe.d | grep -i “/bin/true”

If no line is returned, this is a finding.

Fix

The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate "/etc/modprobe.d" configuration file to prevent the loading of the Bluetooth module:

install net-pf-31 /bin/true
install bluetooth /bin/true
V-51115 No Change
Findings ID: OL6-00-000319 Rule ID: SV-65325r2_rule Severity: low CCI: CCI-000054

Discussion

Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions.

Checks

Run the following command to ensure the "maxlogins" value is configured for all users on the system:

$ grep "maxlogins" /etc/security/limits.conf /etc/security/limits.d/*.conf

You should receive output similar to the following:

* hard maxlogins 10

If it is not similar, this is a finding.

Fix

Limiting the number of allowed users and sessions per user can limit risks related to denial of service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. To set the number of concurrent sessions per user add the following line in "/etc/security/limits.conf":

* hard maxlogins 10

A documented site-defined number may be substituted for 10 in the above.
V-51117 No Change
Findings ID: OL6-00-000320 Rule ID: SV-65327r1_rule Severity: medium CCI: CCI-001109

Discussion

In "iptables" the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to "DROP" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted.

Checks

Run the following command to ensure the default "FORWARD" policy is "DROP":

grep ":FORWARD" /etc/sysconfig/iptables

The output must be the following:

# grep ":FORWARD" /etc/sysconfig/iptables
:FORWARD DROP [0:0]

If it is not, this is a finding.

Fix

To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interface to another, add or correct the following line in "/etc/sysconfig/iptables":

:FORWARD DROP [0:0]
V-51121 No Change
Findings ID: OL6-00-000321 Rule ID: SV-65331r2_rule Severity: low CCI: CCI-001130

Discussion

Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network.

Checks

If the system does not communicate over untrusted networks, this is not applicable.

Run the following command to determine if the "openswan" package is installed:

# rpm -q openswan

If the package is not installed, this is a finding.

Fix

The Openswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks.

The "openswan" package can be installed with the following command:

# yum install openswan
V-51123 No Change
Findings ID: OL6-00-000324 Rule ID: SV-65333r2_rule Severity: medium CCI: CCI-000050

Discussion

An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.

Checks

If the GConf2 package is not installed, this is not applicable.

To ensure a login warning banner is enabled, run the following:

$ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gdm/simple-greeter/banner_message_enable

Search for the "banner_message_enable" schema. If properly configured, the "default" value should be "true".

If it is not, this is a finding.

Fix

To enable displaying a login warning banner in the GNOME Display Manager's login screen, run the following command:

# gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type bool \
--set /apps/gdm/simple-greeter/banner_message_enable true

To display a banner, this setting must be enabled and then banner text must also be set.
V-51125 No Change
Findings ID: OL6-00-000326 Rule ID: SV-65335r3_rule Severity: medium CCI: CCI-001384

Discussion

An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.

Checks

If the GConf2 package is not installed, this is not applicable.

To ensure login warning banner text is properly set, run the following:

$ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gdm/simple-greeter/banner_message_text

If properly configured, the proper banner text will appear within this schema.

The DoD required text is either:

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

OR:

"I've read & consent to terms in IS user agreem't."

If the DoD required banner text does not appear in the schema, this is a finding.

Fix

To set the text shown by the GNOME Display Manager in the login screen, run the following command:

# gconftool-2
--direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type string \
--set /apps/gdm/simple-greeter/banner_message_text \
"[DoD required text]"

Where the DoD required text is either:

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

OR:

"I've read & consent to terms in IS user agreem't."

When entering a warning banner that spans several lines, remember to begin and end the string with """. This command writes directly to the file "/etc/gconf/gconf.xml.mandatory/apps/gdm/simple-greeter/%gconf.xml", and this file can later be edited directly if necessary.
V-51127 No Change
Findings ID: OL6-00-000331 Rule ID: SV-65337r2_rule Severity: medium CCI: CCI-000085

Discussion

Disabling the "bluetooth" service prevents the system from attempting connections to Bluetooth devices, which entails some security risk. Nevertheless, variation in this risk decision may be expected due to the utility of Bluetooth connectivity and its limited range.

Checks

To check that the "bluetooth" service is disabled in system boot configuration, run the following command:

# chkconfig "bluetooth" --list

Output should indicate the "bluetooth" service has either not been installed or has been disabled at all runlevels, as shown in the example below:

# chkconfig "bluetooth" --list
"bluetooth" 0:off 1:off 2:off 3:off 4:off 5:off 6:off

If the service is configured to run, this is a finding.

Fix

The "bluetooth" service can be disabled with the following command:

# chkconfig bluetooth off

# service bluetooth stop
V-51129 No Change
Findings ID: OL6-00-000334 Rule ID: SV-65339r1_rule Severity: low CCI: CCI-000017

Discussion

Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.

Checks

To verify the "INACTIVE" setting, run the following command:

grep "INACTIVE" /etc/default/useradd

The output should indicate the "INACTIVE" configuration option is set to an appropriate integer as shown in the example below:

# grep "INACTIVE" /etc/default/useradd
INACTIVE=35

If it does not, this is a finding.

Fix

To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in "/etc/default/useradd", substituting "[NUM_DAYS]" appropriately:

INACTIVE=[NUM_DAYS]

A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled.

See the "useradd" man page for more information.

Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment.

Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.
V-51131 No Change
Findings ID: OL6-00-000335 Rule ID: SV-65341r1_rule Severity: low CCI: CCI-000795

Discussion

Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.

Checks

To verify the "INACTIVE" setting, run the following command:

grep "INACTIVE" /etc/default/useradd

The output should indicate the "INACTIVE" configuration option is set to an appropriate integer as shown in the example below:

# grep "INACTIVE" /etc/default/useradd
INACTIVE=35

If it does not, this is a finding.

Fix

To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in "/etc/default/useradd", substituting "[NUM_DAYS]" appropriately:

INACTIVE=[NUM_DAYS]

A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled.

See the "useradd" man page for more information.

Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment.

Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.
V-51133 No Change
Findings ID: OL6-00-000336 Rule ID: SV-65343r1_rule Severity: low CCI: CCI-000366

Discussion

Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure.

The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, and by users for temporary file storage - such as /tmp - and for directories requiring global read/write access.

Checks

To find world-writable directories that lack the sticky bit, run the following command for each local partition [PART]:

# find [PART] -xdev -type d -perm -002 ! -perm -1000

If any world-writable directories are missing the sticky bit, this is a finding.

Fix

When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory.

Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit.

However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes.

To set the sticky bit on a world-writable directory [DIR], run the following command:

# chmod +t [DIR]
V-51135 No Change
Findings ID: OL6-00-000201 Rule ID: SV-65345r2_rule Severity: low CCI: CCI-000172

Discussion

The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes.

Checks

To verify that auditing is configured for system administrator actions, run the following command:

$ sudo grep -w "/etc/sudoers" /etc/audit/audit.rules

If the system is configured to watch for changes to its sudoers configuration, a line should be returned (including "-p wa" indicating permissions that are watched).

If there is no output, this is a finding.

Fix

At a minimum, the audit system should collect administrator actions for all users and root. Add the following to "/etc/audit/audit.rules":

-w /etc/sudoers -p wa -k actions
V-51137 No Change
Findings ID: OL6-00-000200 Rule ID: SV-65347r2_rule Severity: low CCI: CCI-000172

Discussion

Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.

Checks

To determine if the system is configured to audit calls to the "rmdir" system call, run the following command:

$ sudo grep -w "rmdir" /etc/audit/audit.rules

If the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the "unlink" system call, run the following command:

$ sudo grep -w "unlink" /etc/audit/audit.rules

If the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the "unlinkat" system call, run the following command:

$ sudo grep -w "unlinkat" /etc/audit/audit.rules

If the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the "rename" system call, run the following command:

$ sudo grep -w "rename" /etc/audit/audit.rules

If the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the "renameat" system call, run the following command:

$ sudo grep -w "renameat" /etc/audit/audit.rules

If the system is configured to audit this activity, it will return a line.

If no line is returned, this is a finding.

Fix

At a minimum, the audit system should collect file deletion events for all users and root. Add the following (or equivalent) to "/etc/audit/audit.rules", setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete
V-51139 No Change
Findings ID: OL6-00-000199 Rule ID: SV-65349r2_rule Severity: low CCI: CCI-000172

Discussion

The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.

Checks

To verify that auditing is configured for all media exportation events, run the following command:

$ sudo grep -w "mount" /etc/audit/audit.rules

If the system is configured to audit this activity, it will return several lines.

If no line is returned, this is a finding.

Fix

At a minimum, the audit system should collect media exportation events for all users and root. Add the following to "/etc/audit/audit.rules", setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export
-a always,exit -F arch=ARCH -S mount -F auid=0 -k export
V-51141 No Change
Findings ID: OL6-00-000198 Rule ID: SV-65351r2_rule Severity: low CCI: CCI-000040

Discussion

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Checks

To verify that auditing of privileged command use is configured, run the following command once for each local partition [PART] to find relevant setuid / setgid programs:

$ sudo find [PART] -xdev -type f -perm /6000 2>/dev/null

Run the following command to verify entries in the audit rules for all programs found with the previous command:

$ sudo grep path /etc/audit/audit.rules

It should be the case that all relevant setuid / setgid programs have a line in the audit rules. If that is not the case, this is a finding.

Fix

At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition [PART]:

$ sudo find [PART] -xdev -type f -perm /6000 2>/dev/null

Then, for each setuid / setgid program on the system, add a line of the following form to "/etc/audit/audit.rules", where [SETUID_PROG_PATH] is the full path to each setuid / setgid program in the list:

-a always,exit -F path=[SETUID_PROG_PATH] -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
V-51143 No Change
Findings ID: OL6-00-000197 Rule ID: SV-65353r1_rule Severity: low CCI: CCI-000172

Discussion

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Checks

To verify that the audit system collects unauthorized file accesses, run the following commands:

# grep EACCES /etc/audit/audit.rules

# grep EPERM /etc/audit/audit.rules

If either command lacks output, this is a finding.

Fix

At a minimum, the audit system should collect unauthorized file accesses for all users and root. Add the following to "/etc/audit/audit.rules", setting ARCH to either "b32" or "b64" as appropriate for your system:

-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \
-S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \
-S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \
-S ftruncate -F exit=-EACCES -F auid=0 -k access
-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \
-S ftruncate -F exit=-EPERM -F auid=0 -k access
V-51145 No Change
Findings ID: OL6-00-000196 Rule ID: SV-65355r2_rule Severity: low CCI: CCI-000172

Discussion

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Checks

To determine if the system is configured to audit calls to the "setxattr" system call, run the following command:

$ sudo grep -w "setxattr" /etc/audit/audit.rules

If the system is configured to audit this activity, it will return several lines.

If no lines are returned, this is a finding.

Fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod
V-51147 No Change
Findings ID: OL6-00-000195 Rule ID: SV-65357r2_rule Severity: low CCI: CCI-000172

Discussion

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Checks

To determine if the system is configured to audit calls to the "removexattr" system call, run the following command:

$ sudo grep -w "removexattr" /etc/audit/audit.rules

If the system is configured to audit this activity, it will return several lines.

If no lines are returned, this is a finding.

Fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod
V-51149 No Change
Findings ID: OL6-00-000194 Rule ID: SV-65359r2_rule Severity: low CCI: CCI-000172

Discussion

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Checks

To determine if the system is configured to audit calls to the "lsetxattr" system call, run the following command:

$ sudo grep -w "lsetxattr" /etc/audit/audit.rules

If the system is configured to audit this activity, it will return several lines.

If no lines are returned, this is a finding.

Fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod
V-51151 No Change
Findings ID: OL6-00-000193 Rule ID: SV-65361r2_rule Severity: low CCI: CCI-000172

Discussion

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Checks

To determine if the system is configured to audit calls to the "lremovexattr" system call, run the following command:

$ sudo grep -w "lremovexattr" /etc/audit/audit.rules

If the system is configured to audit this activity, it will return several lines.

If no lines are returned, this is a finding.

Fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod
V-51153 No Change
Findings ID: OL6-00-000192 Rule ID: SV-65363r2_rule Severity: low CCI: CCI-000172

Discussion

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Checks

To determine if the system is configured to audit calls to the "lchown" system call, run the following command:

$ sudo grep -w "lchown" /etc/audit/audit.rules

If the system is configured to audit this activity, it will return several lines.

If no lines are returned, this is a finding.

Fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod
V-51155 No Change
Findings ID: OL6-00-000191 Rule ID: SV-65365r2_rule Severity: low CCI: CCI-000172

Discussion

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Checks

To determine if the system is configured to audit calls to the "fsetxattr" system call, run the following command:

$ sudo grep -w "fsetxattr" /etc/audit/audit.rules

If the system is configured to audit this activity, it will return several lines.

If no lines are returned, this is a finding.

Fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod
V-51157 No Change
Findings ID: OL6-00-000190 Rule ID: SV-65367r2_rule Severity: low CCI: CCI-000172

Discussion

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Checks

To determine if the system is configured to audit calls to the "fremovexattr" system call, run the following command:

$ sudo grep -w "fremovexattr" /etc/audit/audit.rules

If the system is configured to audit this activity, it will return several lines.

If no lines are returned, this is a finding.

Fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod
V-51159 No Change
Findings ID: OL6-00-000189 Rule ID: SV-65369r2_rule Severity: low CCI: CCI-000172

Discussion

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Checks

To determine if the system is configured to audit calls to the "fchownat" system call, run the following command:

$ sudo grep -w "fchownat" /etc/audit/audit.rules

If the system is configured to audit this activity, it will return several lines.

If no lines are returned, this is a finding.

Fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_mod
V-51161 No Change
Findings ID: OL6-00-000188 Rule ID: SV-65371r2_rule Severity: low CCI: CCI-000172

Discussion

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Checks

To determine if the system is configured to audit calls to the "fchown" system call, run the following command:

$ sudo grep -w "fchown" /etc/audit/audit.rules

If the system is configured to audit this activity, it will return several lines.

If no lines are returned, this is a finding.

Fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_mod
V-51163 No Change
Findings ID: OL6-00-000187 Rule ID: SV-65373r2_rule Severity: low CCI: CCI-000172

Discussion

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Checks

To determine if the system is configured to audit calls to the "fchmodat" system call, run the following command:

$ sudo grep -w "fchmodat" /etc/audit/audit.rules

If the system is configured to audit this activity, it will return several lines.
If no lines are returned, this is a finding.

Fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_mod
V-51165 No Change
Findings ID: OL6-00-000186 Rule ID: SV-65375r2_rule Severity: low CCI: CCI-000172

Discussion

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Checks

To determine if the system is configured to audit calls to the "fchmod" system call, run the following command:

$ sudo grep -w "fchmod" /etc/audit/audit.rules

If the system is configured to audit this activity, it will return several lines.
If no lines are returned, this is a finding.

Fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_mod
V-51167 No Change
Findings ID: OL6-00-000185 Rule ID: SV-65377r2_rule Severity: low CCI: CCI-000172

Discussion

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Checks

To determine if the system is configured to audit calls to the "chown" system call, run the following command:

$ sudo grep -w "chown" /etc/audit/audit.rules

If the system is configured to audit this activity, it will return several lines.
If no lines are returned, this is a finding.

Fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b64 -S chown -F auid=0 -k perm_mod
V-51169 No Change
Findings ID: OL6-00-000184 Rule ID: SV-65379r2_rule Severity: low CCI: CCI-000172

Discussion

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Checks

To determine if the system is configured to audit calls to the "chmod" system call, run the following command:

$ sudo grep -w "chmod" /etc/audit/audit.rules

If the system is configured to audit this activity, it will return several lines.

If the system is not configured to audit permission changes, this is a finding.

Fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b32 -S chmod -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b64 -S chmod -F auid=0 -k perm_mod
V-51171 No Change
Findings ID: OL6-00-000183 Rule ID: SV-65381r2_rule Severity: low CCI: CCI-000366

Discussion

The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.

Checks

To determine if the system is configured to audit changes to its SELinux configuration files, run the following command:

$ sudo grep -w "/etc/selinux" /etc/audit/audit.rules

If the system is configured to watch for changes to its SELinux configuration, a line should be returned (including "-p wa" indicating permissions that are watched).

If the system is not configured to audit attempts to change the MAC policy, this is a finding.

Fix

Add the following to "/etc/audit/audit.rules":

-w /etc/selinux/ -p wa -k MAC-policy
V-51423 No Change
Findings ID: OL6-00-000337 Rule ID: SV-65633r1_rule Severity: low CCI: CCI-000366

Discussion

Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.

Checks

The following command will discover and print world-writable directories that are not owned by a system account, given the assumption that only system accounts have a uid lower than 500. Run it once for each local partition [PART]:

# find [PART] -xdev -type d -perm -0002 -uid +500 -print

If there is output, this is a finding.

Fix

All directories in local partitions which are world-writable should be owned by root or another system account.

If any world-writable directories are not owned by a system account, this should be investigated.

Following this, the files should be deleted or assigned to an appropriate group.
V-59347 No Change
Findings ID: OL6-00-000017 Rule ID: SV-73777r2_rule Severity: medium CCI: CCI-000366

Discussion

Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation.

Checks

Inspect "/boot/grub/grub.conf" for any instances of "selinux=0" in the kernel boot arguments. Presence of "selinux=0" indicates that SELinux is disabled at boot time. If SELinux is disabled at boot time, this is a finding.

Fix

SELinux can be disabled at boot time by an argument in "/boot/grub/grub.conf". Remove any instances of "selinux=0" from the kernel arguments in that file to prevent SELinux from being disabled at boot.
V-59353 No Change
Findings ID: OL6-00-000018 Rule ID: SV-73783r1_rule Severity: medium CCI: CCI-000366

Discussion

For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.

Checks

To find the location of the AIDE database file, run the following command:

# grep DBDIR /etc/aide.conf

Using the defined values of the [DBDIR] and [database] variables, verify the existence of the AIDE database file:

# ls -l [DBDIR]/[database_file_name]

If there is no database file, this is a finding.

Fix

Run the following command to generate a new database:

# /usr/sbin/aide --init

By default, the database will be written to the file "/var/lib/aide/aide.db.new.gz". Storing the database, the configuration file "/etc/aide.conf", and the binary "/usr/sbin/aide" (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows:

# cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

To initiate a manual check, run the following command:

# /usr/sbin/aide --check

If this check produces any unexpected output, investigate.
V-59367 No Change
Findings ID: OL6-00-000020 Rule ID: SV-73797r1_rule Severity: medium CCI: CCI-000366

Discussion

Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.

Checks

Check the file "/etc/selinux/config" and ensure the following line appears:

SELINUX=enforcing

If SELINUX is not set to enforcing, this is a finding.

Fix

The SELinux state should be set to "enforcing" at system boot time. In the file "/etc/selinux/config", add or correct the following line to configure the system to boot into enforcing mode:

SELINUX=enforcing
V-59369 No Change
Findings ID: OL6-00-000023 Rule ID: SV-73799r1_rule Severity: low CCI: CCI-000366

Discussion

Setting the SELinux policy to "targeted" or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services.

Checks

Check the file "/etc/selinux/config" and ensure the following line appears:

SELINUXTYPE=targeted

If it does not, this is a finding.

Fix

The SELinux "targeted" policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in "/etc/selinux/config":

SELINUXTYPE=targeted

Other policies, such as "mls", provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.
V-59371 No Change
Findings ID: OL6-00-000025 Rule ID: SV-73801r1_rule Severity: low CCI: CCI-000366

Discussion

If a device file carries the SELinux type "unlabeled_t", then SELinux cannot properly restrict access to the device file.

Checks

To check for unlabeled device files, run the following command:

# ls -RZ /dev | grep unlabeled_t

It should produce no output in a well-configured system.

If there is output, this is a finding.

Fix

Device files, which are used for communication with important system resources, should be labeled with proper SELinux types. If any device files carry the SELinux type "unlabeled_t", investigate the cause and correct the file's context.
V-59373 No Change
Findings ID: OL6-00-000163 Rule ID: SV-73803r3_rule Severity: medium CCI: CCI-000366

Discussion

Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur.

Checks

Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to either suspend, switch to single-user mode, or halt when disk space has run low:

admin_space_left_action = single

If the system is not configured to switch to single-user mode, suspend, or halt for corrective action, this is a finding.

Fix

The "auditd" service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting [ACTION] appropriately:

admin_space_left_action = [ACTION]

Set this value to "single" to cause the system to switch to single-user mode for corrective action. Acceptable values also include "suspend" and "halt". For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for [ACTION] are described in the "auditd.conf" man page.
V-59375 No Change
Findings ID: OL6-00-000372 Rule ID: SV-73805r1_rule Severity: medium CCI: CCI-000366

Discussion

Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.

Checks

To ensure that last logon/access notification is configured correctly, run the following command:

# grep pam_lastlog.so /etc/pam.d/system-auth

The output should show output "showfailed". If that is not the case, this is a finding.

Fix

To configure the system to notify users of last logon/access using "pam_lastlog", add the following line immediately after "session required pam_limits.so":

session required pam_lastlog.so showfailed
V-59377 No Change
Findings ID: OL6-00-000527 Rule ID: SV-73807r1_rule Severity: medium CCI: CCI-000366

Discussion

Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to quickly enumerate known user accounts without logging in.

Checks

If the GConf2 package is not installed, this is not applicable.

To ensure the user list is disabled, run the following command:

$ gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--get /apps/gdm/simple-greeter/disable_user_list

The output should be "true". If it is not, this is a finding.

Fix

In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This functionality should be disabled.

Run the following command to disable the user list:

$ sudo gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type bool --set /apps/gdm/simple-greeter/disable_user_list true
V-59379 No Change
Findings ID: OL6-00-000528 Rule ID: SV-73809r1_rule Severity: medium CCI: CCI-000366

Discussion

Allowing users to execute binaries from world-writable directories such as "/tmp" should never be necessary in normal operation and can expose the system to potential compromise.

Checks

To verify that binaries cannot be directly executed from the /tmp directory, run the following command:

$ grep '\s/tmp' /etc/fstab

The resulting output will show whether the /tmp partition has the "noexec" flag set. If the /tmp partition does not have the noexec flag set, this is a finding.

Fix

The "noexec" mount option can be used to prevent binaries from being executed out of "/tmp". Add the "noexec" option to the fourth column of "/etc/fstab" for the line which controls mounting of "/tmp".
V-60819 No Change
Findings ID: OL6-00-000529 Rule ID: SV-75275r1_rule Severity: medium CCI: CCI-002038

Discussion

The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts.

Checks

Verify neither the "NOPASSWD" option nor the "!authenticate" option is configured for use in "/etc/sudoers" and associated files. Note that the "#include" and "#includedir" directives may be used to include configuration data from locations other than the defaults enumerated here.

# egrep '^[^#]*NOPASSWD' /etc/sudoers /etc/sudoers.d/*
# egrep '^[^#]*!authenticate' /etc/sudoers /etc/sudoers.d/*

If the "NOPASSWD" or "!authenticate" options are configured for use in "/etc/sudoers" or associated files, this is a finding.

Fix

Update the "/etc/sudoers" or other sudo configuration files to remove or comment out lines utilizing the "NOPASSWD" and "!authenticate" options.

# visudo
# visudo -f [other sudo configuration file]
V-72823 No Change
Findings ID: OL6-00-000293 Rule ID: SV-87469r1_rule Severity: medium CCI: CCI-001443

Discussion

The use of wireless networking can introduce many different attack vectors into the organization’s network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.

Checks

This is N/A for systems that do not have wireless network adapters.

Verify that there are no wireless interfaces configured on the system:

# ifconfig -a


eth0 Link encap:Ethernet HWaddr b8:ac:6f:65:31:e5
inet addr:192.168.2.100 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::baac:6fff:fe65:31e5/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2697529 errors:0 dropped:0 overruns:0 frame:0
TX packets:2630541 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2159382827 (2.0 GiB) TX bytes:1389552776 (1.2 GiB)
Interrupt:17

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:2849 errors:0 dropped:0 overruns:0 frame:0
TX packets:2849 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2778290 (2.6 MiB) TX bytes:2778290 (2.6 MiB)


If a wireless interface is configured, it must be documented and approved by the local Authorizing Official.

If a wireless interface is configured and has not been documented and approved, this is a finding.

Fix

Configure the system to disable all wireless network interfaces.
V-81453 No Change
Findings ID: OL6-00-000533 Rule ID: SV-96167r1_rule Severity: medium CCI: CCI-001668

Discussion

Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems.

The virus scanning software should be configured to perform scans dynamically on accessed files. If this capability is not available, the system must be configured to scan, at a minimum, all altered files on the system on a daily basis.

If the system processes inbound SMTP mail, the virus scanner must be configured to scan all received mail.

Checks

Verify an antivirus solution is installed on the system. The anti-virus solution may be bundled with an approved host-based security solution.

If there is no antivirus solution installed on the system, this is a finding.

Fix

Install an antivirus solution on the system.
V-81457 No Change
Findings ID: OL6-00-000530 Rule ID: SV-96171r1_rule Severity: low CCI: CCI-001764

Discussion

The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.

Checks

Verify that the "nodev" option is configured for /dev/shm.

Check that the operating system is configured to use the "nodev" option for /dev/shm with the following command:

# cat /etc/fstab | grep /dev/shm | grep nodev

tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0

If the "nodev" option is not present on the line for "/dev/shm", this is a finding.

Verify "/dev/shm" is mounted with the "nodev" option:

# mount | grep "/dev/shm" | grep nodev

If no results are returned, this is a finding.

Fix

Configure the "/etc/fstab" to use the "nodev" option for all lines containing "/dev/shm".
V-81459 No Change
Findings ID: OL6-00-000531 Rule ID: SV-96173r1_rule Severity: low CCI: CCI-001764

Discussion

The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.

Checks

Verify that the "nosuid" option is configured for /dev/shm.

Check that the operating system is configured to use the "nosuid" option for /dev/shm with the following command:

# cat /etc/fstab | grep /dev/shm | grep nosuid

tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0

If the "nosuid" option is not present on the line for "/dev/shm", this is a finding.

Verify "/dev/shm" is mounted with the "nosuid" option:

# mount | grep "/dev/shm" | grep nosuid

If no results are returned, this is a finding.

Fix

Configure the "/etc/fstab" to use the "nosuid" option for all lines containing "/dev/shm".
V-81461 No Change
Findings ID: OL6-00-000532 Rule ID: SV-96175r1_rule Severity: low CCI: CCI-001764

Discussion

The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.

Checks

Verify that the "noexec" option is configured for /dev/shm.

Check that the operating system is configured to use the "noexec" option for /dev/shm with the following command:

# cat /etc/fstab | grep /dev/shm | grep noexec

tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0

If the "noexec" option is not present on the line for "/dev/shm", this is a finding.

Verify "/dev/shm" is mounted with the "noexec" option:

# mount | grep "/dev/shm" | grep noexec

If no results are returned, this is a finding.

Fix

Configure the "/etc/fstab" to use the "noexec" option for all lines containing "/dev/shm".