Cyber · Trackr The Free Compliance Library
⌘K
DoD Compliance · STIG

Red Hat Enterprise Linux 6 Security Technical Implementation Guide

V1R4 · · · Released 25 Jul 2014 · 261 rules
Compare

Pick two releases to diff their requirements.

View

Open a previous version of this STIG.

The Red Hat Enterprise Linux 6 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.
Sort by
a
Automated file system mounting tools must not be enabled unless needed.
CM-6 - Low - CCI-000366 - V-38437 - SV-50237r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000526
Vuln IDs
  • V-38437
Rule IDs
  • SV-50237r1_rule
All filesystems that are required for the successful operation of the system should be explicitly listed in "/etc/fstab" by an administrator. New filesystems should not be arbitrarily introduced via the automounter. The "autofs" daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as "/misc/cd". However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it is almost always possible to configure filesystem mounts statically by editing "/etc/fstab" rather than relying on the automounter.
Checks: C-45991r1_chk

To verify the "autofs" service is disabled, run the following command: chkconfig --list autofs If properly configured, the output should be the following: autofs 0:off 1:off 2:off 3:off 4:off 5:off 6:off Verify the "autofs" service is not running: # service autofs status If the autofs service is enabled or running, this is a finding.

Fix: F-43381r1_fix

If the "autofs" service is not needed to dynamically mount NFS filesystems or removable media, disable the service for all runlevels: # chkconfig --level 0123456 autofs off Stop the service if it is already running: # service autofs stop

a
Auditing must be enabled at boot by setting a kernel parameter.
AU-12 - Low - CCI-000169 - V-38438 - SV-50238r1_rule
RMF Control
AU-12
Severity
L
CCI
CCI-000169
Version
RHEL-06-000525
Vuln IDs
  • V-38438
Rule IDs
  • SV-50238r1_rule
Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although "auditd" takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.
Checks: C-45992r1_chk

Inspect the kernel boot arguments (which follow the word "kernel") in "/etc/grub.conf". If they include "audit=1", then auditing is enabled at boot time. If auditing is not enabled at boot time, this is a finding.

Fix: F-43382r1_fix

To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument "audit=1" to the kernel line in "/etc/grub.conf", in the manner below: kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1

b
The system must provide automated support for account management functions.
AC-2 - Medium - CCI-000015 - V-38439 - SV-50239r1_rule
RMF Control
AC-2
Severity
M
CCI
CCI-000015
Version
RHEL-06-000524
Vuln IDs
  • V-38439
Rule IDs
  • SV-50239r1_rule
A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. Enterprise environments make user account management challenging and complex. A user management process requiring administrators to manually address account management functions adds risk of potential oversight.
Checks: C-45994r1_chk

Interview the SA to determine if there is an automated system for managing user accounts, preferably integrated with an existing enterprise user management system. If there is not, this is a finding.

Fix: F-43384r1_fix

Implement an automated system for managing user accounts that minimizes the risk of errors, either intentional or deliberate. If possible, this system should integrate with an existing enterprise user management system, such as, one based Active Directory or Kerberos.

b
The /etc/gshadow file must be owned by root.
CM-6 - Medium - CCI-000366 - V-38443 - SV-50243r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000036
Vuln IDs
  • V-38443
Rule IDs
  • SV-50243r1_rule
The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.
Checks: C-45998r1_chk

To check the ownership of "/etc/gshadow", run the command: $ ls -l /etc/gshadow If properly configured, the output should indicate the following owner: "root" If it does not, this is a finding.

Fix: F-43388r1_fix

To properly set the owner of "/etc/gshadow", run the command: # chown root /etc/gshadow

b
The systems local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets.
AC-17 - Medium - CCI-000066 - V-38444 - SV-50244r2_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000066
Version
RHEL-06-000523
Vuln IDs
  • V-38444
Rule IDs
  • SV-50244r2_rule
In "ip6tables" the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to "DROP" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted.
Checks: C-45999r2_chk

If IPv6 is disabled, this is not applicable. Inspect the file "/etc/sysconfig/ip6tables" to determine the default policy for the INPUT chain. It should be set to DROP: # grep ":INPUT" /etc/sysconfig/ip6tables If the default policy for the INPUT chain is not set to DROP, this is a finding.

Fix: F-43389r3_fix

To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in "/etc/sysconfig/ip6tables": :INPUT DROP [0:0] Restart the IPv6 firewall: # service ip6tables restart

b
Audit log files must be group-owned by root.
Medium - V-38445 - SV-50245r1_rule
RMF Control
Severity
M
CCI
Version
RHEL-06-000522
Vuln IDs
  • V-38445
Rule IDs
  • SV-50245r1_rule
If non-privileged users can write to audit logs, audit trails can be modified or destroyed.
Checks: C-46000r1_chk

Run the following command to check the group owner of the system audit logs: grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//|xargs stat -c %G:%n Audit logs must be group-owned by root. If they are not, this is a finding.

Fix: F-43390r1_fix

Change the group owner of the audit log files with the following command: # chgrp root [audit_file]

b
The mail system must forward all mail for root to one or more system administrators.
CM-6 - Medium - CCI-000366 - V-38446 - SV-50246r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000521
Vuln IDs
  • V-38446
Rule IDs
  • SV-50246r1_rule
A number of system services utilize email messages sent to the root user to notify system administrators of active or impending issues. These messages must be forwarded to at least one monitored email address.
Checks: C-46001r1_chk

Find the list of alias maps used by the Postfix mail server: # postconf alias_maps Query the Postfix alias maps for an alias for "root": # postmap -q root <alias_map> If there are no aliases configured for root that forward to a monitored email address, this is a finding.

Fix: F-43391r1_fix

Set up an alias for root that forwards to a monitored email address: # echo "root: <system.administrator>@mail.mil" >> /etc/aliases # newaliases

a
The system package management tool must verify contents of all files associated with packages.
CM-6 - Low - CCI-000366 - V-38447 - SV-50247r2_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000519
Vuln IDs
  • V-38447
Rule IDs
  • SV-50247r2_rule
The hash on important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.
Checks: C-46002r3_chk

The following command will list which files on the system have file hashes different from what is expected by the RPM database. # rpm -Va | awk '$1 ~ /..5/ &amp;&amp; $2 != "c"' If there is output, this is a finding.

Fix: F-43392r1_fix

The RPM package management system can check the hashes of installed software packages, including many that are important to system security. Run the following command to list which files on the system have hashes that differ from what is expected by the RPM database: # rpm -Va | grep '^..5' A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file that has changed was not expected to then refresh from distribution media or online repositories. rpm -Uvh [affected_package] OR yum reinstall [affected_package]

b
The /etc/gshadow file must be group-owned by root.
CM-6 - Medium - CCI-000366 - V-38448 - SV-50248r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000037
Vuln IDs
  • V-38448
Rule IDs
  • SV-50248r1_rule
The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.
Checks: C-46003r1_chk

To check the group ownership of "/etc/gshadow", run the command: $ ls -l /etc/gshadow If properly configured, the output should indicate the following group-owner. "root" If it does not, this is a finding.

Fix: F-43393r1_fix

To properly set the group owner of "/etc/gshadow", run the command: # chgrp root /etc/gshadow

b
The /etc/gshadow file must have mode 0000.
CM-6 - Medium - CCI-000366 - V-38449 - SV-50249r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000038
Vuln IDs
  • V-38449
Rule IDs
  • SV-50249r1_rule
The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.
Checks: C-46004r1_chk

To check the permissions of "/etc/gshadow", run the command: $ ls -l /etc/gshadow If properly configured, the output should indicate the following permissions: "----------" If it does not, this is a finding.

Fix: F-43394r1_fix

To properly set the permissions of "/etc/gshadow", run the command: # chmod 0000 /etc/gshadow

b
The /etc/passwd file must be owned by root.
CM-6 - Medium - CCI-000366 - V-38450 - SV-50250r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000039
Vuln IDs
  • V-38450
Rule IDs
  • SV-50250r1_rule
The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security.
Checks: C-46005r1_chk

To check the ownership of "/etc/passwd", run the command: $ ls -l /etc/passwd If properly configured, the output should indicate the following owner: "root" If it does not, this is a finding.

Fix: F-43395r1_fix

To properly set the owner of "/etc/passwd", run the command: # chown root /etc/passwd

b
The /etc/passwd file must be group-owned by root.
CM-6 - Medium - CCI-000366 - V-38451 - SV-50251r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000040
Vuln IDs
  • V-38451
Rule IDs
  • SV-50251r1_rule
The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security.
Checks: C-46006r1_chk

To check the group ownership of "/etc/passwd", run the command: $ ls -l /etc/passwd If properly configured, the output should indicate the following group-owner. "root" If it does not, this is a finding.

Fix: F-43396r1_fix

To properly set the group owner of "/etc/passwd", run the command: # chgrp root /etc/passwd

a
The system package management tool must verify permissions on all files and directories associated with packages.
CM-6 - Low - CCI-000366 - V-38452 - SV-50252r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000518
Vuln IDs
  • V-38452
Rule IDs
  • SV-50252r1_rule
Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.
Checks: C-46008r1_chk

The following command will list which files and directories on the system have permissions different from what is expected by the RPM database: # rpm -Va | grep '^.M' If there is any output, for each file or directory found, find the associated RPM package and compare the RPM-expected permissions with the actual permissions on the file or directory: # rpm -qf [file or directory name] # rpm -q --queryformat "[%{FILENAMES} %{FILEMODES:perms}\n]" [package] | grep [filename] # ls -lL [filename] If the existing permissions are more permissive than those expected by RPM, this is a finding.

Fix: F-43398r1_fix

The RPM package management system can restore file access permissions of package files and directories. The following command will update permissions on files and directories with permissions different from what is expected by the RPM database: # rpm --setperms [package]

a
The system package management tool must verify group-ownership on all files and directories associated with packages.
CM-6 - Low - CCI-000366 - V-38453 - SV-50253r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000517
Vuln IDs
  • V-38453
Rule IDs
  • SV-50253r1_rule
Group-ownership of system binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The group-ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.
Checks: C-46009r1_chk

The following command will list which files on the system have group-ownership different from what is expected by the RPM database: # rpm -Va | grep '^......G' If there is output, this is a finding.

Fix: F-43399r1_fix

The RPM package management system can restore group-ownership of the package files and directories. The following command will update files and directories with group-ownership different from what is expected by the RPM database: # rpm -qf [file or directory name] # rpm --setugids [package]

a
The system package management tool must verify ownership on all files and directories associated with packages.
CM-6 - Low - CCI-000366 - V-38454 - SV-50254r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000516
Vuln IDs
  • V-38454
Rule IDs
  • SV-50254r1_rule
Ownership of system binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.
Checks: C-46010r1_chk

The following command will list which files on the system have ownership different from what is expected by the RPM database: # rpm -Va | grep '^.....U' If there is output, this is a finding.

Fix: F-43400r1_fix

The RPM package management system can restore ownership of package files and directories. The following command will update files and directories with ownership different from what is expected by the RPM database: # rpm -qf [file or directory name] # rpm --setugids [package]

a
The system must use a separate file system for /tmp.
CM-6 - Low - CCI-000366 - V-38455 - SV-50255r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000001
Vuln IDs
  • V-38455
Rule IDs
  • SV-50255r1_rule
The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.
Checks: C-45997r1_chk

Run the following command to determine if "/tmp" is on its own partition or logical volume: $ mount | grep "on /tmp " If "/tmp" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding.

Fix: F-43387r1_fix

The "/tmp" directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.

a
The system must use a separate file system for /var.
CM-6 - Low - CCI-000366 - V-38456 - SV-50256r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000002
Vuln IDs
  • V-38456
Rule IDs
  • SV-50256r1_rule
Ensuring that "/var" is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the "/var" directory to contain world-writable directories, installed by other software packages.
Checks: C-46011r2_chk

Run the following command to determine if "/var" is on its own partition or logical volume: $ mount | grep "on /var " If "/var" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding.

Fix: F-43401r2_fix

The "/var" directory is used by daemons and other system services to store frequently-changing data. Ensure that "/var" has its own partition or logical volume at installation time, or migrate it using LVM.

b
The /etc/passwd file must have mode 0644 or less permissive.
CM-6 - Medium - CCI-000366 - V-38457 - SV-50257r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000041
Vuln IDs
  • V-38457
Rule IDs
  • SV-50257r1_rule
If the "/etc/passwd" file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.
Checks: C-46007r1_chk

To check the permissions of "/etc/passwd", run the command: $ ls -l /etc/passwd If properly configured, the output should indicate the following permissions: "-rw-r--r--" If it does not, this is a finding.

Fix: F-43397r1_fix

To properly set the permissions of "/etc/passwd", run the command: # chmod 0644 /etc/passwd

b
The /etc/group file must be owned by root.
CM-6 - Medium - CCI-000366 - V-38458 - SV-50258r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000042
Vuln IDs
  • V-38458
Rule IDs
  • SV-50258r1_rule
The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
Checks: C-46013r1_chk

To check the ownership of "/etc/group", run the command: $ ls -l /etc/group If properly configured, the output should indicate the following owner: "root" If it does not, this is a finding.

Fix: F-43403r1_fix

To properly set the owner of "/etc/group", run the command: # chown root /etc/group

b
The /etc/group file must be group-owned by root.
CM-6 - Medium - CCI-000366 - V-38459 - SV-50259r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000043
Vuln IDs
  • V-38459
Rule IDs
  • SV-50259r1_rule
The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
Checks: C-46014r1_chk

To check the group ownership of "/etc/group", run the command: $ ls -l /etc/group If properly configured, the output should indicate the following group-owner. "root" If it does not, this is a finding.

Fix: F-43404r1_fix

To properly set the group owner of "/etc/group", run the command: # chgrp root /etc/group

a
The NFS server must not have the all_squash option enabled.
IA-2 - Low - CCI-000764 - V-38460 - SV-50260r1_rule
RMF Control
IA-2
Severity
L
CCI
CCI-000764
Version
RHEL-06-000515
Vuln IDs
  • V-38460
Rule IDs
  • SV-50260r1_rule
The "all_squash" option maps all client requests to a single anonymous uid/gid on the NFS server, negating the ability to track file access by user ID.
Checks: C-46016r1_chk

If the NFS server is read-only, in support of unrestricted access to organizational content, this is not applicable. The related "root_squash" option provides protection against remote administrator-level access to NFS server content. Its use is not a finding. To verify the "all_squash" option has been disabled, run the following command: # grep all_squash /etc/exports If there is output, this is a finding.

Fix: F-43405r1_fix

Remove any instances of the "all_squash" option from the file "/etc/exports". Restart the NFS daemon for the changes to take effect. # service nfs restart

b
The /etc/group file must have mode 0644 or less permissive.
CM-6 - Medium - CCI-000366 - V-38461 - SV-50261r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000044
Vuln IDs
  • V-38461
Rule IDs
  • SV-50261r1_rule
The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
Checks: C-46015r1_chk

To check the permissions of "/etc/group", run the command: $ ls -l /etc/group If properly configured, the output should indicate the following permissions: "-rw-r--r--" If it does not, this is a finding.

Fix: F-43406r1_fix

To properly set the permissions of "/etc/group", run the command: # chmod 644 /etc/group

c
The RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
CM-5 - High - CCI-000352 - V-38462 - SV-50262r1_rule
RMF Control
CM-5
Severity
H
CCI
CCI-000352
Version
RHEL-06-000514
Vuln IDs
  • V-38462
Rule IDs
  • SV-50262r1_rule
Ensuring all packages' cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering.
Checks: C-46017r1_chk

Verify RPM signature validation is not disabled: # grep nosignature /etc/rpmrc /usr/lib/rpm/rpmrc /usr/lib/rpm/redhat/rpmrc ~root/.rpmrc If any configuration is found, this is a finding.

Fix: F-43407r1_fix

Edit the RPM configuration files containing the "nosignature" option and remove the option.

a
The system must use a separate file system for /var/log.
CM-6 - Low - CCI-000366 - V-38463 - SV-50263r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000003
Vuln IDs
  • V-38463
Rule IDs
  • SV-50263r1_rule
Placing "/var/log" in its own partition enables better separation between log files and other files in "/var/".
Checks: C-46018r1_chk

Run the following command to determine if "/var/log" is on its own partition or logical volume: $ mount | grep "on /var/log " If "/var/log" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding.

Fix: F-43408r1_fix

System logs are stored in the "/var/log" directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM.

b
The audit system must take appropriate action when there are disk errors on the audit storage volume.
AU-5 - Medium - CCI-000140 - V-38464 - SV-50264r1_rule
RMF Control
AU-5
Severity
M
CCI
CCI-000140
Version
RHEL-06-000511
Vuln IDs
  • V-38464
Rule IDs
  • SV-50264r1_rule
Taking appropriate action in case of disk errors will minimize the possibility of losing audit records.
Checks: C-46020r1_chk

Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to take appropriate action when disk errors occur: # grep disk_error_action /etc/audit/auditd.conf disk_error_action = [ACTION] If the system is configured to "suspend" when disk errors occur or "ignore" them, this is a finding.

Fix: F-43410r1_fix

Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [ACTION] appropriately: disk_error_action = [ACTION] Possible values for [ACTION] are described in the "auditd.conf" man page. These include: "ignore" "syslog" "exec" "suspend" "single" "halt" Set this to "syslog", "exec", "single", or "halt".

b
Library files must have mode 0755 or less permissive.
CM-5 - Medium - CCI-001499 - V-38465 - SV-50265r3_rule
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
RHEL-06-000045
Vuln IDs
  • V-38465
Rule IDs
  • SV-50265r3_rule
Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system.
Checks: C-46019r4_chk

System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 Kernel modules, which can be added to the kernel during runtime, are stored in "/lib/modules". All files in these directories should not be group-writable or world-writable. To find shared libraries that are group-writable or world-writable, run the following command for each directory [DIR] which contains shared libraries: $ find -L [DIR] -perm /022 -type f If any of these files (excluding broken symlinks) are group-writable or world-writable, this is a finding.

Fix: F-43409r2_fix

System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command: # chmod go-w [FILE]

b
Library files must be owned by root.
CM-5 - Medium - CCI-001499 - V-38466 - SV-50266r1_rule
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
RHEL-06-000046
Vuln IDs
  • V-38466
Rule IDs
  • SV-50266r1_rule
Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system.
Checks: C-46021r1_chk

System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 Kernel modules, which can be added to the kernel during runtime, are stored in "/lib/modules". All files in these directories should not be group-writable or world-writable. To find shared libraries that are not owned by "root", run the following command for each directory [DIR] which contains shared libraries: $ find -L [DIR] \! -user root If any of these files are not owned by root, this is a finding.

Fix: F-43411r1_fix

System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 If any file in these directories is found to be owned by a user other than root, correct its ownership with the following command: # chown root [FILE]

a
The system must use a separate file system for the system audit data path.
AU-4 - Low - CCI-000137 - V-38467 - SV-50267r1_rule
RMF Control
AU-4
Severity
L
CCI
CCI-000137
Version
RHEL-06-000004
Vuln IDs
  • V-38467
Rule IDs
  • SV-50267r1_rule
Placing "/var/log/audit" in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.
Checks: C-46022r1_chk

Run the following command to determine if "/var/log/audit" is on its own partition or logical volume: $ mount | grep "on /var/log/audit " If "/var/log/audit" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding.

Fix: F-43412r1_fix

Audit logs are stored in the "/var/log/audit" directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.

b
The audit system must take appropriate action when the audit storage volume is full.
AU-5 - Medium - CCI-000140 - V-38468 - SV-50268r1_rule
RMF Control
AU-5
Severity
M
CCI
CCI-000140
Version
RHEL-06-000510
Vuln IDs
  • V-38468
Rule IDs
  • SV-50268r1_rule
Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.
Checks: C-46023r1_chk

Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to take appropriate action when the audit storage volume is full: # grep disk_full_action /etc/audit/auditd.conf disk_full_action = [ACTION] If the system is configured to "suspend" when the volume is full or "ignore" that it is full, this is a finding.

Fix: F-43413r1_fix

The "auditd" service can be configured to take an action when disk space starts to run low. Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [ACTION] appropriately: disk_full_action = [ACTION] Possible values for [ACTION] are described in the "auditd.conf" man page. These include: "ignore" "syslog" "exec" "suspend" "single" "halt" Set this to "syslog", "exec", "single", or "halt".

b
All system command files must have mode 0755 or less permissive.
CM-5 - Medium - CCI-001499 - V-38469 - SV-50269r2_rule
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
RHEL-06-000047
Vuln IDs
  • V-38469
Rule IDs
  • SV-50269r2_rule
System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.
Checks: C-46024r2_chk

System executables are stored in the following directories by default: /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin All files in these directories should not be group-writable or world-writable. To find system executables that are group-writable or world-writable, run the following command for each directory [DIR] which contains system executables: $ find -L [DIR] -perm /022 -type f If any system executables are found to be group-writable or world-writable, this is a finding.

Fix: F-43414r1_fix

System executables are stored in the following directories by default: /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command: # chmod go-w [FILE]

b
The audit system must alert designated staff members when the audit storage volume approaches capacity.
AU-4 - Medium - CCI-000138 - V-38470 - SV-50270r1_rule
RMF Control
AU-4
Severity
M
CCI
CCI-000138
Version
RHEL-06-000005
Vuln IDs
  • V-38470
Rule IDs
  • SV-50270r1_rule
Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.
Checks: C-46025r1_chk

Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to email the administrator when disk space is starting to run low: # grep space_left_action /etc/audit/auditd.conf space_left_action = email If the system is not configured to send an email to the system administrator when disk space is starting to run low, this is a finding.

Fix: F-43415r1_fix

The "auditd" service can be configured to take an action when disk space starts to run low. Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [ACTION] appropriately: space_left_action = [ACTION] Possible values for [ACTION] are described in the "auditd.conf" man page. These include: "ignore" "syslog" "email" "exec" "suspend" "single" "halt" Set this to "email" (instead of the default, which is "suspend") as it is more likely to get prompt attention. RHEL-06-000521 ensures that the email generated through the operation "space_left_action" will be sent to an administrator.

a
The system must forward audit records to the syslog service.
AU-3 - Low - CCI-000136 - V-38471 - SV-50271r1_rule
RMF Control
AU-3
Severity
L
CCI
CCI-000136
Version
RHEL-06-000509
Vuln IDs
  • V-38471
Rule IDs
  • SV-50271r1_rule
The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include an audit event multiplexor plugin (audispd) to pass audit records to the local syslog server.
Checks: C-46026r1_chk

Verify the audispd plugin is active: # grep active /etc/audisp/plugins.d/syslog.conf If the "active" setting is missing or set to "no", this is a finding.

Fix: F-43416r1_fix

Set the "active" line in "/etc/audisp/plugins.d/syslog.conf" to "yes". Restart the auditd process. # service auditd restart

b
All system command files must be owned by root.
CM-5 - Medium - CCI-001499 - V-38472 - SV-50272r1_rule
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
RHEL-06-000048
Vuln IDs
  • V-38472
Rule IDs
  • SV-50272r1_rule
System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted.
Checks: C-46027r1_chk

System executables are stored in the following directories by default: /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin All files in these directories should not be group-writable or world-writable. To find system executables that are not owned by "root", run the following command for each directory [DIR] which contains system executables: $ find -L [DIR] \! -user root If any system executables are found to not be owned by root, this is a finding.

Fix: F-43417r1_fix

System executables are stored in the following directories by default: /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin If any file [FILE] in these directories is found to be owned by a user other than root, correct its ownership with the following command: # chown root [FILE]

a
The system must use a separate file system for user home directories.
CM-6 - Low - CCI-000366 - V-38473 - SV-50273r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000007
Vuln IDs
  • V-38473
Rule IDs
  • SV-50273r1_rule
Ensuring that "/home" is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.
Checks: C-46028r1_chk

Run the following command to determine if "/home" is on its own partition or logical volume: $ mount | grep "on /home " If "/home" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding.

Fix: F-43418r1_fix

If user home directories will be stored locally, create a separate partition for "/home" at installation time (or migrate it later using LVM). If "/home" will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.

a
The system must allow locking of graphical desktop sessions.
AC-11 - Low - CCI-000058 - V-38474 - SV-50274r1_rule
RMF Control
AC-11
Severity
L
CCI
CCI-000058
Version
RHEL-06-000508
Vuln IDs
  • V-38474
Rule IDs
  • SV-50274r1_rule
The ability to lock graphical desktop sessions manually allows users to easily secure their accounts should they need to depart from their workstations temporarily.
Checks: C-46030r1_chk

Verify the keybindings for the Gnome screensaver: # gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome_settings_daemon/keybindings/screensaver If no output is visible, this is a finding.

Fix: F-43420r1_fix

Run the following command to set the Gnome desktop keybinding for locking the screen: # gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type string \ --set /apps/gnome_settings_daemon/keybindings/screensaver "<Control><Alt>l" Another keyboard sequence may be substituted for "<Control><Alt>l", which is the default for the Gnome desktop.

b
The system must require passwords to contain a minimum of 14 characters.
IA-5 - Medium - CCI-000205 - V-38475 - SV-50275r1_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000205
Version
RHEL-06-000050
Vuln IDs
  • V-38475
Rule IDs
  • SV-50275r1_rule
Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result. While it does not negate the password length requirement, it is preferable to migrate from a password-based authentication scheme to a stronger one based on PKI (public key infrastructure).
Checks: C-46029r1_chk

To check the minimum password length, run the command: $ grep PASS_MIN_LEN /etc/login.defs The DoD requirement is "14". If it is not set to the required value, this is a finding.

Fix: F-43419r1_fix

To specify password length requirements for new accounts, edit the file "/etc/login.defs" and add or correct the following lines: PASS_MIN_LEN 14 The DoD requirement is "14". If a program consults "/etc/login.defs" and also another PAM module (such as "pam_cracklib") during a password change operation, then the most restrictive must be satisfied.

c
Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
CM-5 - High - CCI-000352 - V-38476 - SV-50276r2_rule
RMF Control
CM-5
Severity
H
CCI
CCI-000352
Version
RHEL-06-000008
Vuln IDs
  • V-38476
Rule IDs
  • SV-50276r2_rule
The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat.
Checks: C-46031r2_chk

To ensure that the GPG key is installed, run: $ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey The command should return the string below: gpg(Red Hat, Inc. (release key 2) &lt;security@redhat.com&gt; If the Red Hat GPG Key is not installed, this is a finding.

Fix: F-43421r2_fix

To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must properly be installed. To install the Red Hat GPG key, run: # rhn_register If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in "/media/cdrom", use the following command as the root user to import it into the keyring: # rpm --import /media/cdrom/RPM-GPG-KEY

b
Users must not be able to change passwords more than once every 24 hours.
IA-5 - Medium - CCI-000198 - V-38477 - SV-50277r1_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000198
Version
RHEL-06-000051
Vuln IDs
  • V-38477
Rule IDs
  • SV-50277r1_rule
Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.
Checks: C-46032r1_chk

To check the minimum password age, run the command: $ grep PASS_MIN_DAYS /etc/login.defs The DoD requirement is 1. If it is not set to the required value, this is a finding.

Fix: F-43422r1_fix

To specify password minimum age for new accounts, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately: PASS_MIN_DAYS [DAYS] A value of 1 day is considered sufficient for many environments. The DoD requirement is 1.

a
The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite.
CM-7 - Low - CCI-000382 - V-38478 - SV-50278r2_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000382
Version
RHEL-06-000009
Vuln IDs
  • V-38478
Rule IDs
  • SV-50278r2_rule
Although systems management and patching is extremely important to system security, management by a system outside the enterprise enclave is not desirable for some environments. However, if the system is being managed by RHN or RHN Satellite Server the "rhnsd" daemon can remain on.
Checks: C-46033r2_chk

If the system uses RHN or an RHN Satellite, this is not applicable. To check that the "rhnsd" service is disabled in system boot configuration, run the following command: # chkconfig "rhnsd" --list Output should indicate the "rhnsd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "rhnsd" --list "rhnsd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "rhnsd" is disabled through current runtime configuration: # service rhnsd status If the service is disabled the command will return the following output: rhnsd is stopped If the service is running, this is a finding.

Fix: F-43423r2_fix

The Red Hat Network service automatically queries Red Hat Network servers to determine whether there are any actions that should be executed, such as package updates. This only occurs if the system was registered to an RHN server or satellite and managed as such. The "rhnsd" service can be disabled with the following commands: # chkconfig rhnsd off # service rhnsd stop

b
User passwords must be changed at least every 60 days.
IA-5 - Medium - CCI-000199 - V-38479 - SV-50279r1_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000199
Version
RHEL-06-000053
Vuln IDs
  • V-38479
Rule IDs
  • SV-50279r1_rule
Setting the password maximum age ensures users are required to periodically change their passwords. This could possibly decrease the utility of a stolen password. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.
Checks: C-46034r1_chk

To check the maximum password age, run the command: $ grep PASS_MAX_DAYS /etc/login.defs The DoD requirement is 60. If it is not set to the required value, this is a finding.

Fix: F-43424r1_fix

To specify password maximum age for new accounts, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately: PASS_MAX_DAYS [DAYS] The DoD requirement is 60.

a
Users must be warned 7 days in advance of password expiration.
CM-6 - Low - CCI-000366 - V-38480 - SV-50280r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000054
Vuln IDs
  • V-38480
Rule IDs
  • SV-50280r1_rule
Setting the password warning age enables users to make the change at a practical time.
Checks: C-46035r1_chk

To check the password warning age, run the command: $ grep PASS_WARN_AGE /etc/login.defs The DoD requirement is 7. If it is not set to the required value, this is a finding.

Fix: F-43425r1_fix

To specify how many days prior to password expiration that a warning will be issued to users, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately: PASS_WARN_AGE [DAYS] The DoD requirement is 7.

b
System security patches and updates must be installed and up-to-date.
SI-2 - Medium - CCI-001233 - V-38481 - SV-50281r1_rule
RMF Control
SI-2
Severity
M
CCI
CCI-001233
Version
RHEL-06-000011
Vuln IDs
  • V-38481
Rule IDs
  • SV-50281r1_rule
Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities.
Checks: C-46036r1_chk

If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server which provides updates, invoking the following command will indicate if updates are available: # yum check-update If the system is not configured to update from one of these sources, run the following command to list when each package was last updated: $ rpm -qa -last Compare this to Red Hat Security Advisories (RHSA) listed at https://access.redhat.com/security/updates/active/ to determine whether the system is missing applicable security and bugfix updates. If updates are not installed, this is a finding.

Fix: F-43426r1_fix

If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates: # yum update If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the Red Hat Network and installed using "rpm".

a
The system must require passwords to contain at least one numeric character.
IA-5 - Low - CCI-000194 - V-38482 - SV-50282r1_rule
RMF Control
IA-5
Severity
L
CCI
CCI-000194
Version
RHEL-06-000056
Vuln IDs
  • V-38482
Rule IDs
  • SV-50282r1_rule
Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.
Checks: C-46037r1_chk

To check how many digits are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth The "dcredit" parameter (as a negative number) will indicate how many digits are required. The DoD requires at least one digit in a password. This would appear as "dcredit=-1". If dcredit is not found or not set to the required value, this is a finding.

Fix: F-43427r1_fix

The pam_cracklib module's "dcredit" parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional length credit for each digit. Add "dcredit=-1" after pam_cracklib.so to require use of a digit in passwords.

b
The system package management tool must cryptographically verify the authenticity of system software packages during installation.
SA-7 - Medium - CCI-000663 - V-38483 - SV-50283r1_rule
RMF Control
SA-7
Severity
M
CCI
CCI-000663
Version
RHEL-06-000013
Vuln IDs
  • V-38483
Rule IDs
  • SV-50283r1_rule
Ensuring the validity of packages' cryptographic signatures prior to installation ensures the provenance of the software and protects against malicious tampering.
Checks: C-46039r1_chk

To determine whether "yum" is configured to use "gpgcheck", inspect "/etc/yum.conf" and ensure the following appears in the "[main]" section: gpgcheck=1 A value of "1" indicates that "gpgcheck" is enabled. Absence of a "gpgcheck" line or a setting of "0" indicates that it is disabled. If GPG checking is not enabled, this is a finding. If the "yum" system package management tool is not used to update the system, verify with the SA that installed packages are cryptographically signed.

Fix: F-43429r1_fix

The "gpgcheck" option should be used to ensure checking of an RPM package's signature always occurs prior to its installation. To configure yum to check package signatures before installing them, ensure the following line appears in "/etc/yum.conf" in the "[main]" section: gpgcheck=1

b
The operating system, upon successful logon, must display to the user the date and time of the last logon or access via ssh.
AC-9 - Medium - CCI-000052 - V-38484 - SV-50285r1_rule
RMF Control
AC-9
Severity
M
CCI
CCI-000052
Version
RHEL-06-000507
Vuln IDs
  • V-38484
Rule IDs
  • SV-50285r1_rule
Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. At ssh login, a user must be presented with the last successful login date and time.
Checks: C-46041r1_chk

Verify the value associated with the "PrintLastLog" keyword in /etc/ssh/sshd_config: # grep -i PrintLastLog /etc/ssh/sshd_config If the value is not set to "yes", this is a finding. If the "PrintLastLog" keyword is not present, this is not a finding.

Fix: F-43431r1_fix

Update the "PrintLastLog" keyword to "yes" in /etc/ssh/sshd_config: PrintLastLog yes While it is acceptable to remove the keyword entirely since the default action for the SSH daemon is to print the last login date and time, it is preferred to have the value explicitly documented.

b
The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.
CP-9 - Medium - CCI-000537 - V-38486 - SV-50287r1_rule
RMF Control
CP-9
Severity
M
CCI
CCI-000537
Version
RHEL-06-000505
Vuln IDs
  • V-38486
Rule IDs
  • SV-50287r1_rule
Operating system backup is a critical step in maintaining data assurance and availability. System-level information includes system-state information, operating system and application software, and licenses. Backups must be consistent with organizational recovery time and recovery point objectives.
Checks: C-46044r1_chk

Ask an administrator if a process exists to back up OS data from the system, including configuration data. If such a process does not exist, this is a finding.

Fix: F-43434r1_fix

Procedures to back up OS data from the system must be established and executed. The Red Hat operating system provides utilities for automating such a process. Commercial and open-source products are also available. Implement a process whereby OS data is backed up from the system in accordance with local policies.

a
The system package management tool must cryptographically verify the authenticity of all software packages during installation.
SA-7 - Low - CCI-000663 - V-38487 - SV-50288r1_rule
RMF Control
SA-7
Severity
L
CCI
CCI-000663
Version
RHEL-06-000015
Vuln IDs
  • V-38487
Rule IDs
  • SV-50288r1_rule
Ensuring all packages' cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering.
Checks: C-46043r1_chk

To determine whether "yum" has been configured to disable "gpgcheck" for any repos, inspect all files in "/etc/yum.repos.d" and ensure the following does not appear in any sections: gpgcheck=0 A value of "0" indicates that "gpgcheck" has been disabled for that repo. If GPG checking is disabled, this is a finding. If the "yum" system package management tool is not used to update the system, verify with the SA that installed packages are cryptographically signed.

Fix: F-43433r1_fix

To ensure signature checking is not disabled for any repos, remove any lines from files in "/etc/yum.repos.d" of the form: gpgcheck=0

b
The operating system must conduct backups of user-level information contained in the operating system per organization defined frequency to conduct backups consistent with recovery time and recovery point objectives.
CP-9 - Medium - CCI-000535 - V-38488 - SV-50289r1_rule
RMF Control
CP-9
Severity
M
CCI
CCI-000535
Version
RHEL-06-000504
Vuln IDs
  • V-38488
Rule IDs
  • SV-50289r1_rule
Operating system backup is a critical step in maintaining data assurance and availability. User-level information is data generated by information system and/or application users. Backups shall be consistent with organizational recovery time and recovery point objectives.
Checks: C-46045r1_chk

Ask an administrator if a process exists to back up user data from the system. If such a process does not exist, this is a finding.

Fix: F-43435r1_fix

Procedures to back up user data from the system must be established and executed. The Red Hat operating system provides utilities for automating such a process. Commercial and open-source products are also available. Implement a process whereby user data is backed up from the system in accordance with local policies.

b
A file integrity tool must be installed.
RA-5 - Medium - CCI-001069 - V-38489 - SV-50290r1_rule
RMF Control
RA-5
Severity
M
CCI
CCI-001069
Version
RHEL-06-000016
Vuln IDs
  • V-38489
Rule IDs
  • SV-50290r1_rule
The AIDE package must be installed if it is to be available for integrity checking.
Checks: C-46046r1_chk

If another file integrity tool is installed, this is not a finding. Run the following command to determine if the "aide" package is installed: # rpm -q aide If the package is not installed, this is a finding.

Fix: F-43436r1_fix

Install the AIDE package with the command: # yum install aide

b
The operating system must enforce requirements for the connection of mobile devices to operating systems.
Medium - V-38490 - SV-50291r2_rule
RMF Control
Severity
M
CCI
Version
RHEL-06-000503
Vuln IDs
  • V-38490
Rule IDs
  • SV-50291r2_rule
USB storage devices such as thumb drives can be used to introduce unauthorized software and other vulnerabilities. Support for these devices should be disabled and the devices themselves should be tightly controlled.
Checks: C-46047r2_chk

If the system is configured to prevent the loading of the "usb-storage" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/false") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": $ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d If no line is returned, this is a finding.

Fix: F-43437r2_fix

To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the "usb-storage" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install usb-storage /bin/false This will prevent the "modprobe" program from loading the "usb-storage" module, but will not prevent an administrator (or another program) from using the "insmod" program to load the module manually.

c
There must be no .rhosts or hosts.equiv files on the system.
AC-17 - High - CCI-001436 - V-38491 - SV-50292r1_rule
RMF Control
AC-17
Severity
H
CCI
CCI-001436
Version
RHEL-06-000019
Vuln IDs
  • V-38491
Rule IDs
  • SV-50292r1_rule
Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system.
Checks: C-46048r1_chk

The existence of the file "/etc/hosts.equiv" or a file named ".rhosts" inside a user home directory indicates the presence of an Rsh trust relationship. If these files exist, this is a finding.

Fix: F-43438r1_fix

The files "/etc/hosts.equiv" and "~/.rhosts" (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To remove these files, run the following command to delete them from any location. # rm /etc/hosts.equiv $ rm ~/.rhosts

b
The system must prevent the root account from logging in from virtual consoles.
IA-2 - Medium - CCI-000770 - V-38492 - SV-50293r1_rule
RMF Control
IA-2
Severity
M
CCI
CCI-000770
Version
RHEL-06-000027
Vuln IDs
  • V-38492
Rule IDs
  • SV-50293r1_rule
Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account.
Checks: C-46049r1_chk

To check for virtual console entries which permit root login, run the following command: # grep '^vc/[0-9]' /etc/securetty If any output is returned, then root logins over virtual console devices is permitted. If root login over virtual console devices is permitted, this is a finding.

Fix: F-43439r2_fix

To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in "/etc/securetty": vc/1 vc/2 vc/3 vc/4 Note: Virtual console entries are not limited to those listed above. Any lines starting with "vc/" followed by numerals should be removed.

b
Audit log directories must have mode 0755 or less permissive.
AU-9 - Medium - CCI-000164 - V-38493 - SV-50294r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000164
Version
RHEL-06-000385
Vuln IDs
  • V-38493
Rule IDs
  • SV-50294r1_rule
If users can delete audit logs, audit trails can be modified or destroyed.
Checks: C-46050r1_chk

Run the following command to check the mode of the system audit directories: grep "^log_file" /etc/audit/auditd.conf|sed 's/^[^/]*//; s/[^/]*$//'|xargs stat -c %a:%n Audit directories must be mode 0755 or less permissive. If any are more permissive, this is a finding.

Fix: F-43440r1_fix

Change the mode of the audit log directories with the following command: # chmod go-w [audit_directory]

a
The system must prevent the root account from logging in from serial consoles.
IA-2 - Low - CCI-000770 - V-38494 - SV-50295r1_rule
RMF Control
IA-2
Severity
L
CCI
CCI-000770
Version
RHEL-06-000028
Vuln IDs
  • V-38494
Rule IDs
  • SV-50295r1_rule
Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account.
Checks: C-46051r1_chk

To check for serial port entries which permit root login, run the following command: # grep '^ttyS[0-9]' /etc/securetty If any output is returned, then root login over serial ports is permitted. If root login over serial ports is permitted, this is a finding.

Fix: F-43441r1_fix

To restrict root logins on serial ports, ensure lines of this form do not appear in "/etc/securetty": ttyS0 ttyS1 Note: Serial port entries are not limited to those listed above. Any lines starting with "ttyS" followed by numerals should be removed

b
Audit log files must be owned by root.
AU-9 - Medium - CCI-000162 - V-38495 - SV-50296r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000162
Version
RHEL-06-000384
Vuln IDs
  • V-38495
Rule IDs
  • SV-50296r1_rule
If non-privileged users can write to audit logs, audit trails can be modified or destroyed.
Checks: C-46053r1_chk

Run the following command to check the owner of the system audit logs: grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//|xargs stat -c %U:%n Audit logs must be owned by root. If they are not, this is a finding.

Fix: F-43443r1_fix

Change the owner of the audit log files with the following command: # chown root [audit_file]

b
Default operating system accounts, other than root, must be locked.
CM-6 - Medium - CCI-000366 - V-38496 - SV-50297r2_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000029
Vuln IDs
  • V-38496
Rule IDs
  • SV-50297r2_rule
Disabling authentication for default system accounts makes it more difficult for attackers to make use of them to compromise a system.
Checks: C-46052r1_chk

To obtain a listing of all users and the contents of their shadow password field, run the command: $ awk -F: '{print $1 ":" $2}' /etc/shadow Identify the system accounts from this listing. These will primarily be the accounts with UID numbers less than 500, other than root. If any system account (other than root) has a valid password hash, this is a finding.

Fix: F-43442r1_fix

Some accounts are not associated with a human user of the system, and exist to perform some administrative function. An attacker should not be able to log into these accounts. Disable login access to these accounts with the command: # passwd -l [SYSACCT]

c
The system must not have accounts configured with blank or null passwords.
CM-6 - High - CCI-000366 - V-38497 - SV-50298r1_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
RHEL-06-000030
Vuln IDs
  • V-38497
Rule IDs
  • SV-50298r1_rule
If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
Checks: C-46054r1_chk

To verify that null passwords cannot be used, run the following command: # grep nullok /etc/pam.d/system-auth /etc/pam.d/system-auth-ac If this produces any output, it may be possible to log into accounts with empty passwords. If NULL passwords can be used, this is a finding.

Fix: F-43444r1_fix

If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the "nullok" option in "/etc/pam.d/system-auth-ac" to prevent logins with empty passwords.

b
Audit log files must have mode 0640 or less permissive.
AU-9 - Medium - CCI-000163 - V-38498 - SV-50299r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000163
Version
RHEL-06-000383
Vuln IDs
  • V-38498
Rule IDs
  • SV-50299r1_rule
If users can write to audit logs, audit trails can be modified or destroyed.
Checks: C-46055r1_chk

Run the following command to check the mode of the system audit logs: grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//|xargs stat -c %a:%n Audit logs must be mode 0640 or less permissive. If any are more permissive, this is a finding.

Fix: F-43445r1_fix

Change the mode of the audit log files with the following command: # chmod 0640 [audit_file]

b
The /etc/passwd file must not contain password hashes.
CM-6 - Medium - CCI-000366 - V-38499 - SV-50300r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000031
Vuln IDs
  • V-38499
Rule IDs
  • SV-50300r1_rule
The hashes for all user account passwords should be stored in the file "/etc/shadow" and never in "/etc/passwd", which is readable by all users.
Checks: C-46056r1_chk

To check that no password hashes are stored in "/etc/passwd", run the following command: # awk -F: '($2 != "x") {print}' /etc/passwd If it produces any output, then a password hash is stored in "/etc/passwd". If any stored hashes are found in /etc/passwd, this is a finding.

Fix: F-43446r1_fix

If any password hashes are stored in "/etc/passwd" (in the second field, instead of an "x"), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely.

b
The root account must be the only account having a UID of 0.
CM-6 - Medium - CCI-000366 - V-38500 - SV-50301r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000032
Vuln IDs
  • V-38500
Rule IDs
  • SV-50301r1_rule
An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.
Checks: C-46057r1_chk

To list all password file entries for accounts with UID 0, run the following command: # awk -F: '($3 == "0") {print}' /etc/passwd This should print only one line, for the user root. If any account other than root has a UID of 0, this is a finding.

Fix: F-43447r1_fix

If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.

b
The system must disable accounts after excessive login failures within a 15-minute interval.
AC-7 - Medium - CCI-001452 - V-38501 - SV-50302r2_rule
RMF Control
AC-7
Severity
M
CCI
CCI-001452
Version
RHEL-06-000357
Vuln IDs
  • V-38501
Rule IDs
  • SV-50302r2_rule
Locking out user accounts after a number of incorrect attempts within a specific period of time prevents direct password guessing attacks.
Checks: C-46058r1_chk

To ensure the failed password attempt policy is configured correctly, run the following command: # grep pam_faillock /etc/pam.d/system-auth-ac The output should show "fail_interval=&lt;interval-in-seconds&gt;" where "interval-in-seconds" is 900 (15 minutes) or greater. If the "fail_interval" parameter is not set, the default setting of 900 seconds is acceptable. If that is not the case, this is a finding.

Fix: F-43448r2_fix

To configure the system to lock out accounts after a number of incorrect login attempts within a 15-minute interval using "pam_faillock.so": Add the following lines immediately below the "pam_unix.so" statement in the AUTH section of "/etc/pam.d/system-auth-ac": auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900 auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900 Note that any updates made to "/etc/pam.d/system-auth-ac" will be overwritten by the "authconfig" program. The "authconfig" program should not be used.

b
The /etc/shadow file must be owned by root.
CM-6 - Medium - CCI-000366 - V-38502 - SV-50303r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000033
Vuln IDs
  • V-38502
Rule IDs
  • SV-50303r1_rule
The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.
Checks: C-46059r1_chk

To check the ownership of "/etc/shadow", run the command: $ ls -l /etc/shadow If properly configured, the output should indicate the following owner: "root" If it does not, this is a finding.

Fix: F-43449r1_fix

To properly set the owner of "/etc/shadow", run the command: # chown root /etc/shadow

b
The /etc/shadow file must be group-owned by root.
CM-6 - Medium - CCI-000366 - V-38503 - SV-50304r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000034
Vuln IDs
  • V-38503
Rule IDs
  • SV-50304r1_rule
The "/etc/shadow" file stores password hashes. Protection of this file is critical for system security.
Checks: C-46060r1_chk

To check the group ownership of "/etc/shadow", run the command: $ ls -l /etc/shadow If properly configured, the output should indicate the following group-owner. "root" If it does not, this is a finding.

Fix: F-43450r1_fix

To properly set the group owner of "/etc/shadow", run the command: # chgrp root /etc/shadow

b
The /etc/shadow file must have mode 0000.
CM-6 - Medium - CCI-000366 - V-38504 - SV-50305r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000035
Vuln IDs
  • V-38504
Rule IDs
  • SV-50305r1_rule
The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.
Checks: C-46061r2_chk

To check the permissions of "/etc/shadow", run the command: $ ls -l /etc/shadow If properly configured, the output should indicate the following permissions: "----------" If it does not, this is a finding.

Fix: F-43451r1_fix

To properly set the permissions of "/etc/shadow", run the command: # chmod 0000 /etc/shadow

b
IP forwarding for IPv4 must not be enabled, unless the system is a router.
CM-6 - Medium - CCI-000366 - V-38511 - SV-50312r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000082
Vuln IDs
  • V-38511
Rule IDs
  • SV-50312r1_rule
IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for routers.
Checks: C-46068r2_chk

If the system serves as a router, this is not applicable. The status of the "net.ipv4.ip_forward" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.ip_forward The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". If the correct value is not returned, this is a finding.

Fix: F-43458r2_fix

To set the runtime status of the "net.ipv4.ip_forward" kernel parameter, run the following command: # sysctl -w net.ipv4.ip_forward=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.ip_forward = 0

b
The operating system must prevent public IPv4 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.
SC-7 - Medium - CCI-001100 - V-38512 - SV-50313r2_rule
RMF Control
SC-7
Severity
M
CCI
CCI-001100
Version
RHEL-06-000117
Vuln IDs
  • V-38512
Rule IDs
  • SV-50313r2_rule
The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP.
Checks: C-46069r2_chk

If the system is a cross-domain system, this is not applicable. Run the following command to determine the current status of the "iptables" service: # service iptables status If the service is not running, it should return the following: iptables: Firewall is not running. If the service is not running, this is a finding.

Fix: F-43459r2_fix

The "iptables" service can be enabled with the following commands: # chkconfig iptables on # service iptables start

b
The systems local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets.
AC-17 - Medium - CCI-000066 - V-38513 - SV-50314r1_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000066
Version
RHEL-06-000120
Vuln IDs
  • V-38513
Rule IDs
  • SV-50314r1_rule
In "iptables" the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to "DROP" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted.
Checks: C-46070r1_chk

Inspect the file "/etc/sysconfig/iptables" to determine the default policy for the INPUT chain. It should be set to DROP. # grep ":INPUT" /etc/sysconfig/iptables If the default policy for the INPUT chain is not set to DROP, this is a finding.

Fix: F-43460r1_fix

To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in "/etc/sysconfig/iptables": :INPUT DROP [0:0]

b
The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.
CM-7 - Medium - CCI-000382 - V-38514 - SV-50315r2_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000382
Version
RHEL-06-000124
Vuln IDs
  • V-38514
Rule IDs
  • SV-50315r2_rule
Disabling DCCP protects the system against exploitation of any flaws in its implementation.
Checks: C-46071r2_chk

If the system is configured to prevent the loading of the "dccp" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/false") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": $ grep -r dccp /etc/modprobe.conf /etc/modprobe.d If no line is returned, this is a finding.

Fix: F-43461r2_fix

The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the "dccp" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install dccp /bin/false

b
The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
CM-7 - Medium - CCI-000382 - V-38515 - SV-50316r2_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000382
Version
RHEL-06-000125
Vuln IDs
  • V-38515
Rule IDs
  • SV-50316r2_rule
Disabling SCTP protects the system against exploitation of any flaws in its implementation.
Checks: C-46072r2_chk

If the system is configured to prevent the loading of the "sctp" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/false") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": $ grep -r sctp /etc/modprobe.conf /etc/modprobe.d If no line is returned, this is a finding.

Fix: F-43462r2_fix

The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the "sctp" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install sctp /bin/false

a
The Reliable Datagram Sockets (RDS) protocol must be disabled unless required.
CM-7 - Low - CCI-000382 - V-38516 - SV-50317r2_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000382
Version
RHEL-06-000126
Vuln IDs
  • V-38516
Rule IDs
  • SV-50317r2_rule
Disabling RDS protects the system against exploitation of any flaws in its implementation.
Checks: C-46073r2_chk

If the system is configured to prevent the loading of the "rds" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated "/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/false") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": $ grep -r rds /etc/modprobe.conf /etc/modprobe.d If no line is returned, this is a finding.

Fix: F-43463r2_fix

The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high- bandwidth, low-latency communications between nodes in a cluster. To configure the system to prevent the "rds" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install rds /bin/false

b
The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required.
CM-7 - Medium - CCI-000382 - V-38517 - SV-50318r2_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000382
Version
RHEL-06-000127
Vuln IDs
  • V-38517
Rule IDs
  • SV-50318r2_rule
Disabling TIPC protects the system against exploitation of any flaws in its implementation.
Checks: C-46074r2_chk

If the system is configured to prevent the loading of the "tipc" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/false") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": $ grep -r tipc /etc/modprobe.conf /etc/modprobe.d If no line is returned, this is a finding.

Fix: F-43464r2_fix

The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the "tipc" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install tipc /bin/false

b
All rsyslog-generated log files must be owned by root.
SI-11 - Medium - CCI-001314 - V-38518 - SV-50319r1_rule
RMF Control
SI-11
Severity
M
CCI
CCI-001314
Version
RHEL-06-000133
Vuln IDs
  • V-38518
Rule IDs
  • SV-50319r1_rule
The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.
Checks: C-46075r1_chk

The owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's owner: $ ls -l [LOGFILE] If the owner is not root, this is a finding.

Fix: F-43465r1_fix

The owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's owner: $ ls -l [LOGFILE] If the owner is not "root", run the following command to correct this: # chown root [LOGFILE]

b
All rsyslog-generated log files must be group-owned by root.
SI-11 - Medium - CCI-001314 - V-38519 - SV-50320r1_rule
RMF Control
SI-11
Severity
M
CCI
CCI-001314
Version
RHEL-06-000134
Vuln IDs
  • V-38519
Rule IDs
  • SV-50320r1_rule
The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.
Checks: C-46076r1_chk

The group-owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's group owner: $ ls -l [LOGFILE] If the group-owner is not root, this is a finding.

Fix: F-43466r1_fix

The group-owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's group owner: $ ls -l [LOGFILE] If the owner is not "root", run the following command to correct this: # chgrp root [LOGFILE]

b
The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited.
AU-9 - Medium - CCI-001348 - V-38520 - SV-50321r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-001348
Version
RHEL-06-000136
Vuln IDs
  • V-38520
Rule IDs
  • SV-50321r1_rule
A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.
Checks: C-46078r1_chk

To ensure logs are sent to a remote host, examine the file "/etc/rsyslog.conf". If using UDP, a line similar to the following should be present: *.* @[loghost.example.com] If using TCP, a line similar to the following should be present: *.* @@[loghost.example.com] If using RELP, a line similar to the following should be present: *.* :omrelp:[loghost.example.com] If none of these are present, this is a finding.

Fix: F-43468r1_fix

To configure rsyslog to send logs to a remote log server, open "/etc/rsyslog.conf" and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting "[loghost.example.com]" appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments. To use UDP for log message delivery: *.* @[loghost.example.com] To use TCP for log message delivery: *.* @@[loghost.example.com] To use RELP for log message delivery: *.* :omrelp:[loghost.example.com]

b
The operating system must support the requirement to centrally manage the content of audit records generated by organization defined information system components.
AU-12 - Medium - CCI-000169 - V-38521 - SV-50322r1_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000169
Version
RHEL-06-000137
Vuln IDs
  • V-38521
Rule IDs
  • SV-50322r1_rule
A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.
Checks: C-46269r1_chk

To ensure logs are sent to a remote host, examine the file "/etc/rsyslog.conf". If using UDP, a line similar to the following should be present: *.* @[loghost.example.com] If using TCP, a line similar to the following should be present: *.* @@[loghost.example.com] If using RELP, a line similar to the following should be present: *.* :omrelp:[loghost.example.com] If none of these are present, this is a finding.

Fix: F-43656r1_fix

To configure rsyslog to send logs to a remote log server, open "/etc/rsyslog.conf" and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting "[loghost.example.com]" appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments. To use UDP for log message delivery: *.* @[loghost.example.com] To use TCP for log message delivery: *.* @@[loghost.example.com] To use RELP for log message delivery: *.* :omrelp:[loghost.example.com]

a
The audit system must be configured to audit all attempts to alter system time through settimeofday.
AU-12 - Low - CCI-000169 - V-38522 - SV-50323r2_rule
RMF Control
AU-12
Severity
L
CCI
CCI-000169
Version
RHEL-06-000167
Vuln IDs
  • V-38522
Rule IDs
  • SV-50323r2_rule
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
Checks: C-46080r1_chk

To determine if the system is configured to audit calls to the "settimeofday" system call, run the following command: # auditctl -l | grep syscall | grep settimeofday If the system is configured to audit this activity, it will return a line. If the system is not configured to audit time changes, this is a finding.

Fix: F-43470r2_fix

On a 32-bit system, add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b32 -S settimeofday -k audit_time_rules On a 64-bit system, add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b64 -S settimeofday -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules

b
The system must not accept IPv4 source-routed packets on any interface.
CM-6 - Medium - CCI-000366 - V-38523 - SV-50324r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000083
Vuln IDs
  • V-38523
Rule IDs
  • SV-50324r1_rule
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
Checks: C-46081r2_chk

The status of the "net.ipv4.conf.all.accept_source_route" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.accept_source_route The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". If the correct value is not returned, this is a finding.

Fix: F-43471r1_fix

To set the runtime status of the "net.ipv4.conf.all.accept_source_route" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.accept_source_route=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.all.accept_source_route = 0

b
The system must not accept ICMPv4 redirect packets on any interface.
CM-6 - Medium - CCI-000366 - V-38524 - SV-50325r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000084
Vuln IDs
  • V-38524
Rule IDs
  • SV-50325r1_rule
Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required.
Checks: C-46082r1_chk

The status of the "net.ipv4.conf.all.accept_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.accept_redirects The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". If the correct value is not returned, this is a finding.

Fix: F-43472r1_fix

To set the runtime status of the "net.ipv4.conf.all.accept_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.accept_redirects=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.all.accept_redirects = 0

a
The audit system must be configured to audit all attempts to alter system time through stime.
AU-12 - Low - CCI-000169 - V-38525 - SV-50326r3_rule
RMF Control
AU-12
Severity
L
CCI
CCI-000169
Version
RHEL-06-000169
Vuln IDs
  • V-38525
Rule IDs
  • SV-50326r3_rule
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
Checks: C-46083r2_chk

If the system is 64-bit only, this is not applicable. To determine if the system is configured to audit calls to the "stime" system call, run the following command: # auditctl -l | grep syscall | grep stime If the system is configured to audit this activity, it will return a line. If the system is not configured to audit time changes, this is a finding.

Fix: F-43473r4_fix

On a 32-bit system, add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b32 -S stime -k audit_time_rules On a 64-bit system, the "-S stime" is not necessary. The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules

b
The system must not accept ICMPv4 secure redirect packets on any interface.
CM-6 - Medium - CCI-000366 - V-38526 - SV-50327r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000086
Vuln IDs
  • V-38526
Rule IDs
  • SV-50327r1_rule
Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.
Checks: C-46084r1_chk

The status of the "net.ipv4.conf.all.secure_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.secure_redirects The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". If the correct value is not returned, this is a finding.

Fix: F-43474r1_fix

To set the runtime status of the "net.ipv4.conf.all.secure_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.secure_redirects=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.all.secure_redirects = 0

a
The audit system must be configured to audit all attempts to alter system time through clock_settime.
AU-12 - Low - CCI-000169 - V-38527 - SV-50328r2_rule
RMF Control
AU-12
Severity
L
CCI
CCI-000169
Version
RHEL-06-000171
Vuln IDs
  • V-38527
Rule IDs
  • SV-50328r2_rule
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
Checks: C-46085r1_chk

To determine if the system is configured to audit calls to the "clock_settime" system call, run the following command: # auditctl -l | grep syscall | grep clock_settime If the system is configured to audit this activity, it will return a line. If the system is not configured to audit time changes, this is a finding.

Fix: F-43475r2_fix

On a 32-bit system, add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b32 -S clock_settime -k audit_time_rules On a 64-bit system, add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b64 -S clock_settime -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules

a
The system must log Martian packets.
CM-6 - Low - CCI-000366 - V-38528 - SV-50329r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000088
Vuln IDs
  • V-38528
Rule IDs
  • SV-50329r1_rule
The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.
Checks: C-46086r2_chk

The status of the "net.ipv4.conf.all.log_martians" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.log_martians The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". If the correct value is not returned, this is a finding.

Fix: F-43476r1_fix

To set the runtime status of the "net.ipv4.conf.all.log_martians" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.log_martians=1 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.all.log_martians = 1

b
The system must not accept IPv4 source-routed packets by default.
CM-6 - Medium - CCI-000366 - V-38529 - SV-50330r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000089
Vuln IDs
  • V-38529
Rule IDs
  • SV-50330r1_rule
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
Checks: C-46088r1_chk

The status of the "net.ipv4.conf.default.accept_source_route" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.accept_source_route The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". If the correct value is not returned, this is a finding.

Fix: F-43478r1_fix

To set the runtime status of the "net.ipv4.conf.default.accept_source_route" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.accept_source_route=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.default.accept_source_route = 0

a
The audit system must be configured to audit all attempts to alter system time through /etc/localtime.
AU-12 - Low - CCI-000169 - V-38530 - SV-50331r1_rule
RMF Control
AU-12
Severity
L
CCI
CCI-000169
Version
RHEL-06-000173
Vuln IDs
  • V-38530
Rule IDs
  • SV-50331r1_rule
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
Checks: C-46087r1_chk

To determine if the system is configured to audit attempts to alter time via the /etc/localtime file, run the following command: # auditctl -l | grep "watch=/etc/localtime" If the system is configured to audit this activity, it will return a line. If the system is not configured to audit time changes, this is a finding.

Fix: F-43477r1_fix

Add the following to "/etc/audit/audit.rules": -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.

a
The operating system must automatically audit account creation.
AC-2 - Low - CCI-000018 - V-38531 - SV-50332r1_rule
RMF Control
AC-2
Severity
L
CCI
CCI-000018
Version
RHEL-06-000174
Vuln IDs
  • V-38531
Rule IDs
  • SV-50332r1_rule
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
Checks: C-46090r1_chk

To determine if the system is configured to audit account changes, run the following command: auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' If the system is configured to watch for account changes, lines should be returned for each file specified (and with "perm=wa" for each). If the system is not configured to audit account changes, this is a finding.

Fix: F-43480r1_fix

Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes: # audit_account_changes -w /etc/group -p wa -k audit_account_changes -w /etc/passwd -p wa -k audit_account_changes -w /etc/gshadow -p wa -k audit_account_changes -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes

b
The system must not accept ICMPv4 secure redirect packets by default.
CM-6 - Medium - CCI-000366 - V-38532 - SV-50333r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000090
Vuln IDs
  • V-38532
Rule IDs
  • SV-50333r1_rule
Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.
Checks: C-46089r1_chk

The status of the "net.ipv4.conf.default.secure_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.secure_redirects The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". If the correct value is not returned, this is a finding.

Fix: F-43479r1_fix

To set the runtime status of the "net.ipv4.conf.default.secure_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.secure_redirects=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.default.secure_redirects = 0

a
The system must ignore ICMPv4 redirect messages by default.
CM-6 - Low - CCI-000366 - V-38533 - SV-50334r2_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000091
Vuln IDs
  • V-38533
Rule IDs
  • SV-50334r2_rule
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
Checks: C-46091r1_chk

The status of the "net.ipv4.conf.default.accept_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.accept_redirects The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". If the correct value is not returned, this is a finding.

Fix: F-43481r1_fix

To set the runtime status of the "net.ipv4.conf.default.accept_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.accept_redirects=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.default.accept_redirects = 0

a
The operating system must automatically audit account modification.
AC-2 - Low - CCI-001403 - V-38534 - SV-50335r1_rule
RMF Control
AC-2
Severity
L
CCI
CCI-001403
Version
RHEL-06-000175
Vuln IDs
  • V-38534
Rule IDs
  • SV-50335r1_rule
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
Checks: C-46092r1_chk

To determine if the system is configured to audit account changes, run the following command: auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' If the system is configured to watch for account changes, lines should be returned for each file specified (and with "perm=wa" for each). If the system is not configured to audit account changes, this is a finding.

Fix: F-43482r1_fix

Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes: # audit_account_changes -w /etc/group -p wa -k audit_account_changes -w /etc/passwd -p wa -k audit_account_changes -w /etc/gshadow -p wa -k audit_account_changes -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes

a
The system must not respond to ICMPv4 sent to a broadcast address.
CM-6 - Low - CCI-000366 - V-38535 - SV-50336r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000092
Vuln IDs
  • V-38535
Rule IDs
  • SV-50336r1_rule
Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.
Checks: C-46093r1_chk

The status of the "net.ipv4.icmp_echo_ignore_broadcasts" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.icmp_echo_ignore_broadcasts The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". If the correct value is not returned, this is a finding.

Fix: F-43483r1_fix

To set the runtime status of the "net.ipv4.icmp_echo_ignore_broadcasts" kernel parameter, run the following command: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.icmp_echo_ignore_broadcasts = 1

a
The operating system must automatically audit account disabling actions.
AC-2 - Low - CCI-001404 - V-38536 - SV-50337r1_rule
RMF Control
AC-2
Severity
L
CCI
CCI-001404
Version
RHEL-06-000176
Vuln IDs
  • V-38536
Rule IDs
  • SV-50337r1_rule
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
Checks: C-46094r1_chk

To determine if the system is configured to audit account changes, run the following command: auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' If the system is configured to watch for account changes, lines should be returned for each file specified (and with "perm=wa" for each). If the system is not configured to audit account changes, this is a finding.

Fix: F-43484r1_fix

Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes: # audit_account_changes -w /etc/group -p wa -k audit_account_changes -w /etc/passwd -p wa -k audit_account_changes -w /etc/gshadow -p wa -k audit_account_changes -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes

a
The system must ignore ICMPv4 bogus error responses.
CM-6 - Low - CCI-000366 - V-38537 - SV-50338r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000093
Vuln IDs
  • V-38537
Rule IDs
  • SV-50338r1_rule
Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.
Checks: C-46095r1_chk

The status of the "net.ipv4.icmp_ignore_bogus_error_responses" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.icmp_ignore_bogus_error_responses The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". If the correct value is not returned, this is a finding.

Fix: F-43485r1_fix

To set the runtime status of the "net.ipv4.icmp_ignore_bogus_error_responses" kernel parameter, run the following command: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.icmp_ignore_bogus_error_responses = 1

a
The operating system must automatically audit account termination.
AC-2 - Low - CCI-001405 - V-38538 - SV-50339r1_rule
RMF Control
AC-2
Severity
L
CCI
CCI-001405
Version
RHEL-06-000177
Vuln IDs
  • V-38538
Rule IDs
  • SV-50339r1_rule
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
Checks: C-46096r1_chk

To determine if the system is configured to audit account changes, run the following command: auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' If the system is configured to watch for account changes, lines should be returned for each file specified (and with "perm=wa" for each). If the system is not configured to audit account changes, this is a finding.

Fix: F-43486r1_fix

Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes: # audit_account_changes -w /etc/group -p wa -k audit_account_changes -w /etc/passwd -p wa -k audit_account_changes -w /etc/gshadow -p wa -k audit_account_changes -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes

b
The system must be configured to use TCP syncookies.
SC-5 - Medium - CCI-001095 - V-38539 - SV-50340r1_rule
RMF Control
SC-5
Severity
M
CCI
CCI-001095
Version
RHEL-06-000095
Vuln IDs
  • V-38539
Rule IDs
  • SV-50340r1_rule
A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.
Checks: C-46097r1_chk

The status of the "net.ipv4.tcp_syncookies" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.tcp_syncookies The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". If the correct value is not returned, this is a finding.

Fix: F-43487r1_fix

To set the runtime status of the "net.ipv4.tcp_syncookies" kernel parameter, run the following command: # sysctl -w net.ipv4.tcp_syncookies=1 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.tcp_syncookies = 1

a
The audit system must be configured to audit modifications to the systems network configuration.
CM-6 - Low - CCI-000366 - V-38540 - SV-50341r2_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000182
Vuln IDs
  • V-38540
Rule IDs
  • SV-50341r2_rule
The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.
Checks: C-46098r1_chk

To determine if the system is configured to audit changes to its network configuration, run the following command: auditctl -l | egrep '(sethostname|setdomainname|/etc/issue|/etc/issue.net|/etc/hosts|/etc/sysconfig/network)' If the system is configured to watch for network configuration changes, a line should be returned for each file specified (and "perm=wa" should be indicated for each). If the system is not configured to audit changes of the network configuration, this is a finding.

Fix: F-43488r2_fix

Add the following to "/etc/audit/audit.rules", setting ARCH to either b32 or b64 as appropriate for your system: # audit_network_modifications -a always,exit -F arch=ARCH -S sethostname -S setdomainname -k audit_network_modifications -w /etc/issue -p wa -k audit_network_modifications -w /etc/issue.net -p wa -k audit_network_modifications -w /etc/hosts -p wa -k audit_network_modifications -w /etc/sysconfig/network -p wa -k audit_network_modifications

a
The audit system must be configured to audit modifications to the systems Mandatory Access Control (MAC) configuration (SELinux).
CM-6 - Low - CCI-000366 - V-38541 - SV-50342r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000183
Vuln IDs
  • V-38541
Rule IDs
  • SV-50342r1_rule
The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.
Checks: C-46099r1_chk

To determine if the system is configured to audit changes to its SELinux configuration files, run the following command: # auditctl -l | grep "dir=/etc/selinux" If the system is configured to watch for changes to its SELinux configuration, a line should be returned (including "perm=wa" indicating permissions that are watched). If the system is not configured to audit attempts to change the MAC policy, this is a finding.

Fix: F-43489r1_fix

Add the following to "/etc/audit/audit.rules": -w /etc/selinux/ -p wa -k MAC-policy

b
The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.
CM-6 - Medium - CCI-000366 - V-38542 - SV-50343r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000096
Vuln IDs
  • V-38542
Rule IDs
  • SV-50343r1_rule
Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.
Checks: C-46100r1_chk

The status of the "net.ipv4.conf.all.rp_filter" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.rp_filter The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". If the correct value is not returned, this is a finding.

Fix: F-43490r1_fix

To set the runtime status of the "net.ipv4.conf.all.rp_filter" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.rp_filter=1 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.all.rp_filter = 1

a
The audit system must be configured to audit all discretionary access control permission modifications using chmod.
AU-12 - Low - CCI-000172 - V-38543 - SV-50344r2_rule
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
RHEL-06-000184
Vuln IDs
  • V-38543
Rule IDs
  • SV-50344r2_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Checks: C-46101r1_chk

To determine if the system is configured to audit calls to the "chmod" system call, run the following command: # auditctl -l | grep syscall | grep chmod If the system is configured to audit this activity, it will return several lines. If no lines are returned, this is a finding.

Fix: F-43491r2_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S chmod -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S chmod -F auid=0 -k perm_mod

b
The system must use a reverse-path filter for IPv4 network traffic when possible by default.
CM-6 - Medium - CCI-000366 - V-38544 - SV-50345r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000097
Vuln IDs
  • V-38544
Rule IDs
  • SV-50345r1_rule
Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.
Checks: C-46102r1_chk

The status of the "net.ipv4.conf.default.rp_filter" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.rp_filter The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". If the correct value is not returned, this is a finding.

Fix: F-43492r1_fix

To set the runtime status of the "net.ipv4.conf.default.rp_filter" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.rp_filter=1 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.default.rp_filter = 1

a
The audit system must be configured to audit all discretionary access control permission modifications using chown.
AU-12 - Low - CCI-000172 - V-38545 - SV-50346r2_rule
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
RHEL-06-000185
Vuln IDs
  • V-38545
Rule IDs
  • SV-50346r2_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Checks: C-46103r1_chk

To determine if the system is configured to audit calls to the "chown" system call, run the following command: # auditctl -l | grep syscall | grep chown If the system is configured to audit this activity, it will return several lines. If no lines are returned, this is a finding.

Fix: F-43493r2_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S chown -F auid=0 -k perm_mod

b
The IPv6 protocol handler must not be bound to the network stack unless needed.
CM-6 - Medium - CCI-000366 - V-38546 - SV-50347r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000098
Vuln IDs
  • V-38546
Rule IDs
  • SV-50347r1_rule
Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the vulnerability to exploitation.
Checks: C-46104r1_chk

If the system uses IPv6, this is not applicable. If the system is configured to prevent the loading of the "ipv6" kernel module, it will contain a line of the form: options ipv6 disable=1 Such lines may be inside any file in "/etc/modprobe.d" or the deprecated "/etc/modprobe.conf". This permits insertion of the IPv6 kernel module (which other parts of the system expect to be present), but otherwise keeps it inactive. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": $ grep -r ipv6 /etc/modprobe.conf /etc/modprobe.d If the IPv6 kernel module is loaded, this is a finding.

Fix: F-43494r1_fix

To prevent the IPv6 kernel module ("ipv6") from loading the IPv6 networking stack, add the following line to "/etc/modprobe.d/disabled.conf" (or another file in "/etc/modprobe.d"): options ipv6 disable=1 This permits the IPv6 module to be loaded (and thus satisfy other modules that depend on it), while disabling support for the IPv6 protocol.

a
The audit system must be configured to audit all discretionary access control permission modifications using fchmod.
AU-12 - Low - CCI-000172 - V-38547 - SV-50348r2_rule
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
RHEL-06-000186
Vuln IDs
  • V-38547
Rule IDs
  • SV-50348r2_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Checks: C-46105r1_chk

To determine if the system is configured to audit calls to the "fchmod" system call, run the following command: # auditctl -l | grep syscall | grep fchmod If the system is configured to audit this activity, it will return several lines. If no lines are returned, this is a finding.

Fix: F-43495r2_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_mod

b
The system must ignore ICMPv6 redirects by default.
CM-6 - Medium - CCI-000366 - V-38548 - SV-50349r2_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000099
Vuln IDs
  • V-38548
Rule IDs
  • SV-50349r2_rule
An illicit ICMP redirect message could result in a man-in-the-middle attack.
Checks: C-46106r2_chk

If IPv6 is disabled, this is not applicable. The status of the "net.ipv6.conf.default.accept_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv6.conf.default.accept_redirects The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". If the correct value is not returned, this is a finding.

Fix: F-43496r1_fix

To set the runtime status of the "net.ipv6.conf.default.accept_redirects" kernel parameter, run the following command: # sysctl -w net.ipv6.conf.default.accept_redirects=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv6.conf.default.accept_redirects = 0

b
The system must employ a local IPv6 firewall.
SC-7 - Medium - CCI-001118 - V-38549 - SV-50350r2_rule
RMF Control
SC-7
Severity
M
CCI
CCI-001118
Version
RHEL-06-000103
Vuln IDs
  • V-38549
Rule IDs
  • SV-50350r2_rule
The "ip6tables" service provides the system's host-based firewalling capability for IPv6 and ICMPv6.
Checks: C-46107r2_chk

If the system is a cross-domain system, this is not applicable. Run the following command to determine the current status of the "ip6tables" service: # service ip6tables status If the service is not running, it should return the following: ip6tables: Firewall is not running. If the service is not running, this is a finding.

Fix: F-43497r3_fix

The "ip6tables" service can be enabled with the following commands: # chkconfig ip6tables on # service ip6tables start

a
The audit system must be configured to audit all discretionary access control permission modifications using fchmodat.
AU-12 - Low - CCI-000172 - V-38550 - SV-50351r2_rule
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
RHEL-06-000187
Vuln IDs
  • V-38550
Rule IDs
  • SV-50351r2_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Checks: C-46108r1_chk

To determine if the system is configured to audit calls to the "fchmodat" system call, run the following command: # auditctl -l | grep syscall | grep fchmodat If the system is configured to audit this activity, it will return several lines. If no lines are returned, this is a finding.

Fix: F-43498r2_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_mod

b
The operating system must connect to external networks or information systems only through managed IPv6 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
SC-7 - Medium - CCI-001098 - V-38551 - SV-50352r2_rule
RMF Control
SC-7
Severity
M
CCI
CCI-001098
Version
RHEL-06-000106
Vuln IDs
  • V-38551
Rule IDs
  • SV-50352r2_rule
The "ip6tables" service provides the system's host-based firewalling capability for IPv6 and ICMPv6.
Checks: C-46109r2_chk

If the system is a cross-domain system, this is not applicable. Run the following command to determine the current status of the "ip6tables" service: # service ip6tables status If the service is not running, it should return the following: ip6tables: Firewall is not running. If the service is not running, this is a finding.

Fix: F-43499r2_fix

The "ip6tables" service can be enabled with the following commands: # chkconfig ip6tables on # service ip6tables start

a
The audit system must be configured to audit all discretionary access control permission modifications using fchown.
AU-12 - Low - CCI-000172 - V-38552 - SV-50353r2_rule
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
RHEL-06-000188
Vuln IDs
  • V-38552
Rule IDs
  • SV-50353r2_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Checks: C-46110r1_chk

To determine if the system is configured to audit calls to the "fchown" system call, run the following command: # auditctl -l | grep syscall | grep fchown If the system is configured to audit this activity, it will return several lines. If no lines are returned, this is a finding.

Fix: F-43500r2_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_mod

b
The operating system must prevent public IPv6 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.
SC-7 - Medium - CCI-001100 - V-38553 - SV-50354r2_rule
RMF Control
SC-7
Severity
M
CCI
CCI-001100
Version
RHEL-06-000107
Vuln IDs
  • V-38553
Rule IDs
  • SV-50354r2_rule
The "ip6tables" service provides the system's host-based firewalling capability for IPv6 and ICMPv6.
Checks: C-46111r2_chk

If the system is a cross-domain system, this is not applicable. Run the following command to determine the current status of the "ip6tables" service: # service ip6tables status If the service is not running, it should return the following: ip6tables: Firewall is not running. If the service is not running, this is a finding.

Fix: F-43501r2_fix

The "ip6tables" service can be enabled with the following commands: # chkconfig ip6tables on # service ip6tables start

a
The audit system must be configured to audit all discretionary access control permission modifications using fchownat.
AU-12 - Low - CCI-000172 - V-38554 - SV-50355r2_rule
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
RHEL-06-000189
Vuln IDs
  • V-38554
Rule IDs
  • SV-50355r2_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Checks: C-46112r1_chk

To determine if the system is configured to audit calls to the "fchownat" system call, run the following command: # auditctl -l | grep syscall | grep fchownat If the system is configured to audit this activity, it will return several lines. If no lines are returned, this is a finding.

Fix: F-43502r2_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_mod

b
The system must employ a local IPv4 firewall.
SC-7 - Medium - CCI-001118 - V-38555 - SV-50356r2_rule
RMF Control
SC-7
Severity
M
CCI
CCI-001118
Version
RHEL-06-000113
Vuln IDs
  • V-38555
Rule IDs
  • SV-50356r2_rule
The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP.
Checks: C-46113r2_chk

If the system is a cross-domain system, this is not applicable. Run the following command to determine the current status of the "iptables" service: # service iptables status If the service is not running, it should return the following: iptables: Firewall is not running. If the service is not running, this is a finding.

Fix: F-43503r2_fix

The "iptables" service can be enabled with the following commands: # chkconfig iptables on # service iptables start

a
The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr.
AU-12 - Low - CCI-000172 - V-38556 - SV-50357r2_rule
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
RHEL-06-000190
Vuln IDs
  • V-38556
Rule IDs
  • SV-50357r2_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Checks: C-46114r1_chk

To determine if the system is configured to audit calls to the "fremovexattr" system call, run the following command: # auditctl -l | grep syscall | grep fremovexattr If the system is configured to audit this activity, it will return several lines. If no lines are returned, this is a finding.

Fix: F-43504r2_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr.
AU-12 - Low - CCI-000172 - V-38557 - SV-50358r2_rule
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
RHEL-06-000191
Vuln IDs
  • V-38557
Rule IDs
  • SV-50358r2_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Checks: C-46115r1_chk

To determine if the system is configured to audit calls to the "fsetxattr" system call, run the following command: # auditctl -l | grep syscall | grep fsetxattr If the system is configured to audit this activity, it will return several lines. If no lines are returned, this is a finding.

Fix: F-43505r2_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using lchown.
AU-12 - Low - CCI-000172 - V-38558 - SV-50359r2_rule
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
RHEL-06-000192
Vuln IDs
  • V-38558
Rule IDs
  • SV-50359r2_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Checks: C-46116r1_chk

To determine if the system is configured to audit calls to the "lchown" system call, run the following command: # auditctl -l | grep syscall | grep lchown If the system is configured to audit this activity, it will return several lines. If no lines are returned, this is a finding.

Fix: F-43506r2_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr.
AU-12 - Low - CCI-000172 - V-38559 - SV-50360r2_rule
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
RHEL-06-000193
Vuln IDs
  • V-38559
Rule IDs
  • SV-50360r2_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Checks: C-46117r1_chk

To determine if the system is configured to audit calls to the "lremovexattr" system call, run the following command: # auditctl -l | grep syscall | grep lremovexattr If the system is configured to audit this activity, it will return several lines. If no lines are returned, this is a finding.

Fix: F-43507r2_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod

b
The operating system must connect to external networks or information systems only through managed IPv4 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
SC-7 - Medium - CCI-001098 - V-38560 - SV-50361r2_rule
RMF Control
SC-7
Severity
M
CCI
CCI-001098
Version
RHEL-06-000116
Vuln IDs
  • V-38560
Rule IDs
  • SV-50361r2_rule
The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP.
Checks: C-46118r2_chk

If the system is a cross-domain system, this is not applicable. Run the following command to determine the current status of the "iptables" service: # service iptables status If the service is not running, it should return the following: iptables: Firewall is not running. If the service is not running, this is a finding.

Fix: F-43508r2_fix

The "iptables" service can be enabled with the following commands: # chkconfig iptables on # service iptables start

a
The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr.
AU-12 - Low - CCI-000172 - V-38561 - SV-50362r2_rule
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
RHEL-06-000194
Vuln IDs
  • V-38561
Rule IDs
  • SV-50362r2_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Checks: C-46119r1_chk

To determine if the system is configured to audit calls to the "lsetxattr" system call, run the following command: # auditctl -l | grep syscall | grep lsetxattr If the system is configured to audit this activity, it will return several lines. If no lines are returned, this is a finding.

Fix: F-43509r2_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using removexattr.
AU-12 - Low - CCI-000172 - V-38563 - SV-50364r2_rule
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
RHEL-06-000195
Vuln IDs
  • V-38563
Rule IDs
  • SV-50364r2_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Checks: C-46121r1_chk

To determine if the system is configured to audit calls to the "removexattr" system call, run the following command: # auditctl -l | grep syscall | grep removexattr If the system is configured to audit this activity, it will return several lines. If no lines are returned, this is a finding.

Fix: F-43511r2_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using setxattr.
AU-12 - Low - CCI-000172 - V-38565 - SV-50366r2_rule
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
RHEL-06-000196
Vuln IDs
  • V-38565
Rule IDs
  • SV-50366r2_rule
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Checks: C-46123r1_chk

To determine if the system is configured to audit calls to the "setxattr" system call, run the following command: # auditctl -l | grep syscall | grep setxattr If the system is configured to audit this activity, it will return several lines. If no lines are returned, this is a finding.

Fix: F-43513r2_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod

a
The audit system must be configured to audit failed attempts to access files and programs.
AU-12 - Low - CCI-000172 - V-38566 - SV-50367r2_rule
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
RHEL-06-000197
Vuln IDs
  • V-38566
Rule IDs
  • SV-50367r2_rule
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Checks: C-46124r1_chk

To verify that the audit system collects unauthorized file accesses, run the following commands: # grep EACCES /etc/audit/audit.rules # grep EPERM /etc/audit/audit.rules If either command lacks output, this is a finding.

Fix: F-43514r2_fix

At a minimum, the audit system should collect unauthorized file accesses for all users and root. Add the following to "/etc/audit/audit.rules", setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid=0 -k access -a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid=0 -k access

a
The audit system must be configured to audit all use of setuid programs.
AC-6 - Low - CCI-000040 - V-38567 - SV-50368r2_rule
RMF Control
AC-6
Severity
L
CCI
CCI-000040
Version
RHEL-06-000198
Vuln IDs
  • V-38567
Rule IDs
  • SV-50368r2_rule
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Checks: C-46125r4_chk

To verify that auditing of privileged command use is configured, run the following command once for each local partition [PART] to find relevant setuid programs: # find [PART] -xdev -type f \( -perm -4000 -o -perm -2000 \) 2&gt;/dev/null Run the following command to verify entries in the audit rules for all programs found with the previous command: # grep [path] /etc/audit/audit.rules It should be the case that all relevant setuid programs have a line in the audit rules. If it is not the case, this is a finding.

Fix: F-43515r3_fix

At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid programs run the following command for each local partition [PART]: # find [PART] -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null Then, for each setuid program on the system, add a line of the following form to "/etc/audit/audit.rules", where [SETUID_PROG_PATH] is the full path to each setuid program in the list: -a always,exit -F path=[SETUID_PROG_PATH] -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged

a
The audit system must be configured to audit successful file system mounts.
AU-12 - Low - CCI-000172 - V-38568 - SV-50369r2_rule
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
RHEL-06-000199
Vuln IDs
  • V-38568
Rule IDs
  • SV-50369r2_rule
The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.
Checks: C-46126r1_chk

To verify that auditing is configured for all media exportation events, run the following command: # auditctl -l | grep syscall | grep mount If there is no output, this is a finding.

Fix: F-43516r2_fix

At a minimum, the audit system should collect media exportation events for all users and root. Add the following to "/etc/audit/audit.rules", setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export -a always,exit -F arch=ARCH -S mount -F auid=0 -k export

a
The system must require passwords to contain at least one uppercase alphabetic character.
IA-5 - Low - CCI-000192 - V-38569 - SV-50370r1_rule
RMF Control
IA-5
Severity
L
CCI
CCI-000192
Version
RHEL-06-000057
Vuln IDs
  • V-38569
Rule IDs
  • SV-50370r1_rule
Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space.
Checks: C-46127r1_chk

To check how many uppercase characters are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth The "ucredit" parameter (as a negative number) will indicate how many uppercase characters are required. The DoD requires at least one uppercase character in a password. This would appear as "ucredit=-1". If ucredit is not found or not set to the required value, this is a finding.

Fix: F-43517r1_fix

The pam_cracklib module's "ucredit=" parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each uppercase character. Add "ucredit=-1" after pam_cracklib.so to require use of an uppercase character in passwords.

a
The system must require passwords to contain at least one special character.
IA-5 - Low - CCI-001619 - V-38570 - SV-50371r1_rule
RMF Control
IA-5
Severity
L
CCI
CCI-001619
Version
RHEL-06-000058
Vuln IDs
  • V-38570
Rule IDs
  • SV-50371r1_rule
Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.
Checks: C-46128r1_chk

To check how many special characters are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth The "ocredit" parameter (as a negative number) will indicate how many special characters are required. The DoD requires at least one special character in a password. This would appear as "ocredit=-1". If ocredit is not found or not set to the required value, this is a finding.

Fix: F-43518r1_fix

The pam_cracklib module's "ocredit=" parameter controls requirements for usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each special character. Add "ocredit=-1" after pam_cracklib.so to require use of a special character in passwords.

a
The system must require passwords to contain at least one lowercase alphabetic character.
IA-5 - Low - CCI-000193 - V-38571 - SV-50372r1_rule
RMF Control
IA-5
Severity
L
CCI
CCI-000193
Version
RHEL-06-000059
Vuln IDs
  • V-38571
Rule IDs
  • SV-50372r1_rule
Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.
Checks: C-46129r1_chk

To check how many lowercase characters are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth The "lcredit" parameter (as a negative number) will indicate how many special characters are required. The DoD requires at least one lowercase character in a password. This would appear as "lcredit=-1". If lcredit is not found or not set to the required value, this is a finding.

Fix: F-43519r1_fix

The pam_cracklib module's "lcredit=" parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each lowercase character. Add "lcredit=-1" after pam_cracklib.so to require use of a lowercase character in passwords.

a
The system must require at least four characters be changed between the old and new passwords during a password change.
IA-5 - Low - CCI-000195 - V-38572 - SV-50373r1_rule
RMF Control
IA-5
Severity
L
CCI
CCI-000195
Version
RHEL-06-000060
Vuln IDs
  • V-38572
Rule IDs
  • SV-50373r1_rule
Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however.
Checks: C-46130r1_chk

To check how many characters must differ during a password change, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth The "difok" parameter will indicate how many characters must differ. The DoD requires four characters differ during a password change. This would appear as "difok=4". If difok is not found or not set to the required value, this is a finding.

Fix: F-43520r1_fix

The pam_cracklib module's "difok" parameter controls requirements for usage of different characters during a password change. Add "difok=[NUM]" after pam_cracklib.so to require differing characters when changing passwords, substituting [NUM] appropriately. The DoD requirement is 4.

b
The system must disable accounts after three consecutive unsuccessful login attempts.
AC-7 - Medium - CCI-000044 - V-38573 - SV-50374r2_rule
RMF Control
AC-7
Severity
M
CCI
CCI-000044
Version
RHEL-06-000061
Vuln IDs
  • V-38573
Rule IDs
  • SV-50374r2_rule
Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks.
Checks: C-46131r2_chk

To ensure the failed password attempt policy is configured correctly, run the following command: # grep pam_faillock /etc/pam.d/system-auth-ac # grep pam_faillock /etc/pam.d/password-auth-ac The output should show "deny=3" for both files. If that is not the case, this is a finding.

Fix: F-43521r3_fix

To configure the system to lock out accounts after a number of incorrect login attempts using "pam_faillock.so": Add the following lines immediately below the "pam_unix.so" statement in the AUTH section of "/etc/pam.d/system-auth-ac" and "/etc/pam.d/password-auth-ac": auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900 auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900 Note that any updates made to "/etc/pam.d/system-auth-ac" and "/etc/pam.d/password-auth-ac" will be overwritten by the "authconfig" program. The "authconfig" program should not be used.

b
The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth).
IA-7 - Medium - CCI-000803 - V-38574 - SV-50375r1_rule
RMF Control
IA-7
Severity
M
CCI
CCI-000803
Version
RHEL-06-000062
Vuln IDs
  • V-38574
Rule IDs
  • SV-50375r1_rule
Using a stronger hashing algorithm makes password cracking attacks more difficult.
Checks: C-46132r1_chk

Inspect the "password" section of "/etc/pam.d/system-auth" and ensure that the "pam_unix.so" module includes the argument "sha512". $ grep sha512 /etc/pam.d/system-auth" If it does not, this is a finding.

Fix: F-43522r1_fix

In "/etc/pam.d/system-auth", the "password" section of the file controls which PAM modules execute during a password change. Set the "pam_unix.so" module in the "password" section to include the argument "sha512", as shown below: password sufficient pam_unix.so sha512 [other arguments...] This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default. Note that any updates made to "/etc/pam.d/system-auth" will be overwritten by the "authconfig" program. The "authconfig" program should not be used.

a
The audit system must be configured to audit user deletions of files and programs.
AU-12 - Low - CCI-000172 - V-38575 - SV-50376r3_rule
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
RHEL-06-000200
Vuln IDs
  • V-38575
Rule IDs
  • SV-50376r3_rule
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.
Checks: C-46133r2_chk

To determine if the system is configured to audit calls to the "unlink" system call, run the following command: # auditctl -l | grep syscall | grep -w unlink If the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the "unlinkat" system call, run the following command: # auditctl -l | grep syscall | grep -w unlinkat If the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the "rename" system call, run the following command: # auditctl -l | grep syscall | grep -w rename If the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the "renameat" system call, run the following command: # auditctl -l | grep syscall | grep -w renameat If the system is configured to audit this activity, it will return a line. If no line is returned, this is a finding.

Fix: F-43523r2_fix

At a minimum, the audit system should collect file deletion events for all users and root. Add the following to "/etc/audit/audit.rules", setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S unlink -S unlinkat -S rename -S renameat \ -F auid>=500 -F auid!=4294967295 -k delete -a always,exit -F arch=ARCH -S unlink -S unlinkat -S rename -S renameat \ -F auid=0 -k delete

b
The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs).
IA-7 - Medium - CCI-000803 - V-38576 - SV-50377r1_rule
RMF Control
IA-7
Severity
M
CCI
CCI-000803
Version
RHEL-06-000063
Vuln IDs
  • V-38576
Rule IDs
  • SV-50377r1_rule
Using a stronger hashing algorithm makes password cracking attacks more difficult.
Checks: C-46134r1_chk

Inspect "/etc/login.defs" and ensure the following line appears: ENCRYPT_METHOD SHA512 If it does not, this is a finding.

Fix: F-43524r1_fix

In "/etc/login.defs", add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm: ENCRYPT_METHOD SHA512

b
The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf).
IA-7 - Medium - CCI-000803 - V-38577 - SV-50378r1_rule
RMF Control
IA-7
Severity
M
CCI
CCI-000803
Version
RHEL-06-000064
Vuln IDs
  • V-38577
Rule IDs
  • SV-50378r1_rule
Using a stronger hashing algorithm makes password cracking attacks more difficult.
Checks: C-46135r1_chk

Inspect "/etc/libuser.conf" and ensure the following line appears in the "[default]" section: crypt_style = sha512 If it does not, this is a finding.

Fix: F-43525r1_fix

In "/etc/libuser.conf", add or correct the following line in its "[defaults]" section to ensure the system will use the SHA-512 algorithm for password hashing: crypt_style = sha512

a
The audit system must be configured to audit changes to the /etc/sudoers file.
AU-12 - Low - CCI-000172 - V-38578 - SV-50379r1_rule
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
RHEL-06-000201
Vuln IDs
  • V-38578
Rule IDs
  • SV-50379r1_rule
The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes.
Checks: C-46136r1_chk

To verify that auditing is configured for system administrator actions, run the following command: # auditctl -l | grep "watch=/etc/sudoers" If there is no output, this is a finding.

Fix: F-43526r1_fix

At a minimum, the audit system should collect administrator actions for all users and root. Add the following to "/etc/audit/audit.rules": -w /etc/sudoers -p wa -k actions

b
The system boot loader configuration file(s) must be owned by root.
CM-6 - Medium - CCI-000366 - V-38579 - SV-50380r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000065
Vuln IDs
  • V-38579
Rule IDs
  • SV-50380r1_rule
Only root should be able to modify important boot parameters.
Checks: C-46137r1_chk

To check the ownership of "/etc/grub.conf", run the command: $ ls -lL /etc/grub.conf If properly configured, the output should indicate the following owner: "root" If it does not, this is a finding.

Fix: F-43527r1_fix

The file "/etc/grub.conf" should be owned by the "root" user to prevent destruction or modification of the file. To properly set the owner of "/etc/grub.conf", run the command: # chown root /etc/grub.conf

b
The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
AU-12 - Medium - CCI-000172 - V-38580 - SV-50381r1_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
RHEL-06-000202
Vuln IDs
  • V-38580
Rule IDs
  • SV-50381r1_rule
The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.
Checks: C-46138r1_chk

To determine if the system is configured to audit calls to the "init_module" system call, run the following command: # auditctl -l | grep syscall | grep init_module If the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the "delete_module" system call, run the following command: # auditctl -l | grep syscall | grep delete_module If the system is configured to audit this activity, it will return a line. If no line is returned, this is a finding.

Fix: F-43528r2_fix

Add the following to "/etc/audit/audit.rules" in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules -a always,exit -F arch=[ARCH] -S init_module -S delete_module -k modules

b
The system boot loader configuration file(s) must be group-owned by root.
CM-6 - Medium - CCI-000366 - V-38581 - SV-50382r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000066
Vuln IDs
  • V-38581
Rule IDs
  • SV-50382r1_rule
The "root" group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.
Checks: C-46139r1_chk

To check the group ownership of "/etc/grub.conf", run the command: $ ls -lL /etc/grub.conf If properly configured, the output should indicate the following group-owner. "root" If it does not, this is a finding.

Fix: F-43529r1_fix

The file "/etc/grub.conf" should be group-owned by the "root" group to prevent destruction or modification of the file. To properly set the group owner of "/etc/grub.conf", run the command: # chgrp root /etc/grub.conf

b
The xinetd service must be disabled if no network services utilizing it are enabled.
CM-7 - Medium - CCI-000382 - V-38582 - SV-50383r2_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000382
Version
RHEL-06-000203
Vuln IDs
  • V-38582
Rule IDs
  • SV-50383r2_rule
The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself.
Checks: C-46140r2_chk

If network services are using the xinetd service, this is not applicable. To check that the "xinetd" service is disabled in system boot configuration, run the following command: # chkconfig "xinetd" --list Output should indicate the "xinetd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "xinetd" --list "xinetd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "xinetd" is disabled through current runtime configuration: # service xinetd status If the service is disabled the command will return the following output: xinetd is stopped If the service is running, this is a finding.

Fix: F-43530r2_fix

The "xinetd" service can be disabled with the following commands: # chkconfig xinetd off # service xinetd stop

b
The system boot loader configuration file(s) must have mode 0600 or less permissive.
CM-6 - Medium - CCI-000366 - V-38583 - SV-50384r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000067
Vuln IDs
  • V-38583
Rule IDs
  • SV-50384r1_rule
Proper permissions ensure that only the root user can modify important boot parameters.
Checks: C-46141r1_chk

To check the permissions of "/etc/grub.conf", run the command: $ ls -lL /etc/grub.conf If properly configured, the output should indicate the following permissions: "-rw-------" If it does not, this is a finding.

Fix: F-43531r1_fix

File permissions for "/etc/grub.conf" should be set to 600, which is the default. To properly set the permissions of "/etc/grub.conf", run the command: # chmod 600 /etc/grub.conf

a
The xinetd service must be uninstalled if no network services utilizing it are enabled.
CM-7 - Low - CCI-000382 - V-38584 - SV-50385r1_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000382
Version
RHEL-06-000204
Vuln IDs
  • V-38584
Rule IDs
  • SV-50385r1_rule
Removing the "xinetd" package decreases the risk of the xinetd service's accidental (or intentional) activation.
Checks: C-46142r1_chk

If network services are using the xinetd service, this is not applicable. Run the following command to determine if the "xinetd" package is installed: # rpm -q xinetd If the package is installed, this is a finding.

Fix: F-43532r1_fix

The "xinetd" package can be uninstalled with the following command: # yum erase xinetd

b
The system boot loader must require authentication.
AC-3 - Medium - CCI-000213 - V-38585 - SV-50386r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000213
Version
RHEL-06-000068
Vuln IDs
  • V-38585
Rule IDs
  • SV-50386r1_rule
Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.
Checks: C-46143r1_chk

To verify the boot loader password has been set and encrypted, run the following command: # grep password /etc/grub.conf The output should show the following: password --encrypted "$6$[rest-of-the-password-hash]" If it does not, this is a finding.

Fix: F-43533r1_fix

The grub boot loader should have password protection enabled to protect boot-time settings. To do so, select a password and then generate a hash from it by running the following command: # grub-crypt --sha-512 When prompted to enter a password, insert the following line into "/etc/grub.conf" immediately after the header comments. (Use the output from "grub-crypt" as the value of [password-hash]): password --encrypted [password-hash]

b
The system must require authentication upon booting into single-user and maintenance modes.
AC-3 - Medium - CCI-000213 - V-38586 - SV-50387r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000213
Version
RHEL-06-000069
Vuln IDs
  • V-38586
Rule IDs
  • SV-50387r1_rule
This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.
Checks: C-46145r1_chk

To check if authentication is required for single-user mode, run the following command: $ grep SINGLE /etc/sysconfig/init The output should be the following: SINGLE=/sbin/sulogin If the output is different, this is a finding.

Fix: F-43534r1_fix

Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected. To require entry of the root password even if the system is started in single-user mode, add or correct the following line in the file "/etc/sysconfig/init": SINGLE=/sbin/sulogin

c
The telnet-server package must not be installed.
CM-7 - High - CCI-000381 - V-38587 - SV-50388r1_rule
RMF Control
CM-7
Severity
H
CCI
CCI-000381
Version
RHEL-06-000206
Vuln IDs
  • V-38587
Rule IDs
  • SV-50388r1_rule
Removing the "telnet-server" package decreases the risk of the unencrypted telnet service's accidental (or intentional) activation. Mitigation: If the telnet-server package is configured to only allow encrypted sessions, such as with Kerberos or the use of encrypted network tunnels, the risk of exposing sensitive information is mitigated.
Checks: C-46144r1_chk

Run the following command to determine if the "telnet-server" package is installed: # rpm -q telnet-server If the package is installed, this is a finding.

Fix: F-43535r1_fix

The "telnet-server" package can be uninstalled with the following command: # yum erase telnet-server

b
The system must not permit interactive boot.
AC-3 - Medium - CCI-000213 - V-38588 - SV-50389r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000213
Version
RHEL-06-000070
Vuln IDs
  • V-38588
Rule IDs
  • SV-50389r1_rule
Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security.
Checks: C-46146r1_chk

To check whether interactive boot is disabled, run the following command: $ grep PROMPT /etc/sysconfig/init If interactive boot is disabled, the output will show: PROMPT=no If it does not, this is a finding.

Fix: F-43536r1_fix

To disable the ability for users to perform interactive startups, edit the file "/etc/sysconfig/init". Add or correct the line: PROMPT=no The "PROMPT" option allows the console user to perform an interactive system startup, in which it is possible to select the set of services which are started on boot.

c
The telnet daemon must not be running.
MA-4 - High - CCI-000888 - V-38589 - SV-50390r2_rule
RMF Control
MA-4
Severity
H
CCI
CCI-000888
Version
RHEL-06-000211
Vuln IDs
  • V-38589
Rule IDs
  • SV-50390r2_rule
The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks. Mitigation: If an enabled telnet daemon is configured to only allow encrypted sessions, such as with Kerberos or the use of encrypted network tunnels, the risk of exposing sensitive information is mitigated.
Checks: C-46147r3_chk

To check that the "telnet" service is disabled in system boot configuration, run the following command: # chkconfig "telnet" --list Output should indicate the "telnet" service has either not been installed, or has been disabled, as shown in the example below: # chkconfig "telnet" --list telnet off OR error reading information on service telnet: No such file or directory If the service is running, this is a finding.

Fix: F-43537r1_fix

The "telnet" service can be disabled with the following command: # chkconfig telnet off

a
The system must allow locking of the console screen in text mode.
AC-11 - Low - CCI-000058 - V-38590 - SV-50391r1_rule
RMF Control
AC-11
Severity
L
CCI
CCI-000058
Version
RHEL-06-000071
Vuln IDs
  • V-38590
Rule IDs
  • SV-50391r1_rule
Installing "screen" ensures a console locking capability is available for users who may need to suspend console logins.
Checks: C-46148r1_chk

Run the following command to determine if the "screen" package is installed: # rpm -q screen If the package is not installed, this is a finding.

Fix: F-43538r1_fix

To enable console screen locking when in text mode, install the "screen" package: # yum install screen Instruct users to begin new terminal sessions with the following command: $ screen The console can now be locked with the following key combination: ctrl+a x

c
The rsh-server package must not be installed.
CM-7 - High - CCI-000381 - V-38591 - SV-50392r1_rule
RMF Control
CM-7
Severity
H
CCI
CCI-000381
Version
RHEL-06-000213
Vuln IDs
  • V-38591
Rule IDs
  • SV-50392r1_rule
The "rsh-server" package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation.
Checks: C-46149r1_chk

Run the following command to determine if the "rsh-server" package is installed: # rpm -q rsh-server If the package is installed, this is a finding.

Fix: F-43539r1_fix

The "rsh-server" package can be uninstalled with the following command: # yum erase rsh-server

b
The system must require administrator action to unlock an account locked by excessive failed login attempts.
AC-7 - Medium - CCI-000047 - V-38592 - SV-50393r2_rule
RMF Control
AC-7
Severity
M
CCI
CCI-000047
Version
RHEL-06-000356
Vuln IDs
  • V-38592
Rule IDs
  • SV-50393r2_rule
Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations.
Checks: C-46151r3_chk

To ensure the failed password attempt policy is configured correctly, run the following command: # grep pam_faillock /etc/pam.d/system-auth-ac # grep pam_faillock /etc/pam.d/password-auth-ac The output should show "unlock_time=&lt;some-large-number&gt;"; the largest acceptable value is 604800 seconds (one week). If that is not the case, this is a finding.

Fix: F-43541r2_fix

To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using "pam_faillock.so": Add the following lines immediately below the "pam_unix.so" statement in the AUTH section of "/etc/pam.d/system-auth-ac" and "/etc/pam.d/password-auth-ac": auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900 auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900 Note that any updates made to "/etc/pam.d/system-auth-ac" and "/etc/pam.d/password-auth-ac" will be overwritten by the "authconfig" program. The "authconfig" program should not be used.

b
The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
AC-8 - Medium - CCI-001384 - V-38593 - SV-50394r1_rule
RMF Control
AC-8
Severity
M
CCI
CCI-001384
Version
RHEL-06-000073
Vuln IDs
  • V-38593
Rule IDs
  • SV-50394r1_rule
An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.
Checks: C-46150r1_chk

To check if the system login banner is compliant, run the following command: $ cat /etc/issue If it does not display the required banner, this is a finding.

Fix: F-43540r1_fix

To configure the system login banner: Edit "/etc/issue". Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." OR: "I've read & consent to terms in IS user agreem't."

c
The rshd service must not be running.
AC-17 - High - CCI-000068 - V-38594 - SV-50395r2_rule
RMF Control
AC-17
Severity
H
CCI
CCI-000068
Version
RHEL-06-000214
Vuln IDs
  • V-38594
Rule IDs
  • SV-50395r2_rule
The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
Checks: C-46152r2_chk

To check that the "rsh" service is disabled in system boot configuration, run the following command: # chkconfig "rsh" --list Output should indicate the "rsh" service has either not been installed, or has been disabled, as shown in the example below: # chkconfig "rsh" --list rsh off OR error reading information on service rsh: No such file or directory If the service is running, this is a finding.

Fix: F-43542r3_fix

The "rsh" service, which is available with the "rsh-server" package and runs as a service through xinetd, should be disabled. The "rsh" service can be disabled with the following command: # chkconfig rsh off

b
The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
IA-2 - Medium - CCI-000765 - V-38595 - SV-50396r1_rule
RMF Control
IA-2
Severity
M
CCI
CCI-000765
Version
RHEL-06-000349
Vuln IDs
  • V-38595
Rule IDs
  • SV-50396r1_rule
Smart card login provides two-factor authentication stronger than that provided by a username/password combination. Smart cards leverage a PKI (public key infrastructure) in order to provide and verify credentials.
Checks: C-46154r1_chk

Interview the SA to determine if all accounts not exempted by policy are using CAC authentication. For DoD systems, the following systems and accounts are exempt from using smart card (CAC) authentication: SIPRNET systems Standalone systems Application accounts Temporary employee accounts, such as students or interns, who cannot easily receive a CAC or PIV Operational tactical locations that are not collocated with RAPIDS workstations to issue CAC or ALT Test systems, such as those with an Interim Approval to Test (IATT) and use a separate VPN, firewall, or security measure preventing access to network and system components from outside the protection boundary documented in the IATT. If non-exempt accounts are not using CAC authentication, this is a finding.

Fix: F-43544r1_fix

To enable smart card authentication, consult the documentation at: https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/enabling-smart-card-login.html

b
The system must implement virtual address space randomization.
CM-6 - Medium - CCI-000366 - V-38596 - SV-50397r2_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000078
Vuln IDs
  • V-38596
Rule IDs
  • SV-50397r2_rule
Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt at exploitation. Additionally, ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return oriented programming (ROP) techniques.
Checks: C-46153r2_chk

The status of the "kernel.randomize_va_space" kernel parameter can be queried by running the following commands: $ sysctl kernel.randomize_va_space $ grep kernel.randomize_va_space /etc/sysctl.conf The output of the command should indicate a value of at least "1" (preferably "2"). If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". If the correct value is not returned, this is a finding.

Fix: F-43543r1_fix

To set the runtime status of the "kernel.randomize_va_space" kernel parameter, run the following command: # sysctl -w kernel.randomize_va_space=2 If this is not the system's default value, add the following line to "/etc/sysctl.conf": kernel.randomize_va_space = 2

b
The system must limit the ability of processes to have simultaneous write and execute access to memory.
CM-6 - Medium - CCI-000366 - V-38597 - SV-50398r2_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000079
Vuln IDs
  • V-38597
Rule IDs
  • SV-50398r2_rule
ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range.
Checks: C-46155r3_chk

The status of the "kernel.exec-shield" kernel parameter can be queried by running the following command: $ sysctl kernel.exec-shield $ grep kernel.exec-shield /etc/sysctl.conf The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". If the correct value is not returned, this is a finding.

Fix: F-43545r1_fix

To set the runtime status of the "kernel.exec-shield" kernel parameter, run the following command: # sysctl -w kernel.exec-shield=1 If this is not the system's default value, add the following line to "/etc/sysctl.conf": kernel.exec-shield = 1

c
The rexecd service must not be running.
AC-17 - High - CCI-000068 - V-38598 - SV-50399r2_rule
RMF Control
AC-17
Severity
H
CCI
CCI-000068
Version
RHEL-06-000216
Vuln IDs
  • V-38598
Rule IDs
  • SV-50399r2_rule
The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
Checks: C-46156r3_chk

To check that the "rexec" service is disabled in system boot configuration, run the following command: # chkconfig "rexec" --list Output should indicate the "rexec" service has either not been installed, or has been disabled, as shown in the example below: # chkconfig "rexec" --list rexec off OR error reading information on service rexec: No such file or directory If the service is running, this is a finding.

Fix: F-43546r3_fix

The "rexec" service, which is available with the "rsh-server" package and runs as a service through xinetd, should be disabled. The "rexec" service can be disabled with the following command: # chkconfig rexec off

b
The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.
AC-8 - Medium - CCI-000048 - V-38599 - SV-50400r2_rule
RMF Control
AC-8
Severity
M
CCI
CCI-000048
Version
RHEL-06-000348
Vuln IDs
  • V-38599
Rule IDs
  • SV-50400r2_rule
This setting will cause the system greeting banner to be used for FTP connections as well.
Checks: C-46174r1_chk

To verify this configuration, run the following command: grep "banner_file" /etc/vsftpd/vsftpd.conf The output should show the value of "banner_file" is set to "/etc/issue", an example of which is shown below. # grep "banner_file" /etc/vsftpd/vsftpd.conf banner_file=/etc/issue If it does not, this is a finding.

Fix: F-43564r3_fix

Edit the vsftpd configuration file, which resides at "/etc/vsftpd/vsftpd.conf" by default. Add or correct the following configuration options. banner_file=/etc/issue Restart the vsftpd daemon. # service vsftpd restart

b
The system must not send ICMPv4 redirects by default.
CM-6 - Medium - CCI-000366 - V-38600 - SV-50401r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000080
Vuln IDs
  • V-38600
Rule IDs
  • SV-50401r1_rule
Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for routers.
Checks: C-46157r1_chk

The status of the "net.ipv4.conf.default.send_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.send_redirects The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". If the correct value is not returned, this is a finding.

Fix: F-43547r1_fix

To set the runtime status of the "net.ipv4.conf.default.send_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.send_redirects=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.default.send_redirects = 0

b
The system must not send ICMPv4 redirects from any interface.
CM-6 - Medium - CCI-000366 - V-38601 - SV-50402r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000081
Vuln IDs
  • V-38601
Rule IDs
  • SV-50402r1_rule
Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for routers.
Checks: C-46159r1_chk

The status of the "net.ipv4.conf.all.send_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.send_redirects The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf". If the correct value is not returned, this is a finding.

Fix: F-43548r1_fix

To set the runtime status of the "net.ipv4.conf.all.send_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.send_redirects=0 If this is not the system's default value, add the following line to "/etc/sysctl.conf": net.ipv4.conf.all.send_redirects = 0

c
The rlogind service must not be running.
AC-17 - High - CCI-001436 - V-38602 - SV-50403r2_rule
RMF Control
AC-17
Severity
H
CCI
CCI-001436
Version
RHEL-06-000218
Vuln IDs
  • V-38602
Rule IDs
  • SV-50403r2_rule
The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
Checks: C-46158r3_chk

To check that the "rlogin" service is disabled in system boot configuration, run the following command: # chkconfig "rlogin" --list Output should indicate the "rlogin" service has either not been installed, or has been disabled, as shown in the example below: # chkconfig "rlogin" --list rlogin off OR error reading information on service rlogin: No such file or directory If the service is running, this is a finding.

Fix: F-43549r3_fix

The "rlogin" service, which is available with the "rsh-server" package and runs as a service through xinetd, should be disabled. The "rlogin" service can be disabled with the following command: # chkconfig rlogin off

b
The ypserv package must not be installed.
CM-7 - Medium - CCI-000381 - V-38603 - SV-50404r1_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
RHEL-06-000220
Vuln IDs
  • V-38603
Rule IDs
  • SV-50404r1_rule
Removing the "ypserv" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.
Checks: C-46161r1_chk

Run the following command to determine if the "ypserv" package is installed: # rpm -q ypserv If the package is installed, this is a finding.

Fix: F-43551r1_fix

The "ypserv" package can be uninstalled with the following command: # yum erase ypserv

b
The ypbind service must not be running.
CM-7 - Medium - CCI-000382 - V-38604 - SV-50405r2_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000382
Version
RHEL-06-000221
Vuln IDs
  • V-38604
Rule IDs
  • SV-50405r2_rule
Disabling the "ypbind" service ensures the system is not acting as a client in a NIS or NIS+ domain.
Checks: C-46162r2_chk

To check that the "ypbind" service is disabled in system boot configuration, run the following command: # chkconfig "ypbind" --list Output should indicate the "ypbind" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "ypbind" --list "ypbind" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "ypbind" is disabled through current runtime configuration: # service ypbind status If the service is disabled the command will return the following output: ypbind is stopped If the service is running, this is a finding.

Fix: F-43552r2_fix

The "ypbind" service, which allows the system to act as a client in a NIS or NIS+ domain, should be disabled. The "ypbind" service can be disabled with the following commands: # chkconfig ypbind off # service ypbind stop

b
The cron service must be running.
CM-6 - Medium - CCI-000366 - V-38605 - SV-50406r2_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000224
Vuln IDs
  • V-38605
Rule IDs
  • SV-50406r2_rule
Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.
Checks: C-46163r1_chk

Run the following command to determine the current status of the "crond" service: # service crond status If the service is enabled, it should return the following: crond is running... If the service is not running, this is a finding.

Fix: F-43553r2_fix

The "crond" service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The "crond" service can be enabled with the following commands: # chkconfig crond on # service crond start

b
The tftp-server package must not be installed.
CM-7 - Medium - CCI-000381 - V-38606 - SV-50407r1_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
RHEL-06-000222
Vuln IDs
  • V-38606
Rule IDs
  • SV-50407r1_rule
Removing the "tftp-server" package decreases the risk of the accidental (or intentional) activation of tftp services.
Checks: C-46164r1_chk

Run the following command to determine if the "tftp-server" package is installed: # rpm -q tftp-server If the package is installed, this is a finding.

Fix: F-43554r1_fix

The "tftp-server" package can be removed with the following command: # yum erase tftp-server

c
The SSH daemon must be configured to use only the SSHv2 protocol.
IA-2 - High - CCI-000774 - V-38607 - SV-50408r1_rule
RMF Control
IA-2
Severity
H
CCI
CCI-000774
Version
RHEL-06-000227
Vuln IDs
  • V-38607
Rule IDs
  • SV-50408r1_rule
SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used.
Checks: C-46165r1_chk

To check which SSH protocol version is allowed, run the following command: # grep Protocol /etc/ssh/sshd_config If configured properly, output should be Protocol 2 If it is not, this is a finding.

Fix: F-43555r1_fix

Only SSH protocol version 2 connections should be permitted. The default setting in "/etc/ssh/sshd_config" is correct, and can be verified by ensuring that the following line appears: Protocol 2

a
The SSH daemon must set a timeout interval on idle sessions.
SC-10 - Low - CCI-001133 - V-38608 - SV-50409r1_rule
RMF Control
SC-10
Severity
L
CCI
CCI-001133
Version
RHEL-06-000230
Vuln IDs
  • V-38608
Rule IDs
  • SV-50409r1_rule
Causing idle users to be automatically logged out guards against compromises one system leading trivially to compromises on another.
Checks: C-46167r1_chk

Run the following command to see what the timeout interval is: # grep ClientAliveInterval /etc/ssh/sshd_config If properly configured, the output should be: ClientAliveInterval 900 If it is not, this is a finding.

Fix: F-43556r1_fix

SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out. To set an idle timeout interval, edit the following line in "/etc/ssh/sshd_config" as follows: ClientAliveInterval [interval] The timeout [interval] is given in seconds. To have a timeout of 15 minutes, set [interval] to 900. If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.

b
The TFTP service must not be running.
AC-17 - Medium - CCI-001436 - V-38609 - SV-50410r2_rule
RMF Control
AC-17
Severity
M
CCI
CCI-001436
Version
RHEL-06-000223
Vuln IDs
  • V-38609
Rule IDs
  • SV-50410r2_rule
Disabling the "tftp" service ensures the system is not acting as a tftp server, which does not provide encryption or authentication.
Checks: C-46166r2_chk

To check that the "tftp" service is disabled in system boot configuration, run the following command: # chkconfig "tftp" --list Output should indicate the "tftp" service has either not been installed, or has been disabled, as shown in the example below: # chkconfig "tftp" --list tftp off OR error reading information on service tftp: No such file or directory If the service is running, this is a finding.

Fix: F-43557r4_fix

The "tftp" service should be disabled. The "tftp" service can be disabled with the following command: # chkconfig tftp off

a
The SSH daemon must set a timeout count on idle sessions.
MA-4 - Low - CCI-000879 - V-38610 - SV-50411r1_rule
RMF Control
MA-4
Severity
L
CCI
CCI-000879
Version
RHEL-06-000231
Vuln IDs
  • V-38610
Rule IDs
  • SV-50411r1_rule
This ensures a user login will be terminated as soon as the "ClientAliveCountMax" is reached.
Checks: C-46168r1_chk

To ensure the SSH idle timeout will occur when the "ClientAliveCountMax" is set, run the following command: # grep ClientAliveCountMax /etc/ssh/sshd_config If properly configured, output should be: ClientAliveCountMax 0 If it is not, this is a finding.

Fix: F-43558r1_fix

To ensure the SSH idle timeout occurs precisely when the "ClientAliveCountMax" is set, edit "/etc/ssh/sshd_config" as follows: ClientAliveCountMax 0

b
The SSH daemon must ignore .rhosts files.
IA-2 - Medium - CCI-000766 - V-38611 - SV-50412r1_rule
RMF Control
IA-2
Severity
M
CCI
CCI-000766
Version
RHEL-06-000234
Vuln IDs
  • V-38611
Rule IDs
  • SV-50412r1_rule
SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.
Checks: C-46169r1_chk

To determine how the SSH daemon's "IgnoreRhosts" option is set, run the following command: # grep -i IgnoreRhosts /etc/ssh/sshd_config If no line, a commented line, or a line indicating the value "yes" is returned, then the required value is set. If the required value is not set, this is a finding.

Fix: F-43559r1_fix

SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via ".rhosts" files. To ensure this behavior is disabled, add or correct the following line in "/etc/ssh/sshd_config": IgnoreRhosts yes

b
The SSH daemon must not allow host-based authentication.
IA-2 - Medium - CCI-000766 - V-38612 - SV-50413r1_rule
RMF Control
IA-2
Severity
M
CCI
CCI-000766
Version
RHEL-06-000236
Vuln IDs
  • V-38612
Rule IDs
  • SV-50413r1_rule
SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.
Checks: C-46170r1_chk

To determine how the SSH daemon's "HostbasedAuthentication" option is set, run the following command: # grep -i HostbasedAuthentication /etc/ssh/sshd_config If no line, a commented line, or a line indicating the value "no" is returned, then the required value is set. If the required value is not set, this is a finding.

Fix: F-43560r1_fix

SSH's cryptographic host-based authentication is more secure than ".rhosts" authentication, since hosts are cryptographically authenticated. However, it is not recommended that hosts unilaterally trust one another, even within an organization. To disable host-based authentication, add or correct the following line in "/etc/ssh/sshd_config": HostbasedAuthentication no

b
The system must not permit root logins using remote access programs such as ssh.
IA-2 - Medium - CCI-000770 - V-38613 - SV-50414r1_rule
RMF Control
IA-2
Severity
M
CCI
CCI-000770
Version
RHEL-06-000237
Vuln IDs
  • V-38613
Rule IDs
  • SV-50414r1_rule
Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on root's password.
Checks: C-46171r1_chk

To determine how the SSH daemon's "PermitRootLogin" option is set, run the following command: # grep -i PermitRootLogin /etc/ssh/sshd_config If a line indicating "no" is returned, then the required value is set. If the required value is not set, this is a finding.

Fix: F-43561r1_fix

The root user should never be allowed to log in to a system directly over a network. To disable root login via SSH, add or correct the following line in "/etc/ssh/sshd_config": PermitRootLogin no

c
The SSH daemon must not allow authentication using an empty password.
IA-2 - High - CCI-000766 - V-38614 - SV-50415r1_rule
RMF Control
IA-2
Severity
H
CCI
CCI-000766
Version
RHEL-06-000239
Vuln IDs
  • V-38614
Rule IDs
  • SV-50415r1_rule
Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.
Checks: C-46172r1_chk

To determine how the SSH daemon's "PermitEmptyPasswords" option is set, run the following command: # grep -i PermitEmptyPasswords /etc/ssh/sshd_config If no line, a commented line, or a line indicating the value "no" is returned, then the required value is set. If the required value is not set, this is a finding.

Fix: F-43562r1_fix

To explicitly disallow remote login from accounts with empty passwords, add or correct the following line in "/etc/ssh/sshd_config": PermitEmptyPasswords no Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.

b
The SSH daemon must be configured with the Department of Defense (DoD) login banner.
AC-8 - Medium - CCI-000048 - V-38615 - SV-50416r1_rule
RMF Control
AC-8
Severity
M
CCI
CCI-000048
Version
RHEL-06-000240
Vuln IDs
  • V-38615
Rule IDs
  • SV-50416r1_rule
The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.
Checks: C-46173r1_chk

To determine how the SSH daemon's "Banner" option is set, run the following command: # grep -i Banner /etc/ssh/sshd_config If a line indicating /etc/issue is returned, then the required value is set. If the required value is not set, this is a finding.

Fix: F-43563r1_fix

To enable the warning banner and ensure it is consistent across the system, add or correct the following line in "/etc/ssh/sshd_config": Banner /etc/issue Another section contains information on how to create an appropriate system-wide warning banner.

a
The SSH daemon must not permit user environment settings.
AC-4 - Low - CCI-001414 - V-38616 - SV-50417r1_rule
RMF Control
AC-4
Severity
L
CCI
CCI-001414
Version
RHEL-06-000241
Vuln IDs
  • V-38616
Rule IDs
  • SV-50417r1_rule
SSH environment options potentially allow users to bypass access restriction in some configurations.
Checks: C-46175r1_chk

To ensure users are not able to present environment daemons, run the following command: # grep PermitUserEnvironment /etc/ssh/sshd_config If properly configured, output should be: PermitUserEnvironment no If it is not, this is a finding.

Fix: F-43565r1_fix

To ensure users are not able to present environment options to the SSH daemon, add or correct the following line in "/etc/ssh/sshd_config": PermitUserEnvironment no

b
The SSH daemon must be configured to use only FIPS 140-2 approved ciphers.
SC-13 - Medium - CCI-001144 - V-38617 - SV-50418r1_rule
RMF Control
SC-13
Severity
M
CCI
CCI-001144
Version
RHEL-06-000243
Vuln IDs
  • V-38617
Rule IDs
  • SV-50418r1_rule
Approved algorithms should impart some level of confidence in their implementation. These are also required for compliance.
Checks: C-46176r1_chk

Only FIPS-approved ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command: # grep Ciphers /etc/ssh/sshd_config The output should contain only those ciphers which are FIPS-approved, namely, the AES and 3DES ciphers. If that is not the case, this is a finding.

Fix: F-43566r1_fix

Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in "/etc/ssh/sshd_config" demonstrates use of FIPS-approved ciphers: Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc The man page "sshd_config(5)" contains a list of supported ciphers.

a
The avahi service must be disabled.
CM-6 - Low - CCI-000366 - V-38618 - SV-50419r2_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000246
Vuln IDs
  • V-38618
Rule IDs
  • SV-50419r2_rule
Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted.
Checks: C-46177r1_chk

To check that the "avahi-daemon" service is disabled in system boot configuration, run the following command: # chkconfig "avahi-daemon" --list Output should indicate the "avahi-daemon" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "avahi-daemon" --list "avahi-daemon" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "avahi-daemon" is disabled through current runtime configuration: # service avahi-daemon status If the service is disabled the command will return the following output: avahi-daemon is stopped If the service is running, this is a finding.

Fix: F-43567r2_fix

The "avahi-daemon" service can be disabled with the following commands: # chkconfig avahi-daemon off # service avahi-daemon stop

b
There must be no .netrc files on the system.
IA-5 - Medium - CCI-000196 - V-38619 - SV-50420r1_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000196
Version
RHEL-06-000347
Vuln IDs
  • V-38619
Rule IDs
  • SV-50420r1_rule
Unencrypted passwords for remote FTP servers may be stored in ".netrc" files. DoD policy requires passwords be encrypted in storage and not used in access scripts.
Checks: C-46179r1_chk

To check the system for the existence of any ".netrc" files, run the following command: # find /home -xdev -name .netrc If any .netrc files exist, this is a finding.

Fix: F-43569r1_fix

The ".netrc" files contain login information used to auto-login into FTP servers and reside in the user's home directory. These files may contain unencrypted passwords to remote FTP servers making them susceptible to access by unauthorized users and should not be used. Any ".netrc" files should be removed.

b
The system clock must be synchronized continuously, or at least daily.
AU-8 - Medium - CCI-000160 - V-38620 - SV-50421r1_rule
RMF Control
AU-8
Severity
M
CCI
CCI-000160
Version
RHEL-06-000247
Vuln IDs
  • V-38620
Rule IDs
  • SV-50421r1_rule
Enabling the "ntpd" service ensures that the "ntpd" service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches.
Checks: C-46178r1_chk

Run the following command to determine the current status of the "ntpd" service: # service ntpd status If the service is enabled, it should return the following: ntpd is running... If the service is not running, this is a finding.

Fix: F-43568r1_fix

The "ntpd" service can be enabled with the following command: # chkconfig ntpd on # service ntpd start

b
The system clock must be synchronized to an authoritative DoD time source.
AU-8 - Medium - CCI-000160 - V-38621 - SV-50422r1_rule
RMF Control
AU-8
Severity
M
CCI
CCI-000160
Version
RHEL-06-000248
Vuln IDs
  • V-38621
Rule IDs
  • SV-50422r1_rule
Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events. Using a trusted NTP server provided by your organization is recommended.
Checks: C-46180r1_chk

A remote NTP server should be configured for time synchronization. To verify one is configured, open the following file. /etc/ntp.conf In the file, there should be a section similar to the following: # --- OUR TIMESERVERS ----- server [ntpserver] If this is not the case, this is a finding.

Fix: F-43570r1_fix

To specify a remote NTP server for time synchronization, edit the file "/etc/ntp.conf". Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver. server [ntpserver] This instructs the NTP software to contact that remote server to obtain time data.

b
Mail relaying must be restricted.
CM-7 - Medium - CCI-000382 - V-38622 - SV-50423r1_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000382
Version
RHEL-06-000249
Vuln IDs
  • V-38622
Rule IDs
  • SV-50423r1_rule
This ensures "postfix" accepts mail messages (such as cron job reports) from the local system only, and not from the network, which protects it from network attack.
Checks: C-46182r1_chk

Run the following command to ensure postfix accepts mail messages from only the local system: $ grep inet_interfaces /etc/postfix/main.cf If properly configured, the output should show only "localhost". If it does not, this is a finding.

Fix: F-43572r1_fix

Edit the file "/etc/postfix/main.cf" to ensure that only the following "inet_interfaces" line appears: inet_interfaces = localhost

b
All rsyslog-generated log files must have mode 0600 or less permissive.
SI-11 - Medium - CCI-001314 - V-38623 - SV-50424r1_rule
RMF Control
SI-11
Severity
M
CCI
CCI-001314
Version
RHEL-06-000135
Vuln IDs
  • V-38623
Rule IDs
  • SV-50424r1_rule
Log files can contain valuable information regarding system configuration. If the system log files are not protected, unauthorized users could change the logged data, eliminating their forensic value.
Checks: C-46181r1_chk

The file permissions for all log files written by rsyslog should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's permissions: $ ls -l [LOGFILE] The permissions should be 600, or more restrictive. If the permissions are not correct, this is a finding.

Fix: F-43571r1_fix

The file permissions for all log files written by rsyslog should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's permissions: $ ls -l [LOGFILE] If the permissions are not 600 or more restrictive, run the following command to correct this: # chmod 0600 [LOGFILE]

a
System logs must be rotated daily.
CM-6 - Low - CCI-000366 - V-38624 - SV-50425r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000138
Vuln IDs
  • V-38624
Rule IDs
  • SV-50425r1_rule
Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.
Checks: C-46183r1_chk

Run the following commands to determine the current status of the "logrotate" service: # grep logrotate /var/log/cron* If the logrotate service is not run on a daily basis by cron, this is a finding.

Fix: F-43573r1_fix

The "logrotate" service should be installed or reinstalled if it is not installed and operating properly, by running the following command: # yum reinstall logrotate

b
If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms.
AC-17 - Medium - CCI-001453 - V-38625 - SV-50426r1_rule
RMF Control
AC-17
Severity
M
CCI
CCI-001453
Version
RHEL-06-000252
Vuln IDs
  • V-38625
Rule IDs
  • SV-50426r1_rule
The ssl directive specifies whether to use ssl or not. If not specified it will default to "no". It should be set to "start_tls" rather than doing LDAP over SSL.
Checks: C-46184r1_chk

If the system does not use LDAP for authentication or account information, this is not applicable. To ensure LDAP is configured to use TLS for all transactions, run the following command: $ grep start_tls /etc/pam_ldap.conf If no lines are returned, this is a finding.

Fix: F-43574r1_fix

Configure LDAP to enforce TLS use. First, edit the file "/etc/pam_ldap.conf", and add or correct the following lines: ssl start_tls Then review the LDAP server and ensure TLS has been configured.

b
The LDAP client must use a TLS connection using trust certificates signed by the site CA.
IA-2 - Medium - CCI-000776 - V-38626 - SV-50427r1_rule
RMF Control
IA-2
Severity
M
CCI
CCI-000776
Version
RHEL-06-000253
Vuln IDs
  • V-38626
Rule IDs
  • SV-50427r1_rule
The tls_cacertdir or tls_cacertfile directives are required when tls_checkpeer is configured (which is the default for openldap versions 2.1 and up). These directives define the path to the trust certificates signed by the site CA.
Checks: C-46185r1_chk

If the system does not use LDAP for authentication or account information, this is not applicable. To ensure TLS is configured with trust certificates, run the following command: # grep cert /etc/pam_ldap.conf If there is no output, or the lines are commented out, this is a finding.

Fix: F-43575r1_fix

Ensure a copy of the site's CA certificate has been placed in the file "/etc/pki/tls/CA/cacert.pem". Configure LDAP to enforce TLS use and to trust certificates signed by the site's CA. First, edit the file "/etc/pam_ldap.conf", and add or correct either of the following lines: tls_cacertdir /etc/pki/tls/CA or tls_cacertfile /etc/pki/tls/CA/cacert.pem Then review the LDAP server and ensure TLS has been configured.

a
The openldap-servers package must not be installed unless required.
CM-6 - Low - CCI-000366 - V-38627 - SV-50428r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000256
Vuln IDs
  • V-38627
Rule IDs
  • SV-50428r1_rule
Unnecessary packages should not be installed to decrease the attack surface of the system.
Checks: C-46187r1_chk

To verify the "openldap-servers" package is not installed, run the following command: $ rpm -q openldap-servers The output should show the following. package openldap-servers is not installed If it does not, this is a finding.

Fix: F-43577r1_fix

The "openldap-servers" package should be removed if not in use. Is this machine the OpenLDAP server? If not, remove the package. # yum erase openldap-servers The openldap-servers RPM is not installed by default on RHEL6 machines. It is needed only by the OpenLDAP server, not by the clients which use LDAP for authentication. If the system is not intended for use as an LDAP Server it should be removed.

b
The operating system must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event.
AU-3 - Medium - CCI-001487 - V-38628 - SV-50429r2_rule
RMF Control
AU-3
Severity
M
CCI
CCI-001487
Version
RHEL-06-000145
Vuln IDs
  • V-38628
Rule IDs
  • SV-50429r2_rule
Ensuring the "auditd" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.
Checks: C-46186r1_chk

Run the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, it should return the following: auditd is running... If the service is not running, this is a finding.

Fix: F-43576r2_fix

The "auditd" service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The "auditd" service can be enabled with the following commands: # chkconfig auditd on # service auditd start

b
The graphical desktop environment must set the idle timeout to no more than 15 minutes.
AC-11 - Medium - CCI-000057 - V-38629 - SV-50430r2_rule
RMF Control
AC-11
Severity
M
CCI
CCI-000057
Version
RHEL-06-000257
Vuln IDs
  • V-38629
Rule IDs
  • SV-50430r2_rule
Setting the idle delay controls when the screensaver will start, and can be combined with screen locking to prevent access from passersby.
Checks: C-46188r2_chk

To check the current idle time-out value, run the following command: $ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/idle_delay If properly configured, the output should be "15". If it is not, this is a finding.

Fix: F-43578r1_fix

Run the following command to set the idle time-out value for inactivity in the GNOME desktop to 15 minutes: # gconftool-2 \ --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type int \ --set /apps/gnome-screensaver/idle_delay 15

b
The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user to re-authenticate to unlock the environment.
AC-11 - Medium - CCI-000057 - V-38630 - SV-50431r2_rule
RMF Control
AC-11
Severity
M
CCI
CCI-000057
Version
RHEL-06-000258
Vuln IDs
  • V-38630
Rule IDs
  • SV-50431r2_rule
Enabling idle activation of the screen saver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require the login session does not have administrator rights and the display station is located in a controlled-access area.
Checks: C-46189r2_chk

To check the screensaver mandatory use status, run the following command: $ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/idle_activation_enabled If properly configured, the output should be "true". If it is not, this is a finding.

Fix: F-43579r1_fix

Run the following command to activate the screensaver in the GNOME desktop after a period of inactivity: # gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/gnome-screensaver/idle_activation_enabled true

b
The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods.
AC-17 - Medium - CCI-000067 - V-38631 - SV-50432r2_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000067
Version
RHEL-06-000148
Vuln IDs
  • V-38631
Rule IDs
  • SV-50432r2_rule
Ensuring the "auditd" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.
Checks: C-46190r1_chk

Run the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, it should return the following: auditd is running... If the service is not running, this is a finding.

Fix: F-43580r2_fix

The "auditd" service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The "auditd" service can be enabled with the following commands: # chkconfig auditd on # service auditd start

b
The operating system must produce audit records containing sufficient information to establish what type of events occurred.
AU-3 - Medium - CCI-000130 - V-38632 - SV-50433r2_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
RHEL-06-000154
Vuln IDs
  • V-38632
Rule IDs
  • SV-50433r2_rule
Ensuring the "auditd" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.
Checks: C-46191r1_chk

Run the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, it should return the following: auditd is running... If the service is not running, this is a finding.

Fix: F-43581r2_fix

The "auditd" service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The "auditd" service can be enabled with the following commands: # chkconfig auditd on # service auditd start

b
The system must set a maximum audit log file size.
CM-6 - Medium - CCI-000366 - V-38633 - SV-50434r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000160
Vuln IDs
  • V-38633
Rule IDs
  • SV-50434r1_rule
The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.
Checks: C-46192r1_chk

Inspect "/etc/audit/auditd.conf" and locate the following line to determine how much data the system will retain in each audit log file: "# grep max_log_file /etc/audit/auditd.conf" max_log_file = 6 If the system audit data threshold hasn't been properly set up, this is a finding.

Fix: F-43582r1_fix

Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting the correct value for [STOREMB]: max_log_file = [STOREMB] Set the value to "6" (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data.

b
The system must rotate audit log files that reach the maximum file size.
CM-6 - Medium - CCI-000366 - V-38634 - SV-50435r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000161
Vuln IDs
  • V-38634
Rule IDs
  • SV-50435r1_rule
Automatically rotating logs (by setting this to "rotate") minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, "keep_logs" can be employed.
Checks: C-46193r1_chk

Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to rotate logs when they reach their maximum size: "# grep max_log_file_action /etc/audit/auditd.conf" max_log_file_action "rotate" If the system has not been properly set up to rotate audit logs, this is a finding.

Fix: F-43583r1_fix

The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by "auditd", add or correct the line in "/etc/audit/auditd.conf": max_log_file_action = [ACTION] Possible values for [ACTION] are described in the "auditd.conf" man page. These include: "ignore" "syslog" "suspend" "rotate" "keep_logs" Set the "[ACTION]" to "rotate" to ensure log rotation occurs. This is the default. The setting is case-insensitive.

a
The audit system must be configured to audit all attempts to alter system time through adjtimex.
AU-12 - Low - CCI-000169 - V-38635 - SV-50436r2_rule
RMF Control
AU-12
Severity
L
CCI
CCI-000169
Version
RHEL-06-000165
Vuln IDs
  • V-38635
Rule IDs
  • SV-50436r2_rule
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
Checks: C-46194r1_chk

To determine if the system is configured to audit calls to the "adjtimex" system call, run the following command: # auditctl -l | grep syscall | grep adjtimex If the system is configured to audit this activity, it will return a line. If the system is not configured to audit time changes, this is a finding.

Fix: F-43584r2_fix

On a 32-bit system, add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b32 -S adjtimex -k audit_time_rules On a 64-bit system, add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b64 -S adjtimex -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules

b
The system must retain enough rotated audit logs to cover the required log retention period.
CM-6 - Medium - CCI-000366 - V-38636 - SV-50437r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000159
Vuln IDs
  • V-38636
Rule IDs
  • SV-50437r1_rule
The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.
Checks: C-46195r1_chk

Inspect "/etc/audit/auditd.conf" and locate the following line to determine how many logs the system is configured to retain after rotation: "# grep num_logs /etc/audit/auditd.conf" num_logs = 5 If the overall system log file(s) retention hasn't been properly set up, this is a finding.

Fix: F-43585r1_fix

Determine how many log files "auditd" should retain when it rotates logs. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting [NUMLOGS] with the correct value: num_logs = [NUMLOGS] Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation.

b
The system package management tool must verify contents of all files associated with the audit package.
AU-9 - Medium - CCI-001496 - V-38637 - SV-50438r2_rule
RMF Control
AU-9
Severity
M
CCI
CCI-001496
Version
RHEL-06-000281
Vuln IDs
  • V-38637
Rule IDs
  • SV-50438r2_rule
The hash on important files like audit system executables should match the information given by the RPM database. Audit executables with erroneous hashes could be a sign of nefarious activity on the system.
Checks: C-46196r3_chk

The following command will list which audit files on the system have file hashes different from what is expected by the RPM database. # rpm -V audit | awk '$1 ~ /..5/ &amp;&amp; $2 != "c"' If there is output, this is a finding.

Fix: F-43586r1_fix

The RPM package management system can check the hashes of audit system package files. Run the following command to list which audit files on the system have hashes that differ from what is expected by the RPM database: # rpm -V audit | grep '^..5' A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file that has changed was not expected to then refresh from distribution media or online repositories. rpm -Uvh [affected_package] OR yum reinstall [affected_package]

b
The graphical desktop environment must have automatic lock enabled.
AC-11 - Medium - CCI-000057 - V-38638 - SV-50439r2_rule
RMF Control
AC-11
Severity
M
CCI
CCI-000057
Version
RHEL-06-000259
Vuln IDs
  • V-38638
Rule IDs
  • SV-50439r2_rule
Enabling the activation of the screen lock after an idle period ensures password entry will be required in order to access the system, preventing access by passersby.
Checks: C-46198r2_chk

To check the status of the idle screen lock activation, run the following command: $ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/lock_enabled If properly configured, the output should be "true". If it is not, this is a finding.

Fix: F-43587r1_fix

Run the following command to activate locking of the screensaver in the GNOME desktop when it is activated: # gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/gnome-screensaver/lock_enabled true

a
The system must display a publicly-viewable pattern during a graphical desktop environment session lock.
AC-11 - Low - CCI-000060 - V-38639 - SV-50440r2_rule
RMF Control
AC-11
Severity
L
CCI
CCI-000060
Version
RHEL-06-000260
Vuln IDs
  • V-38639
Rule IDs
  • SV-50440r2_rule
Setting the screensaver mode to blank-only conceals the contents of the display from passersby.
Checks: C-46199r3_chk

To ensure the screensaver is configured to be blank, run the following command: $ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/mode If properly configured, the output should be "blank-only". If it is not, this is a finding.

Fix: F-43588r2_fix

Run the following command to set the screensaver mode in the GNOME desktop to a blank screen: # gconftool-2 \ --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type string \ --set /apps/gnome-screensaver/mode blank-only

a
The Automatic Bug Reporting Tool (abrtd) service must not be running.
CM-7 - Low - CCI-000382 - V-38640 - SV-50441r2_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000382
Version
RHEL-06-000261
Vuln IDs
  • V-38640
Rule IDs
  • SV-50441r2_rule
Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the local machine, as well as sensitive information from within a process's address space or registers.
Checks: C-46200r1_chk

To check that the "abrtd" service is disabled in system boot configuration, run the following command: # chkconfig "abrtd" --list Output should indicate the "abrtd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "abrtd" --list "abrtd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "abrtd" is disabled through current runtime configuration: # service abrtd status If the service is disabled the command will return the following output: abrtd is stopped If the service is running, this is a finding.

Fix: F-43589r2_fix

The Automatic Bug Reporting Tool ("abrtd") daemon collects and reports crash data when an application crash is detected. Using a variety of plugins, abrtd can email crash reports to system administrators, log crash reports to files, or forward crash reports to a centralized issue tracking system such as RHTSupport. The "abrtd" service can be disabled with the following commands: # chkconfig abrtd off # service abrtd stop

a
The atd service must be disabled.
CM-7 - Low - CCI-000382 - V-38641 - SV-50442r2_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000382
Version
RHEL-06-000262
Vuln IDs
  • V-38641
Rule IDs
  • SV-50442r2_rule
The "atd" service could be used by an unsophisticated insider to carry out activities outside of a normal login session, which could complicate accountability. Furthermore, the need to schedule tasks with "at" or "batch" is not common.
Checks: C-46201r2_chk

If the system uses the "atd" service, this is not applicable. To check that the "atd" service is disabled in system boot configuration, run the following command: # chkconfig "atd" --list Output should indicate the "atd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "atd" --list "atd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "atd" is disabled through current runtime configuration: # service atd status If the service is disabled the command will return the following output: atd is stopped If the service is running, this is a finding.

Fix: F-43590r2_fix

The "at" and "batch" commands can be used to schedule tasks that are meant to be executed only once. This allows delayed execution in a manner similar to cron, except that it is not recurring. The daemon "atd" keeps track of tasks scheduled via "at" and "batch", and executes them at the specified time. The "atd" service can be disabled with the following commands: # chkconfig atd off # service atd stop

a
The system default umask for daemons must be 027 or 022.
CM-6 - Low - CCI-000366 - V-38642 - SV-50443r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000346
Vuln IDs
  • V-38642
Rule IDs
  • SV-50443r1_rule
The umask influences the permissions assigned to files created by a process at run time. An unnecessarily permissive umask could result in files being created with insecure permissions.
Checks: C-46203r1_chk

To check the value of the "umask", run the following command: $ grep umask /etc/init.d/functions The output should show either "022" or "027". If it does not, this is a finding.

Fix: F-43592r1_fix

The file "/etc/init.d/functions" includes initialization parameters for most or all daemons started at boot time. The default umask of 022 prevents creation of group- or world-writable files. To set the default umask for daemons, edit the following line, inserting 022 or 027 for [UMASK] appropriately: umask [UMASK] Setting the umask to too restrictive a setting can cause serious errors at runtime. Many daemons on the system already individually restrict themselves to a umask of 077 in their own init scripts.

b
There must be no world-writable files on the system.
CM-6 - Medium - CCI-000366 - V-38643 - SV-50444r2_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000282
Vuln IDs
  • V-38643
Rule IDs
  • SV-50444r2_rule
Data in world-writable files can be modified by any user on the system. In almost all circumstances, files can be configured using a combination of user and group permissions to support whatever legitimate access is needed without the risk caused by world-writable files.
Checks: C-46202r2_chk

To find world-writable files, run the following command for each local partition [PART]: # find [PART] -xdev -type f -perm -002 If there is output, this is a finding.

Fix: F-43591r1_fix

It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account.

a
The ntpdate service must not be running.
CM-7 - Low - CCI-000382 - V-38644 - SV-50445r2_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000382
Version
RHEL-06-000265
Vuln IDs
  • V-38644
Rule IDs
  • SV-50445r2_rule
The "ntpdate" service may only be suitable for systems which are rebooted frequently enough that clock drift does not cause problems between reboots. In any event, the functionality of the ntpdate service is now available in the ntpd program and should be considered deprecated.
Checks: C-46204r1_chk

To check that the "ntpdate" service is disabled in system boot configuration, run the following command: # chkconfig "ntpdate" --list Output should indicate the "ntpdate" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "ntpdate" --list "ntpdate" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "ntpdate" is disabled through current runtime configuration: # service ntpdate status If the service is disabled the command will return the following output: ntpdate is stopped If the service is running, this is a finding.

Fix: F-43593r2_fix

The ntpdate service sets the local hardware clock by polling NTP servers when the system boots. It synchronizes to the NTP servers listed in "/etc/ntp/step-tickers" or "/etc/ntp.conf" and then sets the local hardware clock to the newly synchronized system time. The "ntpdate" service can be disabled with the following commands: # chkconfig ntpdate off # service ntpdate stop

a
The system default umask in /etc/login.defs must be 077.
CM-6 - Low - CCI-000366 - V-38645 - SV-50446r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000345
Vuln IDs
  • V-38645
Rule IDs
  • SV-50446r1_rule
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.
Checks: C-46205r1_chk

Verify the "umask" setting is configured correctly in the "/etc/login.defs" file by running the following command: # grep -i "umask" /etc/login.defs All output must show the value of "umask" set to 077, as shown in the below: # grep -i "umask" /etc/login.defs UMASK 077 If the above command returns no output, or if the umask is configured incorrectly, this is a finding.

Fix: F-43594r1_fix

To ensure the default umask controlled by "/etc/login.defs" is set properly, add or correct the "umask" setting in "/etc/login.defs" to read as follows: UMASK 077

a
The oddjobd service must not be running.
CM-7 - Low - CCI-000382 - V-38646 - SV-50447r2_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000382
Version
RHEL-06-000266
Vuln IDs
  • V-38646
Rule IDs
  • SV-50447r2_rule
The "oddjobd" service may provide necessary functionality in some environments but it can be disabled if it is not needed. Execution of tasks by privileged programs, on behalf of unprivileged ones, has traditionally been a source of privilege escalation security issues.
Checks: C-46206r2_chk

To check that the "oddjobd" service is disabled in system boot configuration, run the following command: # chkconfig "oddjobd" --list Output should indicate the "oddjobd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "oddjobd" --list "oddjobd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "oddjobd" is disabled through current runtime configuration: # service oddjobd status If the service is disabled the command will return the following output: oddjobd is stopped If the service is running, this is a finding.

Fix: F-43595r2_fix

The "oddjobd" service exists to provide an interface and access control mechanism through which specified privileged tasks can run tasks for unprivileged client applications. Communication with "oddjobd" is through the system message bus. The "oddjobd" service can be disabled with the following commands: # chkconfig oddjobd off # service oddjobd stop

a
The system default umask in /etc/profile must be 077.
CM-6 - Low - CCI-000366 - V-38647 - SV-50448r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000344
Vuln IDs
  • V-38647
Rule IDs
  • SV-50448r1_rule
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.
Checks: C-46207r1_chk

Verify the "umask" setting is configured correctly in the "/etc/profile" file by running the following command: # grep "umask" /etc/profile All output must show the value of "umask" set to 077, as shown in the below: # grep "umask" /etc/profile umask 077 If the above command returns no output, or if the umask is configured incorrectly, this is a finding.

Fix: F-43596r1_fix

To ensure the default umask controlled by "/etc/profile" is set properly, add or correct the "umask" setting in "/etc/profile" to read as follows: umask 077

a
The qpidd service must not be running.
CM-7 - Low - CCI-000382 - V-38648 - SV-50449r2_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000382
Version
RHEL-06-000267
Vuln IDs
  • V-38648
Rule IDs
  • SV-50449r2_rule
The qpidd service is automatically installed when the "base" package selection is selected during installation. The qpidd service listens for network connections which increases the attack surface of the system. If the system is not intended to receive AMQP traffic then the "qpidd" service is not needed and should be disabled or removed.
Checks: C-46208r2_chk

To check that the "qpidd" service is disabled in system boot configuration, run the following command: # chkconfig "qpidd" --list Output should indicate the "qpidd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "qpidd" --list "qpidd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "qpidd" is disabled through current runtime configuration: # service qpidd status If the service is disabled the command will return the following output: qpidd is stopped If the service is running, this is a finding.

Fix: F-43597r2_fix

The "qpidd" service provides high speed, secure, guaranteed delivery services. It is an implementation of the Advanced Message Queuing Protocol. By default the qpidd service will bind to port 5672 and listen for connection attempts. The "qpidd" service can be disabled with the following commands: # chkconfig qpidd off # service qpidd stop

a
The system default umask for the csh shell must be 077.
CM-6 - Low - CCI-000366 - V-38649 - SV-50450r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000343
Vuln IDs
  • V-38649
Rule IDs
  • SV-50450r1_rule
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.
Checks: C-46209r1_chk

Verify the "umask" setting is configured correctly in the "/etc/csh.cshrc" file by running the following command: # grep "umask" /etc/csh.cshrc All output must show the value of "umask" set to 077, as shown in the below: # grep "umask" /etc/csh.cshrc umask 077 If the above command returns no output, or if the umask is configured incorrectly, this is a finding.

Fix: F-43598r1_fix

To ensure the default umask for users of the C shell is set properly, add or correct the "umask" setting in "/etc/csh.cshrc" to read as follows: umask 077

a
The rdisc service must not be running.
CM-7 - Low - CCI-000382 - V-38650 - SV-50451r2_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000382
Version
RHEL-06-000268
Vuln IDs
  • V-38650
Rule IDs
  • SV-50451r2_rule
General-purpose systems typically have their network and routing information configured statically by a system administrator. Workstations or some special-purpose systems often use DHCP (instead of IRDP) to retrieve dynamic network configuration information.
Checks: C-46210r1_chk

To check that the "rdisc" service is disabled in system boot configuration, run the following command: # chkconfig "rdisc" --list Output should indicate the "rdisc" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "rdisc" --list "rdisc" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "rdisc" is disabled through current runtime configuration: # service rdisc status If the service is disabled the command will return the following output: rdisc is stopped If the service is running, this is a finding.

Fix: F-43599r2_fix

The "rdisc" service implements the client side of the ICMP Internet Router Discovery Protocol (IRDP), which allows discovery of routers on the local subnet. If a router is discovered then the local routing table is updated with a corresponding default route. By default this daemon is disabled. The "rdisc" service can be disabled with the following commands: # chkconfig rdisc off # service rdisc stop

a
The system default umask for the bash shell must be 077.
CM-6 - Low - CCI-000366 - V-38651 - SV-50452r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000342
Vuln IDs
  • V-38651
Rule IDs
  • SV-50452r1_rule
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.
Checks: C-46211r1_chk

Verify the "umask" setting is configured correctly in the "/etc/bashrc" file by running the following command: # grep "umask" /etc/bashrc All output must show the value of "umask" set to 077, as shown below: # grep "umask" /etc/bashrc umask 077 umask 077 If the above command returns no output, or if the umask is configured incorrectly, this is a finding.

Fix: F-43600r1_fix

To ensure the default umask for users of the Bash shell is set properly, add or correct the "umask" setting in "/etc/bashrc" to read as follows: umask 077

b
Remote file systems must be mounted with the nodev option.
CM-6 - Medium - CCI-000366 - V-38652 - SV-50453r2_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000269
Vuln IDs
  • V-38652
Rule IDs
  • SV-50453r2_rule
Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users.
Checks: C-46212r2_chk

To verify the "nodev" option is configured for all NFS mounts, run the following command: $ mount | grep "nfs " All NFS mounts should show the "nodev" setting in parentheses, along with other mount options. If the setting does not show, this is a finding.

Fix: F-43601r1_fix

Add the "nodev" option to the fourth column of "/etc/fstab" for the line which controls mounting of any NFS mounts.

c
The snmpd service must not use a default password.
CM-6 - High - CCI-000366 - V-38653 - SV-50454r1_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
RHEL-06-000341
Vuln IDs
  • V-38653
Rule IDs
  • SV-50454r1_rule
Presence of the default SNMP password enables querying of different system aspects and could result in unauthorized knowledge of the system.
Checks: C-46213r1_chk

To ensure the default password is not set, run the following command: # grep -v "^#" /etc/snmp/snmpd.conf| grep public There should be no output. If there is output, this is a finding.

Fix: F-43602r1_fix

Edit "/etc/snmp/snmpd.conf", remove default community string "public". Upon doing that, restart the SNMP service: # service snmpd restart

b
Remote file systems must be mounted with the nosuid option.
CM-6 - Medium - CCI-000366 - V-38654 - SV-50455r2_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000270
Vuln IDs
  • V-38654
Rule IDs
  • SV-50455r2_rule
NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem.
Checks: C-46214r3_chk

To verify the "nosuid" option is configured for all NFS mounts, run the following command: $ mount | grep nfs All NFS mounts should show the "nosuid" setting in parentheses, along with other mount options. If the setting does not show, this is a finding.

Fix: F-43603r1_fix

Add the "nosuid" option to the fourth column of "/etc/fstab" for the line which controls mounting of any NFS mounts.

a
The noexec option must be added to removable media partitions.
AC-19 - Low - CCI-000087 - V-38655 - SV-50456r1_rule
RMF Control
AC-19
Severity
L
CCI
CCI-000087
Version
RHEL-06-000271
Vuln IDs
  • V-38655
Rule IDs
  • SV-50456r1_rule
Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise.
Checks: C-46216r1_chk

To verify that binaries cannot be directly executed from removable media, run the following command: # grep noexec /etc/fstab The output should show "noexec" in use. If it does not, this is a finding.

Fix: F-43605r1_fix

The "noexec" mount option prevents the direct execution of binaries on the mounted filesystem. Users should not be allowed to execute binaries that exist on partitions mounted from removable media (such as a USB key). The "noexec" option prevents code from being executed directly from the media itself, and may therefore provide a line of defense against certain types of worms or malicious code. Add the "noexec" option to the fourth column of "/etc/fstab" for the line which controls mounting of any removable media partitions.

a
The system must use SMB client signing for connecting to samba servers using smbclient.
CM-6 - Low - CCI-000366 - V-38656 - SV-50457r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000272
Vuln IDs
  • V-38656
Rule IDs
  • SV-50457r1_rule
Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.
Checks: C-46217r1_chk

To verify that Samba clients running smbclient must use packet signing, run the following command: # grep signing /etc/samba/smb.conf The output should show: client signing = mandatory If it is not, this is a finding.

Fix: F-43606r1_fix

To require samba clients running "smbclient" to use packet signing, add the following to the "[global]" section of the Samba configuration file in "/etc/samba/smb.conf": client signing = mandatory Requiring samba clients such as "smbclient" to use packet signing ensures they can only communicate with servers that support packet signing.

a
The system must use SMB client signing for connecting to samba servers using mount.cifs.
CM-6 - Low - CCI-000366 - V-38657 - SV-50458r2_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000273
Vuln IDs
  • V-38657
Rule IDs
  • SV-50458r2_rule
Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.
Checks: C-46218r4_chk

If Samba is not in use, this is not applicable. To verify that Samba clients using mount.cifs must use packet signing, run the following command: # grep sec /etc/fstab /etc/mtab The output should show either "krb5i" or "ntlmv2i" in use. If it does not, this is a finding.

Fix: F-43607r1_fix

Require packet signing of clients who mount Samba shares using the "mount.cifs" program (e.g., those who specify shares in "/etc/fstab"). To do so, ensure signing options (either "sec=krb5i" or "sec=ntlmv2i") are used. See the "mount.cifs(8)" man page for more information. A Samba client should only communicate with servers who can support SMB packet signing.

b
The system must prohibit the reuse of passwords within twenty-four iterations.
IA-5 - Medium - CCI-000200 - V-38658 - SV-50459r1_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000200
Version
RHEL-06-000274
Vuln IDs
  • V-38658
Rule IDs
  • SV-50459r1_rule
Preventing reuse of previous passwords helps ensure that a compromised password is not reused by a user.
Checks: C-46219r1_chk

To verify the password reuse setting is compliant, run the following command: $ grep remember /etc/pam.d/system-auth The output should show the following at the end of the line: remember=24 If it does not, this is a finding.

Fix: F-43608r1_fix

Do not allow users to reuse recent passwords. This can be accomplished by using the "remember" option for the "pam_unix" PAM module. In the file "/etc/pam.d/system-auth", append "remember=24" to the line which refers to the "pam_unix.so" module, as shown: password sufficient pam_unix.so [existing_options] remember=24 The DoD requirement is 24 passwords.

a
The operating system must employ cryptographic mechanisms to protect information in storage.
MP-4 - Low - CCI-001019 - V-38659 - SV-50460r1_rule
RMF Control
MP-4
Severity
L
CCI
CCI-001019
Version
RHEL-06-000275
Vuln IDs
  • V-38659
Rule IDs
  • SV-50460r1_rule
The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost.
Checks: C-46220r1_chk

Determine if encryption must be used to protect data on the system. If encryption must be used and is not employed, this is a finding.

Fix: F-43609r1_fix

Red Hat Enterprise Linux 6 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time. For manual installations, select the "Encrypt" checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots. For automated/unattended installations, it is possible to use Kickstart by adding the "--encrypted" and "--passphrase=" options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition: part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=[PASSPHRASE] Any [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the "--passphrase=" option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation. Detailed information on encrypting partitions using LUKS can be found on the Red Had Documentation web site: https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html

b
The snmpd service must use only SNMP protocol version 3 or newer.
CM-6 - Medium - CCI-000366 - V-38660 - SV-50461r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000340
Vuln IDs
  • V-38660
Rule IDs
  • SV-50461r1_rule
Earlier versions of SNMP are considered insecure, as they potentially allow unauthorized access to detailed system management information.
Checks: C-46215r1_chk

To ensure only SNMPv3 or newer is used, run the following command: # grep 'v1\|v2c\|com2sec' /etc/snmp/snmpd.conf | grep -v '^#' There should be no output. If there is output, this is a finding.

Fix: F-43604r1_fix

Edit "/etc/snmp/snmpd.conf", removing any references to "v1", "v2c", or "com2sec". Upon doing that, restart the SNMP service: # service snmpd restart

a
The operating system must protect the confidentiality and integrity of data at rest.
SC-28 - Low - CCI-001199 - V-38661 - SV-50462r1_rule
RMF Control
SC-28
Severity
L
CCI
CCI-001199
Version
RHEL-06-000276
Vuln IDs
  • V-38661
Rule IDs
  • SV-50462r1_rule
The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost.
Checks: C-46221r1_chk

Determine if encryption must be used to protect data on the system. If encryption must be used and is not employed, this is a finding.

Fix: F-43610r1_fix

Red Hat Enterprise Linux 6 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time. For manual installations, select the "Encrypt" checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots. For automated/unattended installations, it is possible to use Kickstart by adding the "--encrypted" and "--passphrase=" options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition: part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=[PASSPHRASE] Any [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the "--passphrase=" option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation. Detailed information on encrypting partitions using LUKS can be found on the Red Had Documentation web site: https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html

a
The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of data at rest unless otherwise protected by alternative physical measures.
SC-28 - Low - CCI-001200 - V-38662 - SV-50463r1_rule
RMF Control
SC-28
Severity
L
CCI
CCI-001200
Version
RHEL-06-000277
Vuln IDs
  • V-38662
Rule IDs
  • SV-50463r1_rule
The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost.
Checks: C-46222r1_chk

Determine if encryption must be used to protect data on the system. If encryption must be used and is not employed, this is a finding.

Fix: F-43611r1_fix

Red Hat Enterprise Linux 6 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time. For manual installations, select the "Encrypt" checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots. For automated/unattended installations, it is possible to use Kickstart by adding the "--encrypted" and "--passphrase=" options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition: part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=[PASSPHRASE] Any [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the "--passphrase=" option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation. Detailed information on encrypting partitions using LUKS can be found on the Red Had Documentation web site: https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html

b
The system package management tool must verify permissions on all files and directories associated with the audit package.
AU-9 - Medium - CCI-001493 - V-38663 - SV-50464r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-001493
Version
RHEL-06-000278
Vuln IDs
  • V-38663
Rule IDs
  • SV-50464r1_rule
Permissions on audit binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.
Checks: C-46223r1_chk

The following command will list which audit files on the system have permissions different from what is expected by the RPM database: # rpm -V audit | grep '^.M' If there is any output, for each file or directory found, compare the RPM-expected permissions with the permissions on the file or directory: # rpm -q --queryformat "[%{FILENAMES} %{FILEMODES:perms}\n]" audit | grep [filename] # ls -lL [filename] If the existing permissions are more permissive than those expected by RPM, this is a finding.

Fix: F-43612r1_fix

The RPM package management system can restore file access permissions of the audit package files and directories. The following command will update audit files with permissions different from what is expected by the RPM database: # rpm --setperms audit

b
The system package management tool must verify ownership on all files and directories associated with the audit package.
AU-9 - Medium - CCI-001494 - V-38664 - SV-50465r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-001494
Version
RHEL-06-000279
Vuln IDs
  • V-38664
Rule IDs
  • SV-50465r1_rule
Ownership of audit binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.
Checks: C-46224r1_chk

The following command will list which audit files on the system have ownership different from what is expected by the RPM database: # rpm -V audit | grep '^.....U' If there is output, this is a finding.

Fix: F-43613r1_fix

The RPM package management system can restore file ownership of the audit package files and directories. The following command will update audit files with ownership different from what is expected by the RPM database: # rpm --setugids audit

b
The system package management tool must verify group-ownership on all files and directories associated with the audit package.
AU-9 - Medium - CCI-001495 - V-38665 - SV-50466r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-001495
Version
RHEL-06-000280
Vuln IDs
  • V-38665
Rule IDs
  • SV-50466r1_rule
Group-ownership of audit binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The group-ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.
Checks: C-46225r1_chk

The following command will list which audit files on the system have group-ownership different from what is expected by the RPM database: # rpm -V audit | grep '^......G' If there is output, this is a finding.

Fix: F-43614r1_fix

The RPM package management system can restore file group-ownership of the audit package files and directories. The following command will update audit files with group-ownership different from what is expected by the RPM database: # rpm --setugids audit

c
The system must use and update a DoD-approved virus scan program.
SI-3 - High - CCI-001668 - V-38666 - SV-50467r2_rule
RMF Control
SI-3
Severity
H
CCI
CCI-001668
Version
RHEL-06-000284
Vuln IDs
  • V-38666
Rule IDs
  • SV-50467r2_rule
Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems.
Checks: C-46226r2_chk

Inspect the system for a cron job or system service which executes a virus scanning tool regularly. To verify the McAfee VSEL system service is operational, run the following command: # /etc/init.d/nails status To check on the age of uvscan virus definition files, run the following command: # cd /opt/NAI/LinuxShield/engine/dat # ls -la avvscan.dat avvnames.dat avvclean.dat If virus scanning software does not run continuously, or at least daily, or has signatures that are out of date, this is a finding.

Fix: F-43615r2_fix

Install virus scanning software, which uses signatures to search for the presence of viruses on the filesystem. The McAfee VirusScan Enterprise for Linux virus scanning tool is provided for DoD systems. Ensure virus definition files are no older than 7 days, or their last release. Configure the virus scanning software to perform scans dynamically on all accessed files. If this is not possible, configure the system to scan all altered files on the system on a daily basis. If the system processes inbound SMTP mail, configure the virus scanner to scan all received mail.

b
The system must have a host-based intrusion detection tool installed.
SI-4 - Medium - CCI-001263 - V-38667 - SV-50468r2_rule
RMF Control
SI-4
Severity
M
CCI
CCI-001263
Version
RHEL-06-000285
Vuln IDs
  • V-38667
Rule IDs
  • SV-50468r2_rule
Adding host-based intrusion detection tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of system, which may not otherwise exist in an organization's systems management regime.
Checks: C-46227r1_chk

Inspect the system to determine if intrusion detection software has been installed. Verify the intrusion detection software is active. If no host-based intrusion detection tools are installed, this is a finding.

Fix: F-43616r2_fix

The base Red Hat platform already includes a sophisticated auditing system that can detect intruder activity, as well as SELinux, which provides host-based intrusion prevention capabilities by confining privileged programs and user sessions which may become compromised. In DoD environments, supplemental intrusion detection tools, such as, the McAfee Host-based Security System, are available to integrate with existing infrastructure. When these supplemental tools interfere with the proper functioning of SELinux, SELinux takes precedence.

c
The x86 Ctrl-Alt-Delete key sequence must be disabled.
CM-6 - High - CCI-000366 - V-38668 - SV-50469r1_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
RHEL-06-000286
Vuln IDs
  • V-38668
Rule IDs
  • SV-50469r1_rule
A locally logged-in user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.
Checks: C-46228r1_chk

Determine what actions the system takes when the Ctrl-Alt-Delete key sequence is pressed, run the following command: # cat `grep -l control-alt-delete /etc/init/*` Examine all lines following the "start on control-alt-delete" line in any files found. By default, the system uses "/etc/init/control-alt-delete.conf" to reboot the system with the following command when the Ctrl-Alt-Delete key sequence is pressed: exec /sbin/shutdown -r now "Control-Alt-Delete pressed" If the system is configured to run any shutdown command, this is a finding.

Fix: F-43617r1_fix

Configure the system to log a message instead of rebooting the system by altering the "shutdown" line in "/etc/init/control-alt-delete.conf" to read as follows: exec /usr/bin/logger -p security.info "Ctrl-Alt-Delete pressed"

a
The postfix service must be enabled for mail delivery.
CM-6 - Low - CCI-000366 - V-38669 - SV-50470r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000287
Vuln IDs
  • V-38669
Rule IDs
  • SV-50470r1_rule
Local mail delivery is essential to some system maintenance and notification tasks.
Checks: C-46230r1_chk

Run the following command to determine the current status of the "postfix" service: # service postfix status If the service is enabled, it should return the following: postfix is running... If the service is not enabled, this is a finding.

Fix: F-43618r1_fix

The Postfix mail transfer agent is used for local mail delivery within the system. The default configuration only listens for connections to the default SMTP port (port 25) on the loopback interface (127.0.0.1). It is recommended to leave this service enabled for local mail delivery. The "postfix" service can be enabled with the following command: # chkconfig postfix on # service postfix start

b
The operating system must detect unauthorized changes to software and information.
SI-7 - Medium - CCI-001297 - V-38670 - SV-50471r1_rule
RMF Control
SI-7
Severity
M
CCI
CCI-001297
Version
RHEL-06-000306
Vuln IDs
  • V-38670
Rule IDs
  • SV-50471r1_rule
By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.
Checks: C-46229r1_chk

To determine that periodic AIDE execution has been scheduled, run the following command: # grep aide /etc/crontab If there is no output, this is a finding.

Fix: F-43619r1_fix

AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.

b
The sendmail package must be removed.
CM-6 - Medium - CCI-000366 - V-38671 - SV-50472r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000288
Vuln IDs
  • V-38671
Rule IDs
  • SV-50472r1_rule
The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead.
Checks: C-46231r1_chk

Run the following command to determine if the "sendmail" package is installed: # rpm -q sendmail If the package is installed, this is a finding.

Fix: F-43620r1_fix

Sendmail is not the default mail transfer agent and is not installed by default. The "sendmail" package can be removed with the following command: # yum erase sendmail

a
The netconsole service must be disabled unless required.
CM-7 - Low - CCI-000382 - V-38672 - SV-50473r2_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000382
Version
RHEL-06-000289
Vuln IDs
  • V-38672
Rule IDs
  • SV-50473r2_rule
The "netconsole" service is not necessary unless there is a need to debug kernel panics, which is not common.
Checks: C-46233r1_chk

To check that the "netconsole" service is disabled in system boot configuration, run the following command: # chkconfig "netconsole" --list Output should indicate the "netconsole" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "netconsole" --list "netconsole" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "netconsole" is disabled through current runtime configuration: # service netconsole status If the service is disabled the command will return the following output: netconsole is stopped If the service is running, this is a finding.

Fix: F-43622r2_fix

The "netconsole" service is responsible for loading the netconsole kernel module, which logs kernel printk messages over UDP to a syslog server. This allows debugging of problems where disk logging fails and serial consoles are impractical. The "netconsole" service can be disabled with the following commands: # chkconfig netconsole off # service netconsole stop

b
The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.
CM-6 - Medium - CCI-001589 - V-38673 - SV-50474r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-001589
Version
RHEL-06-000307
Vuln IDs
  • V-38673
Rule IDs
  • SV-50474r1_rule
By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.
Checks: C-46232r1_chk

To determine that periodic AIDE execution has been scheduled, run the following command: # grep aide /etc/crontab If there is no output, this is a finding.

Fix: F-43621r1_fix

AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.

b
X Windows must not be enabled unless required.
AC-17 - Medium - CCI-001436 - V-38674 - SV-50475r1_rule
RMF Control
AC-17
Severity
M
CCI
CCI-001436
Version
RHEL-06-000290
Vuln IDs
  • V-38674
Rule IDs
  • SV-50475r1_rule
Unnecessary services should be disabled to decrease the attack surface of the system.
Checks: C-46234r1_chk

To verify the default runlevel is 3, run the following command: # grep initdefault /etc/inittab The output should show the following: id:3:initdefault: If it does not, this is a finding.

Fix: F-43623r1_fix

Setting the system's runlevel to 3 will prevent automatic startup of the X server. To do so, ensure the following line in "/etc/inittab" features a "3" as shown: id:3:initdefault:

a
Process core dumps must be disabled unless needed.
CM-6 - Low - CCI-000366 - V-38675 - SV-50476r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000308
Vuln IDs
  • V-38675
Rule IDs
  • SV-50476r1_rule
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
Checks: C-46235r1_chk

To verify that core dumps are disabled for all users, run the following command: $ grep core /etc/security/limits.conf The output should be: * hard core 0 If it is not, this is a finding.

Fix: F-43624r1_fix

To disable core dumps for all users, add the following line to "/etc/security/limits.conf": * hard core 0

a
The xorg-x11-server-common (X Windows) package must not be installed, unless required.
Low - V-38676 - SV-50477r1_rule
RMF Control
Severity
L
CCI
Version
RHEL-06-000291
Vuln IDs
  • V-38676
Rule IDs
  • SV-50477r1_rule
Unnecessary packages should not be installed to decrease the attack surface of the system.
Checks: C-46236r1_chk

To ensure the X Windows package group is removed, run the following command: $ rpm -qi xorg-x11-server-common The output should be: package xorg-x11-server-common is not installed If it is not, this is a finding.

Fix: F-43625r1_fix

Removing all packages which constitute the X Window System ensures users or malicious software cannot start X. To do so, run the following command: # yum groupremove "X Window System"

c
The NFS server must not have the insecure file locking option enabled.
IA-2 - High - CCI-000764 - V-38677 - SV-50478r1_rule
RMF Control
IA-2
Severity
H
CCI
CCI-000764
Version
RHEL-06-000309
Vuln IDs
  • V-38677
Rule IDs
  • SV-50478r1_rule
Allowing insecure file locking could allow for sensitive data to be viewed or edited by an unauthorized user.
Checks: C-46239r1_chk

To verify insecure file locking has been disabled, run the following command: # grep insecure_locks /etc/exports If there is output, this is a finding.

Fix: F-43626r1_fix

By default the NFS server requires secure file-lock requests, which require credentials from the client in order to lock a file. Most NFS clients send credentials with file lock requests, however, there are a few clients that do not send credentials when requesting a file-lock, allowing the client to only be able to lock world-readable files. To get around this, the "insecure_locks" option can be used so these clients can access the desired export. This poses a security risk by potentially allowing the client access to data for which it does not have authorization. Remove any instances of the "insecure_locks" option from the file "/etc/exports".

b
The audit system must provide a warning when allocated audit record storage volume reaches a documented percentage of maximum audit record storage capacity.
AU-5 - Medium - CCI-000143 - V-38678 - SV-50479r2_rule
RMF Control
AU-5
Severity
M
CCI
CCI-000143
Version
RHEL-06-000311
Vuln IDs
  • V-38678
Rule IDs
  • SV-50479r2_rule
Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.
Checks: C-46240r1_chk

Inspect "/etc/audit/auditd.conf" and locate the following line to determine whether the system is configured to email the administrator when disk space is starting to run low: # grep space_left /etc/audit/auditd.conf space_left = [num_megabytes] If the "num_megabytes" value does not correspond to a documented value for remaining audit partition capacity or if there is no locally documented value for remaining audit partition capacity, this is a finding.

Fix: F-43627r2_fix

The "auditd" service can be configured to take an action when disk space starts to run low. Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [num_megabytes] appropriately: space_left = [num_megabytes] The "num_megabytes" value should be set to a fraction of the total audit storage capacity available that will allow a system administrator to be notified with enough time to respond to the situation causing the capacity issues. This value must also be documented locally.

b
The DHCP client must be disabled if not needed.
CM-6 - Medium - CCI-000366 - V-38679 - SV-50480r2_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000292
Vuln IDs
  • V-38679
Rule IDs
  • SV-50480r2_rule
DHCP relies on trusting the local network. If the local network is not trusted, then it should not be used. However, the automatic configuration provided by DHCP is commonly used and the alternative, manual configuration, presents an unacceptable burden in many circumstances.
Checks: C-46242r2_chk

To verify that DHCP is not being used, examine the following file for each interface. # /etc/sysconfig/network-scripts/ifcfg-[IFACE] If there is any network interface without a associated "ifcfg" file, this is a finding. Look for the following: BOOTPROTO=none Also verify the following, substituting the appropriate values based on your site's addressing scheme: NETMASK=[local LAN netmask] IPADDR=[assigned IP address] GATEWAY=[local LAN default gateway] If it does not, this is a finding.

Fix: F-43628r2_fix

For each interface [IFACE] on the system (e.g. eth0), edit "/etc/sysconfig/network-scripts/ifcfg-[IFACE]" and make the following changes. Correct the BOOTPROTO line to read: BOOTPROTO=none Add or correct the following lines, substituting the appropriate values based on your site's addressing scheme: NETMASK=[local LAN netmask] IPADDR=[assigned IP address] GATEWAY=[local LAN default gateway]

b
The audit system must identify staff members to receive notifications of audit log storage volume capacity issues.
AU-5 - Medium - CCI-000139 - V-38680 - SV-50481r1_rule
RMF Control
AU-5
Severity
M
CCI
CCI-000139
Version
RHEL-06-000313
Vuln IDs
  • V-38680
Rule IDs
  • SV-50481r1_rule
Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.
Checks: C-46241r1_chk

Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to send email to an account when it needs to notify an administrator: action_mail_acct = root If auditd is not configured to send emails per identified actions, this is a finding.

Fix: F-43629r1_fix

The "auditd" service can be configured to send email to a designated account in certain situations. Add or correct the following line in "/etc/audit/auditd.conf" to ensure that administrators are notified via email for those situations: action_mail_acct = root

a
All GIDs referenced in /etc/passwd must be defined in /etc/group
CM-6 - Low - CCI-000366 - V-38681 - SV-50482r2_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000294
Vuln IDs
  • V-38681
Rule IDs
  • SV-50482r2_rule
Inconsistency in GIDs between /etc/passwd and /etc/group could lead to a user having unintended rights.
Checks: C-46243r2_chk

To ensure all GIDs referenced in /etc/passwd are defined in /etc/group, run the following command: # pwck -r | grep 'no group' There should be no output. If there is output, this is a finding.

Fix: F-43630r1_fix

Add a group to the system for each GID referenced without a corresponding group.

b
The Bluetooth kernel module must be disabled.
AC-19 - Medium - CCI-000085 - V-38682 - SV-50483r2_rule
RMF Control
AC-19
Severity
M
CCI
CCI-000085
Version
RHEL-06-000315
Vuln IDs
  • V-38682
Rule IDs
  • SV-50483r2_rule
If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.
Checks: C-46244r2_chk

If the system is configured to prevent the loading of the "bluetooth" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/false") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": $ grep -r bluetooth /etc/modprobe.conf /etc/modprobe.d If the system is configured to prevent the loading of the "net-pf-31" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/false") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": $ grep -r net-pf-31 /etc/modprobe.conf /etc/modprobe.d If no line is returned, this is a finding.

Fix: F-43631r2_fix

The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate "/etc/modprobe.d" configuration file to prevent the loading of the Bluetooth module: install net-pf-31 /bin/false install bluetooth /bin/false

a
All accounts on the system must have unique user or account names
IA-8 - Low - CCI-000804 - V-38683 - SV-50484r1_rule
RMF Control
IA-8
Severity
L
CCI
CCI-000804
Version
RHEL-06-000296
Vuln IDs
  • V-38683
Rule IDs
  • SV-50484r1_rule
Unique usernames allow for accountability on the system.
Checks: C-46245r1_chk

Run the following command to check for duplicate account names: # pwck -rq If there are no duplicate names, no line will be returned. If a line is returned, this is a finding.

Fix: F-43632r1_fix

Change usernames, or delete accounts, so each has a unique name.

a
The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.
AC-10 - Low - CCI-000054 - V-38684 - SV-50485r1_rule
RMF Control
AC-10
Severity
L
CCI
CCI-000054
Version
RHEL-06-000319
Vuln IDs
  • V-38684
Rule IDs
  • SV-50485r1_rule
Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions.
Checks: C-46246r1_chk

Run the following command to ensure the "maxlogins" value is configured for all users on the system: # grep "maxlogins" /etc/security/limits.conf You should receive output similar to the following: * hard maxlogins 10 If it is not set to 10 or a documented site-defined number, this is a finding.

Fix: F-43633r1_fix

Limiting the number of allowed users and sessions per user can limit risks related to denial of service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. To set the number of concurrent sessions per user add the following line in "/etc/security/limits.conf": * hard maxlogins 10 A documented site-defined number may be substituted for 10 in the above.

a
Temporary accounts must be provisioned with an expiration date.
AC-2 - Low - CCI-000016 - V-38685 - SV-50486r1_rule
RMF Control
AC-2
Severity
L
CCI
CCI-000016
Version
RHEL-06-000297
Vuln IDs
  • V-38685
Rule IDs
  • SV-50486r1_rule
When temporary accounts are created, there is a risk they may remain in place and active after the need for them no longer exists. Account expiration greatly reduces the risk of accounts being misused or hijacked.
Checks: C-46247r1_chk

For every temporary account, run the following command to obtain its account aging and expiration information: # chage -l [USER] Verify each of these accounts has an expiration date set as documented. If any temporary accounts have no expiration date set or do not expire within a documented time frame, this is a finding.

Fix: F-43634r1_fix

In the event temporary accounts are required, configure the system to terminate them after a documented time period. For every temporary account, run the following command to set an expiration date on it, substituting "[USER]" and "[YYYY-MM-DD]" appropriately: # chage -E [YYYY-MM-DD] [USER] "[YYYY-MM-DD]" indicates the documented expiration date for the account.

b
The systems local firewall must implement a deny-all, allow-by-exception policy for forwarded packets.
SC-7 - Medium - CCI-001109 - V-38686 - SV-50487r1_rule
RMF Control
SC-7
Severity
M
CCI
CCI-001109
Version
RHEL-06-000320
Vuln IDs
  • V-38686
Rule IDs
  • SV-50487r1_rule
In "iptables" the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to "DROP" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted.
Checks: C-46248r1_chk

Run the following command to ensure the default "FORWARD" policy is "DROP": grep ":FORWARD" /etc/sysconfig/iptables The output must be the following: # grep ":FORWARD" /etc/sysconfig/iptables :FORWARD DROP [0:0] If it is not, this is a finding.

Fix: F-43635r1_fix

To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interface to another, add or correct the following line in "/etc/sysconfig/iptables": :FORWARD DROP [0:0]

a
The system must provide VPN connectivity for communications over untrusted networks.
SC-9 - Low - CCI-001130 - V-38687 - SV-50488r1_rule
RMF Control
SC-9
Severity
L
CCI
CCI-001130
Version
RHEL-06-000321
Vuln IDs
  • V-38687
Rule IDs
  • SV-50488r1_rule
Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network.
Checks: C-46249r1_chk

Run the following command to determine if the "openswan" package is installed: # rpm -q openswan If the package is not installed, this is a finding.

Fix: F-43636r1_fix

The Openswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. The "openswan" package can be installed with the following command: # yum install openswan

b
A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
AC-8 - Medium - CCI-000050 - V-38688 - SV-50489r2_rule
RMF Control
AC-8
Severity
M
CCI
CCI-000050
Version
RHEL-06-000324
Vuln IDs
  • V-38688
Rule IDs
  • SV-50489r2_rule
An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.
Checks: C-46250r2_chk

To ensure a login warning banner is enabled, run the following: $ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gdm/simple-greeter/banner_message_enable Search for the "banner_message_enable" schema. If properly configured, the "default" value should be "true". If it is not, this is a finding.

Fix: F-43637r2_fix

To enable displaying a login warning banner in the GNOME Display Manager's login screen, run the following command: # gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/gdm/simple-greeter/banner_message_enable true To display a banner, this setting must be enabled and then banner text must also be set.

b
The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
AC-8 - Medium - CCI-001384 - V-38689 - SV-50490r2_rule
RMF Control
AC-8
Severity
M
CCI
CCI-001384
Version
RHEL-06-000326
Vuln IDs
  • V-38689
Rule IDs
  • SV-50490r2_rule
An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.
Checks: C-46252r2_chk

To ensure login warning banner text is properly set, run the following: $ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gdm/simple-greeter/banner_message_text If properly configured, the proper banner text will appear within this schema. The DoD required text is either: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." OR: "I've read &amp; consent to terms in IS user agreem't." If the DoD required banner text is not appear in the schema, this is a finding.

Fix: F-43638r2_fix

To set the text shown by the GNOME Display Manager in the login screen, run the following command: # gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type string \ --set /apps/gdm/simple-greeter/banner_message_text \ "[DoD required text]" Where the DoD required text is either: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." OR: "I've read & consent to terms in IS user agreem't." When entering a warning banner that spans several lines, remember to begin and end the string with """. This command writes directly to the file "/var/lib/gdm/.gconf/apps/gdm/simple-greeter/%gconf.xml", and this file can later be edited directly if necessary.

a
Emergency accounts must be provisioned with an expiration date.
AC-2 - Low - CCI-001682 - V-38690 - SV-50491r1_rule
RMF Control
AC-2
Severity
L
CCI
CCI-001682
Version
RHEL-06-000298
Vuln IDs
  • V-38690
Rule IDs
  • SV-50491r1_rule
When emergency accounts are created, there is a risk they may remain in place and active after the need for them no longer exists. Account expiration greatly reduces the risk of accounts being misused or hijacked.
Checks: C-46251r1_chk

For every emergency account, run the following command to obtain its account aging and expiration information: # chage -l [USER] Verify each of these accounts has an expiration date set as documented. If any emergency accounts have no expiration date set or do not expire within a documented time frame, this is a finding.

Fix: F-43639r1_fix

In the event emergency accounts are required, configure the system to terminate them after a documented time period. For every emergency account, run the following command to set an expiration date on it, substituting "[USER]" and "[YYYY-MM-DD]" appropriately: # chage -E [YYYY-MM-DD] [USER] "[YYYY-MM-DD]" indicates the documented expiration date for the account.

b
The Bluetooth service must be disabled.
AC-19 - Medium - CCI-000085 - V-38691 - SV-50492r1_rule
RMF Control
AC-19
Severity
M
CCI
CCI-000085
Version
RHEL-06-000331
Vuln IDs
  • V-38691
Rule IDs
  • SV-50492r1_rule
Disabling the "bluetooth" service prevents the system from attempting connections to Bluetooth devices, which entails some security risk. Nevertheless, variation in this risk decision may be expected due to the utility of Bluetooth connectivity and its limited range.
Checks: C-46253r1_chk

To check that the "bluetooth" service is disabled in system boot configuration, run the following command: # chkconfig "bluetooth" --list Output should indicate the "bluetooth" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "bluetooth" --list "bluetooth" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "bluetooth" is disabled through current runtime configuration: # service bluetooth status If the service is disabled the command will return the following output: bluetooth is stopped If the service is running, this is a finding.

Fix: F-43640r1_fix

The "bluetooth" service can be disabled with the following command: # chkconfig bluetooth off # service bluetooth stop

a
Accounts must be locked upon 35 days of inactivity.
AC-2 - Low - CCI-000017 - V-38692 - SV-50493r1_rule
RMF Control
AC-2
Severity
L
CCI
CCI-000017
Version
RHEL-06-000334
Vuln IDs
  • V-38692
Rule IDs
  • SV-50493r1_rule
Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.
Checks: C-46254r2_chk

To verify the "INACTIVE" setting, run the following command: grep "INACTIVE" /etc/default/useradd The output should indicate the "INACTIVE" configuration option is set to an appropriate integer as shown in the example below: # grep "INACTIVE" /etc/default/useradd INACTIVE=35 If it does not, this is a finding.

Fix: F-43641r2_fix

To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in "/etc/default/useradd", substituting "[NUM_DAYS]" appropriately: INACTIVE=[NUM_DAYS] A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the "useradd" man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.

a
The system must require passwords to contain no more than three consecutive repeating characters.
CM-6 - Low - CCI-000366 - V-38693 - SV-50494r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000299
Vuln IDs
  • V-38693
Rule IDs
  • SV-50494r1_rule
Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.
Checks: C-46255r1_chk

To check the maximum value for consecutive repeating characters, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth Look for the value of the "maxrepeat" parameter. The DoD requirement is 3. If maxrepeat is not found or not set to the required value, this is a finding.

Fix: F-43642r1_fix

The pam_cracklib module's "maxrepeat" parameter controls requirements for consecutive repeating characters. Edit the "/etc/pam.d/system-auth" file to include the following line prior to the "password include system-auth-ac" line: password required pam_cracklib.so maxrepeat=3

a
The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization defined time period of inactivity.
IA-4 - Low - CCI-000795 - V-38694 - SV-50495r1_rule
RMF Control
IA-4
Severity
L
CCI
CCI-000795
Version
RHEL-06-000335
Vuln IDs
  • V-38694
Rule IDs
  • SV-50495r1_rule
Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.
Checks: C-46256r1_chk

To verify the "INACTIVE" setting, run the following command: grep "INACTIVE" /etc/default/useradd The output should indicate the "INACTIVE" configuration option is set to an appropriate integer as shown in the example below: # grep "INACTIVE" /etc/default/useradd INACTIVE=35 If it does not, this is a finding.

Fix: F-43643r2_fix

To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in "/etc/default/useradd", substituting "[NUM_DAYS]" appropriately: INACTIVE=[NUM_DAYS] A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the "useradd" man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.

b
A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.
CM-6 - Medium - CCI-000374 - V-38695 - SV-50496r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000374
Version
RHEL-06-000302
Vuln IDs
  • V-38695
Rule IDs
  • SV-50496r1_rule
By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.
Checks: C-46257r1_chk

To determine that periodic AIDE execution has been scheduled, run the following command: # grep aide /etc/crontab If there is no output or if aide is not run at least weekly, this is a finding.

Fix: F-43644r1_fix

AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.

b
The operating system must employ automated mechanisms, per organization defined frequency, to detect the addition of unauthorized components/devices into the operating system.
CM-8 - Medium - CCI-000416 - V-38696 - SV-50497r1_rule
RMF Control
CM-8
Severity
M
CCI
CCI-000416
Version
RHEL-06-000303
Vuln IDs
  • V-38696
Rule IDs
  • SV-50497r1_rule
By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.
Checks: C-46258r1_chk

To determine that periodic AIDE execution has been scheduled, run the following command: # grep aide /etc/crontab If there is no output, this is a finding.

Fix: F-43645r1_fix

AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.

a
The sticky bit must be set on all public directories.
CM-6 - Low - CCI-000366 - V-38697 - SV-50498r2_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000336
Vuln IDs
  • V-38697
Rule IDs
  • SV-50498r2_rule
Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure. The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, and by users for temporary file storage - such as /tmp - and for directories requiring global read/write access.
Checks: C-46259r4_chk

To find world-writable directories that lack the sticky bit, run the following command for each local partition [PART]: # find [PART] -xdev -type d -perm -002 \! -perm -1000 If any world-writable directories are missing the sticky bit, this is a finding.

Fix: F-43646r1_fix

When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes. To set the sticky bit on a world-writable directory [DIR], run the following command: # chmod +t [DIR]

b
The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization defined frequency.
RA-5 - Medium - CCI-001069 - V-38698 - SV-50499r1_rule
RMF Control
RA-5
Severity
M
CCI
CCI-001069
Version
RHEL-06-000304
Vuln IDs
  • V-38698
Rule IDs
  • SV-50499r1_rule
By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.
Checks: C-46261r1_chk

To determine that periodic AIDE execution has been scheduled, run the following command: # grep aide /etc/crontab If there is no output, this is a finding.

Fix: F-43647r1_fix

AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.

a
All public directories must be owned by a system account.
CM-6 - Low - CCI-000366 - V-38699 - SV-50500r2_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000337
Vuln IDs
  • V-38699
Rule IDs
  • SV-50500r2_rule
Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.
Checks: C-46260r3_chk

The following command will discover and print world-writable directories that are not owned by a system account, given the assumption that only system accounts have a uid lower than 500. Run it once for each local partition [PART]: # find [PART] -xdev -type d -perm -0002 -uid +499 -print If there is output, this is a finding.

Fix: F-43648r1_fix

All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group.

b
The operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs.
SI-4 - Medium - CCI-001263 - V-38700 - SV-50501r1_rule
RMF Control
SI-4
Severity
M
CCI
CCI-001263
Version
RHEL-06-000305
Vuln IDs
  • V-38700
Rule IDs
  • SV-50501r1_rule
By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.
Checks: C-46262r1_chk

To determine that periodic AIDE execution has been scheduled, run the following command: # grep aide /etc/crontab If there is no output, this is a finding.

Fix: F-43649r1_fix

AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.

c
The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system.
CM-6 - High - CCI-000366 - V-38701 - SV-50502r1_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
RHEL-06-000338
Vuln IDs
  • V-38701
Rule IDs
  • SV-50502r1_rule
Using the "-s" option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally specified directory reduces the risk of sharing files which should remain private.
Checks: C-46263r1_chk

Verify "tftp" is configured by with the "-s" option by running the following command: grep "server_args" /etc/xinetd.d/tftp The output should indicate the "server_args" variable is configured with the "-s" flag, matching the example below: # grep "server_args" /etc/xinetd.d/tftp server_args = -s /var/lib/tftpboot If it does not, this is a finding.

Fix: F-43650r1_fix

If running the "tftp" service is necessary, it should be configured to change its root directory at startup. To do so, ensure "/etc/xinetd.d/tftp" includes "-s" as a command line argument, as shown in the following example (which is also the default): server_args = -s /var/lib/tftpboot

a
The FTP daemon must be configured for logging or verbose mode.
AU-3 - Low - CCI-000130 - V-38702 - SV-50503r1_rule
RMF Control
AU-3
Severity
L
CCI
CCI-000130
Version
RHEL-06-000339
Vuln IDs
  • V-38702
Rule IDs
  • SV-50503r1_rule
To trace malicious activity facilitated by the FTP service, it must be configured to ensure that all commands sent to the ftp server are logged using the verbose vsftpd log format. The default vsftpd log file is /var/log/vsftpd.log.
Checks: C-46264r1_chk

Find if logging is applied to the ftp daemon. Procedures: If vsftpd is started by xinetd the following command will indicate the xinetd.d startup file. # grep vsftpd /etc/xinetd.d/* # grep server_args [vsftpd xinetd.d startup file] This will indicate the vsftpd config file used when starting through xinetd. If the [server_args]line is missing or does not include the vsftpd configuration file, then the default config file (/etc/vsftpd/vsftpd.conf) is used. # grep xferlog_enable [vsftpd config file] If xferlog_enable is missing, or is not set to yes, this is a finding.

Fix: F-43651r1_fix

Add or correct the following configuration options within the "vsftpd" configuration file, located at "/etc/vsftpd/vsftpd.conf". xferlog_enable=YES xferlog_std_format=NO log_ftp_protocol=YES

b
The login user list must be disabled.
CM-6 - Medium - CCI-000366 - V-43150 - SV-55880r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000527
Vuln IDs
  • V-43150
Rule IDs
  • SV-55880r1_rule
Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to quickly enumerate known user accounts without logging in.
Checks: C-49197r3_chk

To ensure the user list is disabled, run the following command: $ gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --get /apps/gdm/simple-greeter/disable_user_list The output should be "true". If it is not, this is a finding.

Fix: F-48722r2_fix

In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This functionality should be disabled. Run the following command to disable the user list: $ sudo gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool --set /apps/gdm/simple-greeter/disable_user_list true

b
The system must use a Linux Security Module at boot time.
CM-6 - Medium - CCI-000366 - V-51337 - SV-65547r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000017
Vuln IDs
  • V-51337
Rule IDs
  • SV-65547r1_rule
Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation.
Checks: C-54007r1_chk

Inspect "/etc/grub.conf" for any instances of "selinux=0" in the kernel boot arguments. Presence of "selinux=0" indicates that SELinux is disabled at boot time. If SELinux is disabled at boot time, this is a finding.

Fix: F-56147r1_fix

SELinux can be disabled at boot time by an argument in "/etc/grub.conf". Remove any instances of "selinux=0" from the kernel arguments in that file to prevent SELinux from being disabled at boot.

b
The system must use a Linux Security Module configured to enforce limits on system services.
CM-6 - Medium - CCI-000366 - V-51363 - SV-65573r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000020
Vuln IDs
  • V-51363
Rule IDs
  • SV-65573r1_rule
Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.
Checks: C-53703r1_chk

Check the file "/etc/selinux/config" and ensure the following line appears: SELINUX=enforcing If SELINUX is not set to enforcing, this is a finding.

Fix: F-56165r1_fix

The SELinux state should be set to "enforcing" at system boot time. In the file "/etc/selinux/config", add or correct the following line to configure the system to boot into enforcing mode: SELINUX=enforcing

a
The system must use a Linux Security Module configured to limit the privileges of system services.
CM-6 - Low - CCI-000366 - V-51369 - SV-65579r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000023
Vuln IDs
  • V-51369
Rule IDs
  • SV-65579r1_rule
Setting the SELinux policy to "targeted" or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services.
Checks: C-53711r1_chk

Check the file "/etc/selinux/config" and ensure the following line appears: SELINUXTYPE=targeted If it does not, this is a finding.

Fix: F-56171r1_fix

The SELinux "targeted" policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in "/etc/selinux/config": SELINUXTYPE=targeted Other policies, such as "mls", provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.

a
All device files must be monitored by the system Linux Security Module.
CM-6 - Low - CCI-000366 - V-51379 - SV-65589r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
RHEL-06-000025
Vuln IDs
  • V-51379
Rule IDs
  • SV-65589r1_rule
If a device file carries the SELinux type "unlabeled_t", then SELinux cannot properly restrict access to the device file.
Checks: C-53719r1_chk

To check for unlabeled device files, run the following command: # ls -RZ /dev | grep unlabeled_t It should produce no output in a well-configured system. If there is output, this is a finding.

Fix: F-56179r1_fix

Device files, which are used for communication with important system resources, should be labeled with proper SELinux types. If any device files carry the SELinux type "unlabeled_t", investigate the cause and correct the file's context.

b
A file integrity baseline must be created.
CM-6 - Medium - CCI-000366 - V-51391 - SV-65601r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000018
Vuln IDs
  • V-51391
Rule IDs
  • SV-65601r1_rule
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
Checks: C-53727r1_chk

To find the location of the AIDE database file, run the following command: # grep DBDIR /etc/aide.conf Using the defined values of the [DBDIR] and [database] variables, verify the existence of the AIDE database file: # ls -l [DBDIR]/[database_file_name] If there is no database file, this is a finding.

Fix: F-56189r1_fix

Run the following command to generate a new database: # /usr/sbin/aide --init By default, the database will be written to the file "/var/lib/aide/aide.db.new.gz". Storing the database, the configuration file "/etc/aide.conf", and the binary "/usr/sbin/aide" (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows: # cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz To initiate a manual check, run the following command: # /usr/sbin/aide --check If this check produces any unexpected output, investigate.

b
The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access.
CM-6 - Medium - CCI-000366 - V-51875 - SV-66089r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
RHEL-06-000372
Vuln IDs
  • V-51875
Rule IDs
  • SV-66089r1_rule
Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.
Checks: C-54013r1_chk

To ensure that last logon/access notification is configured correctly, run the following command: # grep pam_lastlog.so /etc/pam.d/system-auth The output should show output "showfailed". If that is not the case, this is a finding.

Fix: F-56701r1_fix

To configure the system to notify users of last logon/access using "pam_lastlog", add the following line immediately after "session required pam_limits.so": session required pam_lastlog.so showfailed