Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Run the following command to determine if "/tmp" is on its own partition or logical volume: $ mount | grep "on /tmp " If "/tmp" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding.
The "/tmp" directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.
Run the following command to determine if "/var" is on its own partition or logical volume: $ mount | grep "on /var " If "/var" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding.
The "/var" directory is used by daemons and other system services to store frequently-changing data. Ensure that "/var" has its own partition or logical volume at installation time, or migrate it using LVM.
Run the following command to determine if "/var/log" is on its own partition or logical volume: $ mount | grep "on /var/log " If "/var/log" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding.
System logs are stored in the "/var/log" directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM.
Run the following command to determine if "/var/log/audit" is on its own partition or logical volume: $ mount | grep "on /var/log/audit " If "/var/log/audit" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding.
Audit logs are stored in the "/var/log/audit" directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.
Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to email the administrator when disk space is starting to run low: # grep space_left_action /etc/audit/auditd.conf space_left_action = email If the system is not configured to send an email to the system administrator when disk space is starting to run low, this is a finding. The "syslog" option is acceptable when it can be demonstrated that the local log management infrastructure notifies an appropriate administrator in a timely manner.
The "auditd" service can be configured to take an action when disk space starts to run low. Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [ACTION] appropriately: space_left_action = [ACTION] Possible values for [ACTION] are described in the "auditd.conf" man page. These include: "ignore" "syslog" "email" "exec" "suspend" "single" "halt" Set this to "email" (instead of the default, which is "suspend") as it is more likely to get prompt attention. The "syslog" option is acceptable, provided the local log management infrastructure notifies an appropriate administrator in a timely manner. RHEL-06-000521 ensures that the email generated through the operation "space_left_action" will be sent to an administrator.
Run the following command to determine if "/home" is on its own partition or logical volume: $ mount | grep "on /home " If "/home" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding.
If user home directories will be stored locally, create a separate partition for "/home" at installation time (or migrate it later using LVM). If "/home" will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.
To ensure that the GPG keys are installed, run: $ rpm -q gpg-pubkey The command should return the strings below: gpg-pubkey-fd431d51-4ae0493b gpg-pubkey-2fa658e0-45700c69 If the Red Hat GPG Keys are not installed, this is a finding.
To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG keys must be installed properly. To install the Red Hat GPG keys, run: # rhn_register If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG keys from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in "/media/cdrom", use the following command as the root user to import them into the keyring: # rpm --import /media/cdrom/RPM-GPG-KEY
If the system uses RHN or an RHN Satellite, this is not applicable. To check that the "rhnsd" service is disabled in system boot configuration, run the following command: # chkconfig "rhnsd" --list Output should indicate the "rhnsd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "rhnsd" --list "rhnsd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "rhnsd" is disabled through current runtime configuration: # service rhnsd status If the service is disabled the command will return the following output: rhnsd is stopped If the service is running, this is a finding.
The Red Hat Network service automatically queries Red Hat Network servers to determine whether there are any actions that should be executed, such as package updates. This only occurs if the system was registered to an RHN server or satellite and managed as such. The "rhnsd" service can be disabled with the following commands: # chkconfig rhnsd off # service rhnsd stop
If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server which provides updates, invoking the following command will indicate if updates are available: # yum check-update If the system is not configured to update from one of these sources, run the following command to list when each package was last updated: $ rpm -qa -last Compare this to Red Hat Security Advisories (RHSA) listed at https://access.redhat.com/security/updates/active/ to determine whether the system is missing applicable security and bugfix updates. If updates are not installed, this is a finding.
If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates: # yum update If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the Red Hat Network and installed using "rpm".
To determine whether "yum" is configured to use "gpgcheck", inspect "/etc/yum.conf" and ensure the following appears in the "[main]" section: gpgcheck=1 A value of "1" indicates that "gpgcheck" is enabled. Absence of a "gpgcheck" line or a setting of "0" indicates that it is disabled. If GPG checking is not enabled, this is a finding. If the "yum" system package management tool is not used to update the system, verify with the SA that installed packages are cryptographically signed.
The "gpgcheck" option should be used to ensure checking of an RPM package's signature always occurs prior to its installation. To configure yum to check package signatures before installing them, ensure the following line appears in "/etc/yum.conf" in the "[main]" section: gpgcheck=1
To determine whether "yum" has been configured to disable "gpgcheck" for any repos, inspect all files in "/etc/yum.repos.d" and ensure the following does not appear in any sections: gpgcheck=0 A value of "0" indicates that "gpgcheck" has been disabled for that repo. If GPG checking is disabled, this is a finding. If the "yum" system package management tool is not used to update the system, verify with the SA that installed packages are cryptographically signed.
To ensure signature checking is not disabled for any repos, remove any lines from files in "/etc/yum.repos.d" of the form: gpgcheck=0
If another file integrity tool is installed, this is not a finding. Run the following command to determine if the "aide" package is installed: # rpm -q aide If the package is not installed, this is a finding.
Install the AIDE package with the command: # yum install aide
Inspect "/boot/grub/grub.conf" for any instances of "selinux=0" in the kernel boot arguments. Presence of "selinux=0" indicates that SELinux is disabled at boot time. If SELinux is disabled at boot time, this is a finding.
SELinux can be disabled at boot time by an argument in "/boot/grub/grub.conf". Remove any instances of "selinux=0" from the kernel arguments in that file to prevent SELinux from being disabled at boot.
To find the location of the AIDE database file, run the following command: # grep DBDIR /etc/aide.conf Using the defined values of the [DBDIR] and [database] variables, verify the existence of the AIDE database file: # ls -l [DBDIR]/[database_file_name] If there is no database file, this is a finding.
Run the following command to generate a new database: # /usr/sbin/aide --init By default, the database will be written to the file "/var/lib/aide/aide.db.new.gz". Storing the database, the configuration file "/etc/aide.conf", and the binary "/usr/sbin/aide" (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows: # cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz To initiate a manual check, run the following command: # /usr/sbin/aide --check If this check produces any unexpected output, investigate.
The existence of the file "/etc/hosts.equiv" or a file named ".rhosts" inside a user home directory indicates the presence of an Rsh trust relationship. If these files exist, this is a finding.
The files "/etc/hosts.equiv" and "~/.rhosts" (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To remove these files, run the following command to delete them from any location. # rm /etc/hosts.equiv $ rm ~/.rhosts
If an HBSS or HIPS is active on the system, this is Not Applicable. Check the file "/etc/selinux/config" and ensure the following line appears: SELINUX=enforcing If SELINUX is not set to enforcing, this is a finding.
The SELinux state should be set to "enforcing" at system boot time. In the file "/etc/selinux/config", add or correct the following line to configure the system to boot into enforcing mode: SELINUX=enforcing
Verify there are no ".shosts" or "shosts.equiv" files on the system. # find / -name '*.shosts' # find / -name shosts.equiv If any ".shosts" or "shosts.equiv" files are found on the system, this is a finding.
Remove any found ".shosts" or "shosts.equiv" files from the system. # rm /[path]/[to]/[file]/.shosts # rm /[path]/[to]/[file]/shosts.equiv
Check the file "/etc/selinux/config" and ensure the following line appears: SELINUXTYPE=targeted If it does not, this is a finding.
The SELinux "targeted" policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in "/etc/selinux/config": SELINUXTYPE=targeted Other policies, such as "mls", provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.
To check for unlabeled device files, run the following command: # ls -RZ /dev | grep unlabeled_t It should produce no output in a well-configured system. If there is output, this is a finding.
Device files, which are used for communication with important system resources, should be labeled with proper SELinux types. If any device files carry the SELinux type "unlabeled_t", investigate the cause and correct the file's context.
To check for virtual console entries which permit root login, run the following command: # grep '^vc/[0-9]' /etc/securetty If any output is returned, then root logins over virtual console devices is permitted. If root login over virtual console devices is permitted, this is a finding.
To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in "/etc/securetty": vc/1 vc/2 vc/3 vc/4 Note: Virtual console entries are not limited to those listed above. Any lines starting with "vc/" followed by numerals should be removed.
To check for serial port entries which permit root login, run the following command: # grep '^ttyS[0-9]' /etc/securetty If any output is returned, then root login over serial ports is permitted. If root login over serial ports is permitted, this is a finding.
To restrict root logins on serial ports, ensure lines of this form do not appear in "/etc/securetty": ttyS0 ttyS1 Note: Serial port entries are not limited to those listed above. Any lines starting with "ttyS" followed by numerals should be removed
To obtain a listing of all users and the contents of their shadow password field, run the command: $ awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1 ":" $2}' /etc/shadow Identify the operating system accounts from this listing. These will primarily be the accounts with UID numbers less than 500, other than root. If any default operating system account (other than root) has a valid password hash, this is a finding.
Some accounts are not associated with a human user of the system, and exist to perform some administrative function. An attacker should not be able to log into these accounts. Disable logon access to these accounts with the command: # passwd -l [SYSACCT]
To verify that null passwords cannot be used, run the following command: # grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth If this produces any output, it may be possible to log into accounts with empty passwords. If NULL passwords can be used, this is a finding.
If an account is configured for password authentication but does not have an assigned password, it may be possible to log onto the account without authentication. Remove any instances of the "nullok" option in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" to prevent logons with empty passwords.
To check that no password hashes are stored in "/etc/passwd", run the following command: # awk -F: '($2 != "x") {print}' /etc/passwd If it produces any output, then a password hash is stored in "/etc/passwd". If any stored hashes are found in /etc/passwd, this is a finding.
If any password hashes are stored in "/etc/passwd" (in the second field, instead of an "x"), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely.
To list all password file entries for accounts with UID 0, run the following command: # awk -F: '($3 == 0) {print}' /etc/passwd This should print only one line, for the user root. If any account other than root has a UID of 0, this is a finding.
If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.
To check the ownership of "/etc/shadow", run the command: $ ls -l /etc/shadow If properly configured, the output should indicate the following owner: "root" If it does not, this is a finding.
To properly set the owner of "/etc/shadow", run the command: # chown root /etc/shadow
To check the group ownership of "/etc/shadow", run the command: $ ls -l /etc/shadow If properly configured, the output should indicate the following group-owner. "root" If it does not, this is a finding.
To properly set the group owner of "/etc/shadow", run the command: # chgrp root /etc/shadow
To check the permissions of "/etc/shadow", run the command: $ ls -l /etc/shadow If properly configured, the output should indicate the following permissions: "----------" If it does not, this is a finding.
To properly set the permissions of "/etc/shadow", run the command: # chmod 0000 /etc/shadow
To check the ownership of "/etc/gshadow", run the command: $ ls -l /etc/gshadow If properly configured, the output should indicate the following owner: "root" If it does not, this is a finding.
To properly set the owner of "/etc/gshadow", run the command: # chown root /etc/gshadow
To check the group ownership of "/etc/gshadow", run the command: $ ls -l /etc/gshadow If properly configured, the output should indicate the following group-owner. "root" If it does not, this is a finding.
To properly set the group owner of "/etc/gshadow", run the command: # chgrp root /etc/gshadow
To check the permissions of "/etc/gshadow", run the command: $ ls -l /etc/gshadow If properly configured, the output should indicate the following permissions: "----------" If it does not, this is a finding.
To properly set the permissions of "/etc/gshadow", run the command: # chmod 0000 /etc/gshadow
To check the ownership of "/etc/passwd", run the command: $ ls -l /etc/passwd If properly configured, the output should indicate the following owner: "root" If it does not, this is a finding.
To properly set the owner of "/etc/passwd", run the command: # chown root /etc/passwd
To check the group ownership of "/etc/passwd", run the command: $ ls -l /etc/passwd If properly configured, the output should indicate the following group-owner. "root" If it does not, this is a finding.
To properly set the group owner of "/etc/passwd", run the command: # chgrp root /etc/passwd
To check the permissions of "/etc/passwd", run the command: $ ls -l /etc/passwd If properly configured, the output should indicate the following permissions: "-rw-r--r--" If it does not, this is a finding.
To properly set the permissions of "/etc/passwd", run the command: # chmod 0644 /etc/passwd
To check the ownership of "/etc/group", run the command: $ ls -l /etc/group If properly configured, the output should indicate the following owner: "root" If it does not, this is a finding.
To properly set the owner of "/etc/group", run the command: # chown root /etc/group
To check the group ownership of "/etc/group", run the command: $ ls -l /etc/group If properly configured, the output should indicate the following group-owner. "root" If it does not, this is a finding.
To properly set the group owner of "/etc/group", run the command: # chgrp root /etc/group
To check the permissions of "/etc/group", run the command: $ ls -l /etc/group If properly configured, the output should indicate the following permissions: "-rw-r--r--" If it does not, this is a finding.
To properly set the permissions of "/etc/group", run the command: # chmod 644 /etc/group
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 Kernel modules, which can be added to the kernel during runtime, are stored in "/lib/modules". All files in these directories should not be group-writable or world-writable. To find shared libraries that are group-writable or world-writable, run the following command for each directory [DIR] which contains shared libraries: $ find -L [DIR] -perm /022 -type f If any of these files (excluding broken symlinks) are group-writable or world-writable, this is a finding.
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command: # chmod go-w [FILE]
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 /usr/local/lib /usr/local/lib64 Kernel modules, which can be added to the kernel during runtime, are stored in "/lib/modules". All files in these directories should not be group-writable or world-writable. To find shared libraries that are not owned by "root" and do not match what is expected by the RPM, run the following command: for i in /lib /lib64 /usr/lib /usr/lib64 do for j in `find -L $i \! -user root` do rpm -V -f $j | grep '^.....U' done done If the command returns any results, this is a finding.
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 /usr/local/lib /usr/local/lib64 If any file in these directories is found to be owned by a user other than “root” and does not match what is expected by the RPM, correct its ownership by running one of the following commands: # rpm --setugids [PACKAGE_NAME] Or # chown root [FILE]
System executables are stored in the following directories by default: /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin All files in these directories should not be group-writable or world-writable. To find system executables that are group-writable or world-writable, run the following command for each directory [DIR] which contains system executables: $ find -L [DIR] -perm /022 -type f If any system executables are found to be group-writable or world-writable, this is a finding.
System executables are stored in the following directories by default: /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command: # chmod go-w [FILE]
System executables are stored in the following directories by default: /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin All files in these directories should not be group-writable or world-writable. To find system executables that are not owned by "root", run the following command for each directory [DIR] which contains system executables: $ find -L [DIR] \! -user root If any system executables are found to not be owned by root, this is a finding.
System executables are stored in the following directories by default: /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin If any file [FILE] in these directories is found to be owned by a user other than root, correct its ownership with the following command: # chown root [FILE]
To check the minimum password length, run the command: $ grep PASS_MIN_LEN /etc/login.defs The DoD requirement is "15". If it is not set to the required value, this is a finding. $ grep –E ‘pam_cracklib.so.*minlen’ /etc/pam.d/* If no results are returned, this is not a finding. If any results are returned and are not set to “15” or greater, this is a finding.
To specify password length requirements for new accounts, edit the file "/etc/login.defs" and add or correct the following lines: PASS_MIN_LEN 15 The DoD requirement is "15". If a program consults "/etc/login.defs" and also another PAM module (such as "pam_cracklib") during a password change operation, then the most restrictive must be satisfied.
To check the minimum password age, run the command: $ grep PASS_MIN_DAYS /etc/login.defs The DoD requirement is 1. If it is not set to the required value, this is a finding.
To specify password minimum age for new accounts, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately: PASS_MIN_DAYS [DAYS] A value of 1 day is considered sufficient for many environments. The DoD requirement is 1.
To check the maximum password age, run the command: $ grep PASS_MAX_DAYS /etc/login.defs The DoD requirement is 60. If it is not set to the required value, this is a finding.
To specify password maximum age for new accounts, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately: PASS_MAX_DAYS [DAYS] The DoD requirement is 60.
To check the password warning age, run the command: $ grep PASS_WARN_AGE /etc/login.defs The DoD requirement is 7. If it is not set to the required value, this is a finding.
To specify how many days prior to password expiration that a warning will be issued to users, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately: PASS_WARN_AGE [DAYS] The DoD requirement is 7.
Obtain a list of approved system and application accounts from the ISSO. For each system and application account identified, run the following command: # chage -l <application_account> Last password change : Nov 05, 2018 Password expires : Nov 04, 2019 Password inactive : Dec 10, 2019 Account expires : never Minimum number of days between password change : 1 Maximum number of days between password change : 365 Number of days of warning before password expires : 7 If "Maximum number of days between password change" is greater than "365", this is a finding. If the date of "Last password change" exceeds 365 days, this is a finding. If the date of "Password expires" is greater than 365 days from the date of "Last password change", this is a finding.
Set the "Maximum number of days between password change" to "365": # chage -M 365 <application_account> Change the password for the system/application account: #passwd <application_account>
To check how many digits are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth Note: The "dcredit" parameter (as a negative number) will indicate how many digits are required. The DoD requires at least one digit in a password. This would appear as "dcredit=-1". If “dcredit” is not found or not set to the required value, this is a finding.
The pam_cracklib module's "dcredit" parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional length credit for each digit. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "dcredit=-1" after pam_cracklib.so to require use of a digit in passwords.
To check how many uppercase characters are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth Note: The "ucredit" parameter (as a negative number) will indicate how many uppercase characters are required. The DoD requires at least one uppercase character in a password. This would appear as "ucredit=-1". If “ucredit” is not found or not set to the required value, this is a finding.
The pam_cracklib module's "ucredit=" parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each uppercase character. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "ucredit=-1" after pam_cracklib.so to require use of an uppercase character in passwords.
To check how many special characters are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth Note: The "ocredit" parameter (as a negative number) will indicate how many special characters are required. The DoD requires at least one special character in a password. This would appear as "ocredit=-1". If “ocredit” is not found or not set to the required value, this is a finding.
The pam_cracklib module's "ocredit=" parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each special character. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "ocredit=-1" after pam_cracklib.so to require use of a special character in passwords.
To check how many lower-case characters are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth Note: The "lcredit" parameter (as a negative number) will indicate how many lower-case characters are required. The DoD requires at least one lower-case character in a password. This would appear as "lcredit=-1". If “lcredit” is not found or not set to the required value, this is a finding.
The pam_cracklib module's "lcredit=" parameter controls requirements for usage of lower-case letters in a password. When set to a negative number, any password will be required to contain that many lower-case characters. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "lcredit=-1" after pam_cracklib.so to require use of a lower-case character in passwords.
To check how many characters must differ during a password change, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth Note: The "difok" parameter will indicate how many characters must differ. The DoD requires eight characters differ during a password change. This would appear as "difok=8". If “difok” is not found or is set to a value less than “8”, this is a finding.
The pam_cracklib module's "difok" parameter controls requirements for usage of different characters during a password change. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "difok=[NUM]" after pam_cracklib.so to require differing characters when changing passwords, substituting [NUM] appropriately. The DoD requirement is 8.
To ensure the failed password attempt policy is configured correctly, run the following command: # grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth The output should show "deny=3" for both files. If that is not the case, this is a finding.
To configure the system to lock out accounts after a number of incorrect logon attempts using "pam_faillock.so", modify the content of both "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" as follows: Add the following line immediately before the "pam_unix.so" statement in the "AUTH" section: auth required pam_faillock.so preauth silent deny=3 unlock_time=900 fail_interval=900 Add the following line immediately after the "pam_unix.so" statement in the "AUTH" section: auth [default=die] pam_faillock.so authfail deny=3 unlock_time=900 fail_interval=900 Add the following line immediately before the "pam_unix.so" statement in the "ACCOUNT" section: account required pam_faillock.so Note that any updates made to "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" may be overwritten by the "authconfig" program. The "authconfig" program should not be used.
Inspect the "password" section of "/etc/pam.d/system-auth", "/etc/pam.d/system-auth-ac", "/etc/pam.d/password-auth", "/etc/pam.d/password-auth-ac" and other files in "/etc/pam.d" to identify the number of occurrences where the “pam_unix.so” module is used in the “password” section. $ grep -E -c 'password.*pam_unix.so' /etc/pam.d/* /etc/pam.d/atd:0 /etc/pam.d/config-util:0 /etc/pam.d/crond:0 /etc/pam.d/login:0 /etc/pam.d/other:0 /etc/pam.d/passwd:0 /etc/pam.d/password-auth:1 /etc/pam.d/password-auth-ac:1 /etc/pam.d/sshd:0 /etc/pam.d/su:0 /etc/pam.d/sudo:0 /etc/pam.d/system-auth:1 /etc/pam.d/system-auth-ac:1 /etc/pam.d/vlock:0 Note: The number adjacent to the file name indicates how many occurrences of the “pam_unix.so” module are found in the password section. If the “pam_unix.so” module is not defined in the “password” section of “/etc/pam.d/system-auth”, “/etc/pam.d/system-auth-ac”, “/etc/pam.d/password-auth”, and “/etc/pam.d/password-auth-ac” at a minimum, this is a finding. Verify that the “sha512” variable is used with each instance of the “pam_unix.so” module in the “password” section: $ grep password /etc/pam.d/* | grep pam_unix.so | grep sha512 /etc/pam.d/password-auth:password sufficient pam_unix.so sha512 [other arguments…] /etc/pam.d/password-auth-ac:password sufficient pam_unix.so sha512 [other arguments…] /etc/pam.d/system-auth:password sufficient pam_unix.so sha512 [other arguments…] /etc/pam.d/system-auth-ac:password sufficient pam_unix.so sha512 [other arguments…] If this list of files does not coincide with the previous command, this is a finding. If any of the identified “pam_unix.so” modules do not use the “sha512” variable, this is a finding.
In "/etc/pam.d/system-auth”, "/etc/pam.d/system-auth-ac", “/etc/pam.d/password-auth”, and “/etc/pam.d/password-auth-ac”, among potentially other files, the "password" section of the files controls which PAM modules execute during a password change. Set the "pam_unix.so" module in the "password" section to include the argument "sha512", as shown below: password sufficient pam_unix.so sha512 [other arguments...] This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default. Note: Any updates made to "/etc/pam.d/system-auth" will be overwritten by the "authconfig" program. The "authconfig" program should not be used.
Inspect "/etc/login.defs" and ensure the following line appears: ENCRYPT_METHOD SHA512 If it does not, this is a finding.
In "/etc/login.defs", add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm: ENCRYPT_METHOD SHA512
Inspect "/etc/libuser.conf" and ensure the following line appears in the "[default]" section: crypt_style = sha512 If it does not, this is a finding.
In "/etc/libuser.conf", add or correct the following line in its "[defaults]" section to ensure the system will use the SHA-512 algorithm for password hashing: crypt_style = sha512
To check the ownership of "/boot/grub/grub.conf", run the command: $ ls -lL /boot/grub/grub.conf If properly configured, the output should indicate that the owner is "root". If it does not, this is a finding.
The file "/boot/grub/grub.conf" should be owned by the "root" user to prevent destruction or modification of the file. To properly set the owner of "/boot/grub/grub.conf", run the command: # chown root /boot/grub/grub.conf
To check the group ownership of "/boot/grub/grub.conf", run the command: $ ls -lL /boot/grub/grub.conf If properly configured, the output should indicate the group-owner is "root". If it does not, this is a finding.
The file "/boot/grub/grub.conf" should be group-owned by the "root" group to prevent destruction or modification of the file. To properly set the group owner of "/boot/grub/grub.conf", run the command: # chgrp root /boot/grub/grub.conf
To check the permissions of "/boot/grub/grub.conf", run the command: $ sudo ls -lL /boot/grub/grub.conf If properly configured, the output should indicate the following permissions: "-rw-------" If it does not, this is a finding.
Set file permissions for "/boot/grub/grub.conf" to 600, which is the default. To properly set the permissions of "/boot/grub/grub.conf", run the command: $ chmod 600 /boot/grub/grub.conf
To verify the boot loader password has been set and encrypted, run the following command: # grep password /boot/grub/grub.conf The output should show the following: password --encrypted $6$[rest-of-the-password-hash] If it does not, this is a finding. If the system uses UEFI verify the boot loader password has been set and encrypted: # grep password /boot/efi/EFI/redhat/grub.conf
The grub boot loader should have password protection enabled to protect boot-time settings. To do so, select a password and then generate a hash from it by running the following command: # grub-crypt --sha-512 When prompted to enter a password, insert the following line into "/boot/grub/grub.conf" or “/boot/efi/EFI/redhat/grub.conf” immediately after the header comments. (Use the output from "grub-crypt" as the value of [password-hash]): password --encrypted [password-hash]
To check if authentication is required for single-user mode, run the following command: $ grep SINGLE /etc/sysconfig/init The output should be the following: SINGLE=/sbin/sulogin If the output is different, this is a finding.
Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected. To require entry of the root password even if the system is started in single-user mode, add or correct the following line in the file "/etc/sysconfig/init": SINGLE=/sbin/sulogin
To check whether interactive boot is disabled, run the following command: $ grep PROMPT /etc/sysconfig/init If interactive boot is disabled, the output will show: PROMPT=no If it does not, this is a finding.
To disable the ability for users to perform interactive startups, edit the file "/etc/sysconfig/init". Add or correct the line: PROMPT=no The "PROMPT" option allows the console user to perform an interactive system startup, in which it is possible to select the set of services which are started on boot.
Verify the operating system terminates all network connections associated with a communications session at the end of the session or based on inactivity. Check the value of the system inactivity timeout with the following command: # grep -i tmout /etc/profile.d/* etc/profile.d/tmout.sh:TMOUT=900 /etc/profile.d/tmout.sh:readonly TMOUT /etc/profile.d/tmout.sh:export TMOUT If "TMOUT" is not set to "900" or less in a script located in the /etc/profile.d/ directory to enforce session termination after inactivity, this is a finding.
Configure the operating system to terminate all network connections associated with a communications session at the end of the session or after a period of inactivity. Create a script to enforce the inactivity timeout (for example /etc/profile.d/tmout.sh) such as: #!/bin/bash TMOUT=900 readonly TMOUT export TMOUT
To check if the system login banner is compliant, run the following command: $ cat /etc/issue Note: The full text banner must be implemented unless there are character limitations that prevent the display of the full DoD logon banner. If the required DoD logon banner is not displayed, this is a finding.
To configure the system login banner: Edit "/etc/issue". Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If the device cannot support the full DoD logon banner due to character limitations, the following text can be used: "I've read & consent to terms in IS user agreem't."
The status of the "kernel.randomize_va_space" kernel parameter can be queried by running the following commands: $ sysctl kernel.randomize_va_space kernel.randomize_va_space = 2 $ grep kernel.randomize_va_space /etc/sysctl.conf /etc/sysctl.d/* kernel.randomize_va_space = 2 If "kernel.randomize_va_space" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "2", this is a finding.
To set the runtime status of the "kernel.randomize_va_space" kernel parameter, run the following command: # sysctl -w kernel.randomize_va_space=2 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): kernel.randomize_va_space = 2 Issue the following command to make the changes take effect: # sysctl --system
The status of the "kernel.exec-shield" kernel parameter can be queried by running the following command: $ sysctl kernel.exec-shield kernel.exec-shield = 1 $ grep kernel.exec-shield /etc/sysctl.conf /etc/sysctl.d/* kernel.exec-shield = 1 If "kernel.exec-shield" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "1", this is a finding.
To set the runtime status of the "kernel.exec-shield" kernel parameter, run the following command: # sysctl -w kernel.exec-shield=1 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): kernel.exec-shield = 1 Issue the following command to make the changes take effect: # sysctl --system
The status of the "net.ipv4.conf.default.send_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.send_redirects net.ipv4.conf.default.send_redirects = 0 $ grep net.ipv4.conf.default.send_redirects /etc/sysctl.conf /etc/sysctl.d/* net.ipv4.conf.default.send_redirects = 0 If "net.ipv4.conf.default.send_redirects" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "0", this is a finding.
To set the runtime status of the "net.ipv4.conf.default.send_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.send_redirects=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.default.send_redirects = 0 Issue the following command to make the changes take effect: # sysctl --system
The status of the "net.ipv4.conf.all.send_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.send_redirects net.ipv4.conf.all.send_redirects = 0 $ grep net.ipv4.conf.all.send_redirects /etc/sysctl.conf /etc/sysctl.d/* net.ipv4.conf.all.send_redirects = 0 If "net.ipv4.conf.all.send_redirects" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "0", this is a finding.
To set the runtime status of the "net.ipv4.conf.all.send_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.send_redirects=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.all.send_redirects = 0 Issue the following command to make the changes take effect: # sysctl --system
The status of the "net.ipv4.ip_forward" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.ip_forward net.ipv4.ip_forward = 0 $ grep net.ipv4.ip_forward /etc/sysctl.conf /etc/sysctl.d/* net.ipv4.ip_forward = 0 If "net.ipv4.ip_forward" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "0", this is a finding.
To set the runtime status of the "net.ipv4.ip_forward" kernel parameter, run the following command: # sysctl -w net.ipv4.ip_forward=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.ip_forward = 0 Issue the following command to make the changes take effect: # sysctl --system
The status of the "net.ipv4.conf.all.accept_source_route" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.accept_source_route net.ipv4.conf.all.accept_source_route = 0 $ grep net.ipv4.conf.all.accept_source_route /etc/sysctl.conf /etc/sysctl.d/* net.ipv4.conf.all.accept_source_route = 0 If "net.ipv4.conf.all.accept_source_route" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "0", this is a finding.
To set the runtime status of the "net.ipv4.conf.all.accept_source_route" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.accept_source_route=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.all.accept_source_route = 0 Issue the following command to make the changes take effect: # sysctl --system
The status of the "net.ipv4.conf.all.accept_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.accept_redirects net.ipv4.conf.all.accept_redirects = 0 $ grep net.ipv4.conf.all.accept_redirects /etc/sysctl.conf /etc/sysctl.d/* net.ipv4.conf.all.accept_redirects = 0 If "net.ipv4.conf.all.accept_redirects" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "0", this is a finding.
To set the runtime status of the "net.ipv4.conf.all.accept_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.accept_redirects=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.all.accept_redirects = 0 Issue the following command to make the changes take effect: # sysctl --system
The status of the "net.ipv4.conf.all.secure_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.secure_redirects net.ipv4.conf.all.secure_redirects = 0 $ grep net.ipv4.conf.all.secure_redirects /etc/sysctl.conf /etc/sysctl.d/* net.ipv4.conf.all.secure_redirects = 0 If "net.ipv4.conf.all.secure_redirects" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "0", this is a finding.
To set the runtime status of the "net.ipv4.conf.all.secure_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.secure_redirects=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.all.secure_redirects = 0 Issue the following command to make the changes take effect: # sysctl --system
The status of the "net.ipv4.conf.all.log_martians" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.log_martians net.ipv4.conf.all.log_martians = 1 $ grep net.ipv4.conf.all.log_martians /etc/sysctl.conf /etc/sysctl.d/* net.ipv4.conf.all.log_martians = 1 If "net.ipv4.conf.all.log_martians" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "1", this is a finding.
To set the runtime status of the "net.ipv4.conf.all.log_martians" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.log_martians=1 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.all.log_martians = 1 Issue the following command to make the changes take effect: # sysctl --system
The status of the "net.ipv4.conf.default.accept_source_route" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.accept_source_route net.ipv4.conf.default.accept_source_route = 0 $ grep net.ipv4.conf.default.accept_source_route /etc/sysctl.conf /etc/sysctl.d/* net.ipv4.conf.default.accept_source_route = 0 If "net.ipv4.conf.default.accept_source_route" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "0", this is a finding.
To set the runtime status of the "net.ipv4.conf.default.accept_source_route" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.accept_source_route=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.default.accept_source_route = 0 Issue the following command to make the changes take effect: # sysctl --system
The status of the "net.ipv4.conf.default.secure_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.secure_redirects net.ipv4.conf.default.secure_redirects = 0 $ grep net.ipv4.conf.default.secure_redirects /etc/sysctl.conf /etc/sysctl.d/* net.ipv4.conf.default.secure_redirects = 0 If "net.ipv4.conf.default.secure_redirect" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "0", this is a finding.
To set the runtime status of the "net.ipv4.conf.default.secure_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.secure_redirects=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.default.secure_redirects = 0 Issue the following command to make the changes take effect: # sysctl --system
The status of the "net.ipv4.conf.default.accept_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.accept_redirects net.ipv4.conf.default.accept_redirects = 0 $ grep net.ipv4.conf.default.accept_redirects /etc/sysctl.conf /etc/sysctl.d/* net.ipv4.conf.default.accept_redirects = 0 If "net.ipv4.conf.default.accept_redirects" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "0", this is a finding.
To set the runtime status of the "net.ipv4.conf.default.accept_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.accept_redirects=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.default.accept_redirects = 0 Issue the following command to make the changes take effect: # sysctl --system
The status of the "net.ipv4.icmp_echo_ignore_broadcasts" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.icmp_echo_ignore_broadcasts net.ipv4.icmp_echo_ignore_broadcasts = 1 $ grep net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d/* net.ipv4.icmp_echo_ignore_broadcasts = 1 If "net.ipv4.icmp_echo_ignore_broadcasts" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "1", this is a finding.
To set the runtime status of the "net.ipv4.icmp_echo_ignore_broadcasts" kernel parameter, run the following command: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.icmp_echo_ignore_broadcasts = 1 Issue the following command to make the changes take effect: # sysctl --system
The status of the "net.ipv4.icmp_ignore_bogus_error_responses" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.icmp_ignore_bogus_error_responses net.ipv4.icmp_ignore_bogus_error_responses = 1 $ grep net.ipv4.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d/* net.ipv4.icmp_ignore_bogus_error_responses = 1 If "net.ipv4.icmp_ignore_bogus_error_responses" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "1", this is a finding.
To set the runtime status of the "net.ipv4.icmp_ignore_bogus_error_responses" kernel parameter, run the following command: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.icmp_ignore_bogus_error_responses = 1 Issue the following command to make the changes take effect: # sysctl --system
The status of the "net.ipv4.tcp_syncookies" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.tcp_syncookies net.ipv4.tcp_syncookies = 1 $ grep net.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* net.ipv4.tcp_syncookies = 1 If "net.ipv4.tcp_syncookies" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "1", this is a finding.
To set the runtime status of the "net.ipv4.tcp_syncookies" kernel parameter, run the following command: # sysctl -w net.ipv4.tcp_syncookies=1 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.tcp_syncookies = 1 Issue the following command to make the changes take effect: # sysctl --system
The status of the "net.ipv4.conf.all.rp_filter" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.rp_filter net.ipv4.conf.all.rp_filter = 1 $ grep net.ipv4.conf.all.rp_filter /etc/sysctl.conf /etc/sysctl.d/* net.ipv4.conf.all.rp_filter = 1 If "net.ipv4.conf.all.rp_filter" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "1", this is a finding.
To set the runtime status of the "net.ipv4.conf.all.rp_filter" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.rp_filter=1 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.all.rp_filter = 1 Issue the following command to make the changes take effect: # sysctl --system
The status of the "net.ipv4.conf.default.rp_filter" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.rp_filter net.ipv4.conf.default.rp_filter = 1 $ grep net.ipv4.conf.default.rp_filter /etc/sysctl.conf /etc/sysctl.d/* net.ipv4.conf.default.rp_filter = 1 If "net.ipv4.conf.default.rp_filter" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "1", this is a finding.
To set the runtime status of the "net.ipv4.conf.default.rp_filter" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.rp_filter=1 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.default.rp_filter = 1 Issue the following command to make the changes take effect: # sysctl --system
If IPv6 is disabled, this is not applicable. The status of the "net.ipv6.conf.default.accept_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv6.conf.default.accept_redirects net.ipv6.conf.default.accept_redirects = 0 $ grep net.ipv6.conf.default.accept_redirects /etc/sysctl.conf /etc/sysctl.d/* net.ipv6.conf.default.accept_redirects = 0 If "net.ipv6.conf.default.accept_redirects" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "0", this is a finding.
To set the runtime status of the "net.ipv6.conf.default.accept_redirects" kernel parameter, run the following command: # sysctl -w net.ipv6.conf.default.accept_redirects=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv6.conf.default.accept_redirects = 0 Issue the following command to make the changes take effect: # sysctl --system
If the system is a cross-domain system, this is not applicable. If IPv6 is disabled, this is not applicable. Run the following command to determine the current status of the "ip6tables" service: # service ip6tables status If the service is not running, it should return the following: ip6tables: Firewall is not running. If the service is not running, this is a finding.
The "ip6tables" service can be enabled with the following commands: # chkconfig ip6tables on # service ip6tables start
If the system is a cross-domain system, this is not applicable. If IPV6 is disabled, this is not applicable. Run the following command to determine the current status of the "ip6tables" service: # service ip6tables status If the service is not running, it should return the following: ip6tables: Firewall is not running. If the service is not running, this is a finding.
The "ip6tables" service can be enabled with the following commands: # chkconfig ip6tables on # service ip6tables start
If the system is a cross-domain system, this is not applicable. If IPv6 is disabled, this is not applicable. Run the following command to determine the current status of the "ip6tables" service: # service ip6tables status If the service is not running, it should return the following: ip6tables: Firewall is not running. If the service is not running, this is a finding.
The "ip6tables" service can be enabled with the following commands: # chkconfig ip6tables on # service ip6tables start
If the system is a cross-domain system, this is not applicable. Run the following command to determine the current status of the "iptables" service: # service iptables status If the service is not running, it should return the following: iptables: Firewall is not running. If the service is not running, this is a finding.
The "iptables" service can be enabled with the following commands: # chkconfig iptables on # service iptables start
If the system is a cross-domain system, this is not applicable. Run the following command to determine the current status of the "iptables" service: # service iptables status If the service is not running, it should return the following: iptables: Firewall is not running. If the service is not running, this is a finding.
The "iptables" service can be enabled with the following commands: # chkconfig iptables on # service iptables start
If the system is a cross-domain system, this is not applicable. Run the following command to determine the current status of the "iptables" service: # service iptables status If the service is not running, it should return the following: iptables: Firewall is not running. If the service is not running, this is a finding.
The "iptables" service can be enabled with the following commands: # chkconfig iptables on # service iptables start
Run the following command to ensure the default "INPUT" policy is "DROP": # iptables -nvL | grep -i input Chain INPUT (policy DROP 0 packets, 0 bytes) If the default policy for the INPUT chain is not set to DROP, this is a finding.
To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in "/etc/sysconfig/iptables": :INPUT DROP [0:0]
If the system is configured to prevent the loading of the "dccp" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": $ grep -r dccp /etc/modprobe.conf /etc/modprobe.d | grep -i “/bin/true”| grep -v “#” If no line is returned, this is a finding.
The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the "dccp" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install dccp /bin/true
If the system is configured to prevent the loading of the "sctp" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": $ grep -r sctp /etc/modprobe.conf /etc/modprobe.d | grep -i “/bin/true”| grep -v “#” If no line is returned, this is a finding.
The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the "sctp" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install sctp /bin/true
If the system is configured to prevent the loading of the "rds" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated "/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": $ grep -r rds /etc/modprobe.conf /etc/modprobe.d If no line is returned, this is a finding.
The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-bandwidth, low-latency communications between nodes in a cluster. To configure the system to prevent the "rds" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install rds /bin/true
If the system is configured to prevent the loading of the "tipc" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": $ grep -r tipc /etc/modprobe.conf /etc/modprobe.d | grep -i “/bin/true”| grep -v “#” If no line is returned, this is a finding.
The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the "tipc" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install tipc /bin/true
The owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". To see the owner of a given log file, run the following command: $ ls -l [LOGFILE] Some log files referenced in /etc/rsyslog.conf may be created by other programs and may require exclusion from consideration. If the owner is not root, this is a finding.
The owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's owner: $ ls -l [LOGFILE] If the owner is not "root", run the following command to correct this: # chown root [LOGFILE]
The group-owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". To see the group-owner of a given log file, run the following command: $ ls -l [LOGFILE] Some log files referenced in /etc/rsyslog.conf may be created by other programs and may require exclusion from consideration. If the group-owner is not root, this is a finding.
The group-owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's group owner: $ ls -l [LOGFILE] If the owner is not "root", run the following command to correct this: # chgrp root [LOGFILE]
The file permissions for all log files written by rsyslog should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's permissions: $ ls -l [LOGFILE] The permissions should be 600, or more restrictive. Some log files referenced in /etc/rsyslog.conf may be created by other programs and may require exclusion from consideration. If the permissions are not correct, this is a finding.
The file permissions for all log files written by rsyslog should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's permissions: $ ls -l [LOGFILE] If the permissions are not 600 or more restrictive, run the following command to correct this: # chmod 0600 [LOGFILE]
To ensure logs are sent to a remote host, examine the file "/etc/rsyslog.conf". If using UDP, a line similar to the following should be present: *.* @[loghost.example.com] If using TCP, a line similar to the following should be present: *.* @@[loghost.example.com] If using RELP, a line similar to the following should be present: *.* :omrelp:[loghost.example.com] If none of these are present, this is a finding.
To configure rsyslog to send logs to a remote log server, open "/etc/rsyslog.conf" and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting "[loghost.example.com]" appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments. To use UDP for log message delivery: *.* @[loghost.example.com] To use TCP for log message delivery: *.* @@[loghost.example.com] To use RELP for log message delivery: *.* :omrelp:[loghost.example.com]
To ensure logs are sent to a remote host, examine the file "/etc/rsyslog.conf". If using UDP, a line similar to the following should be present: *.* @[loghost.example.com] If using TCP, a line similar to the following should be present: *.* @@[loghost.example.com] If using RELP, a line similar to the following should be present: *.* :omrelp:[loghost.example.com] If none of these are present, this is a finding.
To configure rsyslog to send logs to a remote log server, open "/etc/rsyslog.conf" and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting "[loghost.example.com]" appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments. To use UDP for log message delivery: *.* @[loghost.example.com] To use TCP for log message delivery: *.* @@[loghost.example.com] To use RELP for log message delivery: *.* :omrelp:[loghost.example.com]
Run the following commands to determine the current status of the "logrotate" service: # grep logrotate /var/log/cron* If the logrotate service is not run on a daily basis by cron, this is a finding.
The "logrotate" service should be installed or reinstalled if it is not installed and operating properly, by running the following command: # yum reinstall logrotate
Run the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, it should return the following: auditd is running... If the service is not running, this is a finding.
The "auditd" service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The "auditd" service can be enabled with the following commands: # chkconfig auditd on # service auditd start
Run the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, it should return the following: auditd is running... If the service is not running, this is a finding.
The "auditd" service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The "auditd" service can be enabled with the following commands: # chkconfig auditd on # service auditd start
Run the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, it should return the following: auditd is running... If the service is not running, this is a finding.
The "auditd" service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The "auditd" service can be enabled with the following commands: # chkconfig auditd on # service auditd start
Inspect "/etc/audit/auditd.conf" and locate the following line to determine how many logs the system is configured to retain after rotation: "# grep num_logs /etc/audit/auditd.conf" num_logs = 5 If the overall system log file(s) retention hasn't been properly set up, this is a finding.
Determine how many log files "auditd" should retain when it rotates logs. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting [NUMLOGS] with the correct value: num_logs = [NUMLOGS] Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation.
Inspect "/etc/audit/auditd.conf" and locate the following line to determine how much data the system will retain in each audit log file: "# grep max_log_file /etc/audit/auditd.conf" max_log_file = 6 If the system audit data threshold hasn't been properly set up, this is a finding.
Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting the correct value for [STOREMB]: max_log_file = [STOREMB] Set the value to "6" (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data.
Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to rotate logs when they reach their maximum size: # grep max_log_file_action /etc/audit/auditd.conf max_log_file_action = rotate If the "keep_logs" option is configured for the "max_log_file_action" line in "/etc/audit/auditd.conf" and an alternate process is in place to ensure audit data does not overwhelm local audit storage, this is not a finding. If the system has not been properly set up to rotate audit logs, this is a finding.
The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by "auditd", add or correct the line in "/etc/audit/auditd.conf": max_log_file_action = [ACTION] Possible values for [ACTION] are described in the "auditd.conf" man page. These include: "ignore" "syslog" "suspend" "rotate" "keep_logs" Set the "[ACTION]" to "rotate" to ensure log rotation occurs. This is the default. The setting is case-insensitive.
Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to either suspend, switch to single-user mode, or halt when disk space has run low: admin_space_left_action = single If the system is not configured to switch to single-user mode, suspend, or halt for corrective action, this is a finding.
The "auditd" service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting [ACTION] appropriately: admin_space_left_action = [ACTION] Set this value to "single" to cause the system to switch to single-user mode for corrective action. Acceptable values also include "suspend" and "halt". For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for [ACTION] are described in the "auditd.conf" man page.
To determine if the system is configured to audit calls to the "adjtimex" system call, run the following command: $ sudo grep -w "adjtimex" /etc/audit/audit.rules -a always,exit -F arch=b32 -S adjtimex -k audit_time_rules -a always,exit -F arch=b64 -S adjtimex -k audit_time_rules If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "adjtimex" syscall, this is a finding.
Add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b32 -S adjtimex -k audit_time_rules If the system is 64-bit, then also add the following: # audit_time_rules -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules
To determine if the system is configured to audit calls to the "settimeofday" system call, run the following command: $ sudo grep -w "settimeofday" /etc/audit/audit.rules -a always,exit -F arch=b32 -S settimeofday -k audit_time_rules -a always,exit -F arch=b64 -S settimeofday -k audit_time_rules If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to the "settimeofday" syscall, this is a finding.
Add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b32 -S settimeofday -k audit_time_rules If the system is 64-bit, then also add the following: # audit_time_rules -a always,exit -F arch=b64 -S settimeofday -k audit_time_rules
If the system is 64-bit only, this is not applicable. To determine if the system is configured to audit calls to the "stime" system call, run the following command: $ sudo grep -w "stime" /etc/audit/audit.rules -a always,exit -F arch=b32 -S stime -k audit_time_rules If the system is not configured to audit the "stime" syscall, this is a finding.
Add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b32 -S stime -k audit_time_rules
To determine if the system is configured to audit calls to the "clock_settime" system call, run the following command: $ sudo grep -w "clock_settime" /etc/audit/audit.rules -a always,exit -F arch=b32 -S clock_settime -k audit_time_rules -a always,exit -F arch=b64 -S clock_settime -k audit_time_rules If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "clock_settime" syscall, this is a finding.
Add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b32 -S clock_settime -k audit_time_rules If the system is 64-bit, then also add the following: # audit_time_rules -a always,exit -F arch=b64 -S clock_settime -k audit_time_rules
To determine if the system is configured to audit attempts to alter time via the /etc/localtime file, run the following command: $ sudo grep -w "/etc/localtime" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. If the system is not configured to audit time changes, this is a finding.
Add the following to "/etc/audit/audit.rules": -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.
To determine if the system is configured to audit account changes, run the following command: $ sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each). If the system is not configured to audit account changes, this is a finding.
Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes: # audit_account_changes -w /etc/group -p wa -k audit_account_changes -w /etc/passwd -p wa -k audit_account_changes -w /etc/gshadow -p wa -k audit_account_changes -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes
To determine if the system is configured to audit account changes, run the following command: $sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each). If the system is not configured to audit account changes, this is a finding.
Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes: # audit_account_changes -w /etc/group -p wa -k audit_account_changes -w /etc/passwd -p wa -k audit_account_changes -w /etc/gshadow -p wa -k audit_account_changes -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes
To determine if the system is configured to audit account changes, run the following command: $sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each). If the system is not configured to audit account changes, this is a finding.
Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes: # audit_account_changes -w /etc/group -p wa -k audit_account_changes -w /etc/passwd -p wa -k audit_account_changes -w /etc/gshadow -p wa -k audit_account_changes -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes
To determine if the system is configured to audit account changes, run the following command: $sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each). If the system is not configured to audit account changes, this is a finding.
Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes: # audit_account_changes -w /etc/group -p wa -k audit_account_changes -w /etc/passwd -p wa -k audit_account_changes -w /etc/gshadow -p wa -k audit_account_changes -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes
If you are running x86_64 architecture, determine the values for sethostname: $ uname -m; ausyscall i386 sethostname; ausyscall x86_64 sethostname If the values returned are not identical verify that the system is configured to monitor network configuration changes for the i386 and x86_64 architectures: $ sudo egrep -w '(sethostname|setdomainname|/etc/issue|/etc/issue.net|/etc/hosts|/etc/sysconfig/network)' /etc/audit/audit.rules -a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications -a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_network_modifications -w /etc/issue -p wa -k audit_network_modifications -w /etc/issue.net -p wa -k audit_network_modifications -w /etc/hosts -p wa -k audit_network_modifications -w /etc/sysconfig/network -p wa -k audit_network_modifications If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit changes of the network configuration, this is a finding.
Add the following to "/etc/audit/audit.rules": # audit_network_modifications -a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications -w /etc/issue -p wa -k audit_network_modifications -w /etc/issue.net -p wa -k audit_network_modifications -w /etc/hosts -p wa -k audit_network_modifications -w /etc/sysconfig/network -p wa -k audit_network_modifications If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_network_modifications
To determine if the system is configured to audit changes to its SELinux configuration files, run the following command: $ sudo grep -w "/etc/selinux" /etc/audit/audit.rules If the system is configured to watch for changes to its SELinux configuration, a line should be returned (including "-p wa" indicating permissions that are watched). If the system is not configured to audit attempts to change the MAC policy, this is a finding.
Add the following to "/etc/audit/audit.rules": -w /etc/selinux/ -p wa -k MAC-policy
To determine if the system is configured to audit calls to the "chmod" system call, run the following command: $ sudo grep -w "chmod" /etc/audit/audit.rules -a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S chmod -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S chmod -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "chmod" system call, this is a finding.
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S chmod -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S chmod -F auid=0 -k perm_mod
To determine if the system is configured to audit calls to the "chown" system call, run the following command: $ sudo grep -w "chown" /etc/audit/audit.rules -a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S chown -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "chown" system call, this is a finding.
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S chown -F auid=0 -k perm_mod
To determine if the system is configured to audit calls to the "fchmod" system call, run the following command: $ sudo grep -w "fchmod" /etc/audit/audit.rules -a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "fchmod" system call, this is a finding.
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_mod
To determine if the system is configured to audit calls to the "fchmodat" system call, run the following command: $ sudo grep -w "fchmodat" /etc/audit/audit.rules -a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "fchmodat" system call, this is a finding.
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_mod
To determine if the system is configured to audit calls to the "fchown" system call, run the following command: $ sudo grep -w "fchown" /etc/audit/audit.rules -a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "fchown" system call, this is a finding.
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_mod
To determine if the system is configured to audit calls to the "fchownat" system call, run the following command: $ sudo grep -w "fchownat" /etc/audit/audit.rules -a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "fchownat" system call, this is a finding.
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_mod
To determine if the system is configured to audit calls to the "fremovexattr" system call, run the following command: $ sudo grep -w "fremovexattr" /etc/audit/audit.rules -a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "fremovexattr" system call, this is a finding.
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod
To determine if the system is configured to audit calls to the "fsetxattr" system call, run the following command: $ sudo grep -w "fsetxattr" /etc/audit/audit.rules -a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "fsetxattr" system call, this is a finding.
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod
To determine if the system is configured to audit calls to the "lchown" system call, run the following command: $ sudo grep -w "lchown" /etc/audit/audit.rules -a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "lchown" system call, this is a finding.
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod
To determine if the system is configured to audit calls to the "lremovexattr" system call, run the following command: $ sudo grep -w "lremovexattr" /etc/audit/audit.rules -a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "lremovexattr" system call, this is a finding.
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod
To determine if the system is configured to audit calls to the "lsetxattr" system call, run the following command: $ sudo grep -w "lsetxattr" /etc/audit/audit.rules -a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "lsetxattr" system call, this is a finding.
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod
To determine if the system is configured to audit calls to the "removexattr" system call, run the following command: $ sudo grep -w "removexattr" /etc/audit/audit.rules -a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "removexattr" system call, this is a finding.
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod
To determine if the system is configured to audit calls to the "setxattr" system call, run the following command: $ sudo grep -w "setxattr" /etc/audit/audit.rules -a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "setxattr" system call, this is a finding.
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod
To verify that the audit system collects unauthorized file accesses, run the following commands: # grep EACCES /etc/audit/audit.rules -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid=0 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid=0 -k access # grep EPERM /etc/audit/audit.rules -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid=0 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid=0 -k access If the system is 64-bit and does not return rules for both "b32" and "b64" architectures, this is a finding. If either command lacks output, this is a finding.
At a minimum, the audit system should collect unauthorized file accesses for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid=0 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid=0 -k access If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid=0 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid=0 -k access
To verify that auditing of privileged command use is configured, run the following command once for each local partition [PART] to find relevant setuid / setgid programs: $ sudo find [PART] -xdev -type f -perm /6000 2>/dev/null Run the following command to verify entries in the audit rules for all programs found with the previous command: $ sudo grep path /etc/audit/audit.rules It should be the case that all relevant setuid / setgid programs have a line in the audit rules. If that is not the case, this is a finding.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition [PART]: $ sudo find [PART] -xdev -type f -perm /6000 2>/dev/null Then, for each setuid / setgid program on the system, add a line of the following form to "/etc/audit/audit.rules", where [SETUID_PROG_PATH] is the full path to each setuid / setgid program in the list: -a always,exit -F path=[SETUID_PROG_PATH] -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
To verify that auditing is configured for all media exportation events, run the following command: $ sudo grep -w "mount" /etc/audit/audit.rules -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export -a always,exit -F arch=b32 -S mount -F auid=0 -k export -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export -a always,exit -F arch=b64 -S mount -F auid=0 -k export If the system is 64-bit and does not return rules for both "b32" and "b64" architectures, this is a finding. If no line is returned, this is a finding.
At a minimum, the audit system should collect media exportation events for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export -a always,exit -F arch=b32 -S mount -F auid=0 -k export If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export -a always,exit -F arch=b64 -S mount -F auid=0 -k export
To determine if the system is configured to audit user deletions of files and programs, run the following command: $ sudo egrep -w 'rmdir|unlink|unlinkat|rename|renameat' /etc/audit/audit.rules -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete If the system is 64-bit and does not return rules for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit "rmdir", this is a finding. If the system is not configured to audit "unlink", this is a finding. If the system is not configured to audit "unlinkat", this is a finding. If the system is not configured to audit "rename", this is a finding. If the system is not configured to audit "renameat", this is a finding. If no line is returned, this is a finding.
At a minimum, the audit system should collect file deletion events for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete
To verify that auditing is configured for system administrator actions, run the following command: $ sudo grep -w "/etc/sudoers" /etc/audit/audit.rules If the system is configured to watch for changes to its sudoers configuration, a line should be returned (including "-p wa" indicating permissions that are watched). If there is no output, this is a finding.
At a minimum, the audit system should collect administrator actions for all users and root. Add the following to "/etc/audit/audit.rules": -w /etc/sudoers -p wa -k actions
To determine if the system is configured to audit execution of module management programs, run the following commands: $ sudo egrep -e "(-w |-F path=)/sbin/insmod|(-w |-F path=)/sbin/rmmod|(-w |-F path=)/sbin/modprobe" /etc/audit/audit.rules -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules If "/sbin/insmod" is not being audited, this is a finding. If "/sbin/rmmod" is not being audited, this is a finding. If "/sbin/modprobe" is not being audited, this is a finding. To determine if the system is configured to audit calls to the "init_module" and "delete_module" system calls, run the following command: $ sudo egrep -w "init_module|delete_module" /etc/audit/audit.rules -a always,exit -F arch=b32 -S init_module -S delete_module -k modules -a always,exit -F arch=b64 -S init_module -S delete_module -k modules If the system is 64-bit and does not return rules for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit "init_module" this is a finding. If the system is not configured to audit "delete_module", this is a finding. If no line is returned, this is a finding.
Add the following to "/etc/audit/audit.rules" in order to capture kernel module loading and unloading events: -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules -a always,exit -F arch=b32 -S init_module -S delete_module -k modules If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S init_module -S delete_module -k modules
If network services are using the xinetd service, this is not applicable. To check that the "xinetd" service is disabled in system boot configuration, run the following command: # chkconfig "xinetd" --list Output should indicate the "xinetd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "xinetd" --list "xinetd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "xinetd" is disabled through current runtime configuration: # service xinetd status If the service is disabled the command will return the following output: xinetd is stopped If the service is running, this is a finding.
The "xinetd" service can be disabled with the following commands: # chkconfig xinetd off # service xinetd stop
If network services are using the xinetd service, this is not applicable. Run the following command to determine if the "xinetd" package is installed: # rpm -q xinetd If the package is installed, this is a finding.
The "xinetd" package can be uninstalled with the following command: # yum erase xinetd
Run the following command to determine if the "telnet-server" package is installed: # rpm -q telnet-server If the package is installed, this is a finding.
The "telnet-server" package can be uninstalled with the following command: # yum erase telnet-server
To check that the "telnet" service is disabled in system boot configuration, run the following command: # chkconfig "telnet" --list Output should indicate the "telnet" service has either not been installed, or has been disabled, as shown in the example below: # chkconfig "telnet" --list telnet off OR error reading information on service telnet: No such file or directory If the service is running, this is a finding.
The "telnet" service can be disabled with the following command: # chkconfig telnet off
Run the following command to determine if the "rsh-server" package is installed: # rpm -q rsh-server If the package is installed, this is a finding.
The "rsh-server" package can be uninstalled with the following command: # yum erase rsh-server
To check that the "rsh" service is disabled in system boot configuration, run the following command: # chkconfig "rsh" --list Output should indicate the "rsh" service has either not been installed, or has been disabled, as shown in the example below: # chkconfig "rsh" --list rsh off OR error reading information on service rsh: No such file or directory If the service is running, this is a finding.
The "rsh" service, which is available with the "rsh-server" package and runs as a service through xinetd, should be disabled. The "rsh" service can be disabled with the following command: # chkconfig rsh off
To check that the "rexec" service is disabled in system boot configuration, run the following command: # chkconfig "rexec" --list Output should indicate the "rexec" service has either not been installed, or has been disabled, as shown in the example below: # chkconfig "rexec" --list rexec off OR error reading information on service rexec: No such file or directory If the service is running, this is a finding.
The "rexec" service, which is available with the "rsh-server" package and runs as a service through xinetd, should be disabled. The "rexec" service can be disabled with the following command: # chkconfig rexec off
To check that the "rlogin" service is disabled in system boot configuration, run the following command: # chkconfig "rlogin" --list Output should indicate the "rlogin" service has either not been installed, or has been disabled, as shown in the example below: # chkconfig "rlogin" --list rlogin off OR error reading information on service rlogin: No such file or directory If the service is running, this is a finding.
The "rlogin" service, which is available with the "rsh-server" package and runs as a service through xinetd, should be disabled. The "rlogin" service can be disabled with the following command: # chkconfig rlogin off
Run the following command to determine if the "ypserv" package is installed: # rpm -q ypserv If the package is installed, this is a finding.
The "ypserv" package can be uninstalled with the following command: # yum erase ypserv
To check that the "ypbind" service is disabled in system boot configuration, run the following command: # chkconfig "ypbind" --list Output should indicate the "ypbind" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "ypbind" --list "ypbind" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "ypbind" is disabled through current runtime configuration: # service ypbind status If the service is disabled the command will return the following output: ypbind is stopped If the service is running, this is a finding.
The "ypbind" service, which allows the system to act as a client in a NIS or NIS+ domain, should be disabled. The "ypbind" service can be disabled with the following commands: # chkconfig ypbind off # service ypbind stop
Run the following command to determine if the "tftp-server" package is installed: # rpm -q tftp-server If the package is installed and not documented and approved by the ISSO, this is a finding.
The "tftp-server" package can be removed with the following command: # yum erase tftp-server
To check that the "tftp" service is disabled in system boot configuration, run the following command: # chkconfig "tftp" --list Output should indicate the "tftp" service has either not been installed, or has been disabled, as shown in the example below: # chkconfig "tftp" --list tftp off OR error reading information on service tftp: No such file or directory If the service is running and not documented and approved by the ISSO, this is a finding.
The "tftp" service should be disabled. The "tftp" service can be disabled with the following command: # chkconfig tftp off
Run the following command to determine the current status of the "crond" service: # service crond status If the service is enabled, it should return the following: crond is running... If the service is not running, this is a finding.
The "crond" service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The "crond" service can be enabled with the following commands: # chkconfig crond on # service crond start
To check which SSH protocol version is allowed, run the following command: # grep Protocol /etc/ssh/sshd_config If configured properly, output should be Protocol 2 If it is not, this is a finding.
Only SSH protocol version 2 connections should be permitted. The default setting in "/etc/ssh/sshd_config" is correct, and can be verified by ensuring that the following line appears: Protocol 2
Verify the SSH daemon is configured to only use MACs employing FIPS 140-2-approved hashes. Check that the SSH daemon is configured to only use MACs employing FIPS 140-2-approved hashes with the following command: # grep -i macs /etc/ssh/sshd_config MACs hmac-sha2-512,hmac-sha2-256 If any hashes other than "hmac-sha2-512" or "hmac-sha2-256" are listed, the order differs from the example above, they are missing, or the returned line is commented out, this is a finding.
Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "MACs" keyword and set its value to "hmac-sha2-512" and/or "hmac-sha2-256" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): MACs hmac-sha2-512,hmac-sha2-256 The SSH service must be restarted for changes to take effect. # sudo service sshd restart
Run the following command to see what the timeout interval is: # grep ClientAliveInterval /etc/ssh/sshd_config ClientAliveInterval 600 If "ClientAliveInterval" has a value greater than "600", this is a finding.
SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out. To set an idle timeout interval, edit the following line in "/etc/ssh/sshd_config" as follows: ClientAliveInterval [interval] The timeout [interval] is given in seconds. To have a timeout of ten minutes, set [interval] to 600. If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.
To ensure the SSH idle timeout will occur when the "ClientAliveCountMax" is set, run the following command: # grep ClientAliveCountMax /etc/ssh/sshd_config If properly configured, output should be: ClientAliveCountMax 0 If it is not, this is a finding.
To ensure the SSH idle timeout occurs precisely when the "ClientAliveCountMax" is set, edit "/etc/ssh/sshd_config" as follows: ClientAliveCountMax 0
To determine how the SSH daemon's "IgnoreRhosts" option is set, run the following command: # grep -i IgnoreRhosts /etc/ssh/sshd_config If no line, a commented line, or a line indicating the value "yes" is returned, then the required value is set. If the required value is not set, this is a finding.
SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via ".rhosts" files. To ensure this behavior is disabled, add or correct the following line in "/etc/ssh/sshd_config": IgnoreRhosts yes
To determine how the SSH daemon's "HostbasedAuthentication" option is set, run the following command: # grep -i HostbasedAuthentication /etc/ssh/sshd_config If no line, a commented line, or a line indicating the value "no" is returned, then the required value is set. If the required value is not set, this is a finding.
SSH's cryptographic host-based authentication is more secure than ".rhosts" authentication, since hosts are cryptographically authenticated. However, it is not recommended that hosts unilaterally trust one another, even within an organization. To disable host-based authentication, add or correct the following line in "/etc/ssh/sshd_config": HostbasedAuthentication no
To determine how the SSH daemon's "PermitRootLogin" option is set, run the following command: # grep -i PermitRootLogin /etc/ssh/sshd_config If a line indicating "no" is returned, then the required value is set. If the required value is not set, this is a finding.
The root user should never be allowed to log in to a system directly over a network. To disable root login via SSH, add or correct the following line in "/etc/ssh/sshd_config": PermitRootLogin no
To determine how the SSH daemon's "PermitEmptyPasswords" option is set, run the following command: # grep -i PermitEmptyPasswords /etc/ssh/sshd_config If no line, a commented line, or a line indicating the value "no" is returned, then the required value is set. If the required value is not set, this is a finding.
To explicitly disallow remote login from accounts with empty passwords, add or correct the following line in "/etc/ssh/sshd_config": PermitEmptyPasswords no Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.
To determine how the SSH daemon's "Banner" option is set, run the following command: # grep -i Banner /etc/ssh/sshd_config If a line indicating /etc/issue is returned, then the required value is set. If the required value is not set, this is a finding.
To enable the warning banner and ensure it is consistent across the system, add or correct the following line in "/etc/ssh/sshd_config": Banner /etc/issue Another section contains information on how to create an appropriate system-wide warning banner.
To ensure users are not able to present environment daemons, run the following command: # grep PermitUserEnvironment /etc/ssh/sshd_config If properly configured, output should be: PermitUserEnvironment no If it is not, this is a finding.
To ensure users are not able to present environment options to the SSH daemon, add or correct the following line in "/etc/ssh/sshd_config": PermitUserEnvironment no
Only FIPS-approved ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command: # grep -i Ciphers /etc/ssh/sshd_config Ciphers aes256-ctr,aes192-ctr,aes128-ctr If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, the "Ciphers" keyword is missing, or the returned line is commented out, this is a finding.
Limit the ciphers to those algorithms which are FIPS-approved. The following line in "/etc/ssh/sshd_config" demonstrates use of FIPS-approved ciphers: Ciphers aes256-ctr,aes192-ctr,aes128-ctr Note: The man page "sshd_config(5)" contains a list of supported ciphers.
To check that the "avahi-daemon" service is disabled in system boot configuration, run the following command: # chkconfig "avahi-daemon" --list Output should indicate the "avahi-daemon" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "avahi-daemon" --list "avahi-daemon" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "avahi-daemon" is disabled through current runtime configuration: # service avahi-daemon status If the service is disabled the command will return the following output: avahi-daemon is stopped If the service is running, this is a finding.
The "avahi-daemon" service can be disabled with the following commands: # chkconfig avahi-daemon off # service avahi-daemon stop
Run the following command to determine the current status of the "ntpd" service: # service ntpd status If the service is enabled, it should return the following: ntpd is running... If the service is not running, this is a finding.
The "ntpd" service can be enabled with the following command: # chkconfig ntpd on # service ntpd start
A remote NTP server should be configured for time synchronization. To verify one is configured, open the following file. /etc/ntp.conf In the file, there should be a section similar to the following: # --- OUR TIMESERVERS ----- server [ntpserver] If this is not the case, this is a finding.
To specify a remote NTP server for time synchronization, edit the file "/etc/ntp.conf". Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver. server [ntpserver] This instructs the NTP software to contact that remote server to obtain time data.
If the system is an authorized mail relay host, this is not applicable. Run the following command to ensure postfix accepts mail messages from only the local system: $ grep inet_interfaces /etc/postfix/main.cf If properly configured, the output should show only "localhost". If it does not, this is a finding.
Edit the file "/etc/postfix/main.cf" to ensure that only the following "inet_interfaces" line appears: inet_interfaces = localhost
To verify the "openldap-servers" package is not installed, run the following command: $ rpm -q openldap-servers The output should show the following. package openldap-servers is not installed If it does not, this is a finding.
The "openldap-servers" package should be removed if not in use. # yum erase openldap-servers The openldap-servers RPM is not installed by default on RHEL6 machines. It is needed only by the OpenLDAP server, not by the clients which use LDAP for authentication. If the system is not intended for use as an LDAP Server it should be removed.
If the GConf2 package is not installed, this is not applicable. To check the current idle time-out value, run the following command: $ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/idle_delay If properly configured, the output should be "15". If it is not, this is a finding.
Run the following command to set the idle time-out value for inactivity in the GNOME desktop to 15 minutes: # gconftool-2 \ --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type int \ --set /apps/gnome-screensaver/idle_delay 15
If the GConf2 package is not installed, this is not applicable. To check the screensaver mandatory use status, run the following command: $ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/idle_activation_enabled If properly configured, the output should be "true". If it is not, this is a finding.
Run the following command to activate the screensaver in the GNOME desktop after a period of inactivity: # gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/gnome-screensaver/idle_activation_enabled true
If the GConf2 package is not installed, this is not applicable. To check the status of the idle screen lock activation, run the following command: $ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/lock_enabled If properly configured, the output should be "true". If it is not, this is a finding.
Run the following command to activate locking of the screensaver in the GNOME desktop when it is activated: # gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/gnome-screensaver/lock_enabled true
If the GConf2 package is not installed, this is not applicable. To ensure the screensaver is configured to be blank, run the following command: $ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/mode If properly configured, the output should be "blank-only". If it is not, this is a finding.
Run the following command to set the screensaver mode in the GNOME desktop to a blank screen: # gconftool-2 \ --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type string \ --set /apps/gnome-screensaver/mode blank-only
To check that the "abrtd" service is disabled in system boot configuration, run the following command: # chkconfig "abrtd" --list Output should indicate the "abrtd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "abrtd" --list "abrtd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "abrtd" is disabled through current runtime configuration: # service abrtd status If the service is disabled the command will return the following output: abrtd is stopped If the service is running, this is a finding.
The Automatic Bug Reporting Tool ("abrtd") daemon collects and reports crash data when an application crash is detected. Using a variety of plugins, abrtd can email crash reports to system administrators, log crash reports to files, or forward crash reports to a centralized issue tracking system such as RHTSupport. The "abrtd" service can be disabled with the following commands: # chkconfig abrtd off # service abrtd stop
If the system requires the use of the "atd" service to support an organizational requirement, this is not applicable. To check that the "atd" service is disabled in system boot configuration, run the following command: # chkconfig "atd" --list Output should indicate the "atd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "atd" --list "atd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "atd" is disabled through current runtime configuration: # service atd status If the service is disabled the command will return the following output: atd is stopped If the service is running, this is a finding.
The "at" and "batch" commands can be used to schedule tasks that are meant to be executed only once. This allows delayed execution in a manner similar to cron, except that it is not recurring. The daemon "atd" keeps track of tasks scheduled via "at" and "batch", and executes them at the specified time. The "atd" service can be disabled with the following commands: # chkconfig atd off # service atd stop
To check that the "ntpdate" service is disabled in system boot configuration, run the following command: # chkconfig "ntpdate" --list Output should indicate the "ntpdate" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "ntpdate" --list "ntpdate" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "ntpdate" is disabled through current runtime configuration: # service ntpdate status If the service is disabled the command will return the following output: ntpdate is stopped If the service is running, this is a finding.
The ntpdate service sets the local hardware clock by polling NTP servers when the system boots. It synchronizes to the NTP servers listed in "/etc/ntp/step-tickers" or "/etc/ntp.conf" and then sets the local hardware clock to the newly synchronized system time. The "ntpdate" service can be disabled with the following commands: # chkconfig ntpdate off # service ntpdate stop
To check that the "oddjobd" service is disabled in system boot configuration, run the following command: # chkconfig "oddjobd" --list Output should indicate the "oddjobd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "oddjobd" --list "oddjobd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "oddjobd" is disabled through current runtime configuration: # service oddjobd status If the service is disabled the command will return the following output: oddjobd is stopped If the service is running, this is a finding.
The "oddjobd" service exists to provide an interface and access control mechanism through which specified privileged tasks can run tasks for unprivileged client applications. Communication with "oddjobd" is through the system message bus. The "oddjobd" service can be disabled with the following commands: # chkconfig oddjobd off # service oddjobd stop
To check that the "qpidd" service is disabled in system boot configuration, run the following command: # chkconfig "qpidd" --list Output should indicate the "qpidd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "qpidd" --list "qpidd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "qpidd" is disabled through current runtime configuration: # service qpidd status If the service is disabled the command will return the following output: qpidd is stopped If the service is running, this is a finding.
The "qpidd" service provides high speed, secure, guaranteed delivery services. It is an implementation of the Advanced Message Queuing Protocol. By default the qpidd service will bind to port 5672 and listen for connection attempts. The "qpidd" service can be disabled with the following commands: # chkconfig qpidd off # service qpidd stop
To check that the "rdisc" service is disabled in system boot configuration, run the following command: # chkconfig "rdisc" --list Output should indicate the "rdisc" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "rdisc" --list "rdisc" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "rdisc" is disabled through current runtime configuration: # service rdisc status If the service is disabled the command will return the following output: rdisc is stopped If the service is running, this is a finding.
The "rdisc" service implements the client side of the ICMP Internet Router Discovery Protocol (IRDP), which allows discovery of routers on the local subnet. If a router is discovered then the local routing table is updated with a corresponding default route. By default this daemon is disabled. The "rdisc" service can be disabled with the following commands: # chkconfig rdisc off # service rdisc stop
To verify the "nodev" option is configured for all NFS mounts, run the following command: $ mount | grep "nfs " All NFS mounts should show the "nodev" setting in parentheses, along with other mount options. If the setting does not show, this is a finding.
Add the "nodev" option to the fourth column of "/etc/fstab" for the line which controls mounting of any NFS mounts.
To verify the "nosuid" option is configured for all NFS mounts, run the following command: $ mount | grep nfs All NFS mounts should show the "nosuid" setting in parentheses, along with other mount options. If the setting does not show, this is a finding.
Add the "nosuid" option to the fourth column of "/etc/fstab" for the line which controls mounting of any NFS mounts.
Identify any removable media that is configured on the system: # cat /etc/fstab /dev/mapper/vg_rhel6-lv_root / ext4 defaults 1 1 UUID=0be9b205-f8e6-4bf4-b0ba-1f235fc55936 /boot ext4 defaults 1 2 UUID=5D49-30B2 /boot/efi vfat umask=0077,shortname=winnt 0 0 /dev/mapper/vg_rhel6-lv_home /home ext4 defaults 1 2 /dev/mapper/vg_rhel6-lv_tmp /tmp ext4 defaults 1 2 /dev/mapper/vg_rhel6-lv_var /var ext4 defaults 1 2 /dev/mapper/vg_rhel6-lv_swap swap swap defaults 0 0 tmpfs /dev/shm tmpfs defaults 0 0 devpts /dev/pts devpts gid=5,mode=620 0 0 sysfs /sys sysfs defaults 0 0 proc /proc proc defaults 0 0 /dev/sdc1 /media/usb vfat defaults,rw,noexec 0 0 If any of the identified removable media devices do not have "noexec" defined, this is a finding.
The "noexec" mount option prevents the direct execution of binaries on the mounted filesystem. Users should not be allowed to execute binaries that exist on partitions mounted from removable media (such as a USB key). The "noexec" option prevents code from being executed directly from the media itself, and may therefore provide a line of defense against certain types of worms or malicious code. Add the "noexec" option to the fourth column of "/etc/fstab" for the line which controls mounting of any removable media partitions.
To verify that Samba clients running smbclient must use packet signing, run the following command: # grep signing /etc/samba/smb.conf The output should show: client signing = mandatory If it is not, this is a finding.
To require samba clients running "smbclient" to use packet signing, add the following to the "[global]" section of the Samba configuration file in "/etc/samba/smb.conf": client signing = mandatory Requiring samba clients such as "smbclient" to use packet signing ensures they can only communicate with servers that support packet signing.
If Samba is not in use, this is not applicable. To verify that Samba clients using mount.cifs must use packet signing, run the following command: # grep sec /etc/fstab /etc/mtab The output should show either "krb5i" or "ntlmv2i" in use. If it does not, this is a finding.
Require packet signing of clients who mount Samba shares using the "mount.cifs" program (e.g., those who specify shares in "/etc/fstab"). To do so, ensure signing options (either "sec=krb5i" or "sec=ntlmv2i") are used. See the "mount.cifs(8)" man page for more information. A Samba client should only communicate with servers who can support SMB packet signing.
To verify the password reuse setting is compliant, run the following command: # grep remember /etc/pam.d/system-auth /etc/pam.d/password-auth If the line is commented out, the line does not contain "password required pam_pwhistory.so" or "password requisite pam_pwhistory.so", or the value for "remember" is less than “5”, this is a finding.
Do not allow users to reuse recent passwords. This can be accomplished by using the "remember" option for the "pam_pwhistory" PAM module. In the file "/etc/pam.d/system-auth" and /etc/pam.d/password-auth, append "remember=5" to the lines that refer to the "pam_pwhistory.so" module, as shown: password required pam_pwhistory.so [existing_options] remember=5 or password requisite pam_pwhistory.so [existing_options] remember=5 The DoD requirement is five passwords.
Determine if encryption must be used to protect data on the system. If encryption must be used and is not employed, this is a finding.
Red Hat Enterprise Linux 6 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time. For manual installations, select the "Encrypt" checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots. For automated/unattended installations, it is possible to use Kickstart by adding the "--encrypted" and "--passphrase=" options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition: part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=[PASSPHRASE] Any [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the "--passphrase=" option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation. Detailed information on encrypting partitions using LUKS can be found on the Red Hat Documentation web site: https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html
Determine if encryption must be used to protect data on the system. If encryption must be used and is not employed, this is a finding.
Red Hat Enterprise Linux 6 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time. For manual installations, select the "Encrypt" checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots. For automated/unattended installations, it is possible to use Kickstart by adding the "--encrypted" and "--passphrase=" options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition: part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=[PASSPHRASE] Any [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the "--passphrase=" option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation. Detailed information on encrypting partitions using LUKS can be found on the Red Hat Documentation web site: https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html
Determine if encryption must be used to protect data on the system. If encryption must be used and is not employed, this is a finding.
Red Hat Enterprise Linux 6 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time. For manual installations, select the "Encrypt" checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots. For automated/unattended installations, it is possible to use Kickstart by adding the "--encrypted" and "--passphrase=" options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition: part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=[PASSPHRASE] Any [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the "--passphrase=" option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation. Detailed information on encrypting partitions using LUKS can be found on the Red Hat Documentation web site: https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html
The following command will list which audit files on the system have permissions different from what is expected by the RPM database: # rpm -V audit | grep '^.M' If there is any output, for each file or directory found, compare the RPM-expected permissions with the permissions on the file or directory: # rpm -q --queryformat "[%{FILENAMES} %{FILEMODES:perms}\n]" audit | grep [filename] # ls -lL [filename] If the existing permissions are more permissive than those expected by RPM, this is a finding.
The RPM package management system can restore file access permissions of the audit package files and directories. The following command will update audit files with permissions different from what is expected by the RPM database: # rpm --setperms audit
The following command will list which audit files on the system have ownership different from what is expected by the RPM database: # rpm -V audit | grep '^.....U' If there is output, this is a finding.
The RPM package management system can restore file ownership of the audit package files and directories. The following command will update audit files with ownership different from what is expected by the RPM database: # rpm --setugids audit
The following command will list which audit files on the system have group-ownership different from what is expected by the RPM database: # rpm -V audit | grep '^......G' If there is output, this is a finding.
The RPM package management system can restore file group-ownership of the audit package files and directories. The following command will update audit files with group-ownership different from what is expected by the RPM database: # rpm --setugids audit
The following command will list which audit files on the system have file hashes different from what is expected by the RPM database. # rpm -V audit | awk '$1 ~ /..5/ && $2 != "c"' If there is output, this is a finding.
The RPM package management system can check the hashes of audit system package files. Run the following command to list which audit files on the system have hashes that differ from what is expected by the RPM database: # rpm -V audit | grep '^..5' A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file that has changed was not expected to then refresh from distribution media or online repositories. rpm -Uvh [affected_package] OR yum reinstall [affected_package]
To find world-writable files, run the following command for each local partition [PART], excluding special filesystems such as /selinux, /proc, or /sys: # find [PART] -xdev -type f -perm -002 If there is output, this is a finding.
It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account.
Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux. McAfee Endpoint Security for Linux (ENSL) is an approved alternative to McAfee Virus Scan Enterprise (VSE) and HIPS. Procedure: Examine the system to see if the Host Intrusion Prevention System (HIPS) is installed: # rpm -qa | grep MFEhiplsm Verify that the McAfee HIPS module is active on the system: # ps -ef | grep -i “hipclient” If the MFEhiplsm package is not installed, check for another intrusion detection system: # find / -name <daemon name> Where <daemon name> is the name of the primary application daemon to determine if the application is loaded on the system. Determine if the application is active on the system: # ps -ef | grep -i <daemon name> If the MFEhiplsm package is not installed and an alternate host-based intrusion detection application has not been documented for use, this is a finding. If no host-based intrusion detection system is installed and running on the system, this is a finding.
Install and enable the latest McAfee HIPS package or McAfee ENSL.
To ensure the system is configured to log a message instead of rebooting the system when Ctrl-Alt-Delete is pressed, ensure the following line is in "/etc/init/control-alt-delete.override": exec /usr/bin/logger -p authpriv.notice "Ctrl-Alt-Delete pressed" If the system is not configured to block the shutdown command when Ctrl-Alt-Delete is pressed, this is a finding.
By default, the system includes the following line in "/etc/init/control-alt-delete.conf" to reboot the system when the Ctrl-Alt-Delete key sequence is pressed: exec /sbin/shutdown -r now "Ctrl-Alt-Delete pressed" To configure the system to log a message instead of rebooting the system, add the following line to "/etc/init/control-alt-delete.override" to read as follows: exec /usr/bin/logger -p authpriv.notice "Ctrl-Alt-Delete pressed"
Run the following command to determine the current status of the "postfix" service: # service postfix status If the service is enabled, it should return the following: postfix is running... If the service is not enabled, this is a finding.
The Postfix mail transfer agent is used for local mail delivery within the system. The default configuration only listens for connections to the default SMTP port (port 25) on the loopback interface (127.0.0.1). It is recommended to leave this service enabled for local mail delivery. The "postfix" service can be enabled with the following command: # chkconfig postfix on # service postfix start
Run the following command to determine if the "sendmail" package is installed: # rpm -q sendmail If the package is installed, this is a finding.
Sendmail is not the default mail transfer agent and is not installed by default. The "sendmail" package can be removed with the following command: # yum erase sendmail
To check that the "netconsole" service is disabled in system boot configuration, run the following command: # chkconfig "netconsole" --list Output should indicate the "netconsole" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "netconsole" --list "netconsole" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "netconsole" is disabled through current runtime configuration: # service netconsole status If the service is disabled the command will return the following output: netconsole is stopped If the service is running, this is a finding.
The "netconsole" service is responsible for loading the netconsole kernel module, which logs kernel printk messages over UDP to a syslog server. This allows debugging of problems where disk logging fails and serial consoles are impractical. The "netconsole" service can be disabled with the following commands: # chkconfig netconsole off # service netconsole stop
To verify the default runlevel is 3, run the following command: # grep initdefault /etc/inittab The output should show the following: id:3:initdefault: If it does not, this is a finding.
Setting the system's runlevel to 3 will prevent automatic startup of the X server. To do so, ensure the following line in "/etc/inittab" features a "3" as shown: id:3:initdefault: