Red Hat Enterprise Linux 6 Security Technical Implementation Guide

  • Version/Release: V2R2
  • Published: 2020-12-04
  • Released: 2021-01-22
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
a
The system must use a separate file system for /tmp.
CM-6 - Low - CCI-000366 - V-217846 - SV-217846r603264_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000001
Vuln IDs
  • V-217846
  • V-38455
Rule IDs
  • SV-217846r603264_rule
  • SV-50255
The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.
Checks: C-19327r376553_chk

Run the following command to determine if "/tmp" is on its own partition or logical volume: $ mount | grep "on /tmp " If "/tmp" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding.

Fix: F-19325r376554_fix

The "/tmp" directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.

a
The system must use a separate file system for /var.
CM-6 - Low - CCI-000366 - V-217847 - SV-217847r603264_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000002
Vuln IDs
  • V-217847
  • V-38456
Rule IDs
  • SV-217847r603264_rule
  • SV-50256
Ensuring that "/var" is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the "/var" directory to contain world-writable directories, installed by other software packages.
Checks: C-19328r376556_chk

Run the following command to determine if "/var" is on its own partition or logical volume: $ mount | grep "on /var " If "/var" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding.

Fix: F-19326r376557_fix

The "/var" directory is used by daemons and other system services to store frequently-changing data. Ensure that "/var" has its own partition or logical volume at installation time, or migrate it using LVM.

a
The system must use a separate file system for /var/log.
CM-6 - Low - CCI-000366 - V-217848 - SV-217848r603264_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000003
Vuln IDs
  • V-217848
  • V-38463
Rule IDs
  • SV-217848r603264_rule
  • SV-50263
Placing "/var/log" in its own partition enables better separation between log files and other files in "/var/".
Checks: C-19329r376559_chk

Run the following command to determine if "/var/log" is on its own partition or logical volume: $ mount | grep "on /var/log " If "/var/log" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding.

Fix: F-19327r376560_fix

System logs are stored in the "/var/log" directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM.

a
The system must use a separate file system for the system audit data path.
CM-6 - Low - CCI-000366 - V-217849 - SV-217849r603264_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000004
Vuln IDs
  • V-217849
  • V-38467
Rule IDs
  • SV-217849r603264_rule
  • SV-50267
Placing "/var/log/audit" in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.
Checks: C-19330r376562_chk

Run the following command to determine if "/var/log/audit" is on its own partition or logical volume: $ mount | grep "on /var/log/audit " If "/var/log/audit" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding.

Fix: F-19328r376563_fix

Audit logs are stored in the "/var/log/audit" directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.

b
The audit system must alert designated staff members when the audit storage volume approaches capacity.
AU-5 - Medium - CCI-001855 - V-217850 - SV-217850r603264_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-001855
Version
RHEL-06-000005
Vuln IDs
  • V-217850
  • V-38470
Rule IDs
  • SV-217850r603264_rule
  • SV-50270
Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.
Checks: C-19331r376565_chk

Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to email the administrator when disk space is starting to run low: # grep space_left_action /etc/audit/auditd.conf space_left_action = email If the system is not configured to send an email to the system administrator when disk space is starting to run low, this is a finding. The "syslog" option is acceptable when it can be demonstrated that the local log management infrastructure notifies an appropriate administrator in a timely manner.

Fix: F-19329r376566_fix

The "auditd" service can be configured to take an action when disk space starts to run low. Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [ACTION] appropriately: space_left_action = [ACTION] Possible values for [ACTION] are described in the "auditd.conf" man page. These include: "ignore" "syslog" "email" "exec" "suspend" "single" "halt" Set this to "email" (instead of the default, which is "suspend") as it is more likely to get prompt attention. The "syslog" option is acceptable, provided the local log management infrastructure notifies an appropriate administrator in a timely manner. RHEL-06-000521 ensures that the email generated through the operation "space_left_action" will be sent to an administrator.

a
The system must use a separate file system for user home directories.
CM-6 - Low - CCI-000366 - V-217851 - SV-217851r603264_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000007
Vuln IDs
  • V-217851
  • V-38473
Rule IDs
  • SV-217851r603264_rule
  • SV-50273
Ensuring that "/home" is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.
Checks: C-19332r376568_chk

Run the following command to determine if "/home" is on its own partition or logical volume: $ mount | grep "on /home " If "/home" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding.

Fix: F-19330r376569_fix

If user home directories will be stored locally, create a separate partition for "/home" at installation time (or migrate it later using LVM). If "/home" will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.

c
Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
CM-5 - High - CCI-001749 - V-217852 - SV-217852r603264_rule
RMF Control
CM-5
Severity
High
CCI
CCI-001749
Version
RHEL-06-000008
Vuln IDs
  • V-217852
  • V-38476
Rule IDs
  • SV-217852r603264_rule
  • SV-50276
The Red Hat GPG keys are necessary to cryptographically verify packages are from Red Hat.
Checks: C-19333r376571_chk

To ensure that the GPG keys are installed, run: $ rpm -q gpg-pubkey The command should return the strings below: gpg-pubkey-fd431d51-4ae0493b gpg-pubkey-2fa658e0-45700c69 If the Red Hat GPG Keys are not installed, this is a finding.

Fix: F-19331r376572_fix

To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG keys must be installed properly. To install the Red Hat GPG keys, run: # rhn_register If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG keys from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in "/media/cdrom", use the following command as the root user to import them into the keyring: # rpm --import /media/cdrom/RPM-GPG-KEY

a
The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite.
CM-7 - Low - CCI-000382 - V-217853 - SV-217853r603264_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000382
Version
RHEL-06-000009
Vuln IDs
  • V-217853
  • V-38478
Rule IDs
  • SV-217853r603264_rule
  • SV-50278
Although systems management and patching is extremely important to system security, management by a system outside the enterprise enclave is not desirable for some environments. However, if the system is being managed by RHN or RHN Satellite Server the "rhnsd" daemon can remain on.
Checks: C-19334r376574_chk

If the system uses RHN or an RHN Satellite, this is not applicable. To check that the "rhnsd" service is disabled in system boot configuration, run the following command: # chkconfig "rhnsd" --list Output should indicate the "rhnsd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "rhnsd" --list "rhnsd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "rhnsd" is disabled through current runtime configuration: # service rhnsd status If the service is disabled the command will return the following output: rhnsd is stopped If the service is running, this is a finding.

Fix: F-19332r376575_fix

The Red Hat Network service automatically queries Red Hat Network servers to determine whether there are any actions that should be executed, such as package updates. This only occurs if the system was registered to an RHN server or satellite and managed as such. The "rhnsd" service can be disabled with the following commands: # chkconfig rhnsd off # service rhnsd stop

b
System security patches and updates must be installed and up-to-date.
SI-2 - Medium - CCI-001233 - V-217854 - SV-217854r603264_rule
RMF Control
SI-2
Severity
Medium
CCI
CCI-001233
Version
RHEL-06-000011
Vuln IDs
  • V-217854
  • V-38481
Rule IDs
  • SV-217854r603264_rule
  • SV-50281
Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities.
Checks: C-19335r376577_chk

If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server which provides updates, invoking the following command will indicate if updates are available: # yum check-update If the system is not configured to update from one of these sources, run the following command to list when each package was last updated: $ rpm -qa -last Compare this to Red Hat Security Advisories (RHSA) listed at https://access.redhat.com/security/updates/active/ to determine whether the system is missing applicable security and bugfix updates. If updates are not installed, this is a finding.

Fix: F-19333r376578_fix

If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates: # yum update If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the Red Hat Network and installed using "rpm".

b
The system package management tool must cryptographically verify the authenticity of system software packages during installation.
CM-5 - Medium - CCI-001749 - V-217855 - SV-217855r603264_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001749
Version
RHEL-06-000013
Vuln IDs
  • V-217855
  • V-38483
Rule IDs
  • SV-217855r603264_rule
  • SV-50283
Ensuring the validity of packages' cryptographic signatures prior to installation ensures the provenance of the software and protects against malicious tampering.
Checks: C-19336r376580_chk

To determine whether "yum" is configured to use "gpgcheck", inspect "/etc/yum.conf" and ensure the following appears in the "[main]" section: gpgcheck=1 A value of "1" indicates that "gpgcheck" is enabled. Absence of a "gpgcheck" line or a setting of "0" indicates that it is disabled. If GPG checking is not enabled, this is a finding. If the "yum" system package management tool is not used to update the system, verify with the SA that installed packages are cryptographically signed.

Fix: F-19334r376581_fix

The "gpgcheck" option should be used to ensure checking of an RPM package's signature always occurs prior to its installation. To configure yum to check package signatures before installing them, ensure the following line appears in "/etc/yum.conf" in the "[main]" section: gpgcheck=1

a
The system package management tool must cryptographically verify the authenticity of all software packages during installation.
CM-5 - Low - CCI-001749 - V-217856 - SV-217856r603264_rule
RMF Control
CM-5
Severity
Low
CCI
CCI-001749
Version
RHEL-06-000015
Vuln IDs
  • V-217856
  • V-38487
Rule IDs
  • SV-217856r603264_rule
  • SV-50288
Ensuring all packages' cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering.
Checks: C-19337r376583_chk

To determine whether "yum" has been configured to disable "gpgcheck" for any repos, inspect all files in "/etc/yum.repos.d" and ensure the following does not appear in any sections: gpgcheck=0 A value of "0" indicates that "gpgcheck" has been disabled for that repo. If GPG checking is disabled, this is a finding. If the "yum" system package management tool is not used to update the system, verify with the SA that installed packages are cryptographically signed.

Fix: F-19335r376584_fix

To ensure signature checking is not disabled for any repos, remove any lines from files in "/etc/yum.repos.d" of the form: gpgcheck=0

b
A file integrity tool must be installed.
CM-7 - Medium - CCI-001774 - V-217857 - SV-217857r603264_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-001774
Version
RHEL-06-000016
Vuln IDs
  • V-217857
  • V-38489
Rule IDs
  • SV-217857r603264_rule
  • SV-50290
The AIDE package must be installed if it is to be available for integrity checking.
Checks: C-19338r376586_chk

If another file integrity tool is installed, this is not a finding. Run the following command to determine if the "aide" package is installed: # rpm -q aide If the package is not installed, this is a finding.

Fix: F-19336r376587_fix

Install the AIDE package with the command: # yum install aide

b
The system must use a Linux Security Module at boot time.
AC-3 - Medium - CCI-002163 - V-217858 - SV-217858r603264_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-002163
Version
RHEL-06-000017
Vuln IDs
  • V-217858
  • V-51337
Rule IDs
  • SV-217858r603264_rule
  • SV-65547
Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation.
Checks: C-19339r376589_chk

Inspect "/boot/grub/grub.conf" for any instances of "selinux=0" in the kernel boot arguments. Presence of "selinux=0" indicates that SELinux is disabled at boot time. If SELinux is disabled at boot time, this is a finding.

Fix: F-19337r376590_fix

SELinux can be disabled at boot time by an argument in "/boot/grub/grub.conf". Remove any instances of "selinux=0" from the kernel arguments in that file to prevent SELinux from being disabled at boot.

b
A file integrity baseline must be created.
CM-7 - Medium - CCI-001774 - V-217859 - SV-217859r603264_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-001774
Version
RHEL-06-000018
Vuln IDs
  • V-217859
  • V-51391
Rule IDs
  • SV-217859r603264_rule
  • SV-65601
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
Checks: C-19340r376592_chk

To find the location of the AIDE database file, run the following command: # grep DBDIR /etc/aide.conf Using the defined values of the [DBDIR] and [database] variables, verify the existence of the AIDE database file: # ls -l [DBDIR]/[database_file_name] If there is no database file, this is a finding.

Fix: F-19338r376593_fix

Run the following command to generate a new database: # /usr/sbin/aide --init By default, the database will be written to the file "/var/lib/aide/aide.db.new.gz". Storing the database, the configuration file "/etc/aide.conf", and the binary "/usr/sbin/aide" (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows: # cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz To initiate a manual check, run the following command: # /usr/sbin/aide --check If this check produces any unexpected output, investigate.

c
There must be no .rhosts or hosts.equiv files on the system.
CM-6 - High - CCI-000366 - V-217860 - SV-217860r603264_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
RHEL-06-000019
Vuln IDs
  • V-217860
  • V-38491
Rule IDs
  • SV-217860r603264_rule
  • SV-50292
Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system.
Checks: C-19341r376595_chk

The existence of the file "/etc/hosts.equiv" or a file named ".rhosts" inside a user home directory indicates the presence of an Rsh trust relationship. If these files exist, this is a finding.

Fix: F-19339r376596_fix

The files "/etc/hosts.equiv" and "~/.rhosts" (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To remove these files, run the following command to delete them from any location. # rm /etc/hosts.equiv $ rm ~/.rhosts

b
The system must use a Linux Security Module configured to enforce limits on system services.
AC-3 - Medium - CCI-002165 - V-217861 - SV-217861r603264_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
RHEL-06-000020
Vuln IDs
  • V-217861
  • V-51363
Rule IDs
  • SV-217861r603264_rule
  • SV-65573
Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges. Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux. However, McAfee Endpoint Security for Linux (ENSL) is an approved alternative to both McAfee Virus Scan Enterprise (VSE) and HIPS. In either scenario, SELinux is interoperable with the McAfee products and SELinux is still required.
Checks: C-19342r462504_chk

If an HBSS or HIPS is active on the system, this is Not Applicable. Check the file "/etc/selinux/config" and ensure the following line appears: SELINUX=enforcing If SELINUX is not set to enforcing, this is a finding.

Fix: F-19340r462505_fix

The SELinux state should be set to "enforcing" at system boot time. In the file "/etc/selinux/config", add or correct the following line to configure the system to boot into enforcing mode: SELINUX=enforcing

c
The Red Hat Enterprise Linux operating system must not contain .shosts or shosts.equiv files.
CM-6 - High - CCI-000366 - V-217862 - SV-217862r603264_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
RHEL-06-000021
Vuln IDs
  • V-217862
  • V-100011
Rule IDs
  • SV-217862r603264_rule
  • SV-109115
The .shosts and shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.
Checks: C-19343r462695_chk

Verify there are no ".shosts" or "shosts.equiv" files on the system. # find / -name '*.shosts' # find / -name shosts.equiv If any ".shosts" or "shosts.equiv" files are found on the system, this is a finding.

Fix: F-19341r462696_fix

Remove any found ".shosts" or "shosts.equiv" files from the system. # rm /[path]/[to]/[file]/.shosts # rm /[path]/[to]/[file]/shosts.equiv

a
The system must use a Linux Security Module configured to limit the privileges of system services.
AC-6 - Low - CCI-002235 - V-217863 - SV-217863r603264_rule
RMF Control
AC-6
Severity
Low
CCI
CCI-002235
Version
RHEL-06-000023
Vuln IDs
  • V-217863
  • V-51369
Rule IDs
  • SV-217863r603264_rule
  • SV-65579
Setting the SELinux policy to "targeted" or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services.
Checks: C-19344r376604_chk

Check the file "/etc/selinux/config" and ensure the following line appears: SELINUXTYPE=targeted If it does not, this is a finding.

Fix: F-19342r376605_fix

The SELinux "targeted" policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in "/etc/selinux/config": SELINUXTYPE=targeted Other policies, such as "mls", provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.

a
All device files must be monitored by the system Linux Security Module.
AC-3 - Low - CCI-002165 - V-217864 - SV-217864r603264_rule
RMF Control
AC-3
Severity
Low
CCI
CCI-002165
Version
RHEL-06-000025
Vuln IDs
  • V-217864
  • V-51379
Rule IDs
  • SV-217864r603264_rule
  • SV-65589
If a device file carries the SELinux type "unlabeled_t", then SELinux cannot properly restrict access to the device file.
Checks: C-19345r376607_chk

To check for unlabeled device files, run the following command: # ls -RZ /dev | grep unlabeled_t It should produce no output in a well-configured system. If there is output, this is a finding.

Fix: F-19343r376608_fix

Device files, which are used for communication with important system resources, should be labeled with proper SELinux types. If any device files carry the SELinux type "unlabeled_t", investigate the cause and correct the file's context.

b
The system must prevent the root account from logging in from virtual consoles.
IA-2 - Medium - CCI-000770 - V-217865 - SV-217865r603264_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000770
Version
RHEL-06-000027
Vuln IDs
  • V-217865
  • V-38492
Rule IDs
  • SV-217865r603264_rule
  • SV-50293
Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account.
Checks: C-19346r376610_chk

To check for virtual console entries which permit root login, run the following command: # grep '^vc/[0-9]' /etc/securetty If any output is returned, then root logins over virtual console devices is permitted. If root login over virtual console devices is permitted, this is a finding.

Fix: F-19344r376611_fix

To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in "/etc/securetty": vc/1 vc/2 vc/3 vc/4 Note: Virtual console entries are not limited to those listed above. Any lines starting with "vc/" followed by numerals should be removed.

a
The system must prevent the root account from logging in from serial consoles.
IA-2 - Low - CCI-000770 - V-217866 - SV-217866r603264_rule
RMF Control
IA-2
Severity
Low
CCI
CCI-000770
Version
RHEL-06-000028
Vuln IDs
  • V-217866
  • V-38494
Rule IDs
  • SV-217866r603264_rule
  • SV-50295
Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account.
Checks: C-19347r376613_chk

To check for serial port entries which permit root login, run the following command: # grep '^ttyS[0-9]' /etc/securetty If any output is returned, then root login over serial ports is permitted. If root login over serial ports is permitted, this is a finding.

Fix: F-19345r376614_fix

To restrict root logins on serial ports, ensure lines of this form do not appear in "/etc/securetty": ttyS0 ttyS1 Note: Serial port entries are not limited to those listed above. Any lines starting with "ttyS" followed by numerals should be removed

b
Default operating system accounts, other than root, must be locked.
CM-6 - Medium - CCI-000366 - V-217867 - SV-217867r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000029
Vuln IDs
  • V-217867
  • V-38496
Rule IDs
  • SV-217867r603264_rule
  • SV-50297
Disabling authentication for default system accounts makes it more difficult for attackers to make use of them to compromise a system.
Checks: C-19348r376616_chk

To obtain a listing of all users and the contents of their shadow password field, run the command: $ awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1 ":" $2}' /etc/shadow Identify the operating system accounts from this listing. These will primarily be the accounts with UID numbers less than 500, other than root. If any default operating system account (other than root) has a valid password hash, this is a finding.

Fix: F-19346r376617_fix

Some accounts are not associated with a human user of the system, and exist to perform some administrative function. An attacker should not be able to log into these accounts. Disable logon access to these accounts with the command: # passwd -l [SYSACCT]

c
The system must not have accounts configured with blank or null passwords.
CM-6 - High - CCI-000366 - V-217868 - SV-217868r603264_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
RHEL-06-000030
Vuln IDs
  • V-217868
  • V-38497
Rule IDs
  • SV-217868r603264_rule
  • SV-50298
If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
Checks: C-19349r376619_chk

To verify that null passwords cannot be used, run the following command: # grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth If this produces any output, it may be possible to log into accounts with empty passwords. If NULL passwords can be used, this is a finding.

Fix: F-19347r376620_fix

If an account is configured for password authentication but does not have an assigned password, it may be possible to log onto the account without authentication. Remove any instances of the "nullok" option in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" to prevent logons with empty passwords.

b
The /etc/passwd file must not contain password hashes.
IA-5 - Medium - CCI-000196 - V-217869 - SV-217869r603264_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000196
Version
RHEL-06-000031
Vuln IDs
  • V-217869
  • V-38499
Rule IDs
  • SV-217869r603264_rule
  • SV-50300
The hashes for all user account passwords should be stored in the file "/etc/shadow" and never in "/etc/passwd", which is readable by all users.
Checks: C-19350r376622_chk

To check that no password hashes are stored in "/etc/passwd", run the following command: # awk -F: '($2 != "x") {print}' /etc/passwd If it produces any output, then a password hash is stored in "/etc/passwd". If any stored hashes are found in /etc/passwd, this is a finding.

Fix: F-19348r376623_fix

If any password hashes are stored in "/etc/passwd" (in the second field, instead of an "x"), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely.

b
The root account must be the only account having a UID of 0.
CM-6 - Medium - CCI-000366 - V-217870 - SV-217870r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000032
Vuln IDs
  • V-217870
  • V-38500
Rule IDs
  • SV-217870r603264_rule
  • SV-50301
An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.
Checks: C-19351r376625_chk

To list all password file entries for accounts with UID 0, run the following command: # awk -F: '($3 == 0) {print}' /etc/passwd This should print only one line, for the user root. If any account other than root has a UID of 0, this is a finding.

Fix: F-19349r376626_fix

If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.

b
The /etc/shadow file must be owned by root.
CM-6 - Medium - CCI-000366 - V-217871 - SV-217871r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000033
Vuln IDs
  • V-217871
  • V-38502
Rule IDs
  • SV-217871r603264_rule
  • SV-50303
The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.
Checks: C-19352r376628_chk

To check the ownership of "/etc/shadow", run the command: $ ls -l /etc/shadow If properly configured, the output should indicate the following owner: "root" If it does not, this is a finding.

Fix: F-19350r376629_fix

To properly set the owner of "/etc/shadow", run the command: # chown root /etc/shadow

b
The /etc/shadow file must be group-owned by root.
CM-6 - Medium - CCI-000366 - V-217872 - SV-217872r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000034
Vuln IDs
  • V-217872
  • V-38503
Rule IDs
  • SV-217872r603264_rule
  • SV-50304
The "/etc/shadow" file stores password hashes. Protection of this file is critical for system security.
Checks: C-19353r376631_chk

To check the group ownership of "/etc/shadow", run the command: $ ls -l /etc/shadow If properly configured, the output should indicate the following group-owner. "root" If it does not, this is a finding.

Fix: F-19351r376632_fix

To properly set the group owner of "/etc/shadow", run the command: # chgrp root /etc/shadow

b
The /etc/shadow file must have mode 0000.
CM-6 - Medium - CCI-000366 - V-217873 - SV-217873r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000035
Vuln IDs
  • V-217873
  • V-38504
Rule IDs
  • SV-217873r603264_rule
  • SV-50305
The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.
Checks: C-19354r376634_chk

To check the permissions of "/etc/shadow", run the command: $ ls -l /etc/shadow If properly configured, the output should indicate the following permissions: "----------" If it does not, this is a finding.

Fix: F-19352r376635_fix

To properly set the permissions of "/etc/shadow", run the command: # chmod 0000 /etc/shadow

b
The /etc/gshadow file must be owned by root.
CM-6 - Medium - CCI-000366 - V-217874 - SV-217874r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000036
Vuln IDs
  • V-217874
  • V-38443
Rule IDs
  • SV-217874r603264_rule
  • SV-50243
The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.
Checks: C-19355r376637_chk

To check the ownership of "/etc/gshadow", run the command: $ ls -l /etc/gshadow If properly configured, the output should indicate the following owner: "root" If it does not, this is a finding.

Fix: F-19353r376638_fix

To properly set the owner of "/etc/gshadow", run the command: # chown root /etc/gshadow

b
The /etc/gshadow file must be group-owned by root.
CM-6 - Medium - CCI-000366 - V-217875 - SV-217875r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000037
Vuln IDs
  • V-217875
  • V-38448
Rule IDs
  • SV-217875r603264_rule
  • SV-50248
The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.
Checks: C-19356r376640_chk

To check the group ownership of "/etc/gshadow", run the command: $ ls -l /etc/gshadow If properly configured, the output should indicate the following group-owner. "root" If it does not, this is a finding.

Fix: F-19354r376641_fix

To properly set the group owner of "/etc/gshadow", run the command: # chgrp root /etc/gshadow

b
The /etc/gshadow file must have mode 0000.
CM-6 - Medium - CCI-000366 - V-217876 - SV-217876r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000038
Vuln IDs
  • V-217876
  • V-38449
Rule IDs
  • SV-217876r603264_rule
  • SV-50249
The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.
Checks: C-19357r376643_chk

To check the permissions of "/etc/gshadow", run the command: $ ls -l /etc/gshadow If properly configured, the output should indicate the following permissions: "----------" If it does not, this is a finding.

Fix: F-19355r376644_fix

To properly set the permissions of "/etc/gshadow", run the command: # chmod 0000 /etc/gshadow

b
The /etc/passwd file must be owned by root.
CM-6 - Medium - CCI-000366 - V-217877 - SV-217877r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000039
Vuln IDs
  • V-217877
  • V-38450
Rule IDs
  • SV-217877r603264_rule
  • SV-50250
The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security.
Checks: C-19358r376646_chk

To check the ownership of "/etc/passwd", run the command: $ ls -l /etc/passwd If properly configured, the output should indicate the following owner: "root" If it does not, this is a finding.

Fix: F-19356r376647_fix

To properly set the owner of "/etc/passwd", run the command: # chown root /etc/passwd

b
The /etc/passwd file must be group-owned by root.
CM-6 - Medium - CCI-000366 - V-217878 - SV-217878r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000040
Vuln IDs
  • V-217878
  • V-38451
Rule IDs
  • SV-217878r603264_rule
  • SV-50251
The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security.
Checks: C-19359r376649_chk

To check the group ownership of "/etc/passwd", run the command: $ ls -l /etc/passwd If properly configured, the output should indicate the following group-owner. "root" If it does not, this is a finding.

Fix: F-19357r376650_fix

To properly set the group owner of "/etc/passwd", run the command: # chgrp root /etc/passwd

b
The /etc/passwd file must have mode 0644 or less permissive.
CM-6 - Medium - CCI-000366 - V-217879 - SV-217879r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000041
Vuln IDs
  • V-217879
  • V-38457
Rule IDs
  • SV-217879r603264_rule
  • SV-50257
If the "/etc/passwd" file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.
Checks: C-19360r376652_chk

To check the permissions of "/etc/passwd", run the command: $ ls -l /etc/passwd If properly configured, the output should indicate the following permissions: "-rw-r--r--" If it does not, this is a finding.

Fix: F-19358r376653_fix

To properly set the permissions of "/etc/passwd", run the command: # chmod 0644 /etc/passwd

b
The /etc/group file must be owned by root.
CM-6 - Medium - CCI-000366 - V-217880 - SV-217880r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000042
Vuln IDs
  • V-217880
  • V-38458
Rule IDs
  • SV-217880r603264_rule
  • SV-50258
The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
Checks: C-19361r376655_chk

To check the ownership of "/etc/group", run the command: $ ls -l /etc/group If properly configured, the output should indicate the following owner: "root" If it does not, this is a finding.

Fix: F-19359r376656_fix

To properly set the owner of "/etc/group", run the command: # chown root /etc/group

b
The /etc/group file must be group-owned by root.
CM-6 - Medium - CCI-000366 - V-217881 - SV-217881r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000043
Vuln IDs
  • V-217881
  • V-38459
Rule IDs
  • SV-217881r603264_rule
  • SV-50259
The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
Checks: C-19362r376658_chk

To check the group ownership of "/etc/group", run the command: $ ls -l /etc/group If properly configured, the output should indicate the following group-owner. "root" If it does not, this is a finding.

Fix: F-19360r376659_fix

To properly set the group owner of "/etc/group", run the command: # chgrp root /etc/group

b
The /etc/group file must have mode 0644 or less permissive.
CM-6 - Medium - CCI-000366 - V-217882 - SV-217882r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000044
Vuln IDs
  • V-217882
  • V-38461
Rule IDs
  • SV-217882r603264_rule
  • SV-50261
The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
Checks: C-19363r376661_chk

To check the permissions of "/etc/group", run the command: $ ls -l /etc/group If properly configured, the output should indicate the following permissions: "-rw-r--r--" If it does not, this is a finding.

Fix: F-19361r376662_fix

To properly set the permissions of "/etc/group", run the command: # chmod 644 /etc/group

b
Library files must have mode 0755 or less permissive.
CM-5 - Medium - CCI-001499 - V-217883 - SV-217883r603264_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
RHEL-06-000045
Vuln IDs
  • V-217883
  • V-38465
Rule IDs
  • SV-217883r603264_rule
  • SV-50265
Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system.
Checks: C-19364r376664_chk

System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 Kernel modules, which can be added to the kernel during runtime, are stored in "/lib/modules". All files in these directories should not be group-writable or world-writable. To find shared libraries that are group-writable or world-writable, run the following command for each directory [DIR] which contains shared libraries: $ find -L [DIR] -perm /022 -type f If any of these files (excluding broken symlinks) are group-writable or world-writable, this is a finding.

Fix: F-19362r376665_fix

System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command: # chmod go-w [FILE]

b
Library files must be owned by a system account.
CM-5 - Medium - CCI-001499 - V-217884 - SV-217884r603264_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
RHEL-06-000046
Vuln IDs
  • V-217884
  • V-38466
Rule IDs
  • SV-217884r603264_rule
  • SV-50266
Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system.
Checks: C-19365r462367_chk

System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 /usr/local/lib /usr/local/lib64 Kernel modules, which can be added to the kernel during runtime, are stored in "/lib/modules". All files in these directories should not be group-writable or world-writable. To find shared libraries that are not owned by "root" and do not match what is expected by the RPM, run the following command: for i in /lib /lib64 /usr/lib /usr/lib64 do for j in `find -L $i \! -user root` do rpm -V -f $j | grep '^.....U' done done If the command returns any results, this is a finding.

Fix: F-19363r462368_fix

System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 /usr/local/lib /usr/local/lib64 If any file in these directories is found to be owned by a user other than “root” and does not match what is expected by the RPM, correct its ownership by running one of the following commands: # rpm --setugids [PACKAGE_NAME] Or # chown root [FILE]

b
All system command files must have mode 755 or less permissive.
CM-5 - Medium - CCI-001499 - V-217885 - SV-217885r603264_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
RHEL-06-000047
Vuln IDs
  • V-217885
  • V-38469
Rule IDs
  • SV-217885r603264_rule
  • SV-50269
System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.
Checks: C-19366r376670_chk

System executables are stored in the following directories by default: /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin All files in these directories should not be group-writable or world-writable. To find system executables that are group-writable or world-writable, run the following command for each directory [DIR] which contains system executables: $ find -L [DIR] -perm /022 -type f If any system executables are found to be group-writable or world-writable, this is a finding.

Fix: F-19364r376671_fix

System executables are stored in the following directories by default: /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command: # chmod go-w [FILE]

b
All system command files must be owned by root.
CM-5 - Medium - CCI-001499 - V-217886 - SV-217886r603264_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
RHEL-06-000048
Vuln IDs
  • V-217886
  • V-38472
Rule IDs
  • SV-217886r603264_rule
  • SV-50272
System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted.
Checks: C-19367r376673_chk

System executables are stored in the following directories by default: /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin All files in these directories should not be group-writable or world-writable. To find system executables that are not owned by "root", run the following command for each directory [DIR] which contains system executables: $ find -L [DIR] \! -user root If any system executables are found to not be owned by root, this is a finding.

Fix: F-19365r376674_fix

System executables are stored in the following directories by default: /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin If any file [FILE] in these directories is found to be owned by a user other than root, correct its ownership with the following command: # chown root [FILE]

b
The system must require passwords to contain a minimum of 15 characters.
IA-5 - Medium - CCI-000205 - V-217887 - SV-217887r603264_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000205
Version
RHEL-06-000050
Vuln IDs
  • V-217887
  • V-38475
Rule IDs
  • SV-217887r603264_rule
  • SV-50275
Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result. While it does not negate the password length requirement, it is preferable to migrate from a password-based authentication scheme to a stronger one based on PKI (public key infrastructure).
Checks: C-19368r462370_chk

To check the minimum password length, run the command: $ grep PASS_MIN_LEN /etc/login.defs The DoD requirement is "15". If it is not set to the required value, this is a finding. $ grep –E ‘pam_cracklib.so.*minlen’ /etc/pam.d/* If no results are returned, this is not a finding. If any results are returned and are not set to “15” or greater, this is a finding.

Fix: F-19366r462371_fix

To specify password length requirements for new accounts, edit the file "/etc/login.defs" and add or correct the following lines: PASS_MIN_LEN 15 The DoD requirement is "15". If a program consults "/etc/login.defs" and also another PAM module (such as "pam_cracklib") during a password change operation, then the most restrictive must be satisfied.

b
Users must not be able to change passwords more than once every 24 hours.
IA-5 - Medium - CCI-000198 - V-217888 - SV-217888r603264_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000198
Version
RHEL-06-000051
Vuln IDs
  • V-217888
  • V-38477
Rule IDs
  • SV-217888r603264_rule
  • SV-50277
Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.
Checks: C-19369r376679_chk

To check the minimum password age, run the command: $ grep PASS_MIN_DAYS /etc/login.defs The DoD requirement is 1. If it is not set to the required value, this is a finding.

Fix: F-19367r376680_fix

To specify password minimum age for new accounts, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately: PASS_MIN_DAYS [DAYS] A value of 1 day is considered sufficient for many environments. The DoD requirement is 1.

b
User passwords must be changed at least every 60 days.
IA-5 - Medium - CCI-000199 - V-217889 - SV-217889r603264_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000199
Version
RHEL-06-000053
Vuln IDs
  • V-217889
  • V-38479
Rule IDs
  • SV-217889r603264_rule
  • SV-50279
Setting the password maximum age ensures users are required to periodically change their passwords. This could possibly decrease the utility of a stolen password. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.
Checks: C-19370r376682_chk

To check the maximum password age, run the command: $ grep PASS_MAX_DAYS /etc/login.defs The DoD requirement is 60. If it is not set to the required value, this is a finding.

Fix: F-19368r376683_fix

To specify password maximum age for new accounts, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately: PASS_MAX_DAYS [DAYS] The DoD requirement is 60.

a
Users must be warned 7 days in advance of password expiration.
CM-6 - Low - CCI-000366 - V-217890 - SV-217890r603264_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000054
Vuln IDs
  • V-217890
  • V-38480
Rule IDs
  • SV-217890r603264_rule
  • SV-50280
Setting the password warning age enables users to make the change at a practical time.
Checks: C-19371r376685_chk

To check the password warning age, run the command: $ grep PASS_WARN_AGE /etc/login.defs The DoD requirement is 7. If it is not set to the required value, this is a finding.

Fix: F-19369r376686_fix

To specify how many days prior to password expiration that a warning will be issued to users, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately: PASS_WARN_AGE [DAYS] The DoD requirement is 7.

b
System and Application account passwords must be changed at least annually.
IA-5 - Medium - CCI-000199 - V-217891 - SV-217891r603264_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000199
Version
RHEL-06-000055
Vuln IDs
  • V-217891
  • V-92257
Rule IDs
  • SV-217891r603264_rule
  • SV-102359
Any password, no matter how complex, can eventually be cracked. Therefore, system and application account passwords need to be changed periodically. If an organization fails to change the system and application account passwords at least annually, there is the risk that the account passwords could be compromised.
Checks: C-19372r376688_chk

Obtain a list of approved system and application accounts from the ISSO. For each system and application account identified, run the following command: # chage -l <application_account> Last password change : Nov 05, 2018 Password expires : Nov 04, 2019 Password inactive : Dec 10, 2019 Account expires : never Minimum number of days between password change : 1 Maximum number of days between password change : 365 Number of days of warning before password expires : 7 If "Maximum number of days between password change" is greater than "365", this is a finding. If the date of "Last password change" exceeds 365 days, this is a finding. If the date of "Password expires" is greater than 365 days from the date of "Last password change", this is a finding.

Fix: F-19370r376689_fix

Set the "Maximum number of days between password change" to "365": # chage -M 365 <application_account> Change the password for the system/application account: #passwd <application_account>

a
The system must require passwords to contain at least one numeric character.
IA-5 - Low - CCI-000194 - V-217892 - SV-217892r603264_rule
RMF Control
IA-5
Severity
Low
CCI
CCI-000194
Version
RHEL-06-000056
Vuln IDs
  • V-217892
  • V-38482
Rule IDs
  • SV-217892r603264_rule
  • SV-50282
Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.
Checks: C-19373r462373_chk

To check how many digits are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth Note: The "dcredit" parameter (as a negative number) will indicate how many digits are required. The DoD requires at least one digit in a password. This would appear as "dcredit=-1". If “dcredit” is not found or not set to the required value, this is a finding.

Fix: F-19371r462374_fix

The pam_cracklib module's "dcredit" parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional length credit for each digit. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "dcredit=-1" after pam_cracklib.so to require use of a digit in passwords.

a
The system must require passwords to contain at least one uppercase alphabetic character.
IA-5 - Low - CCI-000192 - V-217893 - SV-217893r603264_rule
RMF Control
IA-5
Severity
Low
CCI
CCI-000192
Version
RHEL-06-000057
Vuln IDs
  • V-217893
  • V-38569
Rule IDs
  • SV-217893r603264_rule
  • SV-50370
Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space.
Checks: C-19374r462376_chk

To check how many uppercase characters are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth Note: The "ucredit" parameter (as a negative number) will indicate how many uppercase characters are required. The DoD requires at least one uppercase character in a password. This would appear as "ucredit=-1". If “ucredit” is not found or not set to the required value, this is a finding.

Fix: F-19372r462377_fix

The pam_cracklib module's "ucredit=" parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each uppercase character. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "ucredit=-1" after pam_cracklib.so to require use of an uppercase character in passwords.

a
The system must require passwords to contain at least one special character.
IA-5 - Low - CCI-001619 - V-217894 - SV-217894r603264_rule
RMF Control
IA-5
Severity
Low
CCI
CCI-001619
Version
RHEL-06-000058
Vuln IDs
  • V-217894
  • V-38570
Rule IDs
  • SV-217894r603264_rule
  • SV-50371
Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.
Checks: C-19375r462379_chk

To check how many special characters are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth Note: The "ocredit" parameter (as a negative number) will indicate how many special characters are required. The DoD requires at least one special character in a password. This would appear as "ocredit=-1". If “ocredit” is not found or not set to the required value, this is a finding.

Fix: F-19373r462380_fix

The pam_cracklib module's "ocredit=" parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each special character. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "ocredit=-1" after pam_cracklib.so to require use of a special character in passwords.

a
The system must require passwords to contain at least one lower-case alphabetic character.
IA-5 - Low - CCI-000193 - V-217895 - SV-217895r603264_rule
RMF Control
IA-5
Severity
Low
CCI
CCI-000193
Version
RHEL-06-000059
Vuln IDs
  • V-217895
  • V-38571
Rule IDs
  • SV-217895r603264_rule
  • SV-50372
Requiring a minimum number of lower-case characters makes password guessing attacks more difficult by ensuring a larger search space.
Checks: C-19376r462382_chk

To check how many lower-case characters are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth Note: The "lcredit" parameter (as a negative number) will indicate how many lower-case characters are required. The DoD requires at least one lower-case character in a password. This would appear as "lcredit=-1". If “lcredit” is not found or not set to the required value, this is a finding.

Fix: F-19374r462383_fix

The pam_cracklib module's "lcredit=" parameter controls requirements for usage of lower-case letters in a password. When set to a negative number, any password will be required to contain that many lower-case characters. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "lcredit=-1" after pam_cracklib.so to require use of a lower-case character in passwords.

a
The system must require at least eight characters be changed between the old and new passwords during a password change.
IA-5 - Low - CCI-000195 - V-217896 - SV-217896r603264_rule
RMF Control
IA-5
Severity
Low
CCI
CCI-000195
Version
RHEL-06-000060
Vuln IDs
  • V-217896
  • V-38572
Rule IDs
  • SV-217896r603264_rule
  • SV-50373
Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however.
Checks: C-19377r462385_chk

To check how many characters must differ during a password change, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth Note: The "difok" parameter will indicate how many characters must differ. The DoD requires eight characters differ during a password change. This would appear as "difok=8". If “difok” is not found or is set to a value less than “8”, this is a finding.

Fix: F-19375r462386_fix

The pam_cracklib module's "difok" parameter controls requirements for usage of different characters during a password change. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "difok=[NUM]" after pam_cracklib.so to require differing characters when changing passwords, substituting [NUM] appropriately. The DoD requirement is 8.

b
The system must disable accounts after three consecutive unsuccessful logon attempts.
AC-7 - Medium - CCI-000044 - V-217897 - SV-217897r603264_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-000044
Version
RHEL-06-000061
Vuln IDs
  • V-217897
  • V-38573
Rule IDs
  • SV-217897r603264_rule
  • SV-50374
Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks.
Checks: C-36335r602603_chk

To ensure the failed password attempt policy is configured correctly, run the following command: # grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth The output should show "deny=3" for both files. If that is not the case, this is a finding.

Fix: F-36298r602604_fix

To configure the system to lock out accounts after a number of incorrect logon attempts using "pam_faillock.so", modify the content of both "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" as follows: Add the following line immediately before the "pam_unix.so" statement in the "AUTH" section: auth required pam_faillock.so preauth silent deny=3 unlock_time=900 fail_interval=900 Add the following line immediately after the "pam_unix.so" statement in the "AUTH" section: auth [default=die] pam_faillock.so authfail deny=3 unlock_time=900 fail_interval=900 Add the following line immediately before the "pam_unix.so" statement in the "ACCOUNT" section: account required pam_faillock.so Note that any updates made to "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" may be overwritten by the "authconfig" program. The "authconfig" program should not be used.

b
The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth).
IA-7 - Medium - CCI-000803 - V-217898 - SV-217898r603264_rule
RMF Control
IA-7
Severity
Medium
CCI
CCI-000803
Version
RHEL-06-000062
Vuln IDs
  • V-217898
  • V-38574
Rule IDs
  • SV-217898r603264_rule
  • SV-50375
Using a stronger hashing algorithm makes password cracking attacks more difficult.
Checks: C-19379r462388_chk

Inspect the "password" section of "/etc/pam.d/system-auth", "/etc/pam.d/system-auth-ac", "/etc/pam.d/password-auth", "/etc/pam.d/password-auth-ac" and other files in "/etc/pam.d" to identify the number of occurrences where the “pam_unix.so” module is used in the “password” section. $ grep -E -c 'password.*pam_unix.so' /etc/pam.d/* /etc/pam.d/atd:0 /etc/pam.d/config-util:0 /etc/pam.d/crond:0 /etc/pam.d/login:0 /etc/pam.d/other:0 /etc/pam.d/passwd:0 /etc/pam.d/password-auth:1 /etc/pam.d/password-auth-ac:1 /etc/pam.d/sshd:0 /etc/pam.d/su:0 /etc/pam.d/sudo:0 /etc/pam.d/system-auth:1 /etc/pam.d/system-auth-ac:1 /etc/pam.d/vlock:0 Note: The number adjacent to the file name indicates how many occurrences of the “pam_unix.so” module are found in the password section. If the “pam_unix.so” module is not defined in the “password” section of “/etc/pam.d/system-auth”, “/etc/pam.d/system-auth-ac”, “/etc/pam.d/password-auth”, and “/etc/pam.d/password-auth-ac” at a minimum, this is a finding. Verify that the “sha512” variable is used with each instance of the “pam_unix.so” module in the “password” section: $ grep password /etc/pam.d/* | grep pam_unix.so | grep sha512 /etc/pam.d/password-auth:password sufficient pam_unix.so sha512 [other arguments…] /etc/pam.d/password-auth-ac:password sufficient pam_unix.so sha512 [other arguments…] /etc/pam.d/system-auth:password sufficient pam_unix.so sha512 [other arguments…] /etc/pam.d/system-auth-ac:password sufficient pam_unix.so sha512 [other arguments…] If this list of files does not coincide with the previous command, this is a finding. If any of the identified “pam_unix.so” modules do not use the “sha512” variable, this is a finding.

Fix: F-19377r462389_fix

In "/etc/pam.d/system-auth”, "/etc/pam.d/system-auth-ac", “/etc/pam.d/password-auth”, and “/etc/pam.d/password-auth-ac”, among potentially other files, the "password" section of the files controls which PAM modules execute during a password change. Set the "pam_unix.so" module in the "password" section to include the argument "sha512", as shown below: password sufficient pam_unix.so sha512 [other arguments...] This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default. Note: Any updates made to "/etc/pam.d/system-auth" will be overwritten by the "authconfig" program. The "authconfig" program should not be used.

b
The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs).
IA-7 - Medium - CCI-000803 - V-217899 - SV-217899r603264_rule
RMF Control
IA-7
Severity
Medium
CCI
CCI-000803
Version
RHEL-06-000063
Vuln IDs
  • V-217899
  • V-38576
Rule IDs
  • SV-217899r603264_rule
  • SV-50377
Using a stronger hashing algorithm makes password cracking attacks more difficult.
Checks: C-19380r376712_chk

Inspect "/etc/login.defs" and ensure the following line appears: ENCRYPT_METHOD SHA512 If it does not, this is a finding.

Fix: F-19378r376713_fix

In "/etc/login.defs", add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm: ENCRYPT_METHOD SHA512

b
The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf).
IA-7 - Medium - CCI-000803 - V-217900 - SV-217900r603264_rule
RMF Control
IA-7
Severity
Medium
CCI
CCI-000803
Version
RHEL-06-000064
Vuln IDs
  • V-217900
  • V-38577
Rule IDs
  • SV-217900r603264_rule
  • SV-50378
Using a stronger hashing algorithm makes password cracking attacks more difficult.
Checks: C-19381r376715_chk

Inspect "/etc/libuser.conf" and ensure the following line appears in the "[default]" section: crypt_style = sha512 If it does not, this is a finding.

Fix: F-19379r376716_fix

In "/etc/libuser.conf", add or correct the following line in its "[defaults]" section to ensure the system will use the SHA-512 algorithm for password hashing: crypt_style = sha512

b
The system boot loader configuration file(s) must be owned by root.
CM-6 - Medium - CCI-000366 - V-217901 - SV-217901r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000065
Vuln IDs
  • V-217901
  • V-38579
Rule IDs
  • SV-217901r603264_rule
  • SV-50380
Only root should be able to modify important boot parameters.
Checks: C-19382r376718_chk

To check the ownership of "/boot/grub/grub.conf", run the command: $ ls -lL /boot/grub/grub.conf If properly configured, the output should indicate that the owner is "root". If it does not, this is a finding.

Fix: F-19380r376719_fix

The file "/boot/grub/grub.conf" should be owned by the "root" user to prevent destruction or modification of the file. To properly set the owner of "/boot/grub/grub.conf", run the command: # chown root /boot/grub/grub.conf

b
The system boot loader configuration file(s) must be group-owned by root.
CM-6 - Medium - CCI-000366 - V-217902 - SV-217902r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000066
Vuln IDs
  • V-217902
  • V-38581
Rule IDs
  • SV-217902r603264_rule
  • SV-50382
The "root" group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.
Checks: C-19383r376721_chk

To check the group ownership of "/boot/grub/grub.conf", run the command: $ ls -lL /boot/grub/grub.conf If properly configured, the output should indicate the group-owner is "root". If it does not, this is a finding.

Fix: F-19381r376722_fix

The file "/boot/grub/grub.conf" should be group-owned by the "root" group to prevent destruction or modification of the file. To properly set the group owner of "/boot/grub/grub.conf", run the command: # chgrp root /boot/grub/grub.conf

b
The system boot loader configuration file(s) must have mode 0600 or less permissive.
CM-6 - Medium - CCI-000366 - V-217903 - SV-217903r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000067
Vuln IDs
  • V-217903
  • V-38583
Rule IDs
  • SV-217903r603264_rule
  • SV-50384
Proper permissions ensure that only the root user can modify important boot parameters.
Checks: C-19384r376724_chk

To check the permissions of "/boot/grub/grub.conf", run the command: $ sudo ls -lL /boot/grub/grub.conf If properly configured, the output should indicate the following permissions: "-rw-------" If it does not, this is a finding.

Fix: F-19382r376725_fix

Set file permissions for "/boot/grub/grub.conf" to 600, which is the default. To properly set the permissions of "/boot/grub/grub.conf", run the command: $ chmod 600 /boot/grub/grub.conf

b
The system boot loader must require authentication.
AC-3 - Medium - CCI-000213 - V-217904 - SV-217904r603264_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
RHEL-06-000068
Vuln IDs
  • V-217904
  • V-38585
Rule IDs
  • SV-217904r603264_rule
  • SV-50386
Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.
Checks: C-19385r462391_chk

To verify the boot loader password has been set and encrypted, run the following command: # grep password /boot/grub/grub.conf The output should show the following: password --encrypted $6$[rest-of-the-password-hash] If it does not, this is a finding. If the system uses UEFI verify the boot loader password has been set and encrypted: # grep password /boot/efi/EFI/redhat/grub.conf

Fix: F-19383r462392_fix

The grub boot loader should have password protection enabled to protect boot-time settings. To do so, select a password and then generate a hash from it by running the following command: # grub-crypt --sha-512 When prompted to enter a password, insert the following line into "/boot/grub/grub.conf" or “/boot/efi/EFI/redhat/grub.conf” immediately after the header comments. (Use the output from "grub-crypt" as the value of [password-hash]): password --encrypted [password-hash]

b
The system must require authentication upon booting into single-user and maintenance modes.
AC-3 - Medium - CCI-000213 - V-217905 - SV-217905r603264_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
RHEL-06-000069
Vuln IDs
  • V-217905
  • V-38586
Rule IDs
  • SV-217905r603264_rule
  • SV-50387
This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.
Checks: C-19386r376730_chk

To check if authentication is required for single-user mode, run the following command: $ grep SINGLE /etc/sysconfig/init The output should be the following: SINGLE=/sbin/sulogin If the output is different, this is a finding.

Fix: F-19384r376731_fix

Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected. To require entry of the root password even if the system is started in single-user mode, add or correct the following line in the file "/etc/sysconfig/init": SINGLE=/sbin/sulogin

b
The system must not permit interactive boot.
AC-3 - Medium - CCI-000213 - V-217906 - SV-217906r603264_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
RHEL-06-000070
Vuln IDs
  • V-217906
  • V-38588
Rule IDs
  • SV-217906r603264_rule
  • SV-50389
Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security.
Checks: C-19387r376733_chk

To check whether interactive boot is disabled, run the following command: $ grep PROMPT /etc/sysconfig/init If interactive boot is disabled, the output will show: PROMPT=no If it does not, this is a finding.

Fix: F-19385r376734_fix

To disable the ability for users to perform interactive startups, edit the file "/etc/sysconfig/init". Add or correct the line: PROMPT=no The "PROMPT" option allows the console user to perform an interactive system startup, in which it is possible to select the set of services which are started on boot.

a
The system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.
AC-11 - Low - CCI-000057 - V-217907 - SV-217907r603264_rule
RMF Control
AC-11
Severity
Low
CCI
CCI-000057
Version
RHEL-06-000071
Vuln IDs
  • V-217907
  • V-38590
Rule IDs
  • SV-217907r603264_rule
  • SV-50391
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000163-GPOS-00072
Checks: C-19388r462507_chk

Verify the operating system terminates all network connections associated with a communications session at the end of the session or based on inactivity. Check the value of the system inactivity timeout with the following command: # grep -i tmout /etc/profile.d/* etc/profile.d/tmout.sh:TMOUT=900 /etc/profile.d/tmout.sh:readonly TMOUT /etc/profile.d/tmout.sh:export TMOUT If "TMOUT" is not set to "900" or less in a script located in the /etc/profile.d/ directory to enforce session termination after inactivity, this is a finding.

Fix: F-19386r462508_fix

Configure the operating system to terminate all network connections associated with a communications session at the end of the session or after a period of inactivity. Create a script to enforce the inactivity timeout (for example /etc/profile.d/tmout.sh) such as: #!/bin/bash TMOUT=900 readonly TMOUT export TMOUT

b
The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
AC-8 - Medium - CCI-001385 - V-217908 - SV-217908r603264_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-001385
Version
RHEL-06-000073
Vuln IDs
  • V-217908
  • V-38593
Rule IDs
  • SV-217908r603264_rule
  • SV-50394
An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.
Checks: C-19389r376739_chk

To check if the system login banner is compliant, run the following command: $ cat /etc/issue Note: The full text banner must be implemented unless there are character limitations that prevent the display of the full DoD logon banner. If the required DoD logon banner is not displayed, this is a finding.

Fix: F-19387r376740_fix

To configure the system login banner: Edit "/etc/issue". Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If the device cannot support the full DoD logon banner due to character limitations, the following text can be used: "I've read & consent to terms in IS user agreem't."

b
The system must implement virtual address space randomization.
CM-6 - Medium - CCI-000366 - V-217909 - SV-217909r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000078
Vuln IDs
  • V-217909
  • V-38596
Rule IDs
  • SV-217909r603264_rule
  • SV-50397
Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt at exploitation. Additionally, ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return oriented programming (ROP) techniques.
Checks: C-19390r376742_chk

The status of the "kernel.randomize_va_space" kernel parameter can be queried by running the following commands: $ sysctl kernel.randomize_va_space kernel.randomize_va_space = 2 $ grep kernel.randomize_va_space /etc/sysctl.conf /etc/sysctl.d/* kernel.randomize_va_space = 2 If "kernel.randomize_va_space" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "2", this is a finding.

Fix: F-19388r376743_fix

To set the runtime status of the "kernel.randomize_va_space" kernel parameter, run the following command: # sysctl -w kernel.randomize_va_space=2 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): kernel.randomize_va_space = 2 Issue the following command to make the changes take effect: # sysctl --system

b
The system must limit the ability of processes to have simultaneous write and execute access to memory.
CM-6 - Medium - CCI-000366 - V-217910 - SV-217910r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000079
Vuln IDs
  • V-217910
  • V-38597
Rule IDs
  • SV-217910r603264_rule
  • SV-50398
ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range.
Checks: C-19391r376745_chk

The status of the "kernel.exec-shield" kernel parameter can be queried by running the following command: $ sysctl kernel.exec-shield kernel.exec-shield = 1 $ grep kernel.exec-shield /etc/sysctl.conf /etc/sysctl.d/* kernel.exec-shield = 1 If "kernel.exec-shield" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "1", this is a finding.

Fix: F-19389r376746_fix

To set the runtime status of the "kernel.exec-shield" kernel parameter, run the following command: # sysctl -w kernel.exec-shield=1 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): kernel.exec-shield = 1 Issue the following command to make the changes take effect: # sysctl --system

b
The system must not send ICMPv4 redirects by default.
CM-6 - Medium - CCI-000366 - V-217911 - SV-217911r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000080
Vuln IDs
  • V-217911
  • V-38600
Rule IDs
  • SV-217911r603264_rule
  • SV-50401
Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers.
Checks: C-19392r376748_chk

The status of the "net.ipv4.conf.default.send_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.send_redirects net.ipv4.conf.default.send_redirects = 0 $ grep net.ipv4.conf.default.send_redirects /etc/sysctl.conf /etc/sysctl.d/* net.ipv4.conf.default.send_redirects = 0 If "net.ipv4.conf.default.send_redirects" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "0", this is a finding.

Fix: F-19390r376749_fix

To set the runtime status of the "net.ipv4.conf.default.send_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.send_redirects=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.default.send_redirects = 0 Issue the following command to make the changes take effect: # sysctl --system

b
The system must not send ICMPv4 redirects from any interface.
CM-6 - Medium - CCI-000366 - V-217912 - SV-217912r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000081
Vuln IDs
  • V-217912
  • V-38601
Rule IDs
  • SV-217912r603264_rule
  • SV-50402
Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers.
Checks: C-19393r376751_chk

The status of the "net.ipv4.conf.all.send_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.send_redirects net.ipv4.conf.all.send_redirects = 0 $ grep net.ipv4.conf.all.send_redirects /etc/sysctl.conf /etc/sysctl.d/* net.ipv4.conf.all.send_redirects = 0 If "net.ipv4.conf.all.send_redirects" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "0", this is a finding.

Fix: F-19391r376752_fix

To set the runtime status of the "net.ipv4.conf.all.send_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.send_redirects=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.all.send_redirects = 0 Issue the following command to make the changes take effect: # sysctl --system

b
IP forwarding for IPv4 must not be enabled, unless the system is a router.
CM-6 - Medium - CCI-000366 - V-217913 - SV-217913r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000082
Vuln IDs
  • V-217913
  • V-38511
Rule IDs
  • SV-217913r603264_rule
  • SV-50312
IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.
Checks: C-19394r376754_chk

The status of the "net.ipv4.ip_forward" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.ip_forward net.ipv4.ip_forward = 0 $ grep net.ipv4.ip_forward /etc/sysctl.conf /etc/sysctl.d/* net.ipv4.ip_forward = 0 If "net.ipv4.ip_forward" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "0", this is a finding.

Fix: F-19392r376755_fix

To set the runtime status of the "net.ipv4.ip_forward" kernel parameter, run the following command: # sysctl -w net.ipv4.ip_forward=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.ip_forward = 0 Issue the following command to make the changes take effect: # sysctl --system

b
The system must not accept IPv4 source-routed packets on any interface.
CM-6 - Medium - CCI-000366 - V-217914 - SV-217914r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000083
Vuln IDs
  • V-217914
  • V-38523
Rule IDs
  • SV-217914r603264_rule
  • SV-50324
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
Checks: C-19395r376757_chk

The status of the "net.ipv4.conf.all.accept_source_route" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.accept_source_route net.ipv4.conf.all.accept_source_route = 0 $ grep net.ipv4.conf.all.accept_source_route /etc/sysctl.conf /etc/sysctl.d/* net.ipv4.conf.all.accept_source_route = 0 If "net.ipv4.conf.all.accept_source_route" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "0", this is a finding.

Fix: F-19393r376758_fix

To set the runtime status of the "net.ipv4.conf.all.accept_source_route" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.accept_source_route=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.all.accept_source_route = 0 Issue the following command to make the changes take effect: # sysctl --system

b
The system must not accept ICMPv4 redirect packets on any interface.
CM-6 - Medium - CCI-000366 - V-217915 - SV-217915r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000084
Vuln IDs
  • V-217915
  • V-38524
Rule IDs
  • SV-217915r603264_rule
  • SV-50325
Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required.
Checks: C-19396r376760_chk

The status of the "net.ipv4.conf.all.accept_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.accept_redirects net.ipv4.conf.all.accept_redirects = 0 $ grep net.ipv4.conf.all.accept_redirects /etc/sysctl.conf /etc/sysctl.d/* net.ipv4.conf.all.accept_redirects = 0 If "net.ipv4.conf.all.accept_redirects" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "0", this is a finding.

Fix: F-19394r376761_fix

To set the runtime status of the "net.ipv4.conf.all.accept_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.accept_redirects=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.all.accept_redirects = 0 Issue the following command to make the changes take effect: # sysctl --system

b
The system must not accept ICMPv4 secure redirect packets on any interface.
CM-6 - Medium - CCI-000366 - V-217916 - SV-217916r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000086
Vuln IDs
  • V-217916
  • V-38526
Rule IDs
  • SV-217916r603264_rule
  • SV-50327
Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.
Checks: C-19397r376763_chk

The status of the "net.ipv4.conf.all.secure_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.secure_redirects net.ipv4.conf.all.secure_redirects = 0 $ grep net.ipv4.conf.all.secure_redirects /etc/sysctl.conf /etc/sysctl.d/* net.ipv4.conf.all.secure_redirects = 0 If "net.ipv4.conf.all.secure_redirects" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "0", this is a finding.

Fix: F-19395r376764_fix

To set the runtime status of the "net.ipv4.conf.all.secure_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.secure_redirects=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.all.secure_redirects = 0 Issue the following command to make the changes take effect: # sysctl --system

a
The system must log Martian packets.
CM-6 - Low - CCI-000366 - V-217917 - SV-217917r603264_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000088
Vuln IDs
  • V-217917
  • V-38528
Rule IDs
  • SV-217917r603264_rule
  • SV-50329
The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.
Checks: C-19398r376766_chk

The status of the "net.ipv4.conf.all.log_martians" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.log_martians net.ipv4.conf.all.log_martians = 1 $ grep net.ipv4.conf.all.log_martians /etc/sysctl.conf /etc/sysctl.d/* net.ipv4.conf.all.log_martians = 1 If "net.ipv4.conf.all.log_martians" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "1", this is a finding.

Fix: F-19396r376767_fix

To set the runtime status of the "net.ipv4.conf.all.log_martians" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.log_martians=1 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.all.log_martians = 1 Issue the following command to make the changes take effect: # sysctl --system

b
The system must not accept IPv4 source-routed packets by default.
CM-6 - Medium - CCI-000366 - V-217918 - SV-217918r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000089
Vuln IDs
  • V-217918
  • V-38529
Rule IDs
  • SV-217918r603264_rule
  • SV-50330
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
Checks: C-19399r376769_chk

The status of the "net.ipv4.conf.default.accept_source_route" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.accept_source_route net.ipv4.conf.default.accept_source_route = 0 $ grep net.ipv4.conf.default.accept_source_route /etc/sysctl.conf /etc/sysctl.d/* net.ipv4.conf.default.accept_source_route = 0 If "net.ipv4.conf.default.accept_source_route" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "0", this is a finding.

Fix: F-19397r376770_fix

To set the runtime status of the "net.ipv4.conf.default.accept_source_route" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.accept_source_route=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.default.accept_source_route = 0 Issue the following command to make the changes take effect: # sysctl --system

b
The system must not accept ICMPv4 secure redirect packets by default.
CM-6 - Medium - CCI-000366 - V-217919 - SV-217919r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000090
Vuln IDs
  • V-217919
  • V-38532
Rule IDs
  • SV-217919r603264_rule
  • SV-50333
Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.
Checks: C-19400r376772_chk

The status of the "net.ipv4.conf.default.secure_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.secure_redirects net.ipv4.conf.default.secure_redirects = 0 $ grep net.ipv4.conf.default.secure_redirects /etc/sysctl.conf /etc/sysctl.d/* net.ipv4.conf.default.secure_redirects = 0 If "net.ipv4.conf.default.secure_redirect" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "0", this is a finding.

Fix: F-19398r376773_fix

To set the runtime status of the "net.ipv4.conf.default.secure_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.secure_redirects=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.default.secure_redirects = 0 Issue the following command to make the changes take effect: # sysctl --system

a
The system must ignore ICMPv4 redirect messages by default.
CM-6 - Low - CCI-000366 - V-217920 - SV-217920r603264_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000091
Vuln IDs
  • V-217920
  • V-38533
Rule IDs
  • SV-217920r603264_rule
  • SV-50334
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
Checks: C-19401r376775_chk

The status of the "net.ipv4.conf.default.accept_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.accept_redirects net.ipv4.conf.default.accept_redirects = 0 $ grep net.ipv4.conf.default.accept_redirects /etc/sysctl.conf /etc/sysctl.d/* net.ipv4.conf.default.accept_redirects = 0 If "net.ipv4.conf.default.accept_redirects" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "0", this is a finding.

Fix: F-19399r376776_fix

To set the runtime status of the "net.ipv4.conf.default.accept_redirects" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.accept_redirects=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.default.accept_redirects = 0 Issue the following command to make the changes take effect: # sysctl --system

a
The system must not respond to ICMPv4 sent to a broadcast address.
CM-6 - Low - CCI-000366 - V-217921 - SV-217921r603264_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000092
Vuln IDs
  • V-217921
  • V-38535
Rule IDs
  • SV-217921r603264_rule
  • SV-50336
Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.
Checks: C-19402r376778_chk

The status of the "net.ipv4.icmp_echo_ignore_broadcasts" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.icmp_echo_ignore_broadcasts net.ipv4.icmp_echo_ignore_broadcasts = 1 $ grep net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d/* net.ipv4.icmp_echo_ignore_broadcasts = 1 If "net.ipv4.icmp_echo_ignore_broadcasts" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "1", this is a finding.

Fix: F-19400r376779_fix

To set the runtime status of the "net.ipv4.icmp_echo_ignore_broadcasts" kernel parameter, run the following command: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.icmp_echo_ignore_broadcasts = 1 Issue the following command to make the changes take effect: # sysctl --system

a
The system must ignore ICMPv4 bogus error responses.
CM-6 - Low - CCI-000366 - V-217922 - SV-217922r603264_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000093
Vuln IDs
  • V-217922
  • V-38537
Rule IDs
  • SV-217922r603264_rule
  • SV-50338
Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.
Checks: C-19403r376781_chk

The status of the "net.ipv4.icmp_ignore_bogus_error_responses" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.icmp_ignore_bogus_error_responses net.ipv4.icmp_ignore_bogus_error_responses = 1 $ grep net.ipv4.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d/* net.ipv4.icmp_ignore_bogus_error_responses = 1 If "net.ipv4.icmp_ignore_bogus_error_responses" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "1", this is a finding.

Fix: F-19401r376782_fix

To set the runtime status of the "net.ipv4.icmp_ignore_bogus_error_responses" kernel parameter, run the following command: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.icmp_ignore_bogus_error_responses = 1 Issue the following command to make the changes take effect: # sysctl --system

b
The system must be configured to use TCP syncookies when experiencing a TCP SYN flood.
SC-5 - Medium - CCI-001095 - V-217923 - SV-217923r603264_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-001095
Version
RHEL-06-000095
Vuln IDs
  • V-217923
  • V-38539
Rule IDs
  • SV-217923r603264_rule
  • SV-50340
A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.
Checks: C-19404r376784_chk

The status of the "net.ipv4.tcp_syncookies" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.tcp_syncookies net.ipv4.tcp_syncookies = 1 $ grep net.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* net.ipv4.tcp_syncookies = 1 If "net.ipv4.tcp_syncookies" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "1", this is a finding.

Fix: F-19402r376785_fix

To set the runtime status of the "net.ipv4.tcp_syncookies" kernel parameter, run the following command: # sysctl -w net.ipv4.tcp_syncookies=1 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.tcp_syncookies = 1 Issue the following command to make the changes take effect: # sysctl --system

b
The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.
CM-6 - Medium - CCI-000366 - V-217924 - SV-217924r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000096
Vuln IDs
  • V-217924
  • V-38542
Rule IDs
  • SV-217924r603264_rule
  • SV-50343
Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.
Checks: C-19405r376787_chk

The status of the "net.ipv4.conf.all.rp_filter" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.rp_filter net.ipv4.conf.all.rp_filter = 1 $ grep net.ipv4.conf.all.rp_filter /etc/sysctl.conf /etc/sysctl.d/* net.ipv4.conf.all.rp_filter = 1 If "net.ipv4.conf.all.rp_filter" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "1", this is a finding.

Fix: F-19403r376788_fix

To set the runtime status of the "net.ipv4.conf.all.rp_filter" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.rp_filter=1 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.all.rp_filter = 1 Issue the following command to make the changes take effect: # sysctl --system

b
The system must use a reverse-path filter for IPv4 network traffic when possible by default.
CM-6 - Medium - CCI-000366 - V-217925 - SV-217925r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000097
Vuln IDs
  • V-217925
  • V-38544
Rule IDs
  • SV-217925r603264_rule
  • SV-50345
Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.
Checks: C-19406r376790_chk

The status of the "net.ipv4.conf.default.rp_filter" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.rp_filter net.ipv4.conf.default.rp_filter = 1 $ grep net.ipv4.conf.default.rp_filter /etc/sysctl.conf /etc/sysctl.d/* net.ipv4.conf.default.rp_filter = 1 If "net.ipv4.conf.default.rp_filter" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "1", this is a finding.

Fix: F-19404r376791_fix

To set the runtime status of the "net.ipv4.conf.default.rp_filter" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.default.rp_filter=1 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.conf.default.rp_filter = 1 Issue the following command to make the changes take effect: # sysctl --system

b
The system must ignore ICMPv6 redirects by default.
CM-6 - Medium - CCI-000366 - V-217926 - SV-217926r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000099
Vuln IDs
  • V-217926
  • V-38548
Rule IDs
  • SV-217926r603264_rule
  • SV-50349
An illicit ICMP redirect message could result in a man-in-the-middle attack.
Checks: C-19407r376793_chk

If IPv6 is disabled, this is not applicable. The status of the "net.ipv6.conf.default.accept_redirects" kernel parameter can be queried by running the following command: $ sysctl net.ipv6.conf.default.accept_redirects net.ipv6.conf.default.accept_redirects = 0 $ grep net.ipv6.conf.default.accept_redirects /etc/sysctl.conf /etc/sysctl.d/* net.ipv6.conf.default.accept_redirects = 0 If "net.ipv6.conf.default.accept_redirects" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "0", this is a finding.

Fix: F-19405r376794_fix

To set the runtime status of the "net.ipv6.conf.default.accept_redirects" kernel parameter, run the following command: # sysctl -w net.ipv6.conf.default.accept_redirects=0 Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv6.conf.default.accept_redirects = 0 Issue the following command to make the changes take effect: # sysctl --system

b
The system must employ a local IPv6 firewall.
CM-6 - Medium - CCI-000366 - V-217927 - SV-217927r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000103
Vuln IDs
  • V-217927
  • V-38549
Rule IDs
  • SV-217927r603264_rule
  • SV-50350
The "ip6tables" service provides the system's host-based firewalling capability for IPv6 and ICMPv6.
Checks: C-19408r376796_chk

If the system is a cross-domain system, this is not applicable. If IPv6 is disabled, this is not applicable. Run the following command to determine the current status of the "ip6tables" service: # service ip6tables status If the service is not running, it should return the following: ip6tables: Firewall is not running. If the service is not running, this is a finding.

Fix: F-19406r376797_fix

The "ip6tables" service can be enabled with the following commands: # chkconfig ip6tables on # service ip6tables start

b
The operating system must connect to external networks or information systems only through managed IPv6 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
CM-6 - Medium - CCI-000366 - V-217928 - SV-217928r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000106
Vuln IDs
  • V-217928
  • V-38551
Rule IDs
  • SV-217928r603264_rule
  • SV-50352
The "ip6tables" service provides the system's host-based firewalling capability for IPv6 and ICMPv6.
Checks: C-19409r376799_chk

If the system is a cross-domain system, this is not applicable. If IPV6 is disabled, this is not applicable. Run the following command to determine the current status of the "ip6tables" service: # service ip6tables status If the service is not running, it should return the following: ip6tables: Firewall is not running. If the service is not running, this is a finding.

Fix: F-19407r376800_fix

The "ip6tables" service can be enabled with the following commands: # chkconfig ip6tables on # service ip6tables start

b
The operating system must prevent public IPv6 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.
CM-6 - Medium - CCI-000366 - V-217929 - SV-217929r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000107
Vuln IDs
  • V-217929
  • V-38553
Rule IDs
  • SV-217929r603264_rule
  • SV-50354
The "ip6tables" service provides the system's host-based firewalling capability for IPv6 and ICMPv6.
Checks: C-19410r376802_chk

If the system is a cross-domain system, this is not applicable. If IPv6 is disabled, this is not applicable. Run the following command to determine the current status of the "ip6tables" service: # service ip6tables status If the service is not running, it should return the following: ip6tables: Firewall is not running. If the service is not running, this is a finding.

Fix: F-19408r376803_fix

The "ip6tables" service can be enabled with the following commands: # chkconfig ip6tables on # service ip6tables start

b
The system must employ a local IPv4 firewall.
CM-6 - Medium - CCI-000366 - V-217930 - SV-217930r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000113
Vuln IDs
  • V-217930
  • V-38555
Rule IDs
  • SV-217930r603264_rule
  • SV-50356
The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP.
Checks: C-19411r376805_chk

If the system is a cross-domain system, this is not applicable. Run the following command to determine the current status of the "iptables" service: # service iptables status If the service is not running, it should return the following: iptables: Firewall is not running. If the service is not running, this is a finding.

Fix: F-19409r376806_fix

The "iptables" service can be enabled with the following commands: # chkconfig iptables on # service iptables start

b
The operating system must connect to external networks or information systems only through managed IPv4 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
CM-6 - Medium - CCI-000366 - V-217931 - SV-217931r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000116
Vuln IDs
  • V-217931
  • V-38560
Rule IDs
  • SV-217931r603264_rule
  • SV-50361
The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP.
Checks: C-19412r376808_chk

If the system is a cross-domain system, this is not applicable. Run the following command to determine the current status of the "iptables" service: # service iptables status If the service is not running, it should return the following: iptables: Firewall is not running. If the service is not running, this is a finding.

Fix: F-19410r376809_fix

The "iptables" service can be enabled with the following commands: # chkconfig iptables on # service iptables start

b
The operating system must prevent public IPv4 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.
CM-6 - Medium - CCI-000366 - V-217932 - SV-217932r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000117
Vuln IDs
  • V-217932
  • V-38512
Rule IDs
  • SV-217932r603264_rule
  • SV-50313
The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP.
Checks: C-19413r376811_chk

If the system is a cross-domain system, this is not applicable. Run the following command to determine the current status of the "iptables" service: # service iptables status If the service is not running, it should return the following: iptables: Firewall is not running. If the service is not running, this is a finding.

Fix: F-19411r376812_fix

The "iptables" service can be enabled with the following commands: # chkconfig iptables on # service iptables start

b
The systems local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets.
CM-6 - Medium - CCI-000366 - V-217933 - SV-217933r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000120
Vuln IDs
  • V-217933
  • V-38513
Rule IDs
  • SV-217933r603264_rule
  • SV-50314
In "iptables" the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to "DROP" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted.
Checks: C-19414r376814_chk

Run the following command to ensure the default "INPUT" policy is "DROP": # iptables -nvL | grep -i input Chain INPUT (policy DROP 0 packets, 0 bytes) If the default policy for the INPUT chain is not set to DROP, this is a finding.

Fix: F-19412r376815_fix

To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in "/etc/sysconfig/iptables": :INPUT DROP [0:0]

b
The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.
CM-7 - Medium - CCI-000382 - V-217934 - SV-217934r603264_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
RHEL-06-000124
Vuln IDs
  • V-217934
  • V-38514
Rule IDs
  • SV-217934r603264_rule
  • SV-50315
Disabling DCCP protects the system against exploitation of any flaws in its implementation.
Checks: C-19415r462394_chk

If the system is configured to prevent the loading of the "dccp" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": $ grep -r dccp /etc/modprobe.conf /etc/modprobe.d | grep -i “/bin/true”| grep -v “#” If no line is returned, this is a finding.

Fix: F-19413r462395_fix

The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the "dccp" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install dccp /bin/true

b
The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
CM-7 - Medium - CCI-000382 - V-217935 - SV-217935r603264_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
RHEL-06-000125
Vuln IDs
  • V-217935
  • V-38515
Rule IDs
  • SV-217935r603264_rule
  • SV-50316
Disabling SCTP protects the system against exploitation of any flaws in its implementation.
Checks: C-19416r462397_chk

If the system is configured to prevent the loading of the "sctp" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": $ grep -r sctp /etc/modprobe.conf /etc/modprobe.d | grep -i “/bin/true”| grep -v “#” If no line is returned, this is a finding.

Fix: F-19414r462398_fix

The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the "sctp" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install sctp /bin/true

a
The Reliable Datagram Sockets (RDS) protocol must be disabled unless required.
CM-7 - Low - CCI-000382 - V-217936 - SV-217936r603264_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000382
Version
RHEL-06-000126
Vuln IDs
  • V-217936
  • V-38516
Rule IDs
  • SV-217936r603264_rule
  • SV-50317
Disabling RDS protects the system against exploitation of any flaws in its implementation.
Checks: C-19417r376823_chk

If the system is configured to prevent the loading of the "rds" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated "/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": $ grep -r rds /etc/modprobe.conf /etc/modprobe.d If no line is returned, this is a finding.

Fix: F-19415r376824_fix

The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-bandwidth, low-latency communications between nodes in a cluster. To configure the system to prevent the "rds" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install rds /bin/true

b
The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required.
CM-7 - Medium - CCI-000382 - V-217937 - SV-217937r603264_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
RHEL-06-000127
Vuln IDs
  • V-217937
  • V-38517
Rule IDs
  • SV-217937r603264_rule
  • SV-50318
Disabling TIPC protects the system against exploitation of any flaws in its implementation.
Checks: C-19418r462400_chk

If the system is configured to prevent the loading of the "tipc" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf": $ grep -r tipc /etc/modprobe.conf /etc/modprobe.d | grep -i “/bin/true”| grep -v “#” If no line is returned, this is a finding.

Fix: F-19416r462401_fix

The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the "tipc" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d": install tipc /bin/true

b
All rsyslog-generated log files must be owned by root.
SI-11 - Medium - CCI-001314 - V-217938 - SV-217938r603264_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001314
Version
RHEL-06-000133
Vuln IDs
  • V-217938
  • V-38518
Rule IDs
  • SV-217938r603264_rule
  • SV-50319
The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.
Checks: C-19419r376829_chk

The owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". To see the owner of a given log file, run the following command: $ ls -l [LOGFILE] Some log files referenced in /etc/rsyslog.conf may be created by other programs and may require exclusion from consideration. If the owner is not root, this is a finding.

Fix: F-19417r376830_fix

The owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's owner: $ ls -l [LOGFILE] If the owner is not "root", run the following command to correct this: # chown root [LOGFILE]

b
All rsyslog-generated log files must be group-owned by root.
SI-11 - Medium - CCI-001314 - V-217939 - SV-217939r603264_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001314
Version
RHEL-06-000134
Vuln IDs
  • V-217939
  • V-38519
Rule IDs
  • SV-217939r603264_rule
  • SV-50320
The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.
Checks: C-19420r376832_chk

The group-owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". To see the group-owner of a given log file, run the following command: $ ls -l [LOGFILE] Some log files referenced in /etc/rsyslog.conf may be created by other programs and may require exclusion from consideration. If the group-owner is not root, this is a finding.

Fix: F-19418r376833_fix

The group-owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's group owner: $ ls -l [LOGFILE] If the owner is not "root", run the following command to correct this: # chgrp root [LOGFILE]

b
All rsyslog-generated log files must have mode 0600 or less permissive.
SI-11 - Medium - CCI-001314 - V-217940 - SV-217940r603264_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001314
Version
RHEL-06-000135
Vuln IDs
  • V-217940
  • V-38623
Rule IDs
  • SV-217940r603264_rule
  • SV-50424
Log files can contain valuable information regarding system configuration. If the system log files are not protected, unauthorized users could change the logged data, eliminating their forensic value.
Checks: C-19421r376835_chk

The file permissions for all log files written by rsyslog should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's permissions: $ ls -l [LOGFILE] The permissions should be 600, or more restrictive. Some log files referenced in /etc/rsyslog.conf may be created by other programs and may require exclusion from consideration. If the permissions are not correct, this is a finding.

Fix: F-19419r376836_fix

The file permissions for all log files written by rsyslog should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's permissions: $ ls -l [LOGFILE] If the permissions are not 600 or more restrictive, run the following command to correct this: # chmod 0600 [LOGFILE]

b
The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited.
AU-9 - Medium - CCI-001348 - V-217941 - SV-217941r603264_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001348
Version
RHEL-06-000136
Vuln IDs
  • V-217941
  • V-38520
Rule IDs
  • SV-217941r603264_rule
  • SV-50321
A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.
Checks: C-19422r376838_chk

To ensure logs are sent to a remote host, examine the file "/etc/rsyslog.conf". If using UDP, a line similar to the following should be present: *.* @[loghost.example.com] If using TCP, a line similar to the following should be present: *.* @@[loghost.example.com] If using RELP, a line similar to the following should be present: *.* :omrelp:[loghost.example.com] If none of these are present, this is a finding.

Fix: F-19420r376839_fix

To configure rsyslog to send logs to a remote log server, open "/etc/rsyslog.conf" and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting "[loghost.example.com]" appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments. To use UDP for log message delivery: *.* @[loghost.example.com] To use TCP for log message delivery: *.* @@[loghost.example.com] To use RELP for log message delivery: *.* :omrelp:[loghost.example.com]

b
The operating system must support the requirement to centrally manage the content of audit records generated by organization defined information system components.
AU-4 - Medium - CCI-001851 - V-217942 - SV-217942r603264_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
RHEL-06-000137
Vuln IDs
  • V-217942
  • V-38521
Rule IDs
  • SV-217942r603264_rule
  • SV-50322
A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.
Checks: C-19423r376841_chk

To ensure logs are sent to a remote host, examine the file "/etc/rsyslog.conf". If using UDP, a line similar to the following should be present: *.* @[loghost.example.com] If using TCP, a line similar to the following should be present: *.* @@[loghost.example.com] If using RELP, a line similar to the following should be present: *.* :omrelp:[loghost.example.com] If none of these are present, this is a finding.

Fix: F-19421r376842_fix

To configure rsyslog to send logs to a remote log server, open "/etc/rsyslog.conf" and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting "[loghost.example.com]" appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments. To use UDP for log message delivery: *.* @[loghost.example.com] To use TCP for log message delivery: *.* @@[loghost.example.com] To use RELP for log message delivery: *.* :omrelp:[loghost.example.com]

a
System logs must be rotated daily.
CM-6 - Low - CCI-000366 - V-217943 - SV-217943r603264_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000138
Vuln IDs
  • V-217943
  • V-38624
Rule IDs
  • SV-217943r603264_rule
  • SV-50425
Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.
Checks: C-19424r376844_chk

Run the following commands to determine the current status of the "logrotate" service: # grep logrotate /var/log/cron* If the logrotate service is not run on a daily basis by cron, this is a finding.

Fix: F-19422r376845_fix

The "logrotate" service should be installed or reinstalled if it is not installed and operating properly, by running the following command: # yum reinstall logrotate

b
The operating system must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event.
AU-3 - Medium - CCI-001487 - V-217944 - SV-217944r603264_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-001487
Version
RHEL-06-000145
Vuln IDs
  • V-217944
  • V-38628
Rule IDs
  • SV-217944r603264_rule
  • SV-50429
Ensuring the "auditd" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.
Checks: C-19425r376847_chk

Run the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, it should return the following: auditd is running... If the service is not running, this is a finding.

Fix: F-19423r376848_fix

The "auditd" service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The "auditd" service can be enabled with the following commands: # chkconfig auditd on # service auditd start

b
The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods.
AC-17 - Medium - CCI-000067 - V-217945 - SV-217945r603264_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000067
Version
RHEL-06-000148
Vuln IDs
  • V-217945
  • V-38631
Rule IDs
  • SV-217945r603264_rule
  • SV-50432
Ensuring the "auditd" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.
Checks: C-19426r376850_chk

Run the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, it should return the following: auditd is running... If the service is not running, this is a finding.

Fix: F-19424r376851_fix

The "auditd" service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The "auditd" service can be enabled with the following commands: # chkconfig auditd on # service auditd start

b
The operating system must produce audit records containing sufficient information to establish what type of events occurred.
AU-3 - Medium - CCI-000130 - V-217946 - SV-217946r603264_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
RHEL-06-000154
Vuln IDs
  • V-217946
  • V-38632
Rule IDs
  • SV-217946r603264_rule
  • SV-50433
Ensuring the "auditd" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.
Checks: C-19427r376853_chk

Run the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, it should return the following: auditd is running... If the service is not running, this is a finding.

Fix: F-19425r376854_fix

The "auditd" service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The "auditd" service can be enabled with the following commands: # chkconfig auditd on # service auditd start

b
The system must retain enough rotated audit logs to cover the required log retention period.
CM-6 - Medium - CCI-000366 - V-217947 - SV-217947r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000159
Vuln IDs
  • V-217947
  • V-38636
Rule IDs
  • SV-217947r603264_rule
  • SV-50437
The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.
Checks: C-19428r376856_chk

Inspect "/etc/audit/auditd.conf" and locate the following line to determine how many logs the system is configured to retain after rotation: "# grep num_logs /etc/audit/auditd.conf" num_logs = 5 If the overall system log file(s) retention hasn't been properly set up, this is a finding.

Fix: F-19426r376857_fix

Determine how many log files "auditd" should retain when it rotates logs. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting [NUMLOGS] with the correct value: num_logs = [NUMLOGS] Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation.

b
The system must set a maximum audit log file size.
CM-6 - Medium - CCI-000366 - V-217948 - SV-217948r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000160
Vuln IDs
  • V-217948
  • V-38633
Rule IDs
  • SV-217948r603264_rule
  • SV-50434
The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.
Checks: C-19429r376859_chk

Inspect "/etc/audit/auditd.conf" and locate the following line to determine how much data the system will retain in each audit log file: "# grep max_log_file /etc/audit/auditd.conf" max_log_file = 6 If the system audit data threshold hasn't been properly set up, this is a finding.

Fix: F-19427r376860_fix

Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting the correct value for [STOREMB]: max_log_file = [STOREMB] Set the value to "6" (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data.

b
The system must rotate audit log files that reach the maximum file size.
CM-6 - Medium - CCI-000366 - V-217949 - SV-217949r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000161
Vuln IDs
  • V-217949
  • V-38634
Rule IDs
  • SV-217949r603264_rule
  • SV-50435
Automatically rotating logs (by setting this to "rotate") minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, "keep_logs" can be employed.
Checks: C-19430r376862_chk

Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to rotate logs when they reach their maximum size: # grep max_log_file_action /etc/audit/auditd.conf max_log_file_action = rotate If the "keep_logs" option is configured for the "max_log_file_action" line in "/etc/audit/auditd.conf" and an alternate process is in place to ensure audit data does not overwhelm local audit storage, this is not a finding. If the system has not been properly set up to rotate audit logs, this is a finding.

Fix: F-19428r376863_fix

The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by "auditd", add or correct the line in "/etc/audit/auditd.conf": max_log_file_action = [ACTION] Possible values for [ACTION] are described in the "auditd.conf" man page. These include: "ignore" "syslog" "suspend" "rotate" "keep_logs" Set the "[ACTION]" to "rotate" to ensure log rotation occurs. This is the default. The setting is case-insensitive.

b
The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low.
AU-5 - Medium - CCI-001855 - V-217950 - SV-217950r603264_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-001855
Version
RHEL-06-000163
Vuln IDs
  • V-217950
  • V-54381
Rule IDs
  • SV-217950r603264_rule
  • SV-68627
Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur.
Checks: C-19431r376865_chk

Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to either suspend, switch to single-user mode, or halt when disk space has run low: admin_space_left_action = single If the system is not configured to switch to single-user mode, suspend, or halt for corrective action, this is a finding.

Fix: F-19429r376866_fix

The "auditd" service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting [ACTION] appropriately: admin_space_left_action = [ACTION] Set this value to "single" to cause the system to switch to single-user mode for corrective action. Acceptable values also include "suspend" and "halt". For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for [ACTION] are described in the "auditd.conf" man page.

a
The audit system must be configured to audit all attempts to alter system time through adjtimex.
AU-12 - Low - CCI-000169 - V-217951 - SV-217951r603264_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000169
Version
RHEL-06-000166
Vuln IDs
  • V-217951
  • V-81441
Rule IDs
  • SV-217951r603264_rule
  • SV-96155
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
Checks: C-19432r376868_chk

To determine if the system is configured to audit calls to the "adjtimex" system call, run the following command: $ sudo grep -w "adjtimex" /etc/audit/audit.rules -a always,exit -F arch=b32 -S adjtimex -k audit_time_rules -a always,exit -F arch=b64 -S adjtimex -k audit_time_rules If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "adjtimex" syscall, this is a finding.

Fix: F-19430r376869_fix

Add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b32 -S adjtimex -k audit_time_rules If the system is 64-bit, then also add the following: # audit_time_rules -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules

a
The audit system must be configured to audit all attempts to alter system time through settimeofday.
AU-12 - Low - CCI-000169 - V-217952 - SV-217952r603264_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000169
Version
RHEL-06-000167
Vuln IDs
  • V-217952
  • V-38522
Rule IDs
  • SV-217952r603264_rule
  • SV-50323
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
Checks: C-19433r376871_chk

To determine if the system is configured to audit calls to the "settimeofday" system call, run the following command: $ sudo grep -w "settimeofday" /etc/audit/audit.rules -a always,exit -F arch=b32 -S settimeofday -k audit_time_rules -a always,exit -F arch=b64 -S settimeofday -k audit_time_rules If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to the "settimeofday" syscall, this is a finding.

Fix: F-19431r376872_fix

Add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b32 -S settimeofday -k audit_time_rules If the system is 64-bit, then also add the following: # audit_time_rules -a always,exit -F arch=b64 -S settimeofday -k audit_time_rules

a
The audit system must be configured to audit all attempts to alter system time through stime.
AU-12 - Low - CCI-000169 - V-217953 - SV-217953r603264_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000169
Version
RHEL-06-000169
Vuln IDs
  • V-217953
  • V-38525
Rule IDs
  • SV-217953r603264_rule
  • SV-50326
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
Checks: C-19434r376874_chk

If the system is 64-bit only, this is not applicable. To determine if the system is configured to audit calls to the "stime" system call, run the following command: $ sudo grep -w "stime" /etc/audit/audit.rules -a always,exit -F arch=b32 -S stime -k audit_time_rules If the system is not configured to audit the "stime" syscall, this is a finding.

Fix: F-19432r376875_fix

Add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b32 -S stime -k audit_time_rules

a
The audit system must be configured to audit all attempts to alter system time through clock_settime.
AU-12 - Low - CCI-000169 - V-217954 - SV-217954r603264_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000169
Version
RHEL-06-000171
Vuln IDs
  • V-217954
  • V-38527
Rule IDs
  • SV-217954r603264_rule
  • SV-50328
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
Checks: C-19435r376877_chk

To determine if the system is configured to audit calls to the "clock_settime" system call, run the following command: $ sudo grep -w "clock_settime" /etc/audit/audit.rules -a always,exit -F arch=b32 -S clock_settime -k audit_time_rules -a always,exit -F arch=b64 -S clock_settime -k audit_time_rules If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "clock_settime" syscall, this is a finding.

Fix: F-19433r376878_fix

Add the following to "/etc/audit/audit.rules": # audit_time_rules -a always,exit -F arch=b32 -S clock_settime -k audit_time_rules If the system is 64-bit, then also add the following: # audit_time_rules -a always,exit -F arch=b64 -S clock_settime -k audit_time_rules

a
The audit system must be configured to audit all attempts to alter system time through /etc/localtime.
AU-12 - Low - CCI-000169 - V-217955 - SV-217955r603264_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000169
Version
RHEL-06-000173
Vuln IDs
  • V-217955
  • V-38530
Rule IDs
  • SV-217955r603264_rule
  • SV-50331
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
Checks: C-19436r376880_chk

To determine if the system is configured to audit attempts to alter time via the /etc/localtime file, run the following command: $ sudo grep -w "/etc/localtime" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. If the system is not configured to audit time changes, this is a finding.

Fix: F-19434r376881_fix

Add the following to "/etc/audit/audit.rules": -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.

a
The operating system must automatically audit account creation.
AC-2 - Low - CCI-000018 - V-217956 - SV-217956r603264_rule
RMF Control
AC-2
Severity
Low
CCI
CCI-000018
Version
RHEL-06-000174
Vuln IDs
  • V-217956
  • V-38531
Rule IDs
  • SV-217956r603264_rule
  • SV-50332
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
Checks: C-19437r376883_chk

To determine if the system is configured to audit account changes, run the following command: $ sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each). If the system is not configured to audit account changes, this is a finding.

Fix: F-19435r376884_fix

Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes: # audit_account_changes -w /etc/group -p wa -k audit_account_changes -w /etc/passwd -p wa -k audit_account_changes -w /etc/gshadow -p wa -k audit_account_changes -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes

a
The operating system must automatically audit account modification.
AC-2 - Low - CCI-001403 - V-217957 - SV-217957r603264_rule
RMF Control
AC-2
Severity
Low
CCI
CCI-001403
Version
RHEL-06-000175
Vuln IDs
  • V-217957
  • V-38534
Rule IDs
  • SV-217957r603264_rule
  • SV-50335
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
Checks: C-19438r376886_chk

To determine if the system is configured to audit account changes, run the following command: $sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each). If the system is not configured to audit account changes, this is a finding.

Fix: F-19436r376887_fix

Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes: # audit_account_changes -w /etc/group -p wa -k audit_account_changes -w /etc/passwd -p wa -k audit_account_changes -w /etc/gshadow -p wa -k audit_account_changes -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes

a
The operating system must automatically audit account disabling actions.
AC-2 - Low - CCI-001404 - V-217958 - SV-217958r603264_rule
RMF Control
AC-2
Severity
Low
CCI
CCI-001404
Version
RHEL-06-000176
Vuln IDs
  • V-217958
  • V-38536
Rule IDs
  • SV-217958r603264_rule
  • SV-50337
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
Checks: C-19439r376889_chk

To determine if the system is configured to audit account changes, run the following command: $sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each). If the system is not configured to audit account changes, this is a finding.

Fix: F-19437r376890_fix

Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes: # audit_account_changes -w /etc/group -p wa -k audit_account_changes -w /etc/passwd -p wa -k audit_account_changes -w /etc/gshadow -p wa -k audit_account_changes -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes

a
The operating system must automatically audit account termination.
AC-2 - Low - CCI-001405 - V-217959 - SV-217959r603264_rule
RMF Control
AC-2
Severity
Low
CCI
CCI-001405
Version
RHEL-06-000177
Vuln IDs
  • V-217959
  • V-38538
Rule IDs
  • SV-217959r603264_rule
  • SV-50339
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
Checks: C-19440r376892_chk

To determine if the system is configured to audit account changes, run the following command: $sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each). If the system is not configured to audit account changes, this is a finding.

Fix: F-19438r376893_fix

Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes: # audit_account_changes -w /etc/group -p wa -k audit_account_changes -w /etc/passwd -p wa -k audit_account_changes -w /etc/gshadow -p wa -k audit_account_changes -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes

a
The audit system must be configured to audit modifications to the systems network configuration.
CM-6 - Low - CCI-000366 - V-217960 - SV-217960r603264_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000182
Vuln IDs
  • V-217960
  • V-38540
Rule IDs
  • SV-217960r603264_rule
  • SV-50341
The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.
Checks: C-19441r376895_chk

If you are running x86_64 architecture, determine the values for sethostname: $ uname -m; ausyscall i386 sethostname; ausyscall x86_64 sethostname If the values returned are not identical verify that the system is configured to monitor network configuration changes for the i386 and x86_64 architectures: $ sudo egrep -w '(sethostname|setdomainname|/etc/issue|/etc/issue.net|/etc/hosts|/etc/sysconfig/network)' /etc/audit/audit.rules -a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications -a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_network_modifications -w /etc/issue -p wa -k audit_network_modifications -w /etc/issue.net -p wa -k audit_network_modifications -w /etc/hosts -p wa -k audit_network_modifications -w /etc/sysconfig/network -p wa -k audit_network_modifications If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit changes of the network configuration, this is a finding.

Fix: F-19439r376896_fix

Add the following to "/etc/audit/audit.rules": # audit_network_modifications -a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications -w /etc/issue -p wa -k audit_network_modifications -w /etc/issue.net -p wa -k audit_network_modifications -w /etc/hosts -p wa -k audit_network_modifications -w /etc/sysconfig/network -p wa -k audit_network_modifications If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_network_modifications

a
The audit system must be configured to audit modifications to the systems Mandatory Access Control (MAC) configuration (SELinux).
CM-6 - Low - CCI-000366 - V-217961 - SV-217961r603264_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000183
Vuln IDs
  • V-217961
  • V-38541
Rule IDs
  • SV-217961r603264_rule
  • SV-50342
The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.
Checks: C-19442r376898_chk

To determine if the system is configured to audit changes to its SELinux configuration files, run the following command: $ sudo grep -w "/etc/selinux" /etc/audit/audit.rules If the system is configured to watch for changes to its SELinux configuration, a line should be returned (including "-p wa" indicating permissions that are watched). If the system is not configured to audit attempts to change the MAC policy, this is a finding.

Fix: F-19440r376899_fix

Add the following to "/etc/audit/audit.rules": -w /etc/selinux/ -p wa -k MAC-policy

a
The audit system must be configured to audit all discretionary access control permission modifications using chmod.
AU-12 - Low - CCI-000172 - V-217962 - SV-217962r603264_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
RHEL-06-000184
Vuln IDs
  • V-217962
  • V-38543
Rule IDs
  • SV-217962r603264_rule
  • SV-50344
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Checks: C-19443r376901_chk

To determine if the system is configured to audit calls to the "chmod" system call, run the following command: $ sudo grep -w "chmod" /etc/audit/audit.rules -a always,exit -F arch=b32 -S chmod -F auid&gt;=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S chmod -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S chmod -F auid&gt;=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S chmod -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "chmod" system call, this is a finding.

Fix: F-19441r376902_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S chmod -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S chmod -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using chown.
AU-12 - Low - CCI-000172 - V-217963 - SV-217963r603264_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
RHEL-06-000185
Vuln IDs
  • V-217963
  • V-38545
Rule IDs
  • SV-217963r603264_rule
  • SV-50346
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Checks: C-19444r376904_chk

To determine if the system is configured to audit calls to the "chown" system call, run the following command: $ sudo grep -w "chown" /etc/audit/audit.rules -a always,exit -F arch=b32 -S chown -F auid&gt;=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S chown -F auid&gt;=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S chown -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "chown" system call, this is a finding.

Fix: F-19442r376905_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S chown -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using fchmod.
AU-12 - Low - CCI-000172 - V-217964 - SV-217964r603264_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
RHEL-06-000186
Vuln IDs
  • V-217964
  • V-38547
Rule IDs
  • SV-217964r603264_rule
  • SV-50348
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Checks: C-19445r376907_chk

To determine if the system is configured to audit calls to the "fchmod" system call, run the following command: $ sudo grep -w "fchmod" /etc/audit/audit.rules -a always,exit -F arch=b32 -S fchmod -F auid&gt;=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S fchmod -F auid&gt;=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "fchmod" system call, this is a finding.

Fix: F-19443r376908_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using fchmodat.
AU-12 - Low - CCI-000172 - V-217965 - SV-217965r603264_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
RHEL-06-000187
Vuln IDs
  • V-217965
  • V-38550
Rule IDs
  • SV-217965r603264_rule
  • SV-50351
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Checks: C-19446r376910_chk

To determine if the system is configured to audit calls to the "fchmodat" system call, run the following command: $ sudo grep -w "fchmodat" /etc/audit/audit.rules -a always,exit -F arch=b32 -S fchmodat -F auid&gt;=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S fchmodat -F auid&gt;=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "fchmodat" system call, this is a finding.

Fix: F-19444r376911_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using fchown.
AU-12 - Low - CCI-000172 - V-217966 - SV-217966r603264_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
RHEL-06-000188
Vuln IDs
  • V-217966
  • V-38552
Rule IDs
  • SV-217966r603264_rule
  • SV-50353
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Checks: C-19447r376913_chk

To determine if the system is configured to audit calls to the "fchown" system call, run the following command: $ sudo grep -w "fchown" /etc/audit/audit.rules -a always,exit -F arch=b32 -S fchown -F auid&gt;=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S fchown -F auid&gt;=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "fchown" system call, this is a finding.

Fix: F-19445r376914_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using fchownat.
AU-12 - Low - CCI-000172 - V-217967 - SV-217967r603264_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
RHEL-06-000189
Vuln IDs
  • V-217967
  • V-38554
Rule IDs
  • SV-217967r603264_rule
  • SV-50355
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Checks: C-19448r376916_chk

To determine if the system is configured to audit calls to the "fchownat" system call, run the following command: $ sudo grep -w "fchownat" /etc/audit/audit.rules -a always,exit -F arch=b32 -S fchownat -F auid&gt;=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S fchownat -F auid&gt;=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "fchownat" system call, this is a finding.

Fix: F-19446r376917_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr.
AU-12 - Low - CCI-000172 - V-217968 - SV-217968r603264_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
RHEL-06-000190
Vuln IDs
  • V-217968
  • V-38556
Rule IDs
  • SV-217968r603264_rule
  • SV-50357
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Checks: C-19449r376919_chk

To determine if the system is configured to audit calls to the "fremovexattr" system call, run the following command: $ sudo grep -w "fremovexattr" /etc/audit/audit.rules -a always,exit -F arch=b32 -S fremovexattr -F auid&gt;=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S fremovexattr -F auid&gt;=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "fremovexattr" system call, this is a finding.

Fix: F-19447r376920_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr.
AU-12 - Low - CCI-000172 - V-217969 - SV-217969r603264_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
RHEL-06-000191
Vuln IDs
  • V-217969
  • V-38557
Rule IDs
  • SV-217969r603264_rule
  • SV-50358
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Checks: C-19450r376922_chk

To determine if the system is configured to audit calls to the "fsetxattr" system call, run the following command: $ sudo grep -w "fsetxattr" /etc/audit/audit.rules -a always,exit -F arch=b32 -S fsetxattr -F auid&gt;=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S fsetxattr -F auid&gt;=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "fsetxattr" system call, this is a finding.

Fix: F-19448r376923_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using lchown.
AU-12 - Low - CCI-000172 - V-217970 - SV-217970r603264_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
RHEL-06-000192
Vuln IDs
  • V-217970
  • V-38558
Rule IDs
  • SV-217970r603264_rule
  • SV-50359
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Checks: C-19451r376925_chk

To determine if the system is configured to audit calls to the "lchown" system call, run the following command: $ sudo grep -w "lchown" /etc/audit/audit.rules -a always,exit -F arch=b32 -S lchown -F auid&gt;=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S lchown -F auid&gt;=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "lchown" system call, this is a finding.

Fix: F-19449r376926_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr.
AU-12 - Low - CCI-000172 - V-217971 - SV-217971r603264_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
RHEL-06-000193
Vuln IDs
  • V-217971
  • V-38559
Rule IDs
  • SV-217971r603264_rule
  • SV-50360
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Checks: C-19452r376928_chk

To determine if the system is configured to audit calls to the "lremovexattr" system call, run the following command: $ sudo grep -w "lremovexattr" /etc/audit/audit.rules -a always,exit -F arch=b32 -S lremovexattr -F auid&gt;=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S lremovexattr -F auid&gt;=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "lremovexattr" system call, this is a finding.

Fix: F-19450r376929_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr.
AU-12 - Low - CCI-000172 - V-217972 - SV-217972r603264_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
RHEL-06-000194
Vuln IDs
  • V-217972
  • V-38561
Rule IDs
  • SV-217972r603264_rule
  • SV-50362
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Checks: C-19453r376931_chk

To determine if the system is configured to audit calls to the "lsetxattr" system call, run the following command: $ sudo grep -w "lsetxattr" /etc/audit/audit.rules -a always,exit -F arch=b32 -S lsetxattr -F auid&gt;=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S lsetxattr -F auid&gt;=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "lsetxattr" system call, this is a finding.

Fix: F-19451r376932_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using removexattr.
AU-12 - Low - CCI-000172 - V-217973 - SV-217973r603264_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
RHEL-06-000195
Vuln IDs
  • V-217973
  • V-38563
Rule IDs
  • SV-217973r603264_rule
  • SV-50364
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Checks: C-19454r376934_chk

To determine if the system is configured to audit calls to the "removexattr" system call, run the following command: $ sudo grep -w "removexattr" /etc/audit/audit.rules -a always,exit -F arch=b32 -S removexattr -F auid&gt;=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S removexattr -F auid&gt;=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "removexattr" system call, this is a finding.

Fix: F-19452r376935_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod

a
The audit system must be configured to audit all discretionary access control permission modifications using setxattr.
AU-12 - Low - CCI-000172 - V-217974 - SV-217974r603264_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
RHEL-06-000196
Vuln IDs
  • V-217974
  • V-38565
Rule IDs
  • SV-217974r603264_rule
  • SV-50366
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Checks: C-19455r376937_chk

To determine if the system is configured to audit calls to the "setxattr" system call, run the following command: $ sudo grep -w "setxattr" /etc/audit/audit.rules -a always,exit -F arch=b32 -S setxattr -F auid&gt;=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S setxattr -F auid&gt;=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit the "setxattr" system call, this is a finding.

Fix: F-19453r376938_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 \ -k perm_mod -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod

a
The audit system must be configured to audit failed attempts to access files and programs.
AU-12 - Low - CCI-000172 - V-217975 - SV-217975r603264_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
RHEL-06-000197
Vuln IDs
  • V-217975
  • V-38566
Rule IDs
  • SV-217975r603264_rule
  • SV-50367
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Checks: C-19456r376940_chk

To verify that the audit system collects unauthorized file accesses, run the following commands: # grep EACCES /etc/audit/audit.rules -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid&gt;=500 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid=0 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid&gt;=500 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid=0 -k access # grep EPERM /etc/audit/audit.rules -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid&gt;=500 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid=0 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid&gt;=500 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid=0 -k access If the system is 64-bit and does not return rules for both "b32" and "b64" architectures, this is a finding. If either command lacks output, this is a finding.

Fix: F-19454r376941_fix

At a minimum, the audit system should collect unauthorized file accesses for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid=0 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid=0 -k access If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EACCES -F auid=0 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate \ -S ftruncate -F exit=-EPERM -F auid=0 -k access

a
The audit system must be configured to audit all use of setuid and setgid programs.
AC-6 - Low - CCI-002234 - V-217976 - SV-217976r603264_rule
RMF Control
AC-6
Severity
Low
CCI
CCI-002234
Version
RHEL-06-000198
Vuln IDs
  • V-217976
  • V-38567
Rule IDs
  • SV-217976r603264_rule
  • SV-50368
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Checks: C-19457r376943_chk

To verify that auditing of privileged command use is configured, run the following command once for each local partition [PART] to find relevant setuid / setgid programs: $ sudo find [PART] -xdev -type f -perm /6000 2&gt;/dev/null Run the following command to verify entries in the audit rules for all programs found with the previous command: $ sudo grep path /etc/audit/audit.rules It should be the case that all relevant setuid / setgid programs have a line in the audit rules. If that is not the case, this is a finding.

Fix: F-19455r376944_fix

At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition [PART]: $ sudo find [PART] -xdev -type f -perm /6000 2>/dev/null Then, for each setuid / setgid program on the system, add a line of the following form to "/etc/audit/audit.rules", where [SETUID_PROG_PATH] is the full path to each setuid / setgid program in the list: -a always,exit -F path=[SETUID_PROG_PATH] -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged

a
The audit system must be configured to audit successful file system mounts.
AU-12 - Low - CCI-000172 - V-217977 - SV-217977r603264_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
RHEL-06-000199
Vuln IDs
  • V-217977
  • V-38568
Rule IDs
  • SV-217977r603264_rule
  • SV-50369
The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.
Checks: C-19458r376946_chk

To verify that auditing is configured for all media exportation events, run the following command: $ sudo grep -w "mount" /etc/audit/audit.rules -a always,exit -F arch=b32 -S mount -F auid&gt;=500 -F auid!=4294967295 -k export -a always,exit -F arch=b32 -S mount -F auid=0 -k export -a always,exit -F arch=b64 -S mount -F auid&gt;=500 -F auid!=4294967295 -k export -a always,exit -F arch=b64 -S mount -F auid=0 -k export If the system is 64-bit and does not return rules for both "b32" and "b64" architectures, this is a finding. If no line is returned, this is a finding.

Fix: F-19456r376947_fix

At a minimum, the audit system should collect media exportation events for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export -a always,exit -F arch=b32 -S mount -F auid=0 -k export If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export -a always,exit -F arch=b64 -S mount -F auid=0 -k export

a
The audit system must be configured to audit user deletions of files and programs.
AU-12 - Low - CCI-000172 - V-217978 - SV-217978r603264_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
RHEL-06-000200
Vuln IDs
  • V-217978
  • V-38575
Rule IDs
  • SV-217978r603264_rule
  • SV-50376
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.
Checks: C-19459r376949_chk

To determine if the system is configured to audit user deletions of files and programs, run the following command: $ sudo egrep -w 'rmdir|unlink|unlinkat|rename|renameat' /etc/audit/audit.rules -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid&gt;=500 -F auid!=4294967295 -k delete -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid&gt;=500 -F auid!=4294967295 -k delete -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete If the system is 64-bit and does not return rules for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit "rmdir", this is a finding. If the system is not configured to audit "unlink", this is a finding. If the system is not configured to audit "unlinkat", this is a finding. If the system is not configured to audit "rename", this is a finding. If the system is not configured to audit "renameat", this is a finding. If no line is returned, this is a finding.

Fix: F-19457r376950_fix

At a minimum, the audit system should collect file deletion events for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete

a
The audit system must be configured to audit changes to the /etc/sudoers file.
AU-12 - Low - CCI-000172 - V-217979 - SV-217979r603264_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
RHEL-06-000201
Vuln IDs
  • V-217979
  • V-38578
Rule IDs
  • SV-217979r603264_rule
  • SV-50379
The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes.
Checks: C-19460r376952_chk

To verify that auditing is configured for system administrator actions, run the following command: $ sudo grep -w "/etc/sudoers" /etc/audit/audit.rules If the system is configured to watch for changes to its sudoers configuration, a line should be returned (including "-p wa" indicating permissions that are watched). If there is no output, this is a finding.

Fix: F-19458r376953_fix

At a minimum, the audit system should collect administrator actions for all users and root. Add the following to "/etc/audit/audit.rules": -w /etc/sudoers -p wa -k actions

b
The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
AU-12 - Medium - CCI-000172 - V-217980 - SV-217980r603264_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
RHEL-06-000202
Vuln IDs
  • V-217980
  • V-38580
Rule IDs
  • SV-217980r603264_rule
  • SV-50381
The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.
Checks: C-19461r376955_chk

To determine if the system is configured to audit execution of module management programs, run the following commands: $ sudo egrep -e "(-w |-F path=)/sbin/insmod|(-w |-F path=)/sbin/rmmod|(-w |-F path=)/sbin/modprobe" /etc/audit/audit.rules -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules If "/sbin/insmod" is not being audited, this is a finding. If "/sbin/rmmod" is not being audited, this is a finding. If "/sbin/modprobe" is not being audited, this is a finding. To determine if the system is configured to audit calls to the "init_module" and "delete_module" system calls, run the following command: $ sudo egrep -w "init_module|delete_module" /etc/audit/audit.rules -a always,exit -F arch=b32 -S init_module -S delete_module -k modules -a always,exit -F arch=b64 -S init_module -S delete_module -k modules If the system is 64-bit and does not return rules for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit "init_module" this is a finding. If the system is not configured to audit "delete_module", this is a finding. If no line is returned, this is a finding.

Fix: F-19459r376956_fix

Add the following to "/etc/audit/audit.rules" in order to capture kernel module loading and unloading events: -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules -a always,exit -F arch=b32 -S init_module -S delete_module -k modules If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S init_module -S delete_module -k modules

b
The xinetd service must be disabled if no network services utilizing it are enabled.
CM-7 - Medium - CCI-000382 - V-217981 - SV-217981r603264_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
RHEL-06-000203
Vuln IDs
  • V-217981
  • V-38582
Rule IDs
  • SV-217981r603264_rule
  • SV-50383
The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself.
Checks: C-19462r376958_chk

If network services are using the xinetd service, this is not applicable. To check that the "xinetd" service is disabled in system boot configuration, run the following command: # chkconfig "xinetd" --list Output should indicate the "xinetd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "xinetd" --list "xinetd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "xinetd" is disabled through current runtime configuration: # service xinetd status If the service is disabled the command will return the following output: xinetd is stopped If the service is running, this is a finding.

Fix: F-19460r376959_fix

The "xinetd" service can be disabled with the following commands: # chkconfig xinetd off # service xinetd stop

a
The xinetd service must be uninstalled if no network services utilizing it are enabled.
CM-7 - Low - CCI-000382 - V-217982 - SV-217982r603264_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000382
Version
RHEL-06-000204
Vuln IDs
  • V-217982
  • V-38584
Rule IDs
  • SV-217982r603264_rule
  • SV-50385
Removing the "xinetd" package decreases the risk of the xinetd service's accidental (or intentional) activation.
Checks: C-19463r376961_chk

If network services are using the xinetd service, this is not applicable. Run the following command to determine if the "xinetd" package is installed: # rpm -q xinetd If the package is installed, this is a finding.

Fix: F-19461r376962_fix

The "xinetd" package can be uninstalled with the following command: # yum erase xinetd

c
The telnet-server package must not be installed.
CM-7 - High - CCI-000381 - V-217983 - SV-217983r603264_rule
RMF Control
CM-7
Severity
High
CCI
CCI-000381
Version
RHEL-06-000206
Vuln IDs
  • V-217983
  • V-38587
Rule IDs
  • SV-217983r603264_rule
  • SV-50388
Removing the "telnet-server" package decreases the risk of the unencrypted telnet service's accidental (or intentional) activation. Mitigation: If the telnet-server package is configured to only allow encrypted sessions, such as with Kerberos or the use of encrypted network tunnels, the risk of exposing sensitive information is mitigated.
Checks: C-19464r376964_chk

Run the following command to determine if the "telnet-server" package is installed: # rpm -q telnet-server If the package is installed, this is a finding.

Fix: F-19462r376965_fix

The "telnet-server" package can be uninstalled with the following command: # yum erase telnet-server

c
The telnet daemon must not be running.
CM-7 - High - CCI-000381 - V-217984 - SV-217984r603264_rule
RMF Control
CM-7
Severity
High
CCI
CCI-000381
Version
RHEL-06-000211
Vuln IDs
  • V-217984
  • V-38589
Rule IDs
  • SV-217984r603264_rule
  • SV-50390
The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks. Mitigation: If an enabled telnet daemon is configured to only allow encrypted sessions, such as with Kerberos or the use of encrypted network tunnels, the risk of exposing sensitive information is mitigated.
Checks: C-19465r376967_chk

To check that the "telnet" service is disabled in system boot configuration, run the following command: # chkconfig "telnet" --list Output should indicate the "telnet" service has either not been installed, or has been disabled, as shown in the example below: # chkconfig "telnet" --list telnet off OR error reading information on service telnet: No such file or directory If the service is running, this is a finding.

Fix: F-19463r376968_fix

The "telnet" service can be disabled with the following command: # chkconfig telnet off

c
The rsh-server package must not be installed.
CM-7 - High - CCI-000381 - V-217985 - SV-217985r603264_rule
RMF Control
CM-7
Severity
High
CCI
CCI-000381
Version
RHEL-06-000213
Vuln IDs
  • V-217985
  • V-38591
Rule IDs
  • SV-217985r603264_rule
  • SV-50392
The "rsh-server" package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation.
Checks: C-19466r376970_chk

Run the following command to determine if the "rsh-server" package is installed: # rpm -q rsh-server If the package is installed, this is a finding.

Fix: F-19464r376971_fix

The "rsh-server" package can be uninstalled with the following command: # yum erase rsh-server

c
The rshd service must not be running.
AC-17 - High - CCI-000068 - V-217986 - SV-217986r603264_rule
RMF Control
AC-17
Severity
High
CCI
CCI-000068
Version
RHEL-06-000214
Vuln IDs
  • V-217986
  • V-38594
Rule IDs
  • SV-217986r603264_rule
  • SV-50395
The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
Checks: C-19467r376973_chk

To check that the "rsh" service is disabled in system boot configuration, run the following command: # chkconfig "rsh" --list Output should indicate the "rsh" service has either not been installed, or has been disabled, as shown in the example below: # chkconfig "rsh" --list rsh off OR error reading information on service rsh: No such file or directory If the service is running, this is a finding.

Fix: F-19465r376974_fix

The "rsh" service, which is available with the "rsh-server" package and runs as a service through xinetd, should be disabled. The "rsh" service can be disabled with the following command: # chkconfig rsh off

c
The rexecd service must not be running.
AC-17 - High - CCI-000068 - V-217987 - SV-217987r603264_rule
RMF Control
AC-17
Severity
High
CCI
CCI-000068
Version
RHEL-06-000216
Vuln IDs
  • V-217987
  • V-38598
Rule IDs
  • SV-217987r603264_rule
  • SV-50399
The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
Checks: C-19468r376976_chk

To check that the "rexec" service is disabled in system boot configuration, run the following command: # chkconfig "rexec" --list Output should indicate the "rexec" service has either not been installed, or has been disabled, as shown in the example below: # chkconfig "rexec" --list rexec off OR error reading information on service rexec: No such file or directory If the service is running, this is a finding.

Fix: F-19466r376977_fix

The "rexec" service, which is available with the "rsh-server" package and runs as a service through xinetd, should be disabled. The "rexec" service can be disabled with the following command: # chkconfig rexec off

c
The rlogind service must not be running.
CM-7 - High - CCI-000381 - V-217988 - SV-217988r603264_rule
RMF Control
CM-7
Severity
High
CCI
CCI-000381
Version
RHEL-06-000218
Vuln IDs
  • V-217988
  • V-38602
Rule IDs
  • SV-217988r603264_rule
  • SV-50403
The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
Checks: C-19469r376979_chk

To check that the "rlogin" service is disabled in system boot configuration, run the following command: # chkconfig "rlogin" --list Output should indicate the "rlogin" service has either not been installed, or has been disabled, as shown in the example below: # chkconfig "rlogin" --list rlogin off OR error reading information on service rlogin: No such file or directory If the service is running, this is a finding.

Fix: F-19467r376980_fix

The "rlogin" service, which is available with the "rsh-server" package and runs as a service through xinetd, should be disabled. The "rlogin" service can be disabled with the following command: # chkconfig rlogin off

b
The ypserv package must not be installed.
CM-7 - Medium - CCI-000381 - V-217989 - SV-217989r603264_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
RHEL-06-000220
Vuln IDs
  • V-217989
  • V-38603
Rule IDs
  • SV-217989r603264_rule
  • SV-50404
Removing the "ypserv" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.
Checks: C-19470r376982_chk

Run the following command to determine if the "ypserv" package is installed: # rpm -q ypserv If the package is installed, this is a finding.

Fix: F-19468r376983_fix

The "ypserv" package can be uninstalled with the following command: # yum erase ypserv

b
The ypbind service must not be running.
CM-7 - Medium - CCI-000382 - V-217990 - SV-217990r603264_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
RHEL-06-000221
Vuln IDs
  • V-217990
  • V-38604
Rule IDs
  • SV-217990r603264_rule
  • SV-50405
Disabling the "ypbind" service ensures the system is not acting as a client in a NIS or NIS+ domain.
Checks: C-19471r376985_chk

To check that the "ypbind" service is disabled in system boot configuration, run the following command: # chkconfig "ypbind" --list Output should indicate the "ypbind" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "ypbind" --list "ypbind" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "ypbind" is disabled through current runtime configuration: # service ypbind status If the service is disabled the command will return the following output: ypbind is stopped If the service is running, this is a finding.

Fix: F-19469r376986_fix

The "ypbind" service, which allows the system to act as a client in a NIS or NIS+ domain, should be disabled. The "ypbind" service can be disabled with the following commands: # chkconfig ypbind off # service ypbind stop

b
The tftp-server package must not be installed unless required.
CM-7 - Medium - CCI-000381 - V-217991 - SV-217991r603264_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
RHEL-06-000222
Vuln IDs
  • V-217991
  • V-38606
Rule IDs
  • SV-217991r603264_rule
  • SV-50407
Removing the "tftp-server" package decreases the risk of the accidental (or intentional) activation of tftp services.
Checks: C-19472r376988_chk

Run the following command to determine if the "tftp-server" package is installed: # rpm -q tftp-server If the package is installed and not documented and approved by the ISSO, this is a finding.

Fix: F-19470r376989_fix

The "tftp-server" package can be removed with the following command: # yum erase tftp-server

b
The TFTP service must not be running.
CM-7 - Medium - CCI-000381 - V-217992 - SV-217992r603264_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
RHEL-06-000223
Vuln IDs
  • V-217992
  • V-38609
Rule IDs
  • SV-217992r603264_rule
  • SV-50410
Disabling the "tftp" service ensures the system is not acting as a tftp server, which does not provide encryption or authentication.
Checks: C-19473r376991_chk

To check that the "tftp" service is disabled in system boot configuration, run the following command: # chkconfig "tftp" --list Output should indicate the "tftp" service has either not been installed, or has been disabled, as shown in the example below: # chkconfig "tftp" --list tftp off OR error reading information on service tftp: No such file or directory If the service is running and not documented and approved by the ISSO, this is a finding.

Fix: F-19471r376992_fix

The "tftp" service should be disabled. The "tftp" service can be disabled with the following command: # chkconfig tftp off

b
The cron service must be running.
CM-6 - Medium - CCI-000366 - V-217993 - SV-217993r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000224
Vuln IDs
  • V-217993
  • V-38605
Rule IDs
  • SV-217993r603264_rule
  • SV-50406
Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.
Checks: C-19474r376994_chk

Run the following command to determine the current status of the "crond" service: # service crond status If the service is enabled, it should return the following: crond is running... If the service is not running, this is a finding.

Fix: F-19472r376995_fix

The "crond" service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The "crond" service can be enabled with the following commands: # chkconfig crond on # service crond start

c
The SSH daemon must be configured to use only the SSHv2 protocol.
IA-2 - High - CCI-001941 - V-217994 - SV-217994r603264_rule
RMF Control
IA-2
Severity
High
CCI
CCI-001941
Version
RHEL-06-000227
Vuln IDs
  • V-217994
  • V-38607
Rule IDs
  • SV-217994r603264_rule
  • SV-50408
SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used.
Checks: C-19475r376997_chk

To check which SSH protocol version is allowed, run the following command: # grep Protocol /etc/ssh/sshd_config If configured properly, output should be Protocol 2 If it is not, this is a finding.

Fix: F-19473r376998_fix

Only SSH protocol version 2 connections should be permitted. The default setting in "/etc/ssh/sshd_config" is correct, and can be verified by ensuring that the following line appears: Protocol 2

b
The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
AC-17 - Medium - CCI-001453 - V-217995 - SV-217995r603816_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-001453
Version
RHEL-06-000228
Vuln IDs
  • V-217995
  • V-100013
Rule IDs
  • SV-217995r603816_rule
  • SV-109117
DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2 hash algorithm meeting this requirement is SHA. By specifying a hash algorithm list with the order of hashes being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest hash for securing SSH connections.
Checks: C-19476r603814_chk

Verify the SSH daemon is configured to only use MACs employing FIPS 140-2-approved hashes. Check that the SSH daemon is configured to only use MACs employing FIPS 140-2-approved hashes with the following command: # grep -i macs /etc/ssh/sshd_config MACs hmac-sha2-512,hmac-sha2-256 If any hashes other than "hmac-sha2-512" or "hmac-sha2-256" are listed, the order differs from the example above, they are missing, or the returned line is commented out, this is a finding.

Fix: F-19474r603815_fix

Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "MACs" keyword and set its value to "hmac-sha2-512" and/or "hmac-sha2-256" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): MACs hmac-sha2-512,hmac-sha2-256 The SSH service must be restarted for changes to take effect. # sudo service sshd restart

a
The SSH daemon must set a timeout interval on idle sessions.
SC-10 - Low - CCI-001133 - V-217996 - SV-217996r603819_rule
RMF Control
SC-10
Severity
Low
CCI
CCI-001133
Version
RHEL-06-000230
Vuln IDs
  • V-217996
  • V-38608
Rule IDs
  • SV-217996r603819_rule
  • SV-50409
Causing idle users to be automatically logged out guards against compromises one system leading trivially to compromises on another.
Checks: C-19477r603817_chk

Run the following command to see what the timeout interval is: # grep ClientAliveInterval /etc/ssh/sshd_config ClientAliveInterval 600 If "ClientAliveInterval" has a value greater than "600", this is a finding.

Fix: F-19475r603818_fix

SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out. To set an idle timeout interval, edit the following line in "/etc/ssh/sshd_config" as follows: ClientAliveInterval [interval] The timeout [interval] is given in seconds. To have a timeout of ten minutes, set [interval] to 600. If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.

a
The SSH daemon must set a timeout count on idle sessions.
MA-4 - Low - CCI-000879 - V-217997 - SV-217997r603264_rule
RMF Control
MA-4
Severity
Low
CCI
CCI-000879
Version
RHEL-06-000231
Vuln IDs
  • V-217997
  • V-38610
Rule IDs
  • SV-217997r603264_rule
  • SV-50411
This ensures a user login will be terminated as soon as the "ClientAliveCountMax" is reached.
Checks: C-19478r377006_chk

To ensure the SSH idle timeout will occur when the "ClientAliveCountMax" is set, run the following command: # grep ClientAliveCountMax /etc/ssh/sshd_config If properly configured, output should be: ClientAliveCountMax 0 If it is not, this is a finding.

Fix: F-19476r377007_fix

To ensure the SSH idle timeout occurs precisely when the "ClientAliveCountMax" is set, edit "/etc/ssh/sshd_config" as follows: ClientAliveCountMax 0

b
The SSH daemon must ignore .rhosts files.
IA-2 - Medium - CCI-000766 - V-217998 - SV-217998r603264_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000766
Version
RHEL-06-000234
Vuln IDs
  • V-217998
  • V-38611
Rule IDs
  • SV-217998r603264_rule
  • SV-50412
SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.
Checks: C-19479r377009_chk

To determine how the SSH daemon's "IgnoreRhosts" option is set, run the following command: # grep -i IgnoreRhosts /etc/ssh/sshd_config If no line, a commented line, or a line indicating the value "yes" is returned, then the required value is set. If the required value is not set, this is a finding.

Fix: F-19477r377010_fix

SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via ".rhosts" files. To ensure this behavior is disabled, add or correct the following line in "/etc/ssh/sshd_config": IgnoreRhosts yes

b
The SSH daemon must not allow host-based authentication.
IA-2 - Medium - CCI-000766 - V-217999 - SV-217999r603264_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000766
Version
RHEL-06-000236
Vuln IDs
  • V-217999
  • V-38612
Rule IDs
  • SV-217999r603264_rule
  • SV-50413
SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.
Checks: C-19480r377012_chk

To determine how the SSH daemon's "HostbasedAuthentication" option is set, run the following command: # grep -i HostbasedAuthentication /etc/ssh/sshd_config If no line, a commented line, or a line indicating the value "no" is returned, then the required value is set. If the required value is not set, this is a finding.

Fix: F-19478r377013_fix

SSH's cryptographic host-based authentication is more secure than ".rhosts" authentication, since hosts are cryptographically authenticated. However, it is not recommended that hosts unilaterally trust one another, even within an organization. To disable host-based authentication, add or correct the following line in "/etc/ssh/sshd_config": HostbasedAuthentication no

b
The system must not permit root logins using remote access programs such as ssh.
IA-2 - Medium - CCI-000770 - V-218000 - SV-218000r603264_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000770
Version
RHEL-06-000237
Vuln IDs
  • V-218000
  • V-38613
Rule IDs
  • SV-218000r603264_rule
  • SV-50414
Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on root's password.
Checks: C-19481r377015_chk

To determine how the SSH daemon's "PermitRootLogin" option is set, run the following command: # grep -i PermitRootLogin /etc/ssh/sshd_config If a line indicating "no" is returned, then the required value is set. If the required value is not set, this is a finding.

Fix: F-19479r377016_fix

The root user should never be allowed to log in to a system directly over a network. To disable root login via SSH, add or correct the following line in "/etc/ssh/sshd_config": PermitRootLogin no

c
The SSH daemon must not allow authentication using an empty password.
IA-2 - High - CCI-000766 - V-218001 - SV-218001r603264_rule
RMF Control
IA-2
Severity
High
CCI
CCI-000766
Version
RHEL-06-000239
Vuln IDs
  • V-218001
  • V-38614
Rule IDs
  • SV-218001r603264_rule
  • SV-50415
Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.
Checks: C-19482r377018_chk

To determine how the SSH daemon's "PermitEmptyPasswords" option is set, run the following command: # grep -i PermitEmptyPasswords /etc/ssh/sshd_config If no line, a commented line, or a line indicating the value "no" is returned, then the required value is set. If the required value is not set, this is a finding.

Fix: F-19480r377019_fix

To explicitly disallow remote login from accounts with empty passwords, add or correct the following line in "/etc/ssh/sshd_config": PermitEmptyPasswords no Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.

b
The SSH daemon must be configured with the Department of Defense (DoD) login banner.
AC-8 - Medium - CCI-000048 - V-218002 - SV-218002r603264_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000048
Version
RHEL-06-000240
Vuln IDs
  • V-218002
  • V-38615
Rule IDs
  • SV-218002r603264_rule
  • SV-50416
The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.
Checks: C-19483r377021_chk

To determine how the SSH daemon's "Banner" option is set, run the following command: # grep -i Banner /etc/ssh/sshd_config If a line indicating /etc/issue is returned, then the required value is set. If the required value is not set, this is a finding.

Fix: F-19481r377022_fix

To enable the warning banner and ensure it is consistent across the system, add or correct the following line in "/etc/ssh/sshd_config": Banner /etc/issue Another section contains information on how to create an appropriate system-wide warning banner.

a
The SSH daemon must not permit user environment settings.
AC-4 - Low - CCI-001414 - V-218003 - SV-218003r603264_rule
RMF Control
AC-4
Severity
Low
CCI
CCI-001414
Version
RHEL-06-000241
Vuln IDs
  • V-218003
  • V-38616
Rule IDs
  • SV-218003r603264_rule
  • SV-50417
SSH environment options potentially allow users to bypass access restriction in some configurations.
Checks: C-19484r377024_chk

To ensure users are not able to present environment daemons, run the following command: # grep PermitUserEnvironment /etc/ssh/sshd_config If properly configured, output should be: PermitUserEnvironment no If it is not, this is a finding.

Fix: F-19482r377025_fix

To ensure users are not able to present environment options to the SSH daemon, add or correct the following line in "/etc/ssh/sshd_config": PermitUserEnvironment no

b
The RHEL 6 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.
AC-17 - Medium - CCI-000068 - V-218004 - SV-218004r603822_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000068
Version
RHEL-06-000243
Vuln IDs
  • V-218004
  • V-38617
Rule IDs
  • SV-218004r603822_rule
  • SV-50418
Approved algorithms should impart some level of confidence in their implementation. These are also required for compliance. By specifying a cipher list with the order of ciphers being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections.
Checks: C-19485r603820_chk

Only FIPS-approved ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command: # grep -i Ciphers /etc/ssh/sshd_config Ciphers aes256-ctr,aes192-ctr,aes128-ctr If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, the "Ciphers" keyword is missing, or the returned line is commented out, this is a finding.

Fix: F-19483r603821_fix

Limit the ciphers to those algorithms which are FIPS-approved. The following line in "/etc/ssh/sshd_config" demonstrates use of FIPS-approved ciphers: Ciphers aes256-ctr,aes192-ctr,aes128-ctr Note: The man page "sshd_config(5)" contains a list of supported ciphers.

a
The avahi service must be disabled.
CM-7 - Low - CCI-000381 - V-218006 - SV-218006r603264_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
RHEL-06-000246
Vuln IDs
  • V-218006
  • V-38618
Rule IDs
  • SV-218006r603264_rule
  • SV-50419
Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted.
Checks: C-19487r377033_chk

To check that the "avahi-daemon" service is disabled in system boot configuration, run the following command: # chkconfig "avahi-daemon" --list Output should indicate the "avahi-daemon" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "avahi-daemon" --list "avahi-daemon" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "avahi-daemon" is disabled through current runtime configuration: # service avahi-daemon status If the service is disabled the command will return the following output: avahi-daemon is stopped If the service is running, this is a finding.

Fix: F-19485r377034_fix

The "avahi-daemon" service can be disabled with the following commands: # chkconfig avahi-daemon off # service avahi-daemon stop

b
The system clock must be synchronized continuously, or at least daily.
AU-8 - Medium - CCI-001891 - V-218007 - SV-218007r603264_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001891
Version
RHEL-06-000247
Vuln IDs
  • V-218007
  • V-38620
Rule IDs
  • SV-218007r603264_rule
  • SV-50421
Enabling the "ntpd" service ensures that the "ntpd" service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches.
Checks: C-19488r377036_chk

Run the following command to determine the current status of the "ntpd" service: # service ntpd status If the service is enabled, it should return the following: ntpd is running... If the service is not running, this is a finding.

Fix: F-19486r377037_fix

The "ntpd" service can be enabled with the following command: # chkconfig ntpd on # service ntpd start

b
The system clock must be synchronized to an authoritative DoD time source.
AU-8 - Medium - CCI-001891 - V-218008 - SV-218008r603264_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001891
Version
RHEL-06-000248
Vuln IDs
  • V-218008
  • V-38621
Rule IDs
  • SV-218008r603264_rule
  • SV-50422
Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events. Using a trusted NTP server provided by your organization is recommended.
Checks: C-19489r377039_chk

A remote NTP server should be configured for time synchronization. To verify one is configured, open the following file. /etc/ntp.conf In the file, there should be a section similar to the following: # --- OUR TIMESERVERS ----- server [ntpserver] If this is not the case, this is a finding.

Fix: F-19487r377040_fix

To specify a remote NTP server for time synchronization, edit the file "/etc/ntp.conf". Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver. server [ntpserver] This instructs the NTP software to contact that remote server to obtain time data.

b
Mail relaying must be restricted.
CM-7 - Medium - CCI-000382 - V-218009 - SV-218009r603264_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
RHEL-06-000249
Vuln IDs
  • V-218009
  • V-38622
Rule IDs
  • SV-218009r603264_rule
  • SV-50423
This ensures "postfix" accepts mail messages (such as cron job reports) from the local system only, and not from the network, which protects it from network attack.
Checks: C-19490r377042_chk

If the system is an authorized mail relay host, this is not applicable. Run the following command to ensure postfix accepts mail messages from only the local system: $ grep inet_interfaces /etc/postfix/main.cf If properly configured, the output should show only "localhost". If it does not, this is a finding.

Fix: F-19488r377043_fix

Edit the file "/etc/postfix/main.cf" to ensure that only the following "inet_interfaces" line appears: inet_interfaces = localhost

a
The openldap-servers package must not be installed unless required.
CM-7 - Low - CCI-000381 - V-218010 - SV-218010r603264_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
RHEL-06-000256
Vuln IDs
  • V-218010
  • V-38627
Rule IDs
  • SV-218010r603264_rule
  • SV-50428
Unnecessary packages should not be installed to decrease the attack surface of the system.
Checks: C-19491r377045_chk

To verify the "openldap-servers" package is not installed, run the following command: $ rpm -q openldap-servers The output should show the following. package openldap-servers is not installed If it does not, this is a finding.

Fix: F-19489r377046_fix

The "openldap-servers" package should be removed if not in use. # yum erase openldap-servers The openldap-servers RPM is not installed by default on RHEL6 machines. It is needed only by the OpenLDAP server, not by the clients which use LDAP for authentication. If the system is not intended for use as an LDAP Server it should be removed.

b
The graphical desktop environment must set the idle timeout to no more than 15 minutes.
AC-11 - Medium - CCI-000057 - V-218011 - SV-218011r603264_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000057
Version
RHEL-06-000257
Vuln IDs
  • V-218011
  • V-38629
Rule IDs
  • SV-218011r603264_rule
  • SV-50430
Setting the idle delay controls when the screensaver will start, and can be combined with screen locking to prevent access from passersby.
Checks: C-19492r377048_chk

If the GConf2 package is not installed, this is not applicable. To check the current idle time-out value, run the following command: $ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/idle_delay If properly configured, the output should be "15". If it is not, this is a finding.

Fix: F-19490r377049_fix

Run the following command to set the idle time-out value for inactivity in the GNOME desktop to 15 minutes: # gconftool-2 \ --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type int \ --set /apps/gnome-screensaver/idle_delay 15

b
The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user reauthentication to unlock the environment.
AC-11 - Medium - CCI-000057 - V-218012 - SV-218012r603264_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000057
Version
RHEL-06-000258
Vuln IDs
  • V-218012
  • V-38630
Rule IDs
  • SV-218012r603264_rule
  • SV-50431
Enabling idle activation of the screen saver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require the login session does not have administrator rights and the display station is located in a controlled-access area.
Checks: C-19493r377051_chk

If the GConf2 package is not installed, this is not applicable. To check the screensaver mandatory use status, run the following command: $ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/idle_activation_enabled If properly configured, the output should be "true". If it is not, this is a finding.

Fix: F-19491r377052_fix

Run the following command to activate the screensaver in the GNOME desktop after a period of inactivity: # gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/gnome-screensaver/idle_activation_enabled true

b
The graphical desktop environment must have automatic lock enabled.
AC-11 - Medium - CCI-000057 - V-218013 - SV-218013r603264_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000057
Version
RHEL-06-000259
Vuln IDs
  • V-218013
  • V-38638
Rule IDs
  • SV-218013r603264_rule
  • SV-50439
Enabling the activation of the screen lock after an idle period ensures password entry will be required in order to access the system, preventing access by passersby.
Checks: C-19494r377054_chk

If the GConf2 package is not installed, this is not applicable. To check the status of the idle screen lock activation, run the following command: $ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/lock_enabled If properly configured, the output should be "true". If it is not, this is a finding.

Fix: F-19492r377055_fix

Run the following command to activate locking of the screensaver in the GNOME desktop when it is activated: # gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/gnome-screensaver/lock_enabled true

a
The system must display a publicly-viewable pattern during a graphical desktop environment session lock.
AC-11 - Low - CCI-000060 - V-218014 - SV-218014r603264_rule
RMF Control
AC-11
Severity
Low
CCI
CCI-000060
Version
RHEL-06-000260
Vuln IDs
  • V-218014
  • V-38639
Rule IDs
  • SV-218014r603264_rule
  • SV-50440
Setting the screensaver mode to blank-only conceals the contents of the display from passersby.
Checks: C-19495r377057_chk

If the GConf2 package is not installed, this is not applicable. To ensure the screensaver is configured to be blank, run the following command: $ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/mode If properly configured, the output should be "blank-only". If it is not, this is a finding.

Fix: F-19493r377058_fix

Run the following command to set the screensaver mode in the GNOME desktop to a blank screen: # gconftool-2 \ --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type string \ --set /apps/gnome-screensaver/mode blank-only

a
The Automatic Bug Reporting Tool (abrtd) service must not be running.
CM-7 - Low - CCI-000382 - V-218015 - SV-218015r603264_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000382
Version
RHEL-06-000261
Vuln IDs
  • V-218015
  • V-38640
Rule IDs
  • SV-218015r603264_rule
  • SV-50441
Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the local machine, as well as sensitive information from within a process's address space or registers.
Checks: C-19496r377060_chk

To check that the "abrtd" service is disabled in system boot configuration, run the following command: # chkconfig "abrtd" --list Output should indicate the "abrtd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "abrtd" --list "abrtd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "abrtd" is disabled through current runtime configuration: # service abrtd status If the service is disabled the command will return the following output: abrtd is stopped If the service is running, this is a finding.

Fix: F-19494r377061_fix

The Automatic Bug Reporting Tool ("abrtd") daemon collects and reports crash data when an application crash is detected. Using a variety of plugins, abrtd can email crash reports to system administrators, log crash reports to files, or forward crash reports to a centralized issue tracking system such as RHTSupport. The "abrtd" service can be disabled with the following commands: # chkconfig abrtd off # service abrtd stop

a
The atd service must be disabled.
CM-7 - Low - CCI-000382 - V-218016 - SV-218016r603264_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000382
Version
RHEL-06-000262
Vuln IDs
  • V-218016
  • V-38641
Rule IDs
  • SV-218016r603264_rule
  • SV-50442
The "atd" service could be used by an unsophisticated insider to carry out activities outside of a normal login session, which could complicate accountability. Furthermore, the need to schedule tasks with "at" or "batch" is not common.
Checks: C-19497r377063_chk

If the system requires the use of the "atd" service to support an organizational requirement, this is not applicable. To check that the "atd" service is disabled in system boot configuration, run the following command: # chkconfig "atd" --list Output should indicate the "atd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "atd" --list "atd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "atd" is disabled through current runtime configuration: # service atd status If the service is disabled the command will return the following output: atd is stopped If the service is running, this is a finding.

Fix: F-19495r377064_fix

The "at" and "batch" commands can be used to schedule tasks that are meant to be executed only once. This allows delayed execution in a manner similar to cron, except that it is not recurring. The daemon "atd" keeps track of tasks scheduled via "at" and "batch", and executes them at the specified time. The "atd" service can be disabled with the following commands: # chkconfig atd off # service atd stop

a
The ntpdate service must not be running.
CM-7 - Low - CCI-000382 - V-218017 - SV-218017r603264_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000382
Version
RHEL-06-000265
Vuln IDs
  • V-218017
  • V-38644
Rule IDs
  • SV-218017r603264_rule
  • SV-50445
The "ntpdate" service may only be suitable for systems which are rebooted frequently enough that clock drift does not cause problems between reboots. In any event, the functionality of the ntpdate service is now available in the ntpd program and should be considered deprecated.
Checks: C-19498r377066_chk

To check that the "ntpdate" service is disabled in system boot configuration, run the following command: # chkconfig "ntpdate" --list Output should indicate the "ntpdate" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "ntpdate" --list "ntpdate" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "ntpdate" is disabled through current runtime configuration: # service ntpdate status If the service is disabled the command will return the following output: ntpdate is stopped If the service is running, this is a finding.

Fix: F-19496r377067_fix

The ntpdate service sets the local hardware clock by polling NTP servers when the system boots. It synchronizes to the NTP servers listed in "/etc/ntp/step-tickers" or "/etc/ntp.conf" and then sets the local hardware clock to the newly synchronized system time. The "ntpdate" service can be disabled with the following commands: # chkconfig ntpdate off # service ntpdate stop

a
The oddjobd service must not be running.
CM-7 - Low - CCI-000382 - V-218018 - SV-218018r603264_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000382
Version
RHEL-06-000266
Vuln IDs
  • V-218018
  • V-38646
Rule IDs
  • SV-218018r603264_rule
  • SV-50447
The "oddjobd" service may provide necessary functionality in some environments but it can be disabled if it is not needed. Execution of tasks by privileged programs, on behalf of unprivileged ones, has traditionally been a source of privilege escalation security issues.
Checks: C-19499r377069_chk

To check that the "oddjobd" service is disabled in system boot configuration, run the following command: # chkconfig "oddjobd" --list Output should indicate the "oddjobd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "oddjobd" --list "oddjobd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "oddjobd" is disabled through current runtime configuration: # service oddjobd status If the service is disabled the command will return the following output: oddjobd is stopped If the service is running, this is a finding.

Fix: F-19497r377070_fix

The "oddjobd" service exists to provide an interface and access control mechanism through which specified privileged tasks can run tasks for unprivileged client applications. Communication with "oddjobd" is through the system message bus. The "oddjobd" service can be disabled with the following commands: # chkconfig oddjobd off # service oddjobd stop

a
The qpidd service must not be running.
CM-7 - Low - CCI-000382 - V-218019 - SV-218019r603264_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000382
Version
RHEL-06-000267
Vuln IDs
  • V-218019
  • V-38648
Rule IDs
  • SV-218019r603264_rule
  • SV-50449
The qpidd service is automatically installed when the "base" package selection is selected during installation. The qpidd service listens for network connections which increases the attack surface of the system. If the system is not intended to receive AMQP traffic then the "qpidd" service is not needed and should be disabled or removed.
Checks: C-19500r377072_chk

To check that the "qpidd" service is disabled in system boot configuration, run the following command: # chkconfig "qpidd" --list Output should indicate the "qpidd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "qpidd" --list "qpidd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "qpidd" is disabled through current runtime configuration: # service qpidd status If the service is disabled the command will return the following output: qpidd is stopped If the service is running, this is a finding.

Fix: F-19498r377073_fix

The "qpidd" service provides high speed, secure, guaranteed delivery services. It is an implementation of the Advanced Message Queuing Protocol. By default the qpidd service will bind to port 5672 and listen for connection attempts. The "qpidd" service can be disabled with the following commands: # chkconfig qpidd off # service qpidd stop

a
The rdisc service must not be running.
CM-7 - Low - CCI-000382 - V-218020 - SV-218020r603264_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000382
Version
RHEL-06-000268
Vuln IDs
  • V-218020
  • V-38650
Rule IDs
  • SV-218020r603264_rule
  • SV-50451
General-purpose systems typically have their network and routing information configured statically by a system administrator. Workstations or some special-purpose systems often use DHCP (instead of IRDP) to retrieve dynamic network configuration information.
Checks: C-19501r377075_chk

To check that the "rdisc" service is disabled in system boot configuration, run the following command: # chkconfig "rdisc" --list Output should indicate the "rdisc" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "rdisc" --list "rdisc" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "rdisc" is disabled through current runtime configuration: # service rdisc status If the service is disabled the command will return the following output: rdisc is stopped If the service is running, this is a finding.

Fix: F-19499r377076_fix

The "rdisc" service implements the client side of the ICMP Internet Router Discovery Protocol (IRDP), which allows discovery of routers on the local subnet. If a router is discovered then the local routing table is updated with a corresponding default route. By default this daemon is disabled. The "rdisc" service can be disabled with the following commands: # chkconfig rdisc off # service rdisc stop

b
Remote file systems must be mounted with the nodev option.
CM-6 - Medium - CCI-000366 - V-218021 - SV-218021r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000269
Vuln IDs
  • V-218021
  • V-38652
Rule IDs
  • SV-218021r603264_rule
  • SV-50453
Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users.
Checks: C-19502r377078_chk

To verify the "nodev" option is configured for all NFS mounts, run the following command: $ mount | grep "nfs " All NFS mounts should show the "nodev" setting in parentheses, along with other mount options. If the setting does not show, this is a finding.

Fix: F-19500r377079_fix

Add the "nodev" option to the fourth column of "/etc/fstab" for the line which controls mounting of any NFS mounts.

b
Remote file systems must be mounted with the nosuid option.
CM-6 - Medium - CCI-000366 - V-218022 - SV-218022r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000270
Vuln IDs
  • V-218022
  • V-38654
Rule IDs
  • SV-218022r603264_rule
  • SV-50455
NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem.
Checks: C-19503r377081_chk

To verify the "nosuid" option is configured for all NFS mounts, run the following command: $ mount | grep nfs All NFS mounts should show the "nosuid" setting in parentheses, along with other mount options. If the setting does not show, this is a finding.

Fix: F-19501r377082_fix

Add the "nosuid" option to the fourth column of "/etc/fstab" for the line which controls mounting of any NFS mounts.

a
The noexec option must be added to removable media partitions.
CM-6 - Low - CCI-000366 - V-218023 - SV-218023r603264_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000271
Vuln IDs
  • V-218023
  • V-38655
Rule IDs
  • SV-218023r603264_rule
  • SV-50456
Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise.
Checks: C-19504r377084_chk

Identify any removable media that is configured on the system: # cat /etc/fstab /dev/mapper/vg_rhel6-lv_root / ext4 defaults 1 1 UUID=0be9b205-f8e6-4bf4-b0ba-1f235fc55936 /boot ext4 defaults 1 2 UUID=5D49-30B2 /boot/efi vfat umask=0077,shortname=winnt 0 0 /dev/mapper/vg_rhel6-lv_home /home ext4 defaults 1 2 /dev/mapper/vg_rhel6-lv_tmp /tmp ext4 defaults 1 2 /dev/mapper/vg_rhel6-lv_var /var ext4 defaults 1 2 /dev/mapper/vg_rhel6-lv_swap swap swap defaults 0 0 tmpfs /dev/shm tmpfs defaults 0 0 devpts /dev/pts devpts gid=5,mode=620 0 0 sysfs /sys sysfs defaults 0 0 proc /proc proc defaults 0 0 /dev/sdc1 /media/usb vfat defaults,rw,noexec 0 0 If any of the identified removable media devices do not have "noexec" defined, this is a finding.

Fix: F-19502r377085_fix

The "noexec" mount option prevents the direct execution of binaries on the mounted filesystem. Users should not be allowed to execute binaries that exist on partitions mounted from removable media (such as a USB key). The "noexec" option prevents code from being executed directly from the media itself, and may therefore provide a line of defense against certain types of worms or malicious code. Add the "noexec" option to the fourth column of "/etc/fstab" for the line which controls mounting of any removable media partitions.

a
The system must use SMB client signing for connecting to samba servers using smbclient.
CM-6 - Low - CCI-000366 - V-218024 - SV-218024r603264_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000272
Vuln IDs
  • V-218024
  • V-38656
Rule IDs
  • SV-218024r603264_rule
  • SV-50457
Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.
Checks: C-19505r377087_chk

To verify that Samba clients running smbclient must use packet signing, run the following command: # grep signing /etc/samba/smb.conf The output should show: client signing = mandatory If it is not, this is a finding.

Fix: F-19503r377088_fix

To require samba clients running "smbclient" to use packet signing, add the following to the "[global]" section of the Samba configuration file in "/etc/samba/smb.conf": client signing = mandatory Requiring samba clients such as "smbclient" to use packet signing ensures they can only communicate with servers that support packet signing.

a
The system must use SMB client signing for connecting to samba servers using mount.cifs.
CM-6 - Low - CCI-000366 - V-218025 - SV-218025r603264_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000273
Vuln IDs
  • V-218025
  • V-38657
Rule IDs
  • SV-218025r603264_rule
  • SV-50458
Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.
Checks: C-19506r377090_chk

If Samba is not in use, this is not applicable. To verify that Samba clients using mount.cifs must use packet signing, run the following command: # grep sec /etc/fstab /etc/mtab The output should show either "krb5i" or "ntlmv2i" in use. If it does not, this is a finding.

Fix: F-19504r377091_fix

Require packet signing of clients who mount Samba shares using the "mount.cifs" program (e.g., those who specify shares in "/etc/fstab"). To do so, ensure signing options (either "sec=krb5i" or "sec=ntlmv2i") are used. See the "mount.cifs(8)" man page for more information. A Samba client should only communicate with servers who can support SMB packet signing.

b
The system must prohibit the reuse of passwords within five iterations.
IA-5 - Medium - CCI-000200 - V-218026 - SV-218026r603264_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000200
Version
RHEL-06-000274
Vuln IDs
  • V-218026
  • V-38658
Rule IDs
  • SV-218026r603264_rule
  • SV-50459
Preventing reuse of previous passwords helps ensure that a compromised password is not reused by a user.
Checks: C-19507r462403_chk

To verify the password reuse setting is compliant, run the following command: # grep remember /etc/pam.d/system-auth /etc/pam.d/password-auth If the line is commented out, the line does not contain "password required pam_pwhistory.so" or "password requisite pam_pwhistory.so", or the value for "remember" is less than “5”, this is a finding.

Fix: F-19505r462404_fix

Do not allow users to reuse recent passwords. This can be accomplished by using the "remember" option for the "pam_pwhistory" PAM module. In the file "/etc/pam.d/system-auth" and /etc/pam.d/password-auth, append "remember=5" to the lines that refer to the "pam_pwhistory.so" module, as shown: password required pam_pwhistory.so [existing_options] remember=5 or password requisite pam_pwhistory.so [existing_options] remember=5 The DoD requirement is five passwords.

a
The operating system must employ cryptographic mechanisms to protect information in storage.
CM-6 - Low - CCI-000366 - V-218027 - SV-218027r603264_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000275
Vuln IDs
  • V-218027
  • V-38659
Rule IDs
  • SV-218027r603264_rule
  • SV-50460
The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost.
Checks: C-19508r377096_chk

Determine if encryption must be used to protect data on the system. If encryption must be used and is not employed, this is a finding.

Fix: F-19506r377097_fix

Red Hat Enterprise Linux 6 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time. For manual installations, select the "Encrypt" checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots. For automated/unattended installations, it is possible to use Kickstart by adding the "--encrypted" and "--passphrase=" options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition: part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=[PASSPHRASE] Any [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the "--passphrase=" option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation. Detailed information on encrypting partitions using LUKS can be found on the Red Hat Documentation web site: https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html

a
The operating system must protect the confidentiality and integrity of data at rest.
SC-28 - Low - CCI-001199 - V-218028 - SV-218028r603264_rule
RMF Control
SC-28
Severity
Low
CCI
CCI-001199
Version
RHEL-06-000276
Vuln IDs
  • V-218028
  • V-38661
Rule IDs
  • SV-218028r603264_rule
  • SV-50462
The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost.
Checks: C-19509r377099_chk

Determine if encryption must be used to protect data on the system. If encryption must be used and is not employed, this is a finding.

Fix: F-19507r377100_fix

Red Hat Enterprise Linux 6 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time. For manual installations, select the "Encrypt" checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots. For automated/unattended installations, it is possible to use Kickstart by adding the "--encrypted" and "--passphrase=" options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition: part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=[PASSPHRASE] Any [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the "--passphrase=" option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation. Detailed information on encrypting partitions using LUKS can be found on the Red Hat Documentation web site: https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html

a
The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of data at rest unless otherwise protected by alternative physical measures.
CM-6 - Low - CCI-000366 - V-218029 - SV-218029r603264_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000277
Vuln IDs
  • V-218029
  • V-38662
Rule IDs
  • SV-218029r603264_rule
  • SV-50463
The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost.
Checks: C-19510r377102_chk

Determine if encryption must be used to protect data on the system. If encryption must be used and is not employed, this is a finding.

Fix: F-19508r377103_fix

Red Hat Enterprise Linux 6 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time. For manual installations, select the "Encrypt" checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots. For automated/unattended installations, it is possible to use Kickstart by adding the "--encrypted" and "--passphrase=" options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition: part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=[PASSPHRASE] Any [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the "--passphrase=" option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation. Detailed information on encrypting partitions using LUKS can be found on the Red Hat Documentation web site: https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html

b
The system package management tool must verify permissions on all files and directories associated with the audit package.
AU-9 - Medium - CCI-001493 - V-218030 - SV-218030r603264_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001493
Version
RHEL-06-000278
Vuln IDs
  • V-218030
  • V-38663
Rule IDs
  • SV-218030r603264_rule
  • SV-50464
Permissions on audit binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.
Checks: C-19511r377105_chk

The following command will list which audit files on the system have permissions different from what is expected by the RPM database: # rpm -V audit | grep '^.M' If there is any output, for each file or directory found, compare the RPM-expected permissions with the permissions on the file or directory: # rpm -q --queryformat "[%{FILENAMES} %{FILEMODES:perms}\n]" audit | grep [filename] # ls -lL [filename] If the existing permissions are more permissive than those expected by RPM, this is a finding.

Fix: F-19509r377106_fix

The RPM package management system can restore file access permissions of the audit package files and directories. The following command will update audit files with permissions different from what is expected by the RPM database: # rpm --setperms audit

b
The system package management tool must verify ownership on all files and directories associated with the audit package.
AU-9 - Medium - CCI-001494 - V-218031 - SV-218031r603264_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001494
Version
RHEL-06-000279
Vuln IDs
  • V-218031
  • V-38664
Rule IDs
  • SV-218031r603264_rule
  • SV-50465
Ownership of audit binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.
Checks: C-19512r377108_chk

The following command will list which audit files on the system have ownership different from what is expected by the RPM database: # rpm -V audit | grep '^.....U' If there is output, this is a finding.

Fix: F-19510r377109_fix

The RPM package management system can restore file ownership of the audit package files and directories. The following command will update audit files with ownership different from what is expected by the RPM database: # rpm --setugids audit

b
The system package management tool must verify group-ownership on all files and directories associated with the audit package.
AU-9 - Medium - CCI-001495 - V-218032 - SV-218032r603264_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001495
Version
RHEL-06-000280
Vuln IDs
  • V-218032
  • V-38665
Rule IDs
  • SV-218032r603264_rule
  • SV-50466
Group-ownership of audit binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The group-ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.
Checks: C-19513r377111_chk

The following command will list which audit files on the system have group-ownership different from what is expected by the RPM database: # rpm -V audit | grep '^......G' If there is output, this is a finding.

Fix: F-19511r377112_fix

The RPM package management system can restore file group-ownership of the audit package files and directories. The following command will update audit files with group-ownership different from what is expected by the RPM database: # rpm --setugids audit

b
The system package management tool must verify contents of all files associated with the audit package.
AU-9 - Medium - CCI-001496 - V-218033 - SV-218033r603264_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001496
Version
RHEL-06-000281
Vuln IDs
  • V-218033
  • V-38637
Rule IDs
  • SV-218033r603264_rule
  • SV-50438
The hash on important files like audit system executables should match the information given by the RPM database. Audit executables with erroneous hashes could be a sign of nefarious activity on the system.
Checks: C-19514r377114_chk

The following command will list which audit files on the system have file hashes different from what is expected by the RPM database. # rpm -V audit | awk '$1 ~ /..5/ &amp;&amp; $2 != "c"' If there is output, this is a finding.

Fix: F-19512r377115_fix

The RPM package management system can check the hashes of audit system package files. Run the following command to list which audit files on the system have hashes that differ from what is expected by the RPM database: # rpm -V audit | grep '^..5' A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file that has changed was not expected to then refresh from distribution media or online repositories. rpm -Uvh [affected_package] OR yum reinstall [affected_package]

b
There must be no world-writable files on the system.
CM-6 - Medium - CCI-000366 - V-218034 - SV-218034r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000282
Vuln IDs
  • V-218034
  • V-38643
Rule IDs
  • SV-218034r603264_rule
  • SV-50444
Data in world-writable files can be modified by any user on the system. In almost all circumstances, files can be configured using a combination of user and group permissions to support whatever legitimate access is needed without the risk caused by world-writable files.
Checks: C-19515r377117_chk

To find world-writable files, run the following command for each local partition [PART], excluding special filesystems such as /selinux, /proc, or /sys: # find [PART] -xdev -type f -perm -002 If there is output, this is a finding.

Fix: F-19513r377118_fix

It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account.

b
The system must have a host-based intrusion detection tool installed.
CM-6 - Medium - CCI-000366 - V-218035 - SV-218035r603264_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-06-000285
Vuln IDs
  • V-218035
  • V-38667
Rule IDs
  • SV-218035r603264_rule
  • SV-50468
Adding host-based intrusion detection tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of system, which may not otherwise exist in an organization's systems management regime.
Checks: C-19516r462406_chk

Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux. McAfee Endpoint Security for Linux (ENSL) is an approved alternative to McAfee Virus Scan Enterprise (VSE) and HIPS. Procedure: Examine the system to see if the Host Intrusion Prevention System (HIPS) is installed: # rpm -qa | grep MFEhiplsm Verify that the McAfee HIPS module is active on the system: # ps -ef | grep -i “hipclient” If the MFEhiplsm package is not installed, check for another intrusion detection system: # find / -name &lt;daemon name&gt; Where &lt;daemon name&gt; is the name of the primary application daemon to determine if the application is loaded on the system. Determine if the application is active on the system: # ps -ef | grep -i &lt;daemon name&gt; If the MFEhiplsm package is not installed and an alternate host-based intrusion detection application has not been documented for use, this is a finding. If no host-based intrusion detection system is installed and running on the system, this is a finding.

Fix: F-19514r462407_fix

Install and enable the latest McAfee HIPS package or McAfee ENSL.

c
The x86 Ctrl-Alt-Delete key sequence must be disabled.
CM-6 - High - CCI-000366 - V-218036 - SV-218036r603264_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
RHEL-06-000286
Vuln IDs
  • V-218036
  • V-38668
Rule IDs
  • SV-218036r603264_rule
  • SV-50469
A locally logged-in user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.
Checks: C-19517r377123_chk

To ensure the system is configured to log a message instead of rebooting the system when Ctrl-Alt-Delete is pressed, ensure the following line is in "/etc/init/control-alt-delete.override": exec /usr/bin/logger -p authpriv.notice "Ctrl-Alt-Delete pressed" If the system is not configured to block the shutdown command when Ctrl-Alt-Delete is pressed, this is a finding.

Fix: F-19515r377124_fix

By default, the system includes the following line in "/etc/init/control-alt-delete.conf" to reboot the system when the Ctrl-Alt-Delete key sequence is pressed: exec /sbin/shutdown -r now "Ctrl-Alt-Delete pressed" To configure the system to log a message instead of rebooting the system, add the following line to "/etc/init/control-alt-delete.override" to read as follows: exec /usr/bin/logger -p authpriv.notice "Ctrl-Alt-Delete pressed"

a
The postfix service must be enabled for mail delivery.
CM-6 - Low - CCI-000366 - V-218037 - SV-218037r603264_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-06-000287
Vuln IDs
  • V-218037
  • V-38669
Rule IDs
  • SV-218037r603264_rule
  • SV-50470
Local mail delivery is essential to some system maintenance and notification tasks.
Checks: C-19518r377126_chk

Run the following command to determine the current status of the "postfix" service: # service postfix status If the service is enabled, it should return the following: postfix is running... If the service is not enabled, this is a finding.

Fix: F-19516r377127_fix

The Postfix mail transfer agent is used for local mail delivery within the system. The default configuration only listens for connections to the default SMTP port (port 25) on the loopback interface (127.0.0.1). It is recommended to leave this service enabled for local mail delivery. The "postfix" service can be enabled with the following command: # chkconfig postfix on # service postfix start

b
The sendmail package must be removed.
CM-7 - Medium - CCI-000381 - V-218038 - SV-218038r603264_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
RHEL-06-000288
Vuln IDs
  • V-218038
  • V-38671
Rule IDs
  • SV-218038r603264_rule
  • SV-50472
The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead.
Checks: C-19519r377129_chk

Run the following command to determine if the "sendmail" package is installed: # rpm -q sendmail If the package is installed, this is a finding.

Fix: F-19517r377130_fix

Sendmail is not the default mail transfer agent and is not installed by default. The "sendmail" package can be removed with the following command: # yum erase sendmail

a
The netconsole service must be disabled unless required.
CM-7 - Low - CCI-000382 - V-218039 - SV-218039r603264_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000382
Version
RHEL-06-000289
Vuln IDs
  • V-218039
  • V-38672
Rule IDs
  • SV-218039r603264_rule
  • SV-50473
The "netconsole" service is not necessary unless there is a need to debug kernel panics, which is not common.
Checks: C-19520r377132_chk

To check that the "netconsole" service is disabled in system boot configuration, run the following command: # chkconfig "netconsole" --list Output should indicate the "netconsole" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: # chkconfig "netconsole" --list "netconsole" 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "netconsole" is disabled through current runtime configuration: # service netconsole status If the service is disabled the command will return the following output: netconsole is stopped If the service is running, this is a finding.

Fix: F-19518r377133_fix

The "netconsole" service is responsible for loading the netconsole kernel module, which logs kernel printk messages over UDP to a syslog server. This allows debugging of problems where disk logging fails and serial consoles are impractical. The "netconsole" service can be disabled with the following commands: # chkconfig netconsole off # service netconsole stop

b
X Windows must not be enabled unless required.
CM-7 - Medium - CCI-000381 - V-218040 - SV-218040r603264_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
RHEL-06-000290
Vuln IDs
  • V-218040
  • V-38674
Rule IDs
  • SV-218040r603264_rule
  • SV-50475
Unnecessary services should be disabled to decrease the attack surface of the system.
Checks: C-19521r377135_chk

To verify the default runlevel is 3, run the following command: # grep initdefault /etc/inittab The output should show the following: id:3:initdefault: If it does not, this is a finding.

Fix: F-19519r377136_fix

Setting the system's runlevel to 3 will prevent automatic startup of the X server. To do so, ensure the following line in "/etc/inittab" features a "3" as shown: id:3:initdefault:

a
The xorg-x11-server-common (X Windows) package must not be installed, unless required.
CM-7 - Low - CCI-000381 - V-218041 - SV-218041r603264_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
RHEL-06-000291
Vuln